Security

Last Updated: December 13, 2024

1. Our Commitment to Security

At Kena Cloud, security is fundamental to everything we do. As an Amazon Connect and AWS consulting partner, we implement comprehensive security measures to protect your contact center infrastructure, customer data, and business operations.

2. Infrastructure Security

2.1 AWS Cloud Security

We leverage AWS's world-class security infrastructure:

  • Physical Security: AWS data centers with 24/7 monitoring, biometric access controls, and redundant power/cooling
  • Network Security: DDoS protection, network segmentation, and traffic encryption
  • Compliance: AWS compliance with SOC 1/2/3, ISO 27001, PCI-DSS, HIPAA, and other standards
  • Availability: Multi-AZ deployments for high availability and disaster recovery

2.2 Amazon Connect Security

  • End-to-end encryption of voice and data
  • Secure SIP trunking and PSTN connectivity
  • Encrypted call recordings and transcripts
  • Secure agent authentication and access controls

3. Data Protection

3.1 Encryption

  • In Transit: TLS 1.2+ for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Call Recordings: Encrypted storage in S3 with access logging
  • Database: Encrypted RDS and DynamoDB instances

3.2 Data Residency

We help clients choose AWS regions that meet their data residency requirements, ensuring compliance with local regulations (GDPR, data sovereignty laws, etc.).

3.3 Data Backup and Recovery

  • Automated daily backups with point-in-time recovery
  • Cross-region backup replication for disaster recovery
  • Regular backup testing and restoration drills
  • Documented recovery time objectives (RTO) and recovery point objectives (RPO)

4. Access Control

4.1 Identity and Access Management (IAM)

  • Principle of least privilege for all access
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) required for administrative access
  • Regular access reviews and revocation of unused permissions

4.2 Authentication

  • Strong password policies (complexity, rotation, history)
  • Single Sign-On (SSO) integration with corporate identity providers
  • Session management and automatic timeout
  • API key rotation and secure credential storage

4.3 Agent Access Security

  • Secure agent login with MFA options
  • IP whitelisting for agent access
  • Session recording and audit trails
  • Automatic logout after inactivity

5. Application Security

5.1 Secure Development

  • Security-first development methodology
  • Code reviews and security testing
  • Static and dynamic application security testing (SAST/DAST)
  • Dependency scanning for vulnerable libraries
  • Secure coding standards and best practices

5.2 API Security

  • API authentication and authorization
  • Rate limiting and throttling
  • Input validation and sanitization
  • API versioning and deprecation policies

5.3 Lambda Function Security

  • Minimal IAM permissions for functions
  • Environment variable encryption
  • VPC isolation when required
  • Function versioning and aliases

6. Network Security

6.1 Network Architecture

  • VPC isolation with public and private subnets
  • Security groups and network ACLs
  • AWS WAF (Web Application Firewall) for web applications
  • AWS Shield for DDoS protection

6.2 Connectivity Security

  • VPN or AWS Direct Connect for secure hybrid connectivity
  • Private endpoints for AWS services
  • TLS/SSL certificates from trusted CAs
  • Certificate rotation and expiration monitoring

7. Monitoring and Logging

7.1 Security Monitoring

  • 24/7 security monitoring and alerting
  • AWS CloudWatch for metrics and logs
  • AWS CloudTrail for API activity logging
  • AWS GuardDuty for threat detection
  • AWS Security Hub for centralized security findings

7.2 Audit Logging

  • Comprehensive logging of all system activities
  • Immutable log storage with retention policies
  • Log analysis and correlation
  • Compliance reporting and audit trails

7.3 Incident Detection

  • Real-time anomaly detection
  • Automated security alerts
  • Intrusion detection and prevention
  • Behavioral analysis and threat intelligence

8. Compliance and Certifications

8.1 Industry Standards

We help clients achieve and maintain compliance with:

  • PCI-DSS: Payment card industry data security standards
  • HIPAA: Healthcare information privacy and security
  • GDPR: European data protection regulation
  • CCPA: California Consumer Privacy Act
  • SOC 2: Service organization controls
  • ISO 27001: Information security management

8.2 Telecommunications Compliance

  • TCPA (Telephone Consumer Protection Act)
  • CALEA (Communications Assistance for Law Enforcement Act)
  • Call recording consent and disclosure requirements
  • Do Not Call (DNC) list compliance

9. Incident Response

9.1 Incident Response Plan

We maintain a comprehensive incident response plan including:

  • Incident classification and severity levels
  • Response team roles and responsibilities
  • Communication protocols and escalation procedures
  • Containment, eradication, and recovery procedures
  • Post-incident analysis and lessons learned

9.2 Security Incident Notification

In the event of a security incident affecting client data:

  • Immediate investigation and containment
  • Notification to affected clients within 72 hours
  • Detailed incident report and remediation plan
  • Assistance with regulatory notifications if required

10. Business Continuity

10.1 High Availability

  • Multi-AZ deployments for critical components
  • Auto-scaling for handling traffic spikes
  • Load balancing across availability zones
  • Health checks and automatic failover

10.2 Disaster Recovery

  • Documented disaster recovery procedures
  • Regular DR testing and validation
  • Cross-region replication for critical data
  • Defined RTO and RPO for each service tier

11. Vendor and Third-Party Security

11.1 Vendor Assessment

  • Security evaluation of all third-party services
  • Review of vendor security certifications
  • Contractual security requirements
  • Regular vendor security audits

11.2 Integration Security

  • Secure API integrations with CRM and business systems
  • Credential management for third-party services
  • Data minimization in integrations
  • Regular security testing of integrations

12. Employee Security

12.1 Security Training

  • Mandatory security awareness training for all employees
  • Role-specific security training
  • Regular security updates and best practices
  • Phishing and social engineering awareness

12.2 Background Checks

  • Background verification for employees with system access
  • Confidentiality and non-disclosure agreements
  • Acceptable use policies
  • Secure device management and remote work policies

13. Vulnerability Management

13.1 Vulnerability Scanning

  • Regular automated vulnerability scans
  • Penetration testing by qualified security professionals
  • Patch management and timely security updates
  • Vulnerability prioritization and remediation

13.2 Security Updates

  • Monitoring of security advisories and CVEs
  • Rapid deployment of critical security patches
  • Testing of patches before production deployment
  • Change management for security updates

14. Client Responsibilities

Security is a shared responsibility. Clients are responsible for:

  • Securing their AWS account credentials
  • Managing agent access and permissions
  • Implementing security policies for their organization
  • Reporting security incidents promptly
  • Maintaining compliance with applicable regulations
  • Securing integrated systems and applications

15. Security Audits and Assessments

We conduct regular security assessments including:

  • Annual third-party security audits
  • Quarterly internal security reviews
  • Penetration testing of critical systems
  • Compliance assessments for regulated industries
  • Architecture reviews for new implementations

16. Continuous Improvement

We continuously enhance our security posture through:

  • Regular review and update of security policies
  • Adoption of new AWS security services and features
  • Participation in security communities and forums
  • Lessons learned from incidents and near-misses
  • Security metrics and KPI tracking

17. Reporting Security Issues

If you discover a security vulnerability or have security concerns, please report them immediately:

Security Team

Email: security@kena.cloud

For urgent security incidents, include "URGENT" in the subject line.

We commit to acknowledging security reports within 24 hours.

18. Questions About Security

For questions about our security practices or to request additional security documentation:

Kena Cloud Security

Email: security@kena.cloud

Website: Contact Form

© 2025 Kena Cloud. All rights reserved.