Security
Overview
OneStream utilizes a layered approach to security, sometimes referred to as a “defense in depth” strategy, to ensure that the Service and Customer Data remain secure. OneStream is committed to delivering a scalable, integrated, and highly performant solution with robust security measures that keep your data safe and your business protected. OneStream understands that a customer’s data is one of that customer’s most valuable assets.
Data Encryption
OneStream’s Service utilizes industry-standard encryption to protect all Customer Data while in transit and at rest. All data in transit between the Customer and the Service, using OneStream-provided clients such as the OneStream Web Application for Windows and the Excel add-in, is encrypted using HTTPS/TLS 1.2 or greater. For data ingested from source systems, OneStream requires that the Customer provide an endpoint which supports industry-standard encryption protocols and cipher suites for connectivity.
Data at rest is encrypted using an industry-standard cipher, such as AES-256. All data at rest is encrypted using symmetric keys with a minimum length of 256 bits.
In addition to service-managed encryption of data at rest, OneStream supports customer-managed keys through Bring Your Own Key (BYOK), as further specified in the applicable documentation.
Server Hardening
All compute images are built and configured with only the services necessary to operate the OneStream Service, and are built to conform to the Center for Internet Security 1.1 Benchmark. All Cloud Instances are regularly patched and maintained in accordance with our policy noted under the section labeled “Maintenance & Change Management”.
Network Security and Isolation
OneStream follows industry-standard practices when configuring virtual networks and applying associated access controls. Our standard network access controls implement a policy of deny by default, allow by exception. Inbound network traffic is only permitted using specific network protocols and ports based on the minimum requirements to operate the Service. In addition, all applicable Cloud Instance resources, such as virtual machines, have firewalls enabled at the individual resource level.
By default, the OneStream Service is only accessible via a connection from the public internet. At a customer’s request, OneStream will restrict access to the customer’s Cloud Instances to connections originating from a designated list of IP addresses. While OneStream will undertake reasonable security practices and precautions for connections originating from the customer’s private network, the customer is responsible for ensuring that appropriate security policies are applied from within their internal network to such a connection.
Isolated Management
A customer’s instance is accessible only to OneStream authorized personnel connecting through the OneStream corporate network. Administrative credentials, such as passwords, certificates, or cryptographic keys, for each customer’s instance are stored in an isolated storage service dedicated to the specific customer. Access to this service is highly restricted and may only be accessed by authorized OneStream personnel when responding to a documented support request, during a maintenance event (both planned and unplanned), or other similar situations to ensure continuity of Service operations.
Secure Secrets Storage Service
Each customer is provisioned two dedicated instances of our Secure Secrets Storage Service. The first is for OneStream’s operational use to manage all service-related administrative credentials, including passwords, certificates, API keys, and cryptographic keys. Both instances provide the following functionality and benefits:
- Advanced monitoring and logging
- Increased security with role-based access control policies and default encryption
- Automated administrative credential rotation and management
Only authorized OneStream personnel with documented approval via a support request, during a maintenance event (both planned and unplanned), or other similar situations to ensure continuity of Service operations may access this information. All administrative work performed in a customer’s Cloud Instance is logged and can be traced to the specific authorization and team members who performed the assigned work task. Prior to accessing the secrets storage service, authorized OneStream personnel must first authenticate against our corporate identity provider using their credentials and a multifactor authentication token.
In addition to the Secure Secrets Storage Service for OneStream’s operational use, OneStream provides a customer-managed, Hardware Security Module (HSM)-backed secret storage service that is maintained by the customer. This secrets storage service is used to support BYOK for encryption of data at rest and to store items such as credentials used to connect to external systems, API keys, and other secrets.
Privileged Identity Management (PIM)
OneStream utilizes the principle of “least access” in designing its security architecture, to ensure that only authorized personnel have access to customer resources for approved requests. To facilitate this, OneStream utilizes PIM which temporarily allows access to a customer’s Cloud Instance for approved tasks. Prior to accessing protected customer resources, authorized personnel must specify an approved support request number and time window for access. Use of PIM to access a customer’s Cloud Instance is logged to provide a full audit history of any access to a specific customer’s environment.
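The PIM flow described above, as an added illustration that is not OneStream’s own code: a request is admitted only if it carries an approved support request number bound to that customer’s instance, falls inside a bounded time window, and comes from an MFA-authenticated user, and every decision is written to an audit log that can be traced back per customer instance. The class and field names, the four-hour window limit, and the sample ticket are assumptions made for this example.

```python
# Added illustration (not OneStream's code): a minimal just-in-time (PIM-style)
# access gate modelled on the controls described above. Names, the maximum
# window length and the sample tickets are assumptions made for this example.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=4)          # assumed policy limit on one access window

@dataclass
class AccessRequest:
    user: str
    customer_instance: str
    ticket: str                          # approved support request number
    start: datetime
    end: datetime
    mfa_verified: bool                   # asserted by the corporate identity provider

@dataclass
class PimGate:
    approved_tickets: dict               # ticket -> (customer_instance, approver)
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: AccessRequest, now: datetime) -> tuple:
        """Return (allowed, reason) and record the decision in the audit log."""
        reason = None
        if not req.mfa_verified:
            reason = "mfa-required"
        elif req.ticket not in self.approved_tickets:
            reason = "ticket-not-approved"
        elif self.approved_tickets[req.ticket][0] != req.customer_instance:
            reason = "ticket-instance-mismatch"   # ticket approved for a different customer
        elif req.end <= req.start or req.end - req.start > MAX_WINDOW:
            reason = "invalid-window"
        elif not (req.start <= now < req.end):
            reason = "outside-window"            # access expires with the window
        allowed = reason is None
        # Every decision, allowed or denied, is logged with the authorizing ticket.
        self.audit_log.append({
            "time": now.isoformat(), "user": req.user,
            "instance": req.customer_instance, "ticket": req.ticket,
            "approver": self.approved_tickets.get(req.ticket, (None, None))[1],
            "allowed": allowed, "reason": reason or "approved-window",
        })
        return allowed, reason or "approved-window"

    def history(self, customer_instance: str) -> list:
        """Full trace of access decisions for one customer's environment."""
        return [e for e in self.audit_log if e["instance"] == customer_instance]
```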
Administrative Access Audits
Privileged access to sensitive resources is restricted to defined users whose role requires the access and who are approved by OneStream management. This access is reviewed on a periodic basis by the OneStream Compliance department. Audit logs are retained for a period of no less than twelve (12) months.
Intrusion Detection
To protect against online threats, OneStream provides anti-malware for Cloud Instance resources, such as virtual machines, containers, and select services. Our third-party cloud services providers also employ industry-standard intrusion detection, (distributed) denial-of-service (DDoS) attack prevention, regular penetration testing, data analytics, and machine learning tools to mitigate threats against the underlying infrastructure.
Data Center Physical Security Controls
Data centers managed by OneStream’s third-party cloud service providers have extensive layers of protection including, but not limited to: access approval, at the facility’s perimeter, at the building’s perimeter, inside the building, and on the data center floor. This layered approach reduces the risk of unauthorized users gaining physical access to data and the data center resources. In addition, our third-party cloud services providers are ISO 27001 compliant and regularly audited to ensure compliance with applicable standards, including SOC1 and SOC2 reporting standards.