Frequently asked questions

What is Firefly?

Firefly is a Cloud Asset Management solution that enables Cloud Owners to discover their entire cloud and better manage it.

How does Firefly help with cloud management?

One of the key metrics that Firefly shows its customers is the IaC Coverage status of their cloud and which cloud assets are Codified, Unmanaged, Drifted, or Out-of-Sync (Ghost). To do so, Firefly seamlessly scans the customer’s cloud accounts (and Kubernetes clusters), and the Infrastructure-as-Code files associated with it.

What type of data access does Firefly need?

To enable cloud scanning, Firefly asks for a Read-Only permission set, which allows the scanning for the configuration of cloud resources, and not their data. For example, Firefly will know about the existence of a storage bucket, but can’t read or know about the objects inside it.

To discover IaC state files (and specifically Terraform’s .tfstate files), Firefly asks for Read-Only permissions [S3:GetObject] to AWS S3 Buckets which hold “.tfstate” files.

Firefly doesn't collect any personal data, PII or any data on it's customers' customers (e.g Company's customers). Firefly has Data Protection Policy that is available in Firefly's security portal as part of SOC2 Type2 compliance, The policy reviewed and updated on an annual basis by the CTO.

How does Firefly encrypt its data?

All data in transit is encrypted using SSL (TLS 1.2). The entire Firefly infrastructure is gated inside a private VPC. Connections to the Firefly (Inc. Infralight Ltd) network and databases are obtained through a secured bastion server, only accessible from within the office network. Encryption between Infralight Ltd customers and the Infralight application is enabled using an authenticated SSL/TLS tunnel. Internet traffic is encrypted using high-class level certificates based on the PKI infrastructure.

Data at rest is encrypted using AES256 when such protections are deemed appropriate based on assessed risk. Processes are in place to protect encryption keys during generation, storage, use, and destruction.

  1. All secrets are saved in HashiCorp Vault and encrypted by it.
  2. Data is saved on ElasticSearch, which is encrypted (TLS) and SOC2 Type2 complied.
  3. We also use AWS KMS to encrypt data from DynamoDB

Who has access to the data and how?

  1. Production data access is limited to SRE & production engineers and engineering leadership such as the CTO & VP of Engineering.
  2. Firefly has implemented a recertification process to help ensure that only authorized personnel have access to the production interface, servers, environments, and databases.
  3. Users, administrators, and permissions with the different environments (servers, database, and application) are reviewed and approved by the Firefly's CTO on a quarterly basis.
  4. Employees whose job functions have changed and therefore no longer require access to a group of user permissions will have their access disabled or modified as needed. Remote access to the production system is only accessible through a VPN (Axis Security) for authorized personnel.