New Relic is in the business of helping our customers understand and improve the performance of their applications. With that said, we understand that performance isn’t the only application characteristic that our customers are concerned with; security and privacy can be equally important. Our customers have a responsibility to protect both their own data, as well as that of their customers. As part of our customers’ ecosystem that responsibility extends to New Relic. Many of our customers operate in regulated environments, be it PCI, HIPAA or SOX, and New Relic needs to ensure that our offering does not interfere or jeopardize our customers’ compliance requirements. We understand and take these responsibilities seriously, and have always had security at the forefront of our development and operations processes.
New Relic provides our customers with complete control over what, if any, sensitive data is sent to New Relic. We strongly believe in the concept of “secure by default,” meaning that customers have to explicitly enable the sending of this type of data. We recently added an Enterprise Security Mode that lets companies lock down the available security options so that their own employees cannot accidentally enable the transmission of sensitive data.
We have always taken steps to ensure that, once your performance data is sent to our servers, it is appropriately protected. The infrastructure that runs the New Relic service and stores our customers’ data resides in a Tier III, SSAE-16 certified data center. On top of that, we perform continuous security scanning on both our network and applications to ensure that our applications and servers remain secure.
As we continue to grow as a business, running a secure SaaS offering remains a vital factor in our success. Most recently, we have taken three significant steps regarding security that I’d like to share.
First, we hired a dedicated Director of Information Security and Compliance (yours truly). My role is to ensure that we not only maintain, but continuously improve our security posture. I work with the entire organization — everyone from developers and operations staff to support and marketing — to ensure that we understand and address our security responsibilities and risks.
Second, we have created a new security page, trust.newrelic.com, where we can provide our customers with information about our security capabilities and how to best configure New Relic to meet their security requirements.
Finally (and I think this is the most exciting,) New Relic has just successfully completed our first SOC 2 audit of processes and controls relevant to security and availability! Officially, a SOC 2 is an audit that reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. In practice, this is similar to the old SAS 70 audits, but unlike SAS 70, which only verified that the controls and processes that a company had put in place were actually followed, the SOC 2 actually provides a minimal set of security standards that must be followed. This set of standards is known as the Trust Services Principles and Criteria. By putting ourselves through the SOC 2 audit process and by holding ourselves accountable to the Trust Services Principles and Criteria, New Relic is able to provide both ourselves, and more importantly, our customers an independent, third-party assurance that we are in fact taking the appropriate steps to protect our systems and our customer’s data.
We are excited and proud of our recent accomplishments regarding security. As I hope you can tell from this post, security is extremely important to New Relic and I am proud to say that we will continue to raise the security bar in the future.