Shared Responsibility Model
Security and Compliance is a shared responsibility between AWS, Rhythm, and the customer. Rhythm is a serverless platform, which shifts the line of responsibility between AWS and Rhythm when compared to other cloud-based software. Only with a serverless platform like Rhythm does AWS take responsibility for operating system hardening, patching, and runtime environments, among other activities. Ultimately, this gives both Rhythm and Rhythm customers a stronger security posture, higher availability, and peace of mind. It is important to understand that not all cloud software is built the same way, and that the cloud architecture of an AMS determines where the lines in the Shared Responsibility Model fall.
Security of the Cloud
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This includes the hardware, software, networking, and facilities that power AWS Cloud services. For most cloud software, this is where AWS's responsibility ends. However, because Rhythm is a serverless platform, AWS also takes responsibility for the security of compute resources, execution environments, language runtimes, and operating systems, a unique benefit of Rhythm among cloud-based AMSes.
Security in the Cloud
Rhythm is responsible for securely developing and deploying the code that makes up Rhythm. Further, Rhythm is responsible for ensuring that the AWS Cloud services used by Rhythm are configured in a secure manner. To ensure this, all cloud configurations are defined in Infrastructure-as-Code (IaC) templates subject to the same storage, versioning, and review as all of Rhythm's source code. Changes to either the code or the configuration are verified and deployed into an AWS account that is secured using Identity and Access Management tools such as Single Sign-On, temporary access tokens, and Multi-Factor Authentication (MFA). Finally, Rhythm is responsible for the secure backup of customer data in accordance with Rhythm's Backup Policy, Data Protection Policy, Data Retention Policy, and Terms of Service.
Security of your Rhythm account
Rhythm customers are responsible for the integrity of staff user accounts, member user accounts, Rhythm configuration, and data. It is the customer's responsibility to define, and ensure compliance with, policies for creating and managing the credentials used to access Rhythm. Among other industry best practices, these policies might include mandatory password complexity, a prohibition on shared accounts, designated administrator accounts, console MFA, and approved password management software. Customers are also responsible for ensuring that all Rhythm configuration and data conform to their organization's security policies. For example, customer security policies might affect the configuration of a scheduled query, the Roles and Permissions assigned to a user, the data elements collected on a form, or the Security Policies applied to a portal page.