Grafana Cloud security: Three common cloud security myths debunked

Grafana Security Advisory

Grafana Cloud offers organizations an end-to-end observability platform, without the overhead of building and maintaining their own observability stack. We’re constantly shipping new Grafana Cloud features to ensure users get the most out of the fully managed platform, which is powered by our open source Grafana LGTM Stack (Loki for logs, Grafana for visualization, Tempo for traces, and Mimir for metrics).

But despite all the benefits and powerful capabilities that Grafana Cloud provides, we still get questions (rightfully so) from prospective users about whether a cloud-hosted platform is secure enough for sensitive data and critical operations. 

The short answer is yes, but we hear you. That’s why, in this blog post, we want to outline — and debunk — three common security myths we’ve heard about cloud platforms, and explain how Grafana Labs is committed to maintaining the highest standards of data privacy and security in Grafana Cloud.

Debunking cloud security myths 

Myth 1: In a multi-tenant environment, there’s a risk of my confidential data being accessed by others.

The facts: Even in a multi-tenant environment, your data is isolated and protected. You can trust the barriers that keep your information private.

Grafana Cloud employs multi-tenancy for database backends Mimir, Loki, and Tempo. Data is separated using a tenant ID on all read and write operations, managed through the X-Scope-OrgID header. This ensures dedicated storage and access pathways for each tenant’s data.

To prevent cross-tenant data access, Grafana Cloud’s gateway and authentication services validate your credentials against the tenant ID. Only after verification does the system grant access to the relevant database. You can define granular access policies for your tenants and issue tokens that further scope access, ensuring that queries only return data associated with the correct tenant token.

Each database instance, or “cell,” is allocated a unique object storage bucket. Within these buckets, all objects are tagged with the tenant ID, which guarantees that data belonging to one tenant is stored and retrieved independently of others.

This architecture ensures that your data in Grafana Cloud remains secure and isolated, upholding strict data confidentiality across a shared environment.
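The isolation model described above (a tenant ID carried in the X-Scope-OrgID header, a gateway that checks the presented token against that tenant and its access policy, and per-cell object storage keyed by tenant) can be sketched in a few dozen lines. The following is an added illustrative example, not Grafana Cloud's own code: the token table, the scope names, the `CellStore` class and the `attempt` helper are all constructed for the example, and a real gateway would hold credential hashes rather than literal tokens.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    """What a token may do, and for which tenant."""
    tenant_id: str
    scopes: frozenset


# Constructed token table for the example (placeholder values).
# A real gateway would keep token hashes in a credential store.
TOKENS = {
    "tok-acme-rw": AccessPolicy("acme", frozenset({"metrics:read", "metrics:write"})),
    "tok-acme-ro": AccessPolicy("acme", frozenset({"metrics:read"})),
    "tok-globex-rw": AccessPolicy("globex", frozenset({"metrics:read", "metrics:write"})),
}


class Unauthorized(Exception):
    """No usable credential was presented."""


class Forbidden(Exception):
    """Credential is valid, but not for this tenant or this operation."""


def lookup_token(token: str):
    # Compare against every stored token in constant time, so response
    # timing does not reveal how much of a guessed token was correct.
    match = None
    for stored, policy in TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            match = policy
    return match


def authorize(headers: dict, required_scope: str) -> str:
    """Gateway check: return the tenant ID this request may act on.

    The tenant named in X-Scope-OrgID must be the tenant the token was
    issued for, and the token must carry the scope the operation needs.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    policy = lookup_token(auth[len("Bearer "):])
    if policy is None:
        raise Unauthorized("unknown token")
    tenant = headers.get("X-Scope-OrgID")
    if not tenant:
        raise Unauthorized("missing X-Scope-OrgID header")
    if tenant != policy.tenant_id:
        raise Forbidden(f"token is not valid for tenant {tenant!r}")
    if required_scope not in policy.scopes:
        raise Forbidden(f"token lacks scope {required_scope!r}")
    return tenant


class CellStore:
    """One storage 'cell': every object key is prefixed with the tenant ID,
    so reads, writes and listings only ever touch the caller's own prefix."""

    def __init__(self):
        self.objects = {}

    def write(self, headers, name, data):
        tenant = authorize(headers, "metrics:write")
        self.objects[f"{tenant}/{name}"] = data

    def read(self, headers, name):
        tenant = authorize(headers, "metrics:read")
        return self.objects.get(f"{tenant}/{name}")

    def list_names(self, headers):
        tenant = authorize(headers, "metrics:read")
        prefix = f"{tenant}/"
        return sorted(k[len(prefix):] for k in self.objects if k.startswith(prefix))


def attempt(fn, *args):
    """Run a store operation and report the outcome as a (label, detail) pair."""
    try:
        return ("ok", fn(*args))
    except Unauthorized as e:
        return ("unauthorized", str(e))
    except Forbidden as e:
        return ("forbidden", str(e))


if __name__ == "__main__":
    store = CellStore()
    acme = {"Authorization": "Bearer tok-acme-rw", "X-Scope-OrgID": "acme"}
    globex = {"Authorization": "Bearer tok-globex-rw", "X-Scope-OrgID": "globex"}
    store.write(acme, "block-001", b"acme series")
    store.write(globex, "block-001", b"globex series")
    print(attempt(store.read, acme, "block-001"))
    # A globex token presented with acme's tenant ID is refused at the gateway.
    print(attempt(store.read, {**globex, "X-Scope-OrgID": "acme"}, "block-001"))
    # A read-only acme token cannot write.
    print(attempt(store.write, {**acme, "Authorization": "Bearer tok-acme-ro"}, "x", b""))
    print(attempt(store.list_names, globex))
```

Two properties matter here and both are checked before any storage call: the header alone never selects the tenant (it must agree with the tenant the token was issued for), and the storage layer never sees a key outside the authorized tenant's prefix, so a listing or read from one tenant cannot return another tenant's objects even if the object names collide.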

Myth 2: I’ll need to expose IP address ranges in order to integrate and visualize data from private data sources, hosted either on premises or within a virtual private cloud (VPC).

The facts: When you bring your private data sources into Grafana Cloud, your IP ranges stay private. You benefit from secure, encrypted connections that prioritize your data’s confidentiality.

You might be concerned about visualizing sensitive data sources from on premises or a VPC in Grafana Cloud, especially if it means whitelisting wide IP address ranges. Grafana Cloud addresses this through a capability called Private data source connect (PDC), which enables you to forge a secure connection between your private networks and your Grafana Cloud stack.

This allows you to securely visualize and alert on your data without the need to expose a swath of IP addresses.

Myth 3: Cloud platforms, in general, don’t meet the same rigorous security standards as on-premises systems.

The facts: With Grafana Cloud, your data benefits from the latest security practices to keep your information safe.

Grafana Cloud undergoes annual audits by external specialists to achieve both ISO 27001:2022 and SOC 2 Type 2 certifications. These certifications reflect our commitment to the highest standards of security practices, adhering to a proven industry framework encompassing security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 Type 2 certification, particularly, signifies operational consistency and reliability over time. It means that Grafana Cloud is regularly audited in detail, with security measures evaluated over a 12-month period by A-Lign Assurance, the premier firm in SOC reporting worldwide. For an in-depth look at our security practices, our latest SOC 2 Type 2 report is available upon request.

In pursuit of comprehensive compliance, Grafana Cloud also meets a host of other standard industry frameworks, including CSA STAR, GDPR, ISO 27001/27017 SoA, Microsoft SSPA, and PCI DSS. Our ISO 27001 certification, performed by an accredited body, is globally recognized and attests to our strong commitment to information security and risk management. This certification has been recently updated to the new 2022 standards, which introduce enhanced controls for cloud security and threat management.

Beyond certifications and pen-testing, Grafana Labs maintains a clear record of security advisories that have been addressed and hosts a proactive bug bounty program. Managed by our dedicated in-house team, this program strengthens our ties with the threat research community, providing rewards for valuable contributions and recognizing individuals in a hall of fame.

Our experience has shown that once organizations understand the extent of our security measures, they often proceed with their migration to Grafana Cloud. It supports their cloud-first initiatives and enables them to leverage the full breadth of features and services we offer. Many also report a reduction in operational risk, particularly as they no longer need to manage patching independently.

Sign up for our Grafana Cloud free-forever tier to get started securely observing your critical data today!
