Security measures on the Nebius AI side
Here you'll find information about how the cloud platform operation and security processes work.
Asset inventory
Nebius AI has a process for taking asset inventory, including accounting for systems that process customer data. Rules for using information and assets related to information processing are fixed in internal documents and regularly made clear to employees. When dismissed, employees return all corporate assets. System access permissions are revoked automatically.
Assets are classified in accordance with the legal requirements. The classification takes into account the value of information and negative consequences in the event of its unauthorized modification or disclosure.
Requirements for handling different classes of data are specified in the rules for the acceptable use of information and assets. Data carriers that are unfit for use or no longer needed are removed from operation in accordance with internal regulations.
Access control
Nebius AI team members only have access to the resources they require to perform their duties (the need-to-know principle). Permissions are granted according to the principle of least privilege.
Physical security
Nebius AI takes the following measures to ensure physical security:
- Access to data centers is strictly regulated. Guests and Nebius AI members who don't permanently work there may only enter the premises if permission is granted ahead of time.
- Access to the cloud service facilities (racks, lockers, diagnostic areas) are under continuous video surveillance.
- Video camera recordings are stored for at least one month and can be accessed whenever required.
- The Nebius AI security team controls access to secure areas and service racks.
- Nebius AI customer data stored on disks must be encrypted.
- Malfunctioning equipment is only replaced upon request. Data is deleted from carriers when the equipment is removed from operation or reused.
- Faulty equipment is stored in the controlled zone. It may only be removed from the premises after the appropriate request is approved.
Internal and external audits, penetration tests
Nebius AI regularly conducts internal and external audits and penetration tests to check the efficiency of the existing processes for ensuring information security and improves them.
- The Nebius AI security team engages external experts to perform penetration testing. Vulnerabilities detected through regular penetration tests are fixed by development teams or, if it is impossible to quickly release an update, patched with appropriate security tools before a fix is released.
Incident response
Nebius AI has an incident management policy. Information security (IS) incidents are managed by the Information security department. If required, employees from relevant departments provide legal, administrative, and expert support. One of the main objectives of the Information security department is to conduct procedures to improve security:
- Collecting IS events from monitoring tools, user messages, and other sources.
- Detecting IS incidents based on automated tools, as well as the knowledge and expertise of Information security employees.
- Responding to IS incidents based on a standard response plan. If there is no such plan, experts are involved in incident management.
- IS incidents are analyzed immediately after their consequences are eliminated.
- Corrective actions based on the analysis results.
Notifying customers
Situations where the customer needs to be notified of incidents are specified in the agreement. If required, notification is sent within 48 hours as an email.
It's written by the incident manager appointed when the incident is registered. The message describes the nature of the incident, its possible consequences, and measures taken (or planned) to address them. The incident manager agrees the message content with the employees in charge and sends it to the support service.
Emails are sent in English. If the customer can prevent the incident or reduce its consequences, the notification describes the measures they can take.
Nebius AI HR measures
Nebius AI holds events for Nebius AI employees to mitigate possible information security risks associated with their actions.
- Nebius AI carries background verification checks on all candidates for employment.
- Employees are familiarized with the requirements of internal policies and regulations, including the Nebius AI Information Security Policy and Nebius AI Personal Data Processing Regulations.
- Permissions are reviewed every six months.
- When an employee quits or takes a different job within the company, permissions to access information resources are automatically revoked.
- Passwords are checked for compliance with the password policy. We regularly evaluate password strength and make sure passwords aren't found in common dictionaries.
Cloud platform infrastructure security
Resource separation and isolation
Nebius AI isolates administrative and user resources as follows:
- Physical isolation using host groups. Services that are critical in terms of security are run on VMs using a separate group of physical hosts where no user VMs are run.
- Logical isolation at the hypervisor and individual core level. Sometimes the administrative workload can be run on hosts where user VMs reside. In this case, isolation is implemented at the hypervisor and physical core level.
- Logical isolation using Identity and Access Management (IAM). All administrative operations are performed through IAM. This requires special permissions that aren't granted to Nebius AI users.
- Network-level isolation. All administrative VMs run in physically or logically isolated networks. A provider's corporate network is separated from the cloud platform network. Access control is carried out automatically using dynamic and host firewalls and access control lists (ACL) on routers.
- In multi-tenant systems, isolation is implemented at the application level and by verifying cloud and folder access rights of the user performing operations with the resources.
Protecting employee credentials
Authentication on corporate resources that aren't linked to the cloud infrastructure is based on the world's best practices:
- All authentication events are collected and analyzed for possible identity theft.
- Nebius AI uses anti-phishing techniques.
- The company has a password policy.
- External access to the resources requires a VPN connection or two-factor authentication.
- We regularly check password strength.
Authentication on corporate resources that are linked to the cloud infrastructure is more strict:
- Access rights are requested separately and need to be approved by an information security department employee.
- To access the production environment, you must use a hardware token.
- Authentication on production environment web resources is done via the WebAuthn protocol. SSH authentication uses certificates.
- A certificate-linked private key stays on the hardware token.
- The hardware token is additionally protected by the user's PIN or biometrics.
- Access to the production environment is provided through the bastion host. All user sessions are logged and saved.
Strict authentication measures using hardware tokens increase the security of user credentials. Even if an employee's machine is compromised, an attacker won't be able to steal and re-use their credentials. It's unlikely that an account will be compromised through phishing.
Protecting user information
Information about users is provided to the Nebius AI team on a need-to-know basis. This means that user information is only available to those departments that require it to perform their duties. User information processing and storage systems use authentication, authorization, and record action logging.
User information includes:
- User action (operation) logs.
- Console access logs.
- Technical information about the status of user services.
- Financial and resource consumption information.
The rights to access the above information are restricted by default and regularly reviewed by the information security department. Systems for storing and processing this information are created based on the Security Development Lifecycle and are regularly subject to internal penetration testing. If possible, user information is encrypted during storage and transmission.