It seems like every day some major new vulnerability or data breach gets reported in the world of cloud-native, leaving enterprise customers scrambling for a fix.
Sometimes the crisis is the result of a sophisticated hack by a powerful nation-state. At other times? Well, human error, unprotected repos, hardcoded secrets, critical bugs… they leave the door wide open.
When your company’s own security posture depends on third-party vendors taking risk seriously, you can understand why IT buyers make security such a big part of the purchase decision:
- Security was ranked the #1 software buying consideration in G2’s 2024 survey of 1,900+ decision-makers, with 81% saying they check a vendor’s breach history, and 80% requiring a security assessment.
- 99% say external privacy certifications matter when choosing a vendor, according to Cisco’s 2025 Data Privacy Benchmark.
- 31% cite compliance capabilities as a ‘decisive factor’ in final vendor selection, says the Kiteworks Buyer Behavior Survey.
Here at Spectro Cloud we’ve seen this first hand. Almost every customer that engages us has a security assessment they need to conduct (and we wouldn’t have it any other way).
So we thought it would be good to share some behind-the-scenes insights into the work we do to keep customers like you safe. At Spectro Cloud, security isn’t a checkbox. We embed it in our culture, our technology, people, processes, and every relationship we build with our customers.
Our security culture
Like any reputable software vendor, we have a dedicated security team within our engineering function, and a separate security, privacy and compliance team tasked with companywide risk management.
But we’re fond of saying that security is everyone’s job. Security truly is a collective responsibility woven into the fabric of how we operate. Every team member receives ongoing training, and contributes to maintaining secure systems and processes.
Security starts with transparent communication, inside and out. We encourage security reporting — for example, for phishing attempts — as part of our daily companywide culture, from marketing and finance to support and customer success.
Spectro Cloud maintains a proactive vulnerability management program that is focused on continuously monitoring, identifying, and remediating risks across all our product components, including open-source and third-party dependencies. Vulnerabilities are prioritized using NIST CVE severity ratings, verified through testing, and communicated via our public facing Security Bulletins and Advisories page. That means as a customer you’re not in the dark: we know there’s no such thing as perfect software, particularly in the fast-moving cloud native world, and being informed is vital.
In addition to our own internal testing, we are proud to have run a bug bounty program for years, putting our software and public-facing digital footprint under constant attack from white-hat security experts. We have recently expanded this program to include year-round pentesting by a leading security services company.
Putting ourselves in the spotlight
You may have seen us shouting about all the certifications and schemes we participate in — most recently that we earned FedRAMP Moderate In Process, FedRAMP 20x Low ATO, and FIPS 140-3 validation for our Palette VerteX edition.
These — and others like AICPA’s SOC 2 Type 2 and ISO 27001:2022 — are not just marketing logos to stick on our website. They are the final result of long, thorough independent assessments of our business practices and product security, indicating that we verifiably and repeatably comply with best practice frameworks, and apply literally hundreds of different security controls across our operations.
Very few tech vendors, especially those our size, go to the trouble of validating their security in this way… and we would go further and hazard that very few would pass if they did put themselves to the test.
Core security guidelines
At its foundation, security is about controlling who can access data, what they can do with it, and when — viewing this from both an operational and product perspective.
We've built our framework on the CIA Triad: Confidentiality, Integrity, and Availability, extended with Authentication, Authorization, and Auditing (AAA) to ensure comprehensive protection across everything we do.
We apply several guiding principles that go beyond the basics:
- Secure by Design: We build security into every stage of product development, not as an add-on.
- Secure by Default: Palette, our product, is secure right out of the box, featuring MFA, audit logging, and access controls.
- Defense in Depth: Multiple, redundant layers of protection guard every system and process.
- Least Privilege: Every user and service has only the access necessary to perform their job, nothing more.
- Secrets Management: Secure credential storage, dynamic secret rotation, MFA, and SSO integration.
- Continuous Improvement: Regular testing, internal audits, and external validation keep our security posture evolving.
Digging into Palette’s product security
OK, principles are good, but you want a little more detail, we get it. When you buy a product like Palette that sits in your infrastructure, where all your apps and data live… you want to know that it’s not going to be a weak spot for hackers to target.
Every component of Palette is designed with layered protection, combining hardened infrastructure, secure configurations, and strong encryption to safeguard your environments across all deployment models. Our customer success teams work with you during deployment and provide knowledge transfer to help you configure and maintain Palette in a secure state, from RBAC configurations to Zero-trust and everything in between.
Zero-trust architecture
With Palette, we follow a zero-trust model. No user, service, or system is trusted by default. Palette authenticates and authorizes every interaction, using identity verification, multi-factor authentication, and token-based access. Combined with granular role-based controls and network isolation, this ensures only verified, least-privilege entities can access critical workloads.
Infrastructure security
Palette applies defense-in-depth across its multi-layer architecture, from cloud and OS to containers and Kubernetes. Each layer is hardened and validated to industry standards. Data is encrypted at rest and in transit, ensuring confidentiality and integrity across all customer environments.
Role-based access control (RBAC) and user management
Palette enforces a least-privilege model with role-based access control (RBAC) and attribute-based access control (ABAC). With support for SAML and OIDC single sign-on, organizations can integrate Palette with existing enterprise identity providers. The result is secure, centralized access management that maintains flexibility and compliance across teams.
Workload isolation and Virtual Clusters
At Spectro Cloud, we isolate workloads and limit team access across dedicated clusters to minimize the risk of compromised credentials. Palette’s multicluster architecture makes this simple across environments. With Virtual Clusters, teams can quickly spin up isolated CI/CD or development environments, maintaining strong separation without unnecessary complexity.
Data encryption
Palette protects data through encryption at rest and in transit. Each tenant’s data is isolated with unique cryptographic keys, protected through TLS-secured communication, and stored securely. All inter-service, database, and cluster traffic is authenticated and encrypted to preserve confidentiality, integrity, and trust.
Network security
Palette provides security and flexibility across all our supported deployment models: SaaS, self-hosted, and tenant clusters.
- SaaS deployments use isolated virtual networks and secure communication channels.
- Self-hosted environments generate and manage their own keys and certificates behind enterprise firewalls.
- Tenant clusters combine hardened OS, container, and Kubernetes configurations with a shared responsibility model between Spectro Cloud and customers for ongoing compliance.
Edge security
Edge computing environments are a common entry point for hackers, who benefit from physical access to tamper with devices and gain access.
We have spent years building up a rich set of edge-specific security capabilities to help our customers guard against these risks, even publishing an architecture document (the Secure Edge-Native Architecture) cataloging the principles and controls we believe edge deployments should follow.
Using Kairos-hardened operating systems, Trusted Boot, and Full Disk Encryption, Palette ensures integrity from power-on to workload. Our immutable OS and air-gapped capabilities enable secure, autonomous operation even in zero-connectivity environments, protecting edge workloads with the same rigor as core data centers. And our A/B partition-based upgrade approach means you can quickly apply a new (even untested) patch for a vulnerability in any of your edge software, without worrying about the risk of bricking your edge devices.
These are just a few of the key components of our product security posture. For more information, visit our Spectro Cloud Security Documentation.
Enabling security and compliance for regulated industries
With Palette VerteX, Spectro Cloud extends enterprise-grade security to government and regulated industries. VerteX meets stringent compliance standards, including FIPS 140-3 validation and FedRAMP Moderate (in process) readiness.
It enables secure, compliant Kubernetes deployments across clouds, data centers, and air-gapped environments, providing mission-grade protection and control from the management plane to the edge. Organizations can deploy confidently, knowing every layer of their stack is validated for the most demanding operational standards.
Why do we do all this?
Spectro Cloud is a security-focused organization. From how we train our teams to how we design Palette and Palette VerteX, security is at the heart of every decision we make. We continuously monitor, test, and refine our practices to stay ahead of emerging threats. Our mission is straightforward: to empower customers to innovate confidently, securely, and without compromise.
Why do we do this? Because we know that security-conscious organizations like yours are looking for a partner they can trust with the infrastructure that runs their business.
Our customers depend on Spectro Cloud to turn security into an advantage. A strong security culture means teams can innovate faster, reduce risk, and meet compliance requirements with confidence.
The end result is that you can:
- Accelerate innovation: Deliver modern and AI workloads securely and at scale.
- Simplify compliance: Automate controls across ISO 27001, SOC 2, and FedRAMP frameworks.
- Protect business value: Reduce exposure to vulnerabilities, data loss, and service downtime.
- Build resilience: Ensure continuity and availability under changing threat conditions.
We’ve covered a lot of ground in this blog, but there is plenty more to say. If you’re interested in learning more about our approach to security, the Spectro Cloud Security Documentation is a great next step. You can also reach out to us at any time with questions.