Security

Fugoku Cloud is built with security at every layer — from physical infrastructure to application-level isolation.

Architecture

Tenant Isolation

Every customer's resources run in fully isolated environments:

• Dedicated compute — your VMs run on isolated hypervisor instances, never shared
• Network isolation — private networks are segmented at the hardware level using VLANs and software-defined networking
• Storage encryption — all block storage volumes are encrypted at rest with AES-256

Zero-Trust Networking

• All internal service communication is encrypted with mTLS
• No implicit trust between network segments
• API access requires authentication on every request

Identity & Access Management

User Accounts

Account Types:

• Owner — full control over account, billing, and resources
• Admin — manage resources, but cannot modify billing or delete account
• Developer — create/manage instances and resources
• Viewer — read-only access to resources

Console: Account → Team → Invite Member

CLI:

# Invite team member
fugoku team invite user@example.com --role developer

# List team members
fugoku team list

# Change role
fugoku team update user@example.com --role admin

# Remove member
fugoku team remove user@example.com

Role-Based Access Control (RBAC)

Permissions are scoped by role:

API Token Management

API tokens are scoped credentials for programmatic access.

Token Scopes:

• read — Read-only access to all resources
• write — Full read/write access to resources (default)
• admin — Full control including account settings

Creating Tokens:

Console: Account → API Credentials → Create Token

CLI:

# Create read-only token
fugoku auth create-token --name ci-readonly --scope read

# Create token with expiration
fugoku auth create-token --name temp --expires 7d

# List all tokens
fugoku auth list-tokens

# Revoke token
fugoku auth revoke-token token-abc123

API:

curl -X POST https://api.fugoku.com/v1/auth/tokens \
  -H "Authorization: Bearer $FUGOKU_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-pipeline",
    "scope": "read",
    "expires_at": "2024-12-31T23:59:59Z"
  }'

Best Practices:

• Use separate tokens for different applications
• Set expiration dates for temporary access
• Use read-only tokens when write access not needed
• Rotate tokens quarterly
• Never commit tokens to version control
• Store in secret management (Vault, AWS Secrets Manager, etc.)

API Token Rotation

Zero-downtime rotation:

1. Create new token
2. Update applications to use new token
3. Verify new token works
4. Revoke old token

Automated rotation:

#!/bin/bash
# Example rotation script

# Create new token
NEW_TOKEN=$(fugoku auth create-token --name app-prod --scope write --output json | jq -r '.token')

# Update application config
kubectl set env deployment/app API_TOKEN=$NEW_TOKEN

# Wait for rollout
kubectl rollout status deployment/app

# Revoke old token (stored in OLD_TOKEN variable)
fugoku auth revoke-token $OLD_TOKEN

SSH Key Management

Adding SSH Keys

Console: Account → SSH Keys → Add Key

CLI:

# Add key
fugoku ssh-keys add --name laptop ~/.ssh/id_rsa.pub

# List keys
fugoku ssh-keys list

# Delete key
fugoku ssh-keys delete laptop

API:

curl -X POST https://api.fugoku.com/v1/account/ssh-keys \
  -H "Authorization: Bearer $FUGOKU_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "laptop",
    "public_key": "ssh-rsa AAAAB3NzaC1yc2E... user@laptop"
  }'

Key Rotation

Best practice: Rotate SSH keys every 6-12 months.

Process:

1. Generate new key pair on your machine
2. Add new public key to Fugoku account
3. Update instances to include new key in ~/.ssh/authorized_keys
4. Verify SSH access with new key
5. Remove old key from account

Automated rotation with Ansible:

---
- name: Rotate SSH keys on instances
  hosts: all
  tasks:
    - name: Add new SSH key
      authorized_key:
        user: ubuntu
        key: "{{ lookup('file', '~/.ssh/new_key.pub') }}"
        state: present
    
    - name: Remove old SSH key
      authorized_key:
        user: ubuntu
        key: "{{ lookup('file', '~/.ssh/old_key.pub') }}"
        state: absent

SSH Key Security

Supported key types:

• RSA 2048-bit or higher (recommended: 4096-bit)
• Ed25519 (recommended for new keys)
• ECDSA 256-bit or higher

Weak keys rejected:

• RSA below 2048-bit
• DSA keys (deprecated)
• Keys without passphrases (warning issued)

Generate secure key:

# Ed25519 (modern, secure)
ssh-keygen -t ed25519 -C "user@laptop"

# RSA 4096-bit
ssh-keygen -t rsa -b 4096 -C "user@laptop"

Always use a strong passphrase to protect private keys.

Two-Factor Authentication (2FA)

Enabling 2FA

Console: Account → Security → Enable 2FA

Supported methods:

• TOTP authenticator apps (Google Authenticator, Authy, 1Password)
• Hardware security keys (YubiKey, Titan)
• SMS (backup only, less secure)

CLI:

# Enable 2FA
fugoku auth enable-2fa
# Follow prompts to scan QR code with authenticator app

# View recovery codes
fugoku auth recovery-codes

# Regenerate recovery codes
fugoku auth recovery-codes --regenerate

Recovery Codes

When enabling 2FA, you receive 10 single-use recovery codes.

Store securely:

• Password manager
• Encrypted file
• Physical safe

Using recovery code: Login normally, then enter recovery code when prompted for 2FA token.

Each code can only be used once. Regenerate after using 5+ codes.

Hardware Security Keys

Supported protocols:

• FIDO U2F
• WebAuthn
• FIDO2

Adding hardware key:

1. Console → Account → Security → Hardware Keys
2. Click Add Key
3. Insert hardware key
4. Follow browser prompts
5. Name the key (e.g., "YubiKey 5C")

Best practice: Register 2+ hardware keys in case one is lost.

2FA for Team Members

Owner/Admin can enforce 2FA:

Console: Account → Team → Security Settings → Require 2FA

CLI:

fugoku team settings --require-2fa

Enforcement:

• All team members must enable 2FA within 7 days
• Cannot access account without 2FA after deadline
• New members must enable 2FA on first login

Encryption

Data at Rest

All data stored on Fugoku Cloud is encrypted:

Key rotation: Encryption keys are automatically rotated every 90 days.

Bring Your Own Key (BYOK) - Coming Q3 2026: Use your own KMS keys from AWS KMS, Google Cloud KMS, or HashiCorp Vault.

Data in Transit

• All API traffic uses TLS 1.3
• Inter-node communication encrypted with mTLS
• VPN tunnels available for hybrid connectivity
• SSH connections use strong ciphers only (AES-256-GCM, ChaCha20-Poly1305)

TLS Configuration:

# Check TLS version on API endpoint
curl -vI https://api.fugoku.com/v1/status 2>&1 | grep "TLS"
# Output: TLS 1.3

Weak ciphers disabled:

• SSLv3, TLS 1.0, TLS 1.1 (deprecated)
• RC4, 3DES (insecure)
• CBC mode ciphers (vulnerable to timing attacks)

Data in Compute

• GPU memory is cleared between tenant allocations
• VM memory is zeroed on deallocation
• Disk blocks are crypto-erased on volume deletion (keys destroyed, not data overwritten)

Secure deletion:

# Delete volume with crypto-erase
fugoku volumes delete my-data --confirm
# Encryption keys destroyed immediately, data unrecoverable

Network Security

Firewalls

Cloud firewalls are stateful and support IPv4/IPv6.

Default policy: Deny all inbound, allow all outbound.

Console: Networking → Firewalls → Create Rule

CLI:

# Allow SSH from specific IP
fugoku firewall add-rule \
  --direction ingress \
  --protocol tcp \
  --port 22 \
  --source 203.0.113.0/24

# Allow HTTPS from anywhere
fugoku firewall add-rule \
  --direction ingress \
  --protocol tcp \
  --port 443 \
  --source 0.0.0.0/0

# Allow PostgreSQL only from private network
fugoku firewall add-rule \
  --direction ingress \
  --protocol tcp \
  --port 5432 \
  --source 10.10.0.0/24

# Deny specific IP range
fugoku firewall add-rule \
  --direction ingress \
  --action deny \
  --source 192.0.2.0/24

API:

curl -X POST https://api.fugoku.com/v1/firewalls/rules \
  -H "Authorization: Bearer $FUGOKU_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "instance_id": "inst-abc123",
    "direction": "ingress",
    "protocol": "tcp",
    "port_range": "22",
    "source": "0.0.0.0/0",
    "action": "allow"
  }'

Firewall Best Practices

Principle of least privilege:

# BAD: Allow all traffic
fugoku firewall add-rule --source 0.0.0.0/0 --port 0-65535

# GOOD: Allow only required ports from specific sources
fugoku firewall add-rule --source 203.0.113.5/32 --port 22  # SSH from office
fugoku firewall add-rule --source 0.0.0.0/0 --port 443      # HTTPS from internet

Use security groups for common patterns:

# Create security group for web servers
fugoku firewall create-group web-servers \
  --rule "tcp/80/0.0.0.0/0" \
  --rule "tcp/443/0.0.0.0/0"

# Apply to instance
fugoku firewall apply web-servers --instance web-1

DDoS Protection

Every instance includes built-in DDoS mitigation:

Layer 3/4 Protection:

• Volumetric attack filtering at the network edge
• SYN flood protection
• UDP amplification mitigation
• ICMP flood filtering

Layer 7 Protection (via load balancers):

• HTTP flood protection
• Slowloris mitigation
• Request rate limiting
• Geographic blocking

Advanced DDoS Protection (Enterprise):

• Always-on traffic analysis
• 10 Tbps+ mitigation capacity
• Sub-second detection
• Custom mitigation rules

Contact enterprise@fugoku.com for Layer 7 and enterprise DDoS protection.

Security Groups

Security groups are reusable firewall templates.

Console: Networking → Security Groups → Create Group

CLI:

# Create group
fugoku security-groups create web \
  --description "Web server security group" \
  --rule "ingress tcp 80 0.0.0.0/0" \
  --rule "ingress tcp 443 0.0.0.0/0" \
  --rule "ingress tcp 22 203.0.113.0/24"

# Apply to multiple instances
fugoku security-groups apply web --instance web-1,web-2,web-3

# Update group (affects all instances)
fugoku security-groups add-rule web \
  --rule "ingress tcp 8080 0.0.0.0/0"

Use cases:

• Apply consistent rules across multiple instances
• Update rules centrally (change once, apply everywhere)
• Organize rules by application tier (web, app, database)

Private Networking

• Instances can communicate over private networks without exposing traffic to the public internet
• No bandwidth charges on private network traffic
• VLAN-based isolation between tenants

Create private network:

fugoku networks create backend \
  --subnet 10.10.0.0/24 \
  --region lagos-1

Attach instance:

fugoku networks attach backend --instance db-1

Network ACLs: Control traffic between private networks.

# Allow app network to access database network
fugoku network-acls create \
  --source-network app-net \
  --dest-network db-net \
  --protocol tcp \
  --port 5432 \
  --action allow

VPN & Hybrid Connectivity

Site-to-Site VPN: Connect your on-premises network to Fugoku Cloud.

Supported protocols:

• IPsec IKEv2
• WireGuard

Console: Networking → VPN → Create Connection

CLI:

fugoku vpn create \
  --name office-vpn \
  --remote-gateway 203.0.113.1 \
  --local-network 10.10.0.0/24 \
  --remote-network 192.168.1.0/24 \
  --preshared-key "your-secure-key"

Encryption: AES-256-GCM, ChaCha20-Poly1305

Audit Logs

Event Logging

All account and resource actions are logged:

Logged events:

• User logins (success and failures)
• API requests (all endpoints)
• Resource creation/modification/deletion
• Permission changes
• SSH key additions/removals
• Payment method updates
• Team member invitations
• 2FA enable/disable

Log retention: 90 days (standard), 1 year (enterprise)

Viewing Audit Logs

Console: Account → Security → Audit Logs

CLI:

# View recent logs
fugoku audit-logs list --limit 50

# Filter by event type
fugoku audit-logs list --event instance.delete

# Filter by user
fugoku audit-logs list --user user@example.com

# Filter by date range
fugoku audit-logs list --start 2024-02-01 --end 2024-02-29

# Export to JSON
fugoku audit-logs export --format json --output audit-feb-2024.json

API:

curl "https://api.fugoku.com/v1/audit-logs?start_date=2024-02-01&limit=100" \
  -H "Authorization: Bearer $FUGOKU_API_TOKEN"

Response:

{
  "data": {
    "events": [
      {
        "id": "evt-abc123",
        "timestamp": "2024-02-15T14:32:05Z",
        "actor": {
          "type": "user",
          "email": "user@example.com",
          "ip": "203.0.113.5"
        },
        "action": "instance.create",
        "resource": {
          "type": "instance",
          "id": "inst-xyz789",
          "name": "web-1"
        },
        "details": {
          "plan": "standard-2",
          "region": "lagos-1",
          "image": "ubuntu-22.04"
        },
        "result": "success"
      }
    ]
  }
}

Log Export & SIEM Integration

Export formats:

• JSON
• CSV
• Syslog (RFC 5424)

SIEM integrations:

• Splunk
• Datadog
• Elastic Stack
• Sumo Logic

Syslog forwarding:

fugoku audit-logs configure-syslog \
  --endpoint syslog.yourcompany.com:514 \
  --protocol tls \
  --format rfc5424

S3 export (coming Q3 2026): Automatically export logs to your S3 bucket for long-term retention.

Real-Time Alerts

Console: Account → Security → Alerts

Alert triggers:

• Failed login attempts (5+ in 10 minutes)
• API token revoked
• Instance deleted
• Firewall rule changed
• Team member added/removed
• 2FA disabled

Notification channels:

• Email
• SMS
• Webhook
• Slack
• PagerDuty

CLI:

fugoku alerts create \
  --event failed_login \
  --threshold 5 \
  --window 10m \
  --notify email:security@yourcompany.com

fugoku alerts create \
  --event instance.delete \
  --notify slack:https://hooks.slack.com/services/YOUR/WEBHOOK

Compliance

Standards & Certifications

Current compliance:

• ISO 27001 (Information Security Management)
• SOC 2 Type II (Security, Availability, Confidentiality)
• PCI DSS Level 1 (for payment processing)

In progress (2026):

• SOC 3 (public report)
• ISO 27017 (Cloud Security)
• ISO 27018 (Cloud Privacy)
• HIPAA (healthcare workloads)
• GDPR compliance framework (data residency, right to erasure)

Data Residency

Current regions:

• Lagos, Nigeria (lagos-1)
• London, UK (london-1) - Coming Q2 2026
• Frankfurt, Germany (frankfurt-1) - Coming Q3 2026

Data residency guarantee: Your data never leaves the region you select unless you explicitly configure replication.

Regional compliance:

• GDPR (EU regions) - Coming with London/Frankfurt launch
• NDPR (Nigeria Data Protection Regulation) - Active
• UK Data Protection Act - Coming with London launch

GDPR Compliance Tools

Right to erasure:

# Delete all customer data
fugoku account delete --confirm --erase-all-data
# All instances, volumes, snapshots, backups permanently deleted within 24 hours

Data export:

# Export all account data (GDPR data portability)
fugoku account export --format json --output my-data.json
# Includes: instances, volumes, audit logs, billing records

Data Processing Addendum (DPA): Available in Console → Account → Legal → Sign DPA

SOC 2 Compliance

Control framework:

• Security (firewall rules, encryption, access controls)
• Availability (99.9% SLA, redundant infrastructure)
• Confidentiality (tenant isolation, data encryption)

Audit frequency: Annual

Report availability: Request SOC 2 report: compliance@fugoku.com (requires NDA)

PCI DSS Compliance

PCI DSS Level 1 certified for payment card processing.

Shared responsibility:

• Fugoku provides: secure infrastructure, network isolation, encryption
• You provide: secure application code, PCI-compliant configuration

Compliance assistance:

• Pre-configured PCI-compliant instance templates
• Network segmentation guides
• Quarterly vulnerability scanning

Contact compliance@fugoku.com for PCI compliance consultation.

Vulnerability Management

Security Patch Management

Platform patches:

• Critical CVEs patched within 24 hours
• High-severity CVEs patched within 7 days
• Regular security updates deployed monthly

Customer instance patches: You are responsible for patching your instances.

Enable automatic updates (recommended):

# Ubuntu/Debian
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Rocky/Alma
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

Vulnerability Scanning

Free scanning (coming Q2 2026): Scan instances for known vulnerabilities.

# Run vulnerability scan
fugoku security scan instance web-1

# View scan results
fugoku security scan-results web-1 --latest

Integrations:

• Qualys
• Tenable
• Rapid7
• Snyk

Penetration Testing

Customer-initiated pen testing: Allowed with notification.

Requirements:

1. Email security@fugoku.com 7 days before test
2. Provide: test dates, source IPs, target resources, scope
3. Testing only allowed on your own resources
4. No social engineering or phishing of Fugoku staff

Professional pen testing: We can recommend certified partners.

Incident Response

Security Incident Reporting

Report security issues:

• Email: security@fugoku.com
• PGP key: Available at fugoku.com/security.txt
• Response time: <24 hours

Severity levels:

• Critical: Active exploit, data breach, account takeover
• High: Vulnerability allowing unauthorized access
• Medium: Vulnerability requiring user interaction
• Low: Minor security improvement

Incident Response Process

Fugoku's process:

1. Detection: Automated monitoring + customer reports
2. Triage: Severity assessment within 1 hour
3. Containment: Isolate affected systems
4. Investigation: Root cause analysis
5. Remediation: Patch, update, reconfigure
6. Communication: Customer notification within 24 hours
7. Post-mortem: Public incident report

Customer notification:

• Email to account owner
• Status page update (status.fugoku.com)
• Post-mortem published within 7 days

Security Advisories

Subscribe to security advisories: Console: Account → Notifications → Security Advisories

Mailing list: security-announce@fugoku.com

Best Practices

Secure Instance Configuration

1. Use SSH keys, disable password auth:

# /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes

2. Configure firewall (allow only required ports):

fugoku firewall add-rule --protocol tcp --port 22 --source YOUR_IP/32
fugoku firewall add-rule --protocol tcp --port 443 --source 0.0.0.0/0

3. Enable automatic security updates:

sudo apt install unattended-upgrades  # Ubuntu/Debian
sudo dnf install dnf-automatic        # Rocky/Alma

4. Run fail2ban to block brute force:

sudo apt install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

5. Use private networks for internal services:

# Database should NOT be on public internet
fugoku firewall add-rule --instance db-1 --action deny --source 0.0.0.0/0 --port 5432
# Only allow from app network
fugoku firewall add-rule --instance db-1 --source 10.10.0.0/24 --port 5432

API Security

1. Use environment variables for tokens:

export FUGOKU_API_TOKEN="your-token-here"

2. Use read-only tokens when possible:

fugoku auth create-token --name monitoring --scope read

3. Set expiration on temporary tokens:

fugoku auth create-token --name contractor --expires 30d

4. Rotate tokens quarterly:

# Create new token
NEW_TOKEN=$(fugoku auth create-token --name app-prod --output json | jq -r '.token')

# Update application
kubectl set env deployment/app API_TOKEN=$NEW_TOKEN

# Revoke old token after rollout
fugoku auth revoke-token $OLD_TOKEN

5. Use IP allowlisting (Enterprise):

fugoku auth configure-ip-allowlist --add 203.0.113.0/24

Account Security

1. Enable 2FA (mandatory for production):

fugoku auth enable-2fa

2. Use hardware security keys: Console → Account → Security → Add Hardware Key

3. Review team access quarterly:

fugoku team list
# Remove inactive members
fugoku team remove old-employee@example.com

4. Monitor audit logs:

fugoku audit-logs list --limit 100

5. Enable real-time alerts:

fugoku alerts create --event failed_login --threshold 5 --notify email:security@company.com

Physical Security

Fugoku Cloud infrastructure is hosted in Tier III+ data centers with:

Facility security:

• 24/7 on-site security personnel
• Biometric access controls (fingerprint + iris scan)
• Video surveillance (90-day retention)
• Mantrap entrances
• Metal detectors

Environmental controls:

• Redundant power (N+1 UPS, dual utility feeds, diesel generators)
• Redundant cooling (N+1 CRAC units)
• Fire suppression systems (VESDA + FM-200)
• Seismic bracing (earthquake zones)
• Flood protection (elevated floors)

Network security:

• Physical network segmentation
• Locked network cabinets
• Cable management and labeling
• Regular equipment audits

Reporting Vulnerabilities

If you discover a security issue, contact us at security@fugoku.com.

Responsible disclosure:

• We take all reports seriously
• Response within 24 hours
• Fix timeline: Critical (24-48h), High (7d), Medium (30d)
• Public disclosure coordinated with Fugoku team
• Security researcher recognition (with permission)

Vulnerability rewards program (coming Q3 2026):

• Critical: $500-$5,000
• High: $100-$500
• Medium: $50-$100

PGP key: Available at fugoku.com/security.txt

Bug bounty platform (coming 2026): HackerOne

Security Resources:

• Security Advisories
• Status Page
• Compliance Documentation
• Security White Paper (coming Q2 2026)

Security Contact:

• Email: security@fugoku.com
• PGP: Available at fugoku.com/security.txt
• Response time: <24 hours