Heroku Security & Compliance Resources and Features
Last updated August 10, 2023
Table of Contents
This article introduces available compliance collateral, approaches for managing compliance on the Heroku platform, and security features that can help reduce risk and meet compliance objectives.
Shared Responsibility Model & Compliance Resources
Developers around the world entrust sensitive data to Heroku, and nothing is more important to Salesforce than trust and protecting this data. However, protecting your data is a shared responsibility between Salesforce and you, our customer, as described in Heroku’s Security, Privacy and Compliance.
Heroku has leveraged the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CSA CAIQ) as a framework to help customers better understand this delineation of responsibility. In addition, Heroku has created a ‘Security Runbook’ to complement the CSA CAIQ, which provides a starting point of common configurations and considerations for securely developing compliant apps on the Heroku platform.
The CSA CAIQ + Security Runbook, Salesforce audit and compliance reports, and other compliance resources for Heroku Services such as third-party penetration testing reports are available to customers via the Salesforce Trust website (Salesforce Services login required) or via logging a compliance doc request.
A Strategic Approach to Security & Compliance
Heroku offers three application runtimes to allow you to meet different data sensitivity requirements:
- Heroku Common Runtime: Secure multi-tenant environment for low to moderately sensitive data type that provides essential data security features
- Heroku Private Spaces: Account isolated environment with defined network boundaries for moderate to high data types that provides additional data security and geographic isolation features
- Heroku Shield Private Spaces: Account isolated environment with defined network boundaries for highly regulated data types such as PCI or HIPAA data that provides enhanced data security and geographic isolation features
Heroku also offers the following Heroku managed data add-ons for your applications running in the above runtimes:
These add-ons offer a wide spectrum of plan types that allow you to meet not only performance and sizing needs, but also accommodate the different security and compliance needs for various data types.
Similar to the Heroku runtimes, add-ons will have “Private” or “Shield” plan tier options. The “Private” plan tier is designed for moderate to high data types and offers additional data security features over entry-level plan types, while a “Shield” plan offers enhanced security configurations and helps enable customers to meet highly regulated data type requirements such as Payment Card Industry (PCI) and Health Insurance Portability & Accountability Act (HIPAA).
Security and Compliance Features
Heroku offers an array of security and compliance features your organization can configure or utilize to fine-tune security controls, commensurate with your organization’s risk tolerance. These include Authentication & Access, Logging & Monitoring, Advanced Heroku App & Data Access Methods, and Encryption and Data Backups.
Authentication & Access
Single Sign-On (SSO)
SSO for Heroku allows you to use your identity provider to centralize user access and delegate authentication to Heroku’s web experience and Command Line Interface (CLI). Identity Providers can enforce custom password composition requirements and multi-factor authentication.
Multi-Factor Authentication (MFA)
If your organization isn’t ready to take advantage of SSO, MFA is available for an extra layer of security. MFA is a mandatory Heroku security feature and an effective way to increase protection for your account against common threats like phishing attacks, credential stuffing, and account takeovers.
Enterprise Accounts and Enterprise Teams
These Heroku Enterprise features allow for easier management of groups of users and the ability to implement the concept of least privilege through allowing your organization to grant fine-grained permissions to team members on a per-app basis, ensuring that the right people have access to the right operations and resources.
Once releasing an app to production and once user access is stable, you can lock an app, which prevents all access by Team members unless the member has the ‘Manage’ permission.
An app’s environment-specific configuration, such as credentials, should not be stored in version control systems, but should instead be stored as environmental variables. Heroku provides customers to store these sensitive environment-specific configurations as “Config Vars”
Heroku provides first and third-party add-ons through the Heroku Elements marketplace to enhance the capabilities of your applications. The partner add-on allowlist allows your admin to control which add-ons are used with apps in your team and is helpful for ensuring only vetted and approved add-ons are utilized by your developers.
Heroku Postgres Credentials**
Heroku Postgres allows you to grant specific privileges such as Grant, Select, Insert, Update and Delete to individual roles. These roles can then be attached to your application to limit access to the database by your application and allow you to follow the principle of least privilege.
Heroku Flow is a structured deployment workflow that streamlines the app release experience by making continuous integration and delivery easy, visual, efficient and more secure.
Dashboard Session Length Limits
Users can stay logged into the Heroku Dashboard for a limited period of time before they must reauthenticate.
Logging and Monitoring
Logging & Add-On Providers
Heroku aggregates a variety of logs for your deployed apps such as app logs, system logs, API logs, add-on logs, and build logs that allow you to audit important app events and performance metrics. The Heroku platform maintains these logs for a short time period and best practice is to have these logs sent to third-party logging add-on providers or external servers for long-term persistence.
The Heroku Enterprise feature Audit trails provides a chronological history of configuration change events associated with your account and is an important input into your compliance program.
Private Space Logging**
This Shield Private Space feature forwards log events from applications, Heroku Postgres databases, Heroku system services logs and Heroku API logs to a single log capture destination for easily access and validation that logging is correctly setup.
This Shield Private Spaces feature logs all user keystrokes typed into interactive Heroku run sessions and provides the ability to review these logs for auditing purposes.
Advanced Heroku App & Data Access Methods
Trusted IP Ranges**
Allows you to restrict access to applications in Private Spaces and Shield Spaces to only clients originating from a list of approved IP ranges that your organization has defined.
Stable Outbound IP Addresses**
Outbound traffic from apps in a Private Space or Shield Space originate from a stable set of IP addresses. Services receiving traffic from these apps can add the Outbound IP addressees to an allow list as an additional level of security.
Private Space Peering**
This feature allows you to establish a private network connection between dynos running in a Private Space or Shield Space to an AWS VPC that you control. This connection method provides additional security benefits as it does not traverse the public Internet and instead only communicates over AWS’s secure network.
Private Space VPN**
Heroku Private Spaces and Shield Spaces can configure a secure connection to another private network using IPSec VPN. This lets dynos connect to hosts on your private networks and vice versa. Connections are established over the public Internet, but all traffic is encrypted using IPSec.
Access to applications are further restricted through use of Internal Routing, which limits access to applications to only other apps running in the same Private Space or Shield Private Space network and to previously configured Private Space Peering or Private Space VPN connections.
PrivateLink allows you to connect the first-party Heroku add-ons Heroku Postgres, Heroku Data for Redis and Apache Kafka on Heroku to one or more AWS VPCs. This connection method provides additional security benefits as it doesn’t traverse the public Internet and instead only communicates over AWS’s secure network.
Mutual TLS (mTLS)**
This feature creates a secure and mutually authenticated channel between an external resource and a Heroku Postgres database or Apache Kafka on Heroku cluster running in a Private Space or a Shield Private Space. The external resources can include mTLS-enabled applications or systems running in private data centers or in public clouds.
Automated Certificate Management (ACM)
ACM allows you to automatically manage TLS certificates for apps by renewing certificates one month before they expire and issuing new certificates when you add or remove a custom domain.
Apps in Private Spaces and Shield Private Spaces allow you to configure the cipher suites used to negotiate TLS connections with new clients. By default, apps are configured to only support TLS v1.2. In addition, Heroku also automatically manages secure transport of Salesforce data to Heroku Postgres via Heroku Connect without any additional configuration.
Bring Your Own Key (BYOK)**
Heroku automatically encrypts data-at-rest at the disk level for most Heroku Postgres, Heroku Data for Redis and Apache Kafka on Heroku plans; however, for customers with advanced encryption needs we offer the BYOK feature for these Heroku data add-ons in Private Spaces and Shield Spaces. This feature allows customers to create and manage their own Customer Managed Key (CMK) from their AWS KMS Account and the ability to disable the CMK which makes all data encrypted by the key inaccessible.
Heroku Postgres allows you to “roll back” the state of your database to a previous point in time during the last 4-7 days, depending on plan, which can help mitigate the risk associated with an accidental data deletion or data overwrite.
Apps can be configured to take manual and scheduled backups of attached Heroku Postgres databases, which are used to restore the databases, transfer data between databases or downloaded and stored outside of Heroku. These backups provide additional protection in the event of a catastrophe and helps customers meet various compliance and regulatory requirements.
* This feature is only available as part of Heroku Enterprise.
** This feature is only available for a subset of Heroku Enterprise product offerings.