Skip to main content

Compliance & Audit Considerations

Executive Summary

Cocos is a secure, open-source platform designed for compliance-sensitive environments.

It combines hardware-based isolation, Trusted Execution Environment (TEE) attestation, and hardened runtime security to protect sensitive workloads and meet the highest audit and regulatory standards.

Through Trusted Execution Environments (TEEs), Attested TLS, and transparent architecture, Cocos ensures that data and algorithm remain confidential, verifiable, and auditable — making it a trusted foundation for regulated industries such as finance, healthcare, and government.

Overview

Cocos is designed with strong security guarantees to meet the needs of compliance-driven environments, ensuring confidentiality, integrity, and auditability for sensitive workloads. By combining hardware-backed TEEs, TEE attestation, and hardened runtime configurations, Cocos provides a foundation for meeting strict regulatory requirements.

Trusted Execution Environments (TEEs)

Cocos supports hardware TEEs such as AMD SEV-SNP, Intel TDX, and Confidential VMs. These technologies:

  • Isolate workloads from the host OS and hypervisor
  • Protect data in use from unauthorized access
  • Reduce the Trusted Computing Base (TCB) by running only essential components inside the CVM

This isolation ensures that even privileged system software cannot access protected data or code.

Remote Attestation

Cocos implements remote attestation to verify the integrity of workloads at runtime. This includes:

  • Measuring the initial code and data of the CVM before the CVM is started
  • Measuring the boot process. This means that the kernel, initramfs, and kernel command line are measured
  • Providing verifiable attestation reports to external verifiers
  • Using Attested TLS, embedding attestation evidence directly into the X.509 certificate

These capabilities enable customers and auditors to verify that workloads run only in trusted, untampered environments.

Integrity & Isolation

To maintain operational integrity and reduce attack surfaces, Cocos incorporates:

  • Linux Integrity Measurement Architecture (IMA) to hash and keep track of opened files, before the files are executed
  • Runtime image that disables unnecessary services (e.g., SSH)

This ensures that system components remain unchanged and trustworthy throughout their lifecycle.

Secure Communications

All Cocos components communicate over encrypted channels with strong authentication:

  • TLS with certificate-based authentication
  • Attestation report bound to X.509 certificate
  • Protection against man-in-the-middle and replay attacks

This ensures data-in-transit encryption and binds the attestation report to the TLS secure channel.

Auditability & Transparency

Cocos is open source under the Apache 2.0 license, enabling:

  • Independent code review and verification
  • Transparent security architecture

This transparency builds trust and supports regulatory compliance audits.

Continuous Security Improvements

Security features are continuously enhanced with each release. Examples include:

  • SSH hardening
  • Virtual TPM (vTPM) integration
  • Expanded secure cloud integrations

Summary

Cocos provides a secure and auditable platform ready for deployment in compliance-sensitive environments. Through hardware-backed isolation, TEE attestation, encrypted communications, and an open-source security model, Cocos enables organizations to meet modern data protection and audit requirements with confidence.