This document details the security mechanisms and processes that Exoprise has implemented in order to ensure and enforce the safety, protection and privacy of our customer data. The security measures that Exoprise have implemented span the technology, operations, and legal aspects of protecting customer data and environments.
Exoprise CloudReady is a hybrid cloud service that enables organizations to proactively monitor their mission-critical cloud apps from any branch office or location. It primarily utilizes synthetic transactions to monitor these services and therefore does not inspect or monitor live traffic from real users.
To monitor cloud and SaaS applications, customers typically create dedicated accounts for the CloudReady sensors within the application. Therefore, there is no Personally Identifiable Information (PII) involved. The data that is sent to CloudReady consists of only performance metrics; e.g. Login times, TCPIP connect times, Time-to-First-Byte (TTFB), latency, etc.
Legal Terms and Privacy
Protecting customer data goes beyond technology and processes, Exoprise offers the following assurances:
Data Center Security and Cloud Platforms
Amazon Web Services (AWS)
AWS infrastructure and controls are subject to annual SAS-70 Type II audits and AWS information security management processes and controls have achieved ISO 27001 and PCI DSS Level 1 certification. More information about AWS security and controls can be found http://aws.amazon.com/security/.
Microsoft Azure Cloud
Azure cloud services and infrastructure are audited annually against the SOC reporting framework by third-party auditors. More information and a publicly available SOC 3 report can be found https://www.microsoft.com/en-us/trustcenter/compliance/soc.
Google Cloud Platform
The Google Cloud Platform are audited regularly and meet or exceed ISO 27001, ISO 27017, and ISO 27018. More information and a publicly available SOC 2 and SOC 3 report can be found https://cloud.google.com/security/.
Exoprise operations are maintained at the highest standard to ensure the integrity and security of our customers’ data. Some of the steps taken to achieve this include:
- Periodic review of all policies and internal controls to assure continued compliance
- Least privileged access and separation of duties – Only designated, named operational staff members are authorized to access production systems
- Exoprise utilizes change and configuration management procedures to ensure accurate and timely updates, including live A/B testing in production and staging environments before, during, and after deployments.
- Access controls are periodically reviewed and maintained. There is no third-party access to our systems. These controls include, but are not limited to, logically isolated and protected production network access requiring multi-factor access controls.
- In accordance with local laws, regulations, ethics and contractual constraints, all employment candidates, contractors and third parties are subject to background verification, criminal, domestic and Office of Foreign Assets Control screening.
- All new hires are required to sign Non-disclosure and Confidentiality agreements.
- All employees have signed legal documents that explicitly address the need for security, privacy, and compliance and are required to participate in periodic security awareness training.
- Exoprise maintains written security policies that are periodically updated and revised
- Exoprise utilizes 2-factor authentication to prevent access by external people should an account be compromised
- Before entering into agreements, and periodically thereafter, Exoprise reviews the independent audits of our cloud and third-party service providers to ensure the security provisions are appropriate.
- Anti-malware programs are installed on all of our systems. Security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components.
- Processes, tools and audit controls are utilized to monitor items such as repeated login failures, unauthorized attempts to access resources within the service. Logs are reviewed on no less than a weekly basis for anomalies.
Exoprise implements industry standard software development life-cycle practices for all software that access or processes customer confidential information. We build and implement risk-based application security that includes, but is not limited to, policies, governance structures, staffing, and monitoring to protect the confidentiality, integrity and availability of all customer confidential information.
- At least annually, engineers participate in secure code training that includes OWASP Top 10 security flaws and other common attack vectors.
- Exoprise utilizes Ruby On Rails framework security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce exposure Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
- Testing and staging environments are physically and logically separated from production environments. No actual customer data is used in development, test, or staging environments.
- Exoprise utilizes third-party security tools to scan for security flaws including the OWASP Top 10.
- Exoprise source code repositories are scanned for security issues using static analysis tools.
Product Security Features
Exoprise CloudReady supports different authentication options. By default, when first signing up for CloudReady, Exoprise manages your credentials. Integrated Security Assertion Markup Language (SAML) authentication is supported in addition to Role Based Administration and Control (RBAC) throughout the system.
When credentials are stored, Exoprise follows best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
API access is via SSL-only and can be enabled or disabled on an account-by-account basis. By default, API access is disabled.
Business Continuity and Resiliency
Our systems are designed to be highly available. We make use of our own product for 24×7 monitoring to ensure uptime and availability. In the case of an outage or service interruption we will keep our customers up to date via this webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Exoprise employs clustering and network redundancies to eliminate single points of failure. Our backup procedures ensure data is actively replicated across primary and secondary Disaster Recovery (DR) systems and facilities. Our backup procedures and periodically tested to ensure they are robust and operating correctly.
Digital Components and Assets
CloudReady is a hybrid cloud service where some components can be run from customers environments.
Exoprise Management Client
The Exoprise Management Client is a secure, sand-boxed network client that enables customers to execute cloud automation delivered from https://secure.exoprise.com.
All interaction between the Management Client and https://secure.exoprise.com are executed over 2048-bit Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encrypted channels. The Management Client is explicitly tied to only interact with https://secure.exoprise.com and the privileged sandbox is only enabled when the Management Client communicates via TLS to secure.exoprise.com.
The Management Client is utilized for end-user interaction, deployment and automation. The Management Client installer and components that the client retrieves from secure.exoprise.com are digitally signed with code signing certificates from Digicert. The SSL certificates utilized to communicate with secure.exoprise.com are SHA-256 2048-bit SSL certificates. The SSL certificates are also from Digicert.
Exoprise Secure Service Shell
The Exoprise Secure Service Shell (ExoSvcShell), also known as a Private Site, is a Windows Service that was designed from the beginning to be a secure distributed service endpoint and sandbox enabling customers to execute cloud-based automation and monitoring tasks delivered from secure.exoprise.com and service.exoprise.com.
As with the Management Client, all interaction between the ExoSvcShell and service.exoprise.com are executed over 2048-bit TLS encrypted channels. The ExoSvcShell is explicitly tied to only interact with https://service.exoprise.com sites.
The ExoSvcShell can be installed in multiple ways; interactively via the Management Client, with a custom installer via the CloudReady services, or by downloading the ExoSvcShell installer from secure.exoprise.com for further packaging.
The ExoSvcShell installer is digitally signed with an Exoprise code signing certificate. The initial installation securely binds the ExoSvcShell to service.exoprise.com using unique public/private key-pairs. The public/private key-pairs can be generated automatically by the installer or generated by the customer utilizing their own RSA-compatible key generation tools.
ExoSvcShell requires a secure communication channel with service.exoprise.com. However, since ExoSvcShell is designed to run unattended for long periods of time it can not authenticate based on user name and password. Instead, the ExoSvcShell authenticates with an instance ID and signed HTTPS requests (similar to how many Internet APIs work from vendors like Amazon, Google, etc). Each request is signed to prevent forgery and spoofing.
During ExoSvcShell installation, CloudReady generates an instance ID and instance key. Both the ID and key are stored on the client computer and encrypted with the DPAPI. The use of DPAPI in this scenario locks the keys to the machine and service account where the ExoSvcShell is installed. This prevents the ExoSvcShell from being moved to another machine (spoofing prevention).
When ExoSvcShell requests data from service.exoprise.com, it generates a Hash-Based Message Authentication Code (HMAC) signature of the HTTPS packet signed with the instance key. The HMAC is validated by ExoSvcShell for every message and instruction received. When data is pushed to CloudReady the data is encrypted via 2048-bit encryption (SSL) and the message authenticity and integrity is validated by the CloudReady servers.
The ExoSvcShell can be deployed via Electronic Software Deployment (ESD) tools such as SCCM. From the CloudReady Monitor website a customer can download the separate code-signed installation executable for packaging and automated deployment. For additional information see the Bulk Deployment Guide.
Tasks that are delivered to the ExoSvcShell are regularly retrieved from CloudReady and are only kept in memory, never cached to disk, as an additional security protection. Tasks are periodically checked for updating. All task instructions and configuration are fetched via SSL and HMAC signed as previously detailed.
Digitally Signed Components
All Exoprise installer exes are digitally signed using code-signed certificates from Digicert. Additionally, the Management Client and ExoSvcShell are digitally code-signed. For automation and monitoring tasks the Management Client and ExoSvcShell may download and cache service or sensor specific components. These components can be written in various development languages and environment such as Microsoft .NET, for Windows, and Mono for Linux. All sub-components are digitally code-signed and further protected with public/private key-pairs for validating authenticity and origin. Each binary is further code-signed by Exoprise and validated prior to execution.