I've had a long career in security for software development, so I understand how important it is to uphold the highest levels of security throughout the design process. Equally important is proving to customers that the trust they place in the vendor is well-founded. One of the best tools we have to convey that trust is third-party certifications.
I'm proud to announce that the ExtraHop Addy anomaly detection service has achieved AICPA SOC2 type 1 certification (formerly known as SAS70). SOC2 is an audit process against controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. This certification shows that we've taken careful measure of the security of our SaaS offering. Included in this SOC2 certification is an examination of our people, policies, and procedures. Over the past few months, we've been inspecting, auditing, and improving all of the above. An independent, third-party assurance is important to prove to our customers that we have built security deeply into our process and that your data is important to us.
I'm very proud of the work that went into Addy, so I wanted to take a short dive into our security design thought processes.

Secure by Design
While designing the Addy service, we wanted to rethink the service architecture to build a completely secure service. We started with some fundamental tenets of security:
- Secure by design
- Security in layers
- Least privilege
When building software, it's always best to make the secure option the default. We thought about the design decisions and broke down our decisions into a few categories that are often scrutinized.

Data in Transit
We designed the back-end of Addy to be completely secured all the way to the analytics engine with no possibility of interception. We designed the system so that ExtraHop Discover appliances make an outer TLS tunnel into the Addy infrastructure. Then Addy negotiates an inner TLS connection for transporting all feature and anomaly data. The innermost connection is an end-to-end connection with mutual certificate authentication. We decided to use only TLS 1.2 with Perfect Forward Secrecy, the best ciphers available today.

Data at Rest
We also mandated that all data be encrypted when stored. AES-256 is the standard.

You Own Your Data
The data currently analyzed by Addy is not categorized as personally identifiable information (PII). PII is never sent to the cloud; only count metrics are sent to Addy. In the future, we may analyze PII, but we will give you notice before doing so.

Conclusion
Addy promises to help IT organizations be more proactive about performance and security issues. We've done our best to address concerns that our customers might have with adopting the service. If you have any questions, be sure to take a look at our Security, Privacy and Trust document. It covers our policies in depth.
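As an added illustration of the transport policy described under Data in Transit (this is not ExtraHop's code), the Python sketch below builds a server-side TLS context pinned to TLS 1.2 with ephemeral key exchange and a required client certificate, then audits it beside a constructed weak context. The cipher strings and function names are assumptions chosen for the example.

```python
import ssl

# Key-exchange prefixes that provide forward secrecy in TLS 1.2 suite names.
PFS_PREFIXES = ("ECDHE-", "DHE-")

def hardened_server_context():
    """TLS 1.2 only, ephemeral key exchange, client certificate required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")      # assumed suite policy, not from the post
    ctx.verify_mode = ssl.CERT_REQUIRED  # server side of mutual authentication
    return ctx

def weak_server_context():
    """Constructed counter-example: static RSA key exchange, anonymous clients."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES256-GCM-SHA384")  # RSA key transport, no forward secrecy
    return ctx

def audit(ctx):
    """Return the policy violations found in an SSLContext (empty list = compliant)."""
    findings = []
    tls12 = ssl.TLSVersion.TLSv1_2
    if ctx.minimum_version != tls12 or ctx.maximum_version != tls12:
        findings.append("protocol range is not pinned to TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        # OpenSSL lists TLS 1.3 suites (TLS_*) regardless of the cipher string;
        # whether they can be negotiated is decided by the version check above.
        if name.startswith("TLS_"):
            continue
        if not name.startswith(PFS_PREFIXES):
            findings.append("no forward secrecy: " + name)
    return findings

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("weak", weak_server_context())):
        print(label, audit(ctx) or "compliant")
```

A real deployment would also load the server certificate with `load_cert_chain` and the client CA with `load_verify_locations`; both are omitted here so the example runs without key material.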
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/lessons-securing-a-cloud-powered-analytics-service/