This document discusses configure8’s approach to security. It covers the key areas, the steps we take and the controls we implement across a number of security domains, both in securing our own environments (including our cloud-based platforms), and the processes we have in place to ensure we create products that are “secure from the start” for our customers and users.
Our approach to security is based around a few core themes:
- Customers’ security is “job zero” at configure8.
- Everything we do must have a security lens applied to it from beginning to end.
- We are open and transparent about our security practices, processes, and metrics.
- We constantly evaluate and improve the way we secure our customers’ data in our products.
Below we will highlight some of the measures and initiatives we have in place to fulfill our key themes.
We are intent on ensuring our security program remains leading edge and best in the industry. We know that to do that, we need to continually evaluate our current approach to security, identify opportunities for improvement and always push ourselves to “do better”. To this end, we have undertaken (and will continue to undertake) numerous maturity assessments of our security program, using independent security consulting companies.
An effective approach to security starts with making sure our own house is secure – specifically by keeping our own internal environments secure. There are a number of steps we take to achieve this.
configure8 practices a layered approach to security for our networks. We implement controls at each layer of our cloud environments, dividing our infrastructure by zones, environments, and services. We have zone restrictions in place that include limiting office/staff, customer data, CI/CD and DMZ network traffic. We also have environment separation to limit connectivity between production and non-production environments, and production data is not replicated outside of production environments. Access into production networks and services is only possible from within those same networks – e.g. only a production service can access another production service.
Services must be explicitly authorized to communicate with other services through an authentication allowlist. We control access to our sensitive networks through the use of virtual private cloud (VPC) routing, firewall rules, and software defined networking, with all connections into those networks encrypted. We’ve also implemented intrusion detection in our production networks to detect potential compromises.
configure8’s approach to securing our networks means that whether a user can access resources and services on our networks is decided not only by their authentication credentials, but also by a dynamic policy decision that takes a range of factors into account and allows or denies access at a per-resource level based on the security posture of the user’s device (regardless of their location).
configure8 uses a combination of endpoint management tools to deploy updates and patches to operating systems and key applications across our endpoint fleet. We have also implemented multiple endpoint protection solutions to protect against threats such as malware.
We strive hard to build security into all aspects of our day-to-day operational processes. We want security to be an inherent part of how we do things so that we minimize the need to apply security after-the-fact.
Our production systems are located in infrastructure obtained through cloud service providers. These systems are not tracked at a hardware level due to the nature of the service. The underlying microservices that our products run on are tracked in a custom-built ‘Service’ database. This database is updated automatically when a service is deployed.
We blend best practices we have learned over the years in designing, developing and releasing software. We require Design / Improvement proposals before we jump right to coding. These documents are written by engineers and then reviewed by the entire engineering team before being approved. This allows a more diverse perspective while at the same time preventing the dreaded “Fire…ready…aim” development conundrum. We then embrace an agile-style approach we call “Define, Design, Develop, Deploy” (D4). The D4 approach requires that each change – be it a code change or an infrastructure change – is reviewed by one or more peers to identify any issues the change may potentially cause.
During the planning and design phases for our products, we use threat modeling to help us better understand security risks when projects face complex threats or involve development of security-critical features. This involves a table-top brainstorming session between our engineers, architects and product managers to identify and prioritize relevant threats. This information feeds into the design process and ensures appropriate controls are implemented. It also supports targeted review and testing in later phases of development.
We increase the number of reviewers based on the criticality of the change or the criticality of the systems that the change is going to impact, trusting our engineers to identify issues and then flag them before the change can go through. This process works well to provide a dynamic and adaptable way of managing changes in our environment. The Deploy portion of this control refers to a successful or clean build in our CI/CD with the new changes included. If the change introduces components that do not successfully pass any of the integration, function, unit or security tests, the build is rejected and returns to the original change request to address any issues.
We have a limited set of engineers and architects who are allowed to update or install software in our production environment. In most cases, software installation is not possible. Configuration management tools are utilized in our production environments to manage configurations and changes to servers. Direct changes made to those systems are set to be overwritten by the approved configuration pushed through those configuration management tools, ensuring consistency. We rely on standard container images; all changes to those images must be made via our standard change management process; we track and report on exception configurations; and we have implemented resource isolation so issues with one service don’t impact other services. We also rely on our D4 process to ensure multiple reviewers approve configuration changes pushed through configuration management tools. All image builds are automatically scanned on upload to the container repository and only clean images are allowed to run in our production environment.
We operate a comprehensive backup program at configure8. With respect to our configure8 customer and application data, we also have extensive backup measures in place. configure8 has implemented automated back-ups of all our data stores on a 24-hour basis. All back-ups are retained for 30 days with support for point-in-time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers. We also perform quarterly testing of our backup and recovery procedures.
We have a number of measures to ensure that we keep customer data secure, available and that customers retain control over it to the fullest extent possible.
configure8 products and data are hosted with the industry-leading cloud hosting provider Amazon Web Services (AWS). We make use of its performance, redundancy and failover options globally. We make use of multiple geographically diverse regions and multiple availability zones within each of those regions to ensure that a failure in any single data center does not affect the availability of our products or customer data. Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, mantraps, and additional intrusion protection measures.
configure8 uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.
While our customers share a common cloud-based IT infrastructure when using configure8’s products, we have measures in place to ensure they are logically separated so that the actions of one customer cannot compromise the data or service of other customers.
In the case of our auto-discovery service, each customer’s data is isolated in a unique container to achieve logical isolation of our customers. This is enforced via container isolation and within the application code to ensure each customer’s data is kept logically segregated from other tenants.
Any customer data in configure8 cloud products is encrypted in transit over public networks using TLS 1.2+ to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key lengths where supported by the browser. All data stores holding customer data use full-disk, industry-standard AES-256 encryption at rest.
We treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and any contractors during the on-boarding process which covers the importance of and best practices for handling customer data.
Within configure8, only authorized personnel have access to customer data stored within our applications. Authentication is done via individual passphrase-protected SSH key pairs, and servers only accept incoming SSH connections from configure8 and internal data center locations. All access is restricted to privileged groups unless requested and reviewed, with additional authentication requiring 2FA.
With stringent authentication and authorization controls in place, our global support team facilitates maintenance and support processes. Hosted applications and data are accessed for the purpose of application health monitoring and performing system or application maintenance, or upon customer request via our support system.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
We have an automated code analysis platform that covers all code repositories at configure8. This platform runs a variety of static analysis tools (which we are continually adding to and improving) that help to ensure the overall security of our code. Any time a pull request is raised in a repository, the platform:
- Finds and identifies outdated code dependencies that may introduce vulnerabilities
- Identifies any accidental or inadvertent disclosure of secrets in code repositories (e.g. authentication tokens or cryptographic keys)
- Undertakes an analysis to identify any problematic coding patterns that could lead to vulnerabilities in our code
Our security testing approach is built around the concept of ‘continuous assurance’ through the use of targeted, point-in-time penetration tests. We believe this approach maximizes our chances of finding vulnerabilities and providing our customers with the most secure products possible. A summary of our testing measures is provided below:
- Internal Security Review - As mentioned above, our team runs a security review program including security testing as a regular activity. Testing consists of code review and application security testing, targeting areas of weakness highlighted by risk assessment.
- External Penetration Testing - We use an automated service to conduct white-box, code-assisted and threat-based penetration tests on high-risk products and infrastructure every 24 hours.
Any security vulnerabilities identified are tracked in our internal support tools as they come through and will be triaged, tracked and responded to as Severity 1 (Sev 1).
configure8 is constantly working to reduce the severity and frequency of vulnerabilities in our products, services and infrastructure and ensure that identified vulnerabilities are fixed as quickly as possible. To facilitate this, we have implemented a multi-faceted and continually evolving approach to vulnerability management that utilizes both automated and manual processes to identify, track, and remediate vulnerabilities across our applications and infrastructure.
We identify security vulnerabilities via a number of different sources such as automated scanners, internal security reviews, and customer reports. Once a vulnerability has been identified, a ticket is logged and assigned to the relevant system owner or engineering team. Our centralized approach allows us to leverage automation to provide proactive notifications, automated escalations, and enterprise-wide reporting to ensure that vulnerabilities are remediated in a timely fashion.
We use a range of vulnerability detection tools that are run regularly across our infrastructure to automatically scan for and identify vulnerabilities. This includes:
- Network scans – to identify active services, open ports and applications running across our environment, as well as any vulnerabilities at the network level
- Continuous asset discovery – we undertake continuous asset discovery and security analysis across our external network perimeters. We also have an internally developed asset inventory and discovery mechanism.
- AWS Security Hub, Amazon GuardDuty and AWS WAF – we leverage AWS Security Hub to conduct Cloud Security Posture Management (CSPM) and initiate Security Orchestration, Automation, and Response (SOAR) workflows. We leverage Amazon GuardDuty for intelligent threat detection and continuous monitoring and analysis. We also use AWS WAF to protect our web applications from common web exploits.
We are continually reviewing the latest tools available and adding them to the suite we use if we believe they will enhance our vulnerability detection capabilities.
As part of our development process we use a range of tools to try to identify and prevent as many vulnerabilities and bugs as possible from making their way into our products by the time our customers and users have access to them. We use a platform to facilitate the deployment of these tools across our code repositories. These include the following:
- configure8 deploys the bulk of its services using Docker container images. These images provide a packaged, self-contained environment consisting of relevant system libraries, tools, configuration settings and any other dependencies required so that our products are able to run regardless of individual machine configuration parameters. We integrate a full container security scanning process into our CI/CD pipeline for any containers that are deployed into our development, staging or production environments.
- Our products and services rely on numerous open-source libraries. We use a combination of internally built, open-source, and commercial tools to scan for and identify dependencies and compare these to a database of known security vulnerabilities.
In addition, when a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted. We keep the submitter updated as we investigate and respond to the issue.
configure8 has a comprehensive approach to handle security incidents. We consider a security incident to be any instance where there is a negative impact to the confidentiality, integrity or availability of customers’ data, configure8’s data, or configure8’s services.
We have a clearly defined internal framework that includes documented playbooks for different incident types. The framework covers the steps we need to take at all stages of incident response to ensure our processes are consistent, repeatable and efficient. These include coverage of incident detection and analysis, incident categorization, containment, eradication and recovery.
Comprehensive and centralized logging and monitoring of our products and infrastructure is in place to ensure we quickly detect potential incidents. We also have access to a range of external experts to assist us with investigating and responding as effectively as possible.
We have notification processes in place for our customers if their data is involved in a confirmed incident, as well as a robust post-incident review process so we can take any lessons from an incident to improve our practices to make the job of malicious actors harder in the future.
While this overview has described our approach to security broadly, security is a complex area and configure8 is doing a significant amount in this space, so we haven’t been able to cover everything in detail here. If you need more information, contact us at:
Copyright © 2022 configure8, Inc. All rights reserved.