Security overview
This article details the security mechanisms and processes that Exoprise has implemented to ensure and enforce the safety, protection, and privacy of our customer data. The security measures that Exoprise has implemented span the technology, operations, and legal aspects of protecting customer data and environments.
Executive summary
Exoprise is a hybrid cloud service that enables organizations to proactively monitor their mission-critical cloud applications from any branch office or location. It primarily utilizes synthetic transactions to monitor these services, and, therefore, does not inspect or monitor live traffic from real users.
To monitor cloud and SaaS applications, customers typically create dedicated accounts for the synthetic sensors within the application. Therefore, there is no Personally Identifiable Information (PII) involved. The data that is sent to Exoprise consists of only performance metrics, for example, login times, TCP/IP connect times, Time-to-First-Byte (TTFB), latency, and so on.
Legal terms and privacy
Protecting customer data goes beyond technology and processes. Exoprise offers the following assurances:
Data center security and cloud platforms
The Exoprise platform is physically hosted in multiple cloud environments, including Amazon Web Services and Microsoft Azure.
Amazon Web Services
Amazon Web Services (AWS) infrastructure and controls are subject to annual SAS-70 Type II audits, and AWS information security management processes and controls have achieved ISO 27001 and PCI DSS Level 1 certification. For more information about AWS security and controls, refer to AWS Cloud Security.
Microsoft Azure Cloud
Azure cloud services and infrastructure are audited annually against the SOC reporting framework by third-party auditors. More information and a publicly available SOC 3 report can be found in this Microsoft article.
Internal controls
Exoprise operations are maintained at the highest standard to ensure the integrity and security of our customers’ data. Some of the steps taken to achieve this include the following:
- Periodic review of all policies and internal controls to assure continued compliance.
- Least privileged access and separation of duties. Only designated, named operational staff members are authorized to access production systems.
- Exoprise utilizes change and configuration management procedures to ensure accurate and timely updates, including live A/B testing in production and staging environments before, during, and after deployments.
- Access controls are periodically reviewed and maintained. There is no third-party access to our systems. These controls include, but are not limited to, logically isolated and protected production network access requiring multi-factor access controls.
- In accordance with local laws, regulations, ethics and contractual constraints, all employment candidates, contractors and third parties are subject to background verification, criminal, domestic, and Office of Foreign Assets Control screening.
- All new hires are required to sign non-disclosure and confidentiality agreements.
- All employees have signed legal documents that explicitly address the need for security, privacy, and compliance, and they are required to participate in periodic security awareness training.
- Exoprise maintains written security policies that are periodically updated and revised.
- Exoprise utilizes two-factor authentication (2FA) to prevent access by unauthorized individuals should an account be compromised.
- Before entering into agreements, and periodically thereafter, Exoprise reviews the independent audits of our cloud and third-party service providers to ensure the security provisions are appropriate.
- Anti-malware programs are installed on all of our systems. Security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components.
- Processes, tools, and audit controls are utilized to monitor items such as repeated login failures and unauthorized attempts to access resources within the service. Logs are reviewed on no less than a weekly basis for anomalies.
Incident response handling
Exoprise maintains an incident response team and, for threat or security mitigation, strives to handle incidents and discoveries within 24 hours whenever possible. Customer notifications, as well as updates and mitigation to production server components will occur within 24 hours of Exoprise becoming aware of a problem. Agent updates will be made available within 24 hours of identifying, mitigating, and devising workarounds or updates for issues, provided there is nothing preventing updates on the customer side.
Information protection
Exoprise solutions transmit and store performance metrics such as latencies, TCP/IP connect times, and other metrics. No sensitive business or customer data is ever accessed, collected, transmitted, or stored as part of our services and no PII is collected or stored other than Exoprise user sign-in information. Storage of sign-in credential information can be mitigated through the use of integrated SAML solutions by the customer.
- Exoprise ensures the protection of all customer data and periodically reviews its formal policies and information protection standards.
- Exoprise maintains a continuous monitoring and testing strategy.
- Exoprise periodically performs penetration tests and vulnerability scans and remediates any issues identified during those tests and scans.
- Exoprise has a process to periodically receive and evaluate security alerts, advisories, and directives from external third-party sources to determine our exposure to vulnerabilities.
- We have established change management control policies and remediation practices.
Software development
Exoprise implements industry-standard software development lifecycle practices for all software that accesses or processes customer confidential information. We build and implement risk-based application security that includes, but is not limited to, policies, governance structures, staffing, and monitoring to protect the confidentiality, integrity, and availability of all customer confidential information.
- At least annually, engineers participate in secure code training that includes OWASP Top 10 security flaws and other common attack vectors.
- Exoprise utilizes Ruby on Rails framework security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
- Testing and staging environments are physically and logically separated from production environments. No actual customer data is used in development, test, or staging environments.
- Exoprise utilizes third-party security tools to scan for security flaws including the OWASP Top 10.
- Exoprise source code repositories are scanned for security issues using static analysis tools.
Product security features
Exoprise supports multiple authentication options. By default, when first signing up, Exoprise manages your credentials. Integrated Security Assertion Markup Language (SAML) authentication is supported in addition to Role-Based Administration and Control (RBAC) throughout the system.
When credentials are stored, Exoprise follows best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.
API access is via SSL-only and can be enabled or disabled on a per-account basis. By default, API access is disabled.
Business continuity and resilience
Our systems are designed to be highly available. We make use of our own product for 24x7 monitoring to ensure uptime and availability.
Exoprise employs clustering and network redundancies to eliminate single points of failure. Our backup procedures ensure data is actively replicated across primary and secondary Disaster Recovery (DR) systems and facilities. Our backup procedures are periodically tested to ensure they are robust and operating correctly.
Digital components and assets
Exoprise is a hybrid cloud service where some components can be run from customer environments.
Exoprise Management Client
The Exoprise Management Client is a secure, sandboxed network client that enables customers to execute cloud automation delivered from https://secure.exoprise.com.
All interactions between the Management Client and https://secure.exoprise.com are executed over 2048-bit Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encrypted channels. The Management Client is explicitly configured to only interact with https://secure.exoprise.com, and the privileged sandbox is only enabled when the Management Client communicates with secure.exoprise.com via TLS.
The Management Client is utilized for end-user interaction, deployment, and automation. The Management Client installer and components that the client retrieves from secure.exoprise.com are digitally signed with EV code signing certificates currently supplied by Sectigo, Inc. The SSL/TLS certificates utilized to communicate with secure.exoprise.com are SHA-256 2048-bit SSL certificates. The SSL certificates are issued by AWS Certificate Manager.
Exoprise Secure Service Shell
The Exoprise Secure Service Shell (ExoSvcShell), also known as a Private Site, is a Windows Service that was designed from the beginning to be a secure, distributed service endpoint and sandbox. It enables customers to execute cloud-based automation and monitoring tasks delivered from secure.exoprise.com and service.exoprise.com.
As with the Management Client, all interactions between the ExoSvcShell and service.exoprise.com are executed over 2048-bit TLS encrypted channels. The ExoSvcShell is explicitly configured to only interact with https://service.exoprise.com sites.
Deployment
The ExoSvcShell can be installed in multiple ways: interactively via the Management Client, with a custom installer via the Exoprise services, or by downloading the ExoSvcShell installer from secure.exoprise.com for further packaging.
The ExoSvcShell installer is digitally signed with an Exoprise code signing certificate. The initial installation securely binds the ExoSvcShell to service.exoprise.com using unique public-private key pairs. The public-private key pairs can be generated automatically by the installer or by the customer using their own RSA-compatible key generation tools.
Binding
ExoSvcShell requires a secure communication channel with service.exoprise.com. However, since ExoSvcShell is designed to run unattended for long periods of time, it cannot authenticate based on username and password. Instead, the ExoSvcShell authenticates with an instance ID and signed HTTPS requests (similar to how many Internet APIs work from vendors like Amazon, Google, and so on). Each request is signed to prevent forgery and spoofing.
During ExoSvcShell installation, Exoprise generates an instance ID and instance key. Both the ID and key are stored on the client computer and encrypted with Data Protection API (DPAPI). The use of DPAPI in this scenario locks the keys to the machine and service account where the ExoSvcShell is installed. This prevents the ExoSvcShell from being moved to another machine (spoofing prevention).
When ExoSvcShell requests data from service.exoprise.com, it generates a Hash-Based Message Authentication Code (HMAC) signature of the HTTPS packet signed with the instance key. The HMAC is validated by ExoSvcShell for every message and instruction received. When data is pushed to Exoprise servers, the data is encrypted using 2048-bit encryption (SSL), and the message authenticity and integrity are validated by the Exoprise servers.
Automated installation
The ExoSvcShell can be deployed via Electronic Software Deployment (ESD) tools such as SCCM. From the Exoprise platform website, a customer can download the separate code-signed installation executable for packaging and automated deployment. For more information, refer to Bulk site installation.
Monitoring tasks
Tasks that are delivered to the ExoSvcShell are regularly retrieved from Exoprise servers and are kept only in memory, never cached to disk, as an additional security protection. Tasks are periodically checked for updates. All task instructions and configuration are fetched via SSL and are HMAC-signed, as previously detailed.
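The instance-ID-plus-HMAC scheme described under Binding, and reused for task delivery, can be sketched as follows. This is an added example, not Exoprise's code: the canonical string layout, the 300-second freshness window, and the sample instance ID, key and paths are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds; assumed freshness window, not stated on the page


def canonical(instance_id, method, path, timestamp, body):
    """Bytes covered by the MAC (assumed layout, not Exoprise's wire format)."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [instance_id, method.upper(), path, str(timestamp), body_hash]
    return "\n".join(fields).encode()


def sign(instance_key, instance_id, method, path, timestamp, body):
    msg = canonical(instance_id, method, path, timestamp, body)
    return hmac.new(instance_key, msg, hashlib.sha256).hexdigest()


def verify(keys, instance_id, method, path, timestamp, body, signature, now=None):
    """True only for a known instance, a fresh timestamp and a matching MAC."""
    key = keys.get(instance_id)
    if key is None:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale or replayed message
    expected = sign(key, instance_id, method, path, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo():
    # Constructed sample values; the ID, key and paths are hypothetical.
    iid, keys, t0 = "inst-0001", {"inst-0001": b"constructed-demo-key"}, 1_700_000_000
    body = b'{"connect_ms": 42}'
    sig = sign(keys[iid], iid, "POST", "/metrics", t0, body)
    task = b'{"task": "probe", "interval_s": 300}'
    task_sig = sign(keys[iid], iid, "GET", "/tasks", t0, task)  # server-signed task
    return {
        "valid": verify(keys, iid, "POST", "/metrics", t0, body, sig, now=t0 + 5),
        "tampered": verify(keys, iid, "POST", "/metrics", t0, b'{"connect_ms": 1}', sig, now=t0 + 5),
        "stale": verify(keys, iid, "POST", "/metrics", t0, body, sig, now=t0 + 3600),
        "unknown": verify(keys, "inst-9999", "POST", "/metrics", t0, body, sig, now=t0 + 5),
        "task_ok": verify(keys, iid, "GET", "/tasks", t0, task, task_sig, now=t0 + 5),
        "task_swapped": verify(keys, iid, "GET", "/tasks", t0, task, sig, now=t0 + 5),
    }


if __name__ == "__main__":
    print(demo())
```

Because the method, path and body hash are all inside the signed string, a signature captured for one message cannot be reattached to a different request or task.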
Digitally signed components
All Exoprise installer executables are digitally signed using EV code signing certificates from DigiCert. Additionally, the Management Client and ExoSvcShell are digitally code-signed. For automation and monitoring tasks, the Management Client and ExoSvcShell may download and cache service- or sensor-specific components. These components can be written in various development languages and environments such as Microsoft .NET for Windows and Mono for Linux. All sub-components are digitally EV code-signed and further protected with public-private key pairs for validating authenticity and origin. Each binary is further code-signed by Exoprise and validated prior to execution.