Data Privacy at Automox

Why SaaS applications deliver superior security

In the last ten years, cloud computing has evolved from a promising IT trend to the backbone of most businesses’ technology infrastructure. From cloud development platforms (PaaS) to public and private cloud infrastructure (IaaS) to applications run in the cloud (SaaS), cloud now touches virtually every element of the IT ecosystem. 

There are tremendous and well-known benefits to leveraging the cloud: scalability; flexibility; agility; and every organization’s favorite, reduced costs. But there are challenges as well. Security traditionally tops the list of companies’ concerns over cloud hosting and SaaS solutions, although that too is changing fast. 

Modern SaaS applications often outperform their on-premises counterparts when it comes to security. As a result, even mission-critical applications like security solutions have now moved to the cloud. Let’s take a closer look at why cloud-based security solutions can be trusted and how applications like Automox ensure your organization’s protection.   

The debate over the relative security of software hosted in the cloud versus software hosted in-house is well-tread territory. The argument for on-premises deployments centers mainly around control: When your software is sitting in your data center, you have 100% control over every aspect of it, including its protection. In contrast, cloud-based infrastructures are outside of your control and therefore you supposedly cannot depend on their security and reliability. 

While there may have been some truth to this sentiment in the cloud’s early years, the infrastructure behind modern SaaS products is now a security boon, not a risk. Cloud service providers like Amazon, Google, and Microsoft have invested heavily in cloud hosting and work continuously to ensure their security. This includes both tools and technologies as well as people; a recent New York Times article commented that “In the case of the big public clouds, the protection is the work of some of the world’s best computer scientists, hired out of places like the National Security Agency and Stanford University to think hard about security, data encryption, and the latest online fraud.” 

Organizations, on the other hand, struggle to hire and retain cybersecurity professionals. The number of jobs far outweighs the qualified workforce: Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, a 350% increase from 2014. This is significant when it comes to securing on-premise devices and applications. If you are solely responsible for your IT security, but can’t find the right people to carry it out, it’s a problem. Not only is it difficult to keep up with applications’ required maintenance and management, human error introduced by inexperienced IT professionals can further compromise security while attempting to bolster it. 

 This disparity of resources shows no signs of slowing down with the cybersecurity skills gap widening and the big cloud providers doubling down on security. Combined with the other benefits of SaaS applications, including reduced cost and enterprise-grade performance, it has proven a tipping point in most organizations’ shift to a largely cloud-first ecosystem. “There are very few questions left about the comprehensiveness of cloud services,” writes Forbes contributor and technology professor Steve Andriole. “Short-term and easily long-term, on-premise is dead.” 

Instead of worrying about the security of SaaS applications, many modern organizations turn to SaaS solutions as critical tools in their cybersecurity war chest. The availability of cloud-based security tools has grown rapidly in recent years, and with good reason: SaaS applications minimize the burden of securing your infrastructure while offering better features and functionality than many of their on-premises counterparts, all without compromise to the security and privacy of your company data.

The global SaaS security industry market is expected to grow at a CAGR of more than 26.5% between 2017 and 2024.

Three capabilities of cloud-based applications make them particularly well-suited to security:

1. Availability. SaaS applications are not tied to a single physical location but mirrored in many, which allows the provider to maintain uptime in case of any physical or natural disaster. That means that no matter what happens, and where it occurs, you can trust that your organization will remain secure.

2. Visibility. Cloud-based services can be viewed and accessed from anywhere, which enables greater collaboration and visibility. SaaS apps make it easy for subject matter experts across your organization to troubleshoot issues or security concerns at any time and from any location. While visibility does require vigilance — it is critical to protect access to your cloud-based applications with methods like multi-factor authentication and a Zero Trust model — it increases the speed and agility with which your team can handle potential and incoming threats.

3. Scalability. SaaS applications like Automox benefit from the scalability of cloud architectures. Solutions can quickly scale to meet sudden shifts in requirements without the overhead of having to manage and secure additional infrastructure. Customers can be confident that they do not need to replace obsolete hardware or worry about platform compatibility or security while meeting any deployment scale needed.

If your organization is considering a SaaS application for services such as threat monitoring, identity and access management, email protection, endpoint hardening and cyber hygiene, or other security solutions, your first question should concern data privacy. You need to clearly understand how the potential vendor secures the data that they collect from you, where it’s stored, and their processes and procedures in case of a breach.

Ask your potential security vendor how they secure the data they collect, where it’s stored, and what happens in case of a breach.

At Automox, we encrypt all data ingested by our platform, both in transit and at rest. Our website and APIs communicate using TLS 1.2 over the standard HTTPS port 443. All enabled cipher suites utilize Perfect Forward Secrecy (PFS) for key negotiation and AES-128 or higher encryption. All backend databases that house sensitive customer data are encrypted to the same standard. In addition, all of our production systems are hosted in AWS, which allows for continuous availability. If one host goes down, we can spin up another very quickly. 

Further, the Automox agent uses PKI encryption to authenticate the endpoint to our servers. Upon mutual authentication, all communication between Automox and the endpoint is secured. All access to production infrastructure is established through encrypted VPN connections. SSH sessions are regularly used for terminal sessions and data transfer between our servers. We use modern salted cryptographic algorithms to secure selected sensitive data stored in our database.

While organizations like Automox do everything possible to protect against and prevent data breaches, they may occur.

In the event of a breach, it’s important to feel confident that you will be notified in a timely manner. Automox notifies its customers within 3-5 days once a breach has been identified and believes strongly in responsible transparency.

Automox is 100% committed to our customers’ data privacy and organizational security, which we ensure in a number of ways:

1. World-class infrastructure.
We host everything on AWS and utilize many of their security services, including not limited to IAM, CloudTrail, and CloudWatch. These services allow us to segment, audit, and monitor activity and access to our production systems, which enables us to identify anomalies quickly.

2. Industry-leading certifications .
We received SOC 2 Type 2 certification in 2020.

3. No single points of failure.
The Automox architecture uses clustered services to ensure high-availability and reliability as well as the ability to quickly scale with demand. All services are run on two or more servers with load balancers distributing load evenly. If a server goes down, a new one is quickly provisioned to take its place. All data is replicated to at least one additional server in a different geographic region and all data is backed up on a scheduled basis with regular testing of the restore process.

4. Secure-by-design endpoint agent.
The Automox endpoint agent is responsible for monitoring and controlling the endpoint patch and management process. To facilitate this, the agent requires privileged access to the system to access secured locations. Because of this privilege, we architected the agent with multiple security features to protect the endpoint. The agent is written in a modern systems language with features to prevent common coding errors that can lead to security vulnerabilities. All communications are encrypted with TLS and authenticated with public-key cryptography. Automated test suites test agent integrity and ensure the agent is not vulnerable to replay or MITM attacks.

5. Need-based access policies and mandatory logging.
At Automox, we implement IAM policies and partition access to our systems to give our team members the least amount of access to perform their development and maintenance tasks. Need-based access is granted on a per-employee basis and regularly reviewed. VPN access is required to access the production environment and all access to infrastructure and systems are logged and audited on a regular basis.

In addition, production servers are completely isolated from all staging, development, and build systems. We also use monitoring software to track all server logins and privileged command execution, alerting on any anomalous activity. All log files are written to centralized log hosts which are hardened and monitored using OSSEC and other tools.

6. Security-first development process.
The Automox development process is focused on quality and security. We develop software using a modern, quality-driven process and mindset to ensure high reliability. All product changes undergo rigorous automated and manual testing in a staging environment to detect and eliminate operational and security issues before deployment to production.

A cloud-based deployment model offers a wide variety of benefits, from lower costs and improved performance. But it can also improve security by leveraging best-in-class infrastructure, relying on the industry’s top cybersecurity minds, and implementing rigorous internal controls. At Automox, we are both proudly cloud-native and fiercely dedicated to our customers’ data privacy and security. Automox exists to make security stronger and easier — and that starts with us. For additional information about how and why Automox collects and uses data, please refer to our privacy notice and terms of service.

Dive deeper into this topic