
Automox Security

We know you depend on Automox to increase your organization’s security by ensuring endpoint and patch compliance. The Automox team goes to great lengths to ensure our platform is not susceptible to security threats. We use Automox internally to make sure that our systems are secure and up to date.


Meet our Chief Information Security Officer

Joe McManus

Joe McManus is a Senior Cyber Security Researcher at CERT and a Professor at the University of Colorado College of Engineering, where he teaches graduate-level courses in information security and forensics.

Recently, Joe was the Director of Security at SolidFire (acquired by NetApp [NTAP]). He has joined Automox to lead our security team and implement the processes, defenses, and monitoring necessary to run a modern, secure cloud application.

Contact Joe with questions

Team

Operational cloud experience at scale

The Automox team has over three decades of operational experience designing and securing multi-tenant cloud and internet applications at scale. Our team comes from some of the most successful and sought-after internet companies, including SendGrid, SolidFire, StillSecure, and LeftHand Networks. All team members undergo mandatory background checks prior to employment.

Data Encryption

Modern and mandatory

All private data exchanged with Automox takes place over encrypted channels. Our website and APIs communicate using TLS 1.2 over the standard HTTPS port 443. All enabled cipher suites utilize Perfect Forward Secrecy (PFS) for key negotiation and AES-128 or higher encryption.

The Automox agent uses PKI encryption to authenticate the endpoint to our servers. Upon mutual authentication, all communication between Automox and the endpoint is secured.

All access to production infrastructure is established through encrypted VPN connections. SSH sessions are regularly used for terminal sessions and data transfer between our servers.

We use modern salted cryptographic algorithms to secure selected sensitive data stored in our database.

Endpoint Agent

Secure by design

The Automox endpoint agent is responsible for monitoring and controlling the endpoint patch and management process. To facilitate this, the agent requires privileged access to the system in order to access secured locations of the system. Because of this privilege, we have architected the agent with multiple security features to protect the endpoint.

The agent is written in a modern systems language with features to prevent common coding errors that can lead to security vulnerabilities. As mentioned above, all communications are encrypted with TLS and authenticated with public-key cryptography. We have automated test suites that test agent integrity and ensure the agent is not vulnerable to replay or MITM attacks.

Access Controls and Reporting

Need-based access policies, mandatory logging

At Automox, we implement IAM policies and partition access to our systems to give our team members the least amount of access needed to perform their development and maintenance tasks. Need-based access is granted on a per-employee basis and regularly reviewed. VPN access is required to access the production environment, and all access to infrastructure and systems is logged and audited on a regular basis.

Production servers are completely isolated from all staging, development, and build systems.

Automox uses monitoring software to track all server logins and privileged command execution, alerting on any anomalous activity. All log files are written to centralized log hosts which are hardened and monitored using OSSEC and other tools.

Availability and Reliability

No single points of failure

The Automox architecture uses clustered services to ensure high availability and reliability as well as the ability to quickly scale with demand. All services are run on two or more servers with load balancers distributing load evenly. Loss of a server is not an issue, as a new one is quickly provisioned to take its place.

All data is replicated to at least one additional server in a different geographic region and all data is backed up on a scheduled basis with regular testing of the restore process.

Credit Card Handling

Managed on our behalf by Stripe

All credit card processing is handled by Stripe, and no credit card numbers are stored or handled by Automox or its employees. Stripe has a PCI-compliant security architecture in place to ensure your payment information is kept secure.

Development, Code Testing and Evaluation

Development process focused on quality and security

The Automox software is developed using a modern quality-driven process and mindset to ensure high reliability. All product changes undergo rigorous automated and manual testing in a staging environment to detect and eliminate operational and security issues before deployment to production.

Security Roadmap

Always evolving and improving

We know security is not a one-and-done effort, so we’re always working to improve our security. Here’s a peek at some of our future plans:

  • Two-factor Authentication
  • Agent access control through sudo
  • SSAE16 Type II Certification expected 2H17

Certifications

Ours and those of our vendors

Reporting Security Vulnerabilities

We appreciate responsible disclosure

If you believe you have found a security vulnerability in our product, we would appreciate your help in disclosing it to us at security@automox.com. You may encrypt your communications with the PGP key below:

