Frameworks and Certifications
Drawing on the expertise of our personnel and on established industry practice, we use the SOC 2 Trust Services Criteria for Security and ISO 27001 to structure Axonius’ security program. These widely recognized frameworks help ensure that we implement comprehensive security measures, including access control, infrastructure and application defenses, and risk management. They also map to other control catalogs, such as those published by NIST and CIS.
These frameworks also provide a way for independent auditors to review our security and communicate it to our customers. To provide such assurance, we obtained an ISO 27001 certificate and Type 2 SOC 2 and SOC 3 attestations from Schellman, an experienced and accredited audit firm. To provide additional assurance to customers that process protected health information, we also obtained a Type 1 attestation for the HIPAA Security Rule and HITECH Breach Notification requirements applicable to HIPAA Business Associates from the same audit firm.
Current and prospective Axonius customers can request our SOC 2 and HIPAA reports from their Axonius representatives. The SOC 3 report summarizes key aspects of the SOC 2 report in a form intended for general distribution, so we can share it directly without requiring an NDA.
Product Security
The Axonius website offers many details about our solutions. At a high level:
- Axonius Cybersecurity Asset Management gives customers a comprehensive asset inventory, helps to uncover security gaps and risks, and automatically validates and enforces policies. This solution deploys in hours to improve IT and security operations, incident response, vulnerability and patch management, configuration management, and more. The solution aggregates, normalizes, and deduplicates data from over 500 sources to deliver a comprehensive asset inventory of devices, cloud assets, user accounts and identities, and more.
- Axonius SaaS Management helps customers discover known and unknown SaaS applications, identify misconfigurations and data security risks, and gain insights for better IT management and cost optimization. This solution provides deeper visibility into the SaaS applications in use within the organization, including how they are interconnected, and provides insights to optimize SaaS spending and license management. It helps identify shadow and unsanctioned SaaS applications that would otherwise go unrecognized and unmanaged.
Axonius incorporates security reviews into our Secure Development Lifecycle (SDL) process for these solutions, giving the Axonius security team the opportunity to offer feedback and guidance during development. The SDL also includes automated scanning to identify security weaknesses. In addition, Axonius regularly commissions third-party experts to perform penetration testing to identify additional application vulnerabilities and help maintain our products’ security posture.
The Axonius Cybersecurity Asset Management solution stores sensitive configuration data, such as adapter credentials, encrypted at rest. For product instances that we host on behalf of customers, we achieve this by automatically enabling Amazon EBS volume encryption, a storage-layer encryption feature in AWS. Customers who host on-premises instances themselves can enable storage-layer encryption on those instances; doing so ensures that the device and user metadata the product collects is encrypted at rest as well, not only the adapter credentials. Our SaaS Management solution stores customer data in Amazon OpenSearch using encrypted EBS volumes.
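A customer hosting the product in their own AWS account, or anyone verifying a hosted deployment's claims, will want to check that the storage layer is actually encrypted rather than take it on trust. The following is an added illustrative audit check, not Axonius code and not part of the original page: it inspects the JSON shapes returned by `aws ec2 describe-volumes`, `aws ec2 get-ebs-encryption-by-default` and `aws opensearch describe-domain`, and reports volumes or domains that are not encrypted at rest. The sample responses, volume IDs, domain name and key ARN are constructed for the example.

```python
"""Audit storage-layer encryption for EBS volumes and an OpenSearch domain.

The input dictionaries mirror the JSON returned by the AWS CLI calls named
in the docstrings. The sample responses at the bottom are constructed for
this example, so it runs offline with no AWS credentials.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    issue: str


def unencrypted_volumes(describe_volumes: dict) -> list[Finding]:
    """Flag every EBS volume whose `Encrypted` flag is false
    (shape of `aws ec2 describe-volumes`)."""
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        attached = [a["InstanceId"] for a in vol.get("Attachments", [])]
        where = f" attached to {', '.join(attached)}" if attached else " (unattached)"
        findings.append(Finding(vol["VolumeId"], "EBS volume not encrypted at rest" + where))
    return findings


def encryption_by_default_disabled(region: str, ebs_default: dict) -> list[Finding]:
    """Without encryption-by-default, a volume created later can slip through
    unencrypted even if every existing volume passes the check above
    (shape of `aws ec2 get-ebs-encryption-by-default`)."""
    if ebs_default.get("EbsEncryptionByDefault") is True:
        return []
    return [Finding(f"ec2:{region}", "EBS encryption by default is disabled")]


def opensearch_domain_unencrypted(describe_domain: dict) -> list[Finding]:
    """OpenSearch encryption at rest is a KMS-backed domain setting, separate
    from the EBS flag; node-to-node encryption covers traffic between nodes
    (shape of `aws opensearch describe-domain`)."""
    status = describe_domain["DomainStatus"]
    name = status["DomainName"]
    findings = []
    if not status.get("EncryptionAtRestOptions", {}).get("Enabled", False):
        findings.append(Finding(f"opensearch:{name}", "encryption at rest disabled"))
    if not status.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False):
        findings.append(Finding(f"opensearch:{name}", "node-to-node encryption disabled"))
    return findings


def audit(region: str, describe_volumes: dict, ebs_default: dict,
          describe_domain: dict) -> list[Finding]:
    """Run all three checks and return the combined findings."""
    return (unencrypted_volumes(describe_volumes)
            + encryption_by_default_disabled(region, ebs_default)
            + opensearch_domain_unencrypted(describe_domain))


# Constructed sample responses (hypothetical IDs, not real account data).
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0a1", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/example-key-id",
         "Attachments": [{"InstanceId": "i-0app"}]},
        {"VolumeId": "vol-0b2", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0app"}]},
        {"VolumeId": "vol-0c3", "Encrypted": False, "Attachments": []},
    ]
}
SAMPLE_EBS_DEFAULT = {"EbsEncryptionByDefault": False}
SAMPLE_DOMAIN = {
    "DomainStatus": {
        "DomainName": "saas-mgmt-example",
        "EncryptionAtRestOptions": {"Enabled": True},
        "NodeToNodeEncryptionOptions": {"Enabled": False},
    }
}

if __name__ == "__main__":
    for f in audit("us-east-1", SAMPLE_VOLUMES, SAMPLE_EBS_DEFAULT, SAMPLE_DOMAIN):
        print(f"{f.resource}: {f.issue}")
```

Run against a real account by feeding the parsed output of the three CLI calls into `audit`; the encryption-by-default check is the one most often forgotten, since a clean volume listing today says nothing about volumes created tomorrow.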
Axonius customers directly control much of the security configuration of their instance of the Axonius Cybersecurity Asset Management solution, as described in the product documentation. The documentation describes the product architecture and includes instructions for configuring third-party identity providers, using Role-Based Access Control (RBAC), and reviewing activity logs.
Axonius customers can integrate their own SAML Single Sign-On (SSO) solution with our products.
Infrastructure Security
Customers can host the Axonius Cybersecurity Asset Management solution themselves or elect for us to host it in the typical SaaS fashion. Axonius hosts our products in Amazon Web Services (AWS) in a single-tenant manner so that each Axonius customer has a dedicated, isolated environment. Customers can direct Axonius to host their product instances in available AWS regions.
We control which Axonius personnel can access our infrastructure so that we can provide the necessary services to our customers without exposing customers to undue risk. Connecting to these systems requires first authenticating through our Single Sign-On (SSO) provider, which requires two-factor authentication (2FA), enforces access restrictions, and identifies authentication anomalies. All network interactions are encrypted using modern cryptographic mechanisms.
Axonius regularly patches our infrastructure to address relevant vulnerabilities in a timely and responsible manner. We use vulnerability scanning and other security tools to validate that patching works as expected and identify configuration weaknesses we may need to remediate. Not surprisingly, we use our own platform for maintaining an up-to-date asset inventory. Also, Axonius regularly commissions third-party experts to perform penetration testing of our infrastructure to help maintain our security posture.
We capture and aggregate infrastructure security events to detect suspicious activity related to our infrastructure. Our security team investigates the relevant events to identify security anomalies and, wherever practical, address them before they escalate into major incidents. We also have a formal incident response plan to handle security incidents in a methodical and responsible manner.
Data Protection and Privacy
Axonius has a formal data classification policy that guides our personnel regarding the security precautions necessary for handling different types of data, ranging from public to confidential. Depending on the classification, Axonius enforces access restrictions and other security controls to safeguard the data in an appropriate manner. Axonius uses modern encryption techniques to protect data in transit and, where appropriate, encrypts data at rest.
In the context of data privacy, our customers control what data they collect using the Axonius platform and, therefore, are considered data controllers. For more information about our privacy-related practices, see our Privacy Policy and our Data Processing Addendum (DPA). Legal and related details about our services and commitments are captured in Axonius Terms and Conditions.
Recognizing the importance of managing security risks in our supply chain, Axonius has a formal vendor management program. It includes conducting security reviews of our third-party vendors and ensuring the appropriate terms are included in our contracts to safeguard our own and our customers’ data. The list of our subprocessors is published on our website.
Reporting a Vulnerability
Axonius welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you.
To report a potential security issue to Axonius, contact security@axonius.com. For details, see our Vulnerability Disclosure Policy, which explains how to report vulnerabilities to us, what we expect, and what you can expect from us. It applies to any digital assets owned, operated, or maintained by Axonius for which Axonius can legally authorize the testing.
Trust Center
We have a dedicated site, the Axonius Trust Center, to outline key aspects of our security program and products. Please take a look to explore additional aspects of our security controls.