Leaning on the expertise of our personnel and industry practices, we’re using SOC 2 Trust Services Criteria for Security and ISO 27001 for structuring Axonius’ security program. These respected frameworks help ensure that we implement comprehensive security measures such as access control, infrastructure and application defenses, risk management, and so on. They also map to other control catalogs, such as those published by NIST and CIS.
These frameworks also give independent auditors a basis for reviewing our security and communicating the results to our customers. To provide that assurance, we obtained an ISO 27001 certificate and SOC 2 Type 2 and SOC 3 attestations from Schellman, an experienced and accredited audit firm. Current and prospective Axonius customers can request our SOC 2 report from their Axonius representatives. The SOC 3 report summarizes the key aspects of our SOC 2 report in a form that we can distribute directly, without requiring an NDA.
The Axonius website offers many details about our products. At a high level, the Axonius Platform gives organizations a comprehensive asset inventory, uncovers gaps, and automatically validates and enforces policies. It integrates with hundreds of data sources to give our customers the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, automating response actions, and informing business strategy.
Axonius customers use our platform to capture data related to their IT asset inventory, the configuration of each asset, and details about the users that authenticate to these assets. The platform aggregates these details after connecting to the customer’s security and IT management solutions that contain this information. Our product comes with a variety of customer-configured adapters to gather this data.
Axonius incorporates security reviews into our Software Development Lifecycle Process (SDLC), giving the Axonius security team the ability to offer feedback and guidance. It also includes automated scanning to identify security weaknesses. Also, Axonius regularly commissions third-party experts to perform penetration testing to identify additional application vulnerabilities and help maintain our product’s security posture.
The Axonius platform stores sensitive configuration data, such as adapter credentials, encrypted at rest. Customers can choose to enable storage-layer encryption in on-premises instances so that device and user metadata is encrypted at rest as well; without it, only the configuration data mentioned above is encrypted. For our SaaS product instances, we achieve this by enabling EBS Volume Encryption, a storage-layer encryption feature in AWS, on every instance.
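A customer or auditor who wants to verify the "EBS Volume Encryption" statement for their own AWS account, rather than take it on trust, can check two things: that no volume in the region is unencrypted, and that encryption-by-default is switched on so future volumes inherit it. The following is an added example written for this page, not Axonius code; it consumes the response shapes of the AWS `ec2:DescribeVolumes` and `ec2:GetEbsEncryptionByDefault` APIs, and the volume and instance IDs in the sample data are constructed.

```python
"""Audit EBS volumes for encryption at rest.

Added example (not Axonius code). Works offline on constructed sample data
shaped like the boto3 responses; `live_audit` runs the same logic against a
real account when boto3 and credentials are available.
"""
from typing import Dict, List


def unencrypted_volumes(describe_volumes: Dict) -> List[Dict]:
    """Return every volume whose 'Encrypted' flag is not True.

    `describe_volumes` follows the shape of ec2.describe_volumes():
    {"Volumes": [{"VolumeId": ..., "Encrypted": bool, "State": ...,
                  "Attachments": [{"InstanceId": ...}, ...]}, ...]}
    """
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        if vol.get("Encrypted") is True:
            continue
        attached = [a.get("InstanceId") for a in vol.get("Attachments", [])]
        findings.append({
            "VolumeId": vol.get("VolumeId"),
            "State": vol.get("State"),
            "AttachedTo": attached,
        })
    return findings


def audit(describe_volumes: Dict, encryption_by_default: Dict) -> Dict:
    """Combine per-volume findings with the region's default-encryption setting.

    `encryption_by_default` follows ec2.get_ebs_encryption_by_default():
    {"EbsEncryptionByDefault": bool}. The region is only 'compliant' when
    nothing is unencrypted today AND new volumes will be encrypted automatically.
    """
    bad = unencrypted_volumes(describe_volumes)
    default_on = bool(encryption_by_default.get("EbsEncryptionByDefault"))
    return {
        "default_encryption_enabled": default_on,
        "unencrypted_count": len(bad),
        "unencrypted": bad,
        "compliant": default_on and not bad,
    }


# Constructed sample responses; the IDs below are made up for illustration.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True, "State": "in-use",
         "Attachments": [{"InstanceId": "i-0111"}]},
        {"VolumeId": "vol-0bbb", "Encrypted": False, "State": "in-use",
         "Attachments": [{"InstanceId": "i-0222"}]},
        {"VolumeId": "vol-0ccc", "Encrypted": False, "State": "available",
         "Attachments": []},
    ]
}
SAMPLE_DEFAULT = {"EbsEncryptionByDefault": False}


def live_audit(region: str) -> Dict:
    """Run the same audit against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample runs without it
    ec2 = boto3.client("ec2", region_name=region)
    volumes = {"Volumes": []}
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes["Volumes"].extend(page["Volumes"])
    return audit(volumes, ec2.get_ebs_encryption_by_default())


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_VOLUMES, SAMPLE_DEFAULT), indent=2))
```

Two caveats worth keeping in mind when reading the result. Enabling encryption-by-default only affects volumes created afterwards; an existing unencrypted volume stays unencrypted until it is snapshotted and copied with encryption enabled. And EBS encryption protects the data on the storage medium: it does not protect against anyone who can already attach the volume or log in to the instance, which is why the access controls described later on this page matter as much as the encryption.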
Axonius customers directly control much of the security configuration of their instance of the Axonius platform, as described in the product documentation. The documentation describes the product architecture and includes instructions such as configuring third-party identity providers, using Role-Based Access Control (RBAC) and reviewing activity logs.
Customers can host the Axonius platform themselves or elect for us to host it in the typical SaaS fashion. Axonius hosts our platform in Amazon Web Services (AWS) in a single-tenant manner so that each Axonius customer has a dedicated, isolated instance of our product. Our SaaS product instances are hosted in the United States by default, but customers can request other geographic regions if necessary.
We control which Axonius personnel can access our infrastructure, so that we can provide the necessary services to our customers without exposing their instances to undue risk. Connecting to these systems requires first authenticating through our Single Sign-On (SSO) provider, which enforces two-factor authentication (2FA), applies access restrictions, and flags authentication anomalies. All network interactions are encrypted using modern cryptographic mechanisms.
Axonius regularly patches our infrastructure to address relevant vulnerabilities in a timely and responsible manner. We use vulnerability scanning and other security tools to validate that patching works as expected and identify configuration weaknesses we may need to remediate. Not surprisingly, we use our own platform for maintaining an up-to-date asset inventory. Also, Axonius regularly commissions third-party experts to perform penetration testing of our infrastructure to help maintain our security posture.
We capture and aggregate infrastructure security events to detect suspicious activity in our infrastructure. Our security team investigates the relevant events to identify anomalies early, before they escalate into major incidents. We also have a formal incident response plan for handling security incidents in a methodical and responsible manner.
Axonius has a formal data classification policy that guides our personnel regarding the security precautions necessary for handling different types of data, ranging from public to confidential. Depending on the classification, Axonius enforces access restrictions and other security controls to safeguard the data in an appropriate manner. Axonius uses modern encryption techniques to protect data in transit and, where appropriate, encrypts data at rest.
Recognizing the importance of managing security risks in our supply chain, Axonius has a formal vendor management program. It includes conducting security reviews of our third-party vendors and ensuring the appropriate terms are included in our contracts to safeguard our own and our customers’ data. The list of our subprocessors is published on our website.
Axonius welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you.
To report a potential security issue to Axonius, contact firstname.lastname@example.org. For details, see our Vulnerability Disclosure Policy, which explains how to report vulnerabilities to us, what we expect, and what you can expect from us. It applies to any digital assets owned, operated, or maintained by Axonius for which Axonius can legally authorize the testing.