Asimily Security Information

Asimily takes the security of our customers’ data seriously. To that end, we follow best practices, including Cloud Security Alliance guidance, and apply a defense-in-depth strategy with multiple layers of security across both technical and procedural domains. The following is an overview of the security controls Asimily follows in its software development and service delivery processes.
 

Security and Compliance at Asimily

Asimily maintains a SOC 2 Type II attestation. The SOC 2 Type II report is available on request by emailing security@asimily.com.
 

Internal Processes

Asimily’s corporate security program is jointly administered by the VP of Engineering and the CTO. Employees are trained in security processes during onboarding and periodically thereafter. Upon termination, a defined series of steps is followed, including removal of access to all Asimily databases and portals. Asimily employment agreements also require employees to maintain confidentiality both during and after employment.
Internal access controls follow the principle of least privilege, so employees have access only to the data they need for their jobs. Asimily has an incident response plan on which employees are briefed. The process is chaired by the Executive Director and requires immediate cooperation with forensic investigators by all relevant internal stakeholders.
 

Data Security

All user sessions with Asimily’s web application are encrypted using TLS 1.2. The web application uses TLS certificates issued by DigiCert; on-premises deployments can use the customer’s internal PKI if requested.
The Asimily platform transmits and stores only limited sensitive data; the data generally consist of technical information such as IP and MAC addresses or device classifications. Sensitive data such as passwords and tokens stored by the server are encrypted at rest using PostgreSQL database encryption with AES-128. All data sent from the Edge to the server are carried over SSH and encrypted with the ChaCha20-Poly1305 cipher provided by standard OpenSSH. Neither PII nor ePHI are transmitted out of the Edge to the cloud or on-prem servers. None of the data processed on the Edge is written to disk or otherwise persisted. All data stored in the Asimily cloud remain in the country of origin, and no data are ever shared with any third party without explicit customer authorization.
Local account passwords are stored salted and hashed, and sensitive values such as external connector API keys are stored encrypted with AES-256.
If a customer prefers that no information be stored in the cloud, Asimily offers a purely on-premises deployment in which all data stay behind the customer’s firewall.
 

Hardening

Both Edges and servers run Sophos anti-malware agents at all times. For on-premises components such as Edges, customers may install their own anti-malware agents with prior approval.

The controls Asimily applies to cloud environments include:
All cloud customer instances are dedicated to a single customer and segregated from each other; no multi-tenancy is employed.
Customer production environments are maintained on different servers from any internal corporate application or test environment.
A cloud VPN with additional two-factor authentication is used for all internal access to cloud servers.
Google Cloud Secret Manager is used to store all relevant credentials, including links to the Asimily portal itself.
Separation of duties is in place and only specific employees are granted access, with changes requiring executive approval.
Monitoring detects and alerts on any cloud configuration change.
Cloud servers are hardened so that data is accepted only point-to-point from specific customer sites; data from any other source is rejected.
Strict firewall rules are employed on both the Edge and server sides to restrict traffic between systems to only what operations require.
Geo-fencing on the customer side is implemented so that data can only be accessed from certain locations.
Cloud workload monitoring, along with other Google Cloud Platform services, is used to detect various kinds of attacks.
All access to servers is logged and monitored.

The controls Asimily applies to Edge appliances include:
Separation of duties is in place and only specific employees are granted access, with changes requiring executive approval.
iptables-based firewall rules restrict inbound and outbound communication to allow-listed peers.
The Edge requires only outbound access through the customer’s firewall to the cloud or on-prem server; all other traffic can be denied.
Inbound access to the Edge is by direct SSH only, over VPN where applicable.
Edge SSH access uses customer-specific randomized 30-character passwords.
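The Edge firewall posture described above, as an added example that is not Asimily’s own configuration: a POSIX shell function that renders an iptables-restore ruleset with default-deny policies on every chain, SSH administration accepted only from a VPN range, and new outbound connections permitted only to the server plus any explicitly allow-listed peers. The server is assumed to be reached over SSH on TCP port 22 (the Edge-to-server transport is OpenSSH, but the port is an assumption), and the addresses, the VPN range and the `render`/`apply` wrapper are illustrative.

```shell
#!/bin/sh
# Added example (not Asimily's configuration): render a default-deny iptables
# ruleset for an Edge appliance in iptables-restore format.
#   $1   server the Edge reports to (cloud or on-prem), reached over SSH (assumed TCP/22)
#   $2   VPN range from which SSH administration of the Edge is accepted
#   $3.. optional extra outbound peers as "addr:proto:port", e.g. 203.0.113.53:udp:53
gen_edge_rules() {
    server="$1"; vpn_cidr="$2"; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${vpn_cidr} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d ${server} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Each extra peer becomes exactly one allow rule; nothing else may initiate a connection.
    for peer in "$@"; do
        addr=${peer%%:*}; rest=${peer#*:}; proto=${rest%%:*}; port=${rest#*:}
        echo "-A OUTPUT -d ${addr} -p ${proto} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of whatever the default DROP policies discard, for the SIEM.
    cat <<EOF
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "edge-drop-in: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "edge-drop-out: "
COMMIT
EOF
}

# Usage: sh edge-rules.sh render <server> <vpn-cidr> [peer...]   (print the ruleset)
#        sh edge-rules.sh apply  <server> <vpn-cidr> [peer...]   (load it; needs root)
case "${1:-}" in
    render) shift; gen_edge_rules "$@" ;;
    apply)  shift; gen_edge_rules "$@" | iptables-restore ;;
esac
```

Because OUTPUT defaults to DROP and no DNS rule is rendered unless it is passed as a peer, the server should be given as an IP address; if the Edge needs DNS or NTP, add them explicitly (for example `203.0.113.53:udp:53`) rather than opening outbound UDP generally. The FORWARD chain stays closed because the Edge is an endpoint, not a router.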
 

Secure Development Lifecycle

Asimily follows OWASP secure coding practices and runs all of its software, across both Edge and server, through the Tenable vulnerability scanner to identify and fix vulnerabilities. Static and dynamic analysis are also employed before any release is deployed to production, along with internal penetration testing. Source code is hosted in private GitHub repositories and secured with controls similar to those Asimily applies to customer data, such as mandatory two-factor authentication and access limited to development and QA employees. To protect against supply-chain attacks, Asimily’s build system runs on a protected server, and deployed executables are cryptographically verified to match the authorized build from that server.
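One concrete form of the build-verification step named above, as an added example and not Asimily’s own tooling: the build server records a SHA-256 digest for each artifact in a manifest, and the deployment step recomputes the digest of the executable it is about to install and refuses anything that does not match or is not listed. The manifest format, the artifact names and the `shasum` fallback are assumptions for this illustration. The manifest itself must reach the deployment host over an authenticated channel (signed, or fetched over the same mutually authenticated session as the build), otherwise the check detects corruption but not substitution.

```shell
#!/bin/sh
# Added example (not Asimily's tooling): pin deployed executables to the digests
# recorded by the build server. Manifest format is an assumption, chosen to match
# what sha256sum writes so the file can also be checked with sha256sum -c:
#   <sha256 hex>  <artifact name>

# Print the SHA-256 of a file; sha256sum is coreutils, shasum is the BSD/macOS fallback.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Build side: write SHA256SUMS in directory $1 for the artifact names that follow.
write_manifest() {
    dir="$1"; shift
    : > "$dir/SHA256SUMS"
    for f in "$@"; do
        printf '%s  %s\n' "$(digest_of "$dir/$f")" "$f" >> "$dir/SHA256SUMS"
    done
}

# Deploy side. Exit status: 0 = matches the authorized build,
# 1 = digest mismatch (refuse), 2 = not listed in the manifest (refuse: never authorized).
verify_artifact() {
    manifest="$1"; file="$2"; name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$manifest")
    if [ -z "$expected" ]; then
        echo "REJECT $name: not present in manifest" >&2; return 2
    fi
    actual=$(digest_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK $name $actual"; return 0
    fi
    echo "REJECT $name: expected $expected got $actual" >&2; return 1
}

# Install $2 to $3 only after it verifies against manifest $1; propagates the refusal code.
install_verified() {
    verify_artifact "$1" "$2" || return $?
    install -m 0755 "$2" "$3"
}
```

The point of the two distinct failure codes is that an unlisted file is not a neutral case: an executable the build server never enumerated is exactly what a compromised pipeline would try to slip in, so it is refused just as a tampered one is.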
When building data processing functionality, any data held in memory is kept only for as long as processing requires and is deleted afterwards. The memory used is locked so that it is not paged to disk and cannot be read by any other process. Such in-memory analyses are limited and are used mostly for real-time work such as flow analysis.
ITIL-based change control processes are in place so that any change is reviewed by multiple stakeholders before going live, with rollback arrangements in case the change does not work as planned. Asimily requires separation of duties for almost every action, including technical design, implementation and deployment. Updates to the server are performed by a small number of designated employees.
Asimily performs periodic internal and external penetration testing, and regular vulnerability scanning at key stages of its Secure Development Lifecycle.
 

Availability

Asimily employs a highly available architecture, designed specifically without single points of failure. The Edge processor and the server each restart critical processes if they stop or stall, and each continues functioning if the other is taken offline. Within the server, functionality is further separated so that the data processing layer can go down without the customer-facing web interface failing.
Asimily’s team continuously monitors all infrastructure for uptime, and daily database backups are taken so that all data can be recovered. Asimily also takes daily snapshots of each server, stored in the US multi-region for high availability. Failure of an individual server, or downtime of a full Google Cloud region, will not result in data loss.
 

Asimily Cloud Provider & 3rd Party SaaS Vendors

Asimily uses Google Cloud as its cloud provider, and each customer is provisioned their own server instances in their country of origin. Google Cloud complies with and is audited against the following standards:
ISO/IEC 27001 (Information Security Management)
ISO/IEC 27017 (Cloud Security)
ISO/IEC 27018 (Cloud Privacy)
ISO/IEC 27701 (Privacy)
SOC 2 and SOC 3.
Asimily also supports AWS and Oracle Cloud Infrastructure (OCI) for non-US regions. Asimily uses a risk-based approach to vendor security assessment before onboarding any vendor: the vendor’s security is evaluated to produce a risk rating and an approval decision for onboarding.

Please contact your Asimily representative with any additional questions on the Asimily solution.