ABOUT THE AXONIUS SECURITY PROGRAM
The Axonius security program is designed to safeguard the confidentiality, integrity, availability, and privacy of our information systems and data that Axonius stores or processes.
Axonius has a formal cybersecurity program, aspects of which are outlined below. It is managed by our full-time security team and involves stakeholders across all Axonius departments.
In deciding which aspects of the program to describe here, we focused on the components we ask about when evaluating our own vendors. Below is what we think you would most want to know.
Frameworks and Certifications
Drawing on the expertise of our personnel and on industry practice, we structure the Axonius security program around the SOC 2 Trust Services Criteria for Security and ISO 27001. These frameworks help ensure that we implement comprehensive security measures such as access control, infrastructure and application defenses, and risk management. They also map to other control catalogs, such as those published by NIST and CIS.
The same frameworks give independent auditors a basis for reviewing our security and communicating the results to our customers. To provide that assurance, we obtained an ISO 27001 certificate and a SOC 2 Type 2 attestation from Schellman, an experienced and accredited audit firm. For customers that process protected health information, we also obtained from the same firm a Type 1 attestation covering the HIPAA Security Rule and the HITECH breach notification requirements.
Current and prospective Axonius customers can access our SOC 2 and HIPAA reports at the Axonius Trust Center after an NDA is executed with us.
The Axonius Platform
The Axonius website offers details about the Axonius Platform, which aggregates, normalizes, deduplicates, and correlates data from hundreds of existing data sources to deliver a system of record for a diverse range of digital assets. By providing comprehensive visibility into all assets — devices, identities, cloud, software, SaaS applications, vulnerabilities, security controls, and their interrelationships — the platform enables organizations to discover security coverage gaps, risks, vulnerabilities, and optimization opportunities, automatically validate and enforce policies, and simplify workflows.
The Axonius Platform combines solutions for both cybersecurity asset management (Axonius Cybersecurity Asset Management) and SaaS management (Axonius SaaS Management) into a centralized platform covering all asset types for all users.
- Axonius Cybersecurity Asset Management aggregates, normalizes, deduplicates, and correlates asset data from existing data sources to give customers a complete cyber asset inventory, uncover security issues, and automate remediation actions, reducing the attack surface and simplifying workflows.
- Axonius SaaS Management helps customers control the complexity, cost, and risk associated with software as a service (SaaS) applications. Designed to address SaaS management, security, and spend challenges, it gives organizations a single source of truth for their SaaS environments.
Product Security
Axonius incorporates security reviews into the Secure Development Lifecycle (SDL) process for the Axonius Platform, giving the Axonius security team the opportunity to provide feedback and guidance. The SDL also includes automated scanning to identify security weaknesses. In addition to this internal oversight, Axonius regularly commissions third-party experts to perform penetration testing to find further application vulnerabilities and help maintain the product's security posture.
The Axonius Platform stores sensitive configuration data, such as adapter credentials, encrypted at rest at the application layer. For product instances that we host on behalf of customers, we also enable AWS EBS volume encryption, a storage-layer control that protects the underlying volumes and their snapshots. Customers who host on-premises instances can enable storage-layer encryption themselves so that device and user metadata is encrypted as well. Note that storage-layer encryption protects the data on disk and in snapshots; it does not by itself restrict access to data on a running instance, which is governed by the access controls described below.
Axonius customers directly control much of the security configuration of their instance of the Axonius Platform, as described in the product documentation. The documentation describes the product architecture and includes instructions such as configuring third-party identity providers, using Role-Based Access Control (RBAC), and reviewing activity logs.
Axonius customers can integrate their own SAML Single Sign-On (SSO) solution with the Axonius Platform.
Infrastructure Security
Customers can host the Axonius Platform themselves or have us host it in the typical SaaS fashion. Axonius hosts the solution in Amazon Web Services (AWS) in a single-tenant model, so each customer has a dedicated, isolated environment. Customers can ask Axonius to host their product instance in any of the AWS regions we support.
We control which Axonius personnel can access our infrastructure, so that we can provide the necessary services to customers without exposing them to undue risk. Connecting to these systems first requires authenticating through our Single Sign-On (SSO) provider, which enforces two-factor authentication (2FA), applies access restrictions, and flags authentication anomalies. All network connections are encrypted using modern cryptographic mechanisms.
Axonius patches its infrastructure regularly to address relevant vulnerabilities in a timely and responsible manner. We use vulnerability scanning and other security tools to verify that patching worked as expected and to identify configuration weaknesses that need remediation. Not surprisingly, we use our own platform to maintain an up-to-date asset inventory. Axonius also regularly commissions third-party experts to perform penetration testing of our infrastructure to help maintain our security posture.
We capture and aggregate infrastructure security events to detect suspicious activity affecting our infrastructure. Our security team investigates relevant events so that, wherever practical, anomalies are identified before they escalate into major incidents. We also maintain a formal incident response plan for handling security incidents in a methodical and responsible manner.
Data Protection and Privacy
Axonius has a formal data classification policy that guides our personnel regarding the security precautions necessary for handling different types of data, ranging from confidential to external. Depending on the classification, Axonius enforces access restrictions and other security controls to safeguard the data in an appropriate manner. Axonius uses modern encryption techniques to protect data in transit and, where appropriate, encrypts data at rest.
With respect to data privacy, our customers control what information their product instance processes and whether that information includes personal data; our customers are therefore the data controllers and Axonius is a data processor. Our standard policies and processes for personal data, including our role and obligations as a processor, are set out in our Data Processing Agreement (DPA). Legal details about our services and commitments are captured in the Axonius Terms and Conditions.
Recognizing the importance of managing security risks in our supply chain, Axonius maintains a vendor management program. It includes security reviews of third-party vendors that act as subprocessors and ensures that our contracts include the terms needed to safeguard our own and our customers' data. The list of our subprocessors is published on our website.
Reporting a Vulnerability
Axonius welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you.
To report a potential security issue to Axonius, contact security@axonius.com. For details, see our Vulnerability Disclosure Policy, which explains how to report vulnerabilities to us, what we expect from reporters, and what reporters can expect from us. The policy applies to any digital assets owned, operated, or maintained by Axonius for which Axonius can legally authorize testing.
TRUST CENTER
We have a dedicated site, the Axonius Trust Center, to outline key aspects of our security program. Please take a look to explore additional aspects of our security controls.