Last updated: October 2021
In addition to creating the world’s most advanced SaaS Security Posture Management offering, we are also dedicated to protecting our solution in accordance with industry best standards and practices. Our customers demand the highest levels of data security, and we are committed to ensuring that our solution meets their standards. We have surpassed the expectations of some of the most sophisticated, security-minded organizations in the world. Below is Adaptive Shield’s security overview:
Adaptive Shield’s platform collects metadata such as security settings and configurations, user permissions, profiles, audit logs, etc. Adaptive Shield does not collect user or enterprise data such as the contents of email mailboxes, or business data stored in the SaaS solutions it monitors.
Adaptive Shield is ISO 27001 compliant as well as GDPR compliant. Adaptive Shield maintains a Written Information Security Policy (WISP) and follows common best practices such as environment separation (Dev, Staging, Production) and patch management.
Adaptive Shield uses its own permission platform to ensure that customer data is only accessed by the relevant customer’s users.
Adaptive Shield performs code review and runs static code analysis scans on its proprietary and third-party code packages and libraries as part of its CI/CD pipeline. Adaptive Shield complements this with dynamic web vulnerability scanning of the running application, using a web security scanner in both an authenticated and an unauthenticated state.
Adaptive Shield’s infrastructure is protected using multiple tools, including:
The infrastructure and its protections are reviewed and monitored regularly to verify their integrity.
Adaptive Shield only collects metadata, and its security is a top priority. Traffic is encrypted using TLS 1.2 at minimum with modern cipher suites, and data at rest is encrypted using AES-256 or similar encryption. Field-level encryption is performed as needed using an HSM-based KMS. Keys are rotated regularly and alerts are in place for access events. Credentials are hashed and salted using modern hash functions according to industry best practices.
The Adaptive Shield platform fully supports access control:
Adaptive Shield offers IP allow listing from both the platform side and the customer side. The platform gives the customer the option to create an IP allowlist of the account’s trusted IPs, limiting and controlling access to the platform. Adaptive Shield maintains a pool of static IP addresses from which it monitors the different SaaS integrations; these IP addresses can be added to the allowlist on the customer's end in order to increase security and tighten monitoring.
Customers have full access to Audit Logs of the Adaptive Shield platform. This allows full monitoring of User Activity as well as API Activity. Customers also have access to the System Activity, allowing visibility into the platform’s activity as it communicates with the connected SaaS applications.
Customers can use four types of user roles in order to limit access to the Adaptive Shield platform. Customers can also use the scope role to limit users’ permissions to specific connected SaaS applications.
Security starts at home, and we at Adaptive Shield practice what we preach. Employees are granted access rights in accordance with the least privilege principle.
Management traffic is conducted out-of-band and is encrypted using a VPN, which requires personal client-side certificates.
Access rights and Access policies are regularly reviewed. Suspicious events, abnormalities, unexpected behavior, and sensitive activity are centrally monitored and alerts are in place.
Security at Adaptive Shield depends on its employees, so Adaptive Shield makes sure they are fully trained. All employees undergo information security awareness training during onboarding. Further security training is provided on a yearly basis. When new threats are discovered, all employees are fully briefed on the matter and trained to avoid and mitigate such threats.
Full point-in-time backups are conducted daily and are retained for an adequate period of time. The backups are automatically tested on a daily basis to make sure they can be used for restoration.
Production databases are clustered in a primary-secondary architecture, allowing fast failover between them in case of a node failure.
Adaptive Shield is compliant with GDPR and will share personal information with third parties only as detailed in the Adaptive Shield privacy policy, available here: https://www.adaptive-shield.com/privacy