At Workspot, we are extremely focused on the security of our cloud service. Our cloud control plane is essentially a collection of micro-services running on the Amazon Cloud. Over the last two years, we have followed stringent security policies for developing and deploying our product to address customer concerns in the areas of data protection, identity verification, availability of our cloud service, and multi-tenancy privacy. We have implemented a state-of-the-art security architecture with continuous monitoring and penetration testing of all layers in our infrastructure and application stack.
Skyhigh identifies and classifies thousands of cloud services and provides an objective and detailed evaluation of the enterprise-readiness of each cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). The attributes evaluated span five categories:
- Data attributes
- User and Device attributes
- Service attributes
- Business attributes
- Legal attributes
Below is a high-level description of the technical safeguards we have at Workspot:
- Datacenter Security: Workspot’s physical infrastructure is hosted at Amazon’s secure data centers and leverages Amazon’s Web Services (AWS) technology. Amazon undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
For additional information, see: https://aws.amazon.com/security
- Control vs. Data Plane Separation: Workspot’s cloud service has been architected to be a control plane. Only the IT admin driven “control and command” communication happens between mobile clients and Workspot Control. The separation between control and data planes does not affect the availability and performance of our customers’ business applications. For additional information, check out this white paper.
- Cloud Service Application Security: Here are some of the key tenets used to secure our cloud control service:
- Stateless and share-nothing architecture: All the web containers used in Workspot’s cloud service are stateless. Runtime information, including details like connectivity to other services, is included in the node startup manifest file. All data that needs to be persisted is stored in stateful backing services. This ensures that the individual nodes are not holding any sensitive data and are protected against vulnerabilities discovered in web containers.
- Principle of Least Privilege: All services that encompass the Workspot cloud control follow the principle of least privilege. Only the permissions needed to complete the required tasks are provided to each service.
- Authorization for every API request: Workspot cloud service is front-ended by scalable REST APIs. All elements of the product - mobile client, PC client, Splunk SDK client and IT Administrative UI - use the same API channel. Every API request is authenticated and authorized not only at the API Gateway but at every point in the stack when the business logic is executed. This ensures multi-tenancy protection not only for users in the same organization but also between different customers on the same shared backing datastore.
- Session Management: Rather than using a bespoke session management framework, Workspot service is based on a custom session authorization implementation. Full protection is added and tested regularly for attacks like session fixation, session puzzling, bypassing session schema, session variables exposure and CSRF (cross site request forgery).
- Input validation: Best practices are followed and protection is added for common attacks like SQL injection, NoSQL injection, HTML injection, ORM injection, SSI injection and overflow (stack, heap, integer) attacks.
- Penetration Testing: We frequently perform internal and customer driven penetration testing and use the OWASP Testing guides as a benchmark.
- Monitoring: Our devops and infosec teams uses automated notifications from various internal sources and external providers like Cloudflare, Sendgrid, Zendesk and Heroku to identify and manage risks.
- Data Security: All log files and sensitive data is encrypted automatically using Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys.
Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Rating and which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection. This is a testament to Workspot’s focus on delivering the industry’s most secure and simple unified workspace-as-a-service solution.