We believe in security by design that permeates all aspects of the software lifecycle. Protego Labs is committed to best practices across our organization.

Product Security

As a security company, Protego Labs understands the crucial role that privacy and security play from the earliest stage of a product, and builds everything with these two elements in mind. We demand only the highest standards of both.

Authentication

All services provided by Protego require authentication through AWS Cognito. After a successful login, Cognito issues a short-lived JSON Web Token (JWT); every call to our services and APIs must present this token, and it is what the backend uses to authorize the request. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, and ISO compliant. Protego also supports federated identities, so you can sign in through your own identity provider and keep using your existing user directory while working with our services. Additionally, Protego supports Two-Factor Authentication (2FA) for increased security.
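As an added example (not Protego's code), this is the check a backend should run on every request that carries such a token, written in Go with only the standard library: verify the RS256 signature against the key identified by the token's kid before trusting any claim, pin the algorithm so the token cannot choose it, and then bind the claims to the expected user pool (iss), app client (client_id), token type (token_use) and expiry. The issuer URL, client ID and key ID are constructed placeholders, and the Sign function stands in for the identity provider so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims checked on a Cognito-style access token (claim names as Cognito emits them).
type Claims struct {
	Iss      string `json:"iss"`
	ClientID string `json:"client_id"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
	Sub      string `json:"sub"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Verifier: trusted public keys by kid (a cached JWKS) plus the issuer and app client that every accepted token must be bound to.
type Verifier struct {
	Keys     map[string]*rsa.PublicKey
	Issuer   string
	ClientID string
}

var enc = base64.RawURLEncoding
func segment(v interface{}) string { b, _ := json.Marshal(v); return enc.EncodeToString(b) }
func decode(seg string, v interface{}) error {
	b, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Sign issues an RS256 JWT; the identity provider does this in production, it is here so the example runs offline.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	input := segment(jwtHeader{Alg: "RS256", Kid: kid}) + "." + segment(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify checks the signature before trusting any claim, then the claims, and returns the subject.
func (v *Verifier) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var h jwtHeader
	if err := decode(parts[0], &h); err != nil {
		return "", err
	}
	// Pin the algorithm server-side; the token must not choose it (blocks alg=none and RS256-to-HS256 confusion).
	if h.Alg != "RS256" {
		return "", errors.New("unexpected alg " + h.Alg)
	}
	pub, ok := v.Keys[h.Kid]
	if !ok {
		return "", errors.New("unknown kid " + h.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c Claims
	if err := decode(parts[1], &c); err != nil {
		return "", err
	}
	if c.Iss != v.Issuer || c.TokenUse != "access" || c.ClientID != v.ClientID {
		return "", errors.New("token not issued by this pool for this client")
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

// NewDemoVerifier generates a throwaway key pair standing in for the user pool's signing key; the pool URL and client ID are constructed values.
func NewDemoVerifier() (*Verifier, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Verifier{
		Keys:     map[string]*rsa.PublicKey{"key-1": &priv.PublicKey},
		Issuer:   "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
		ClientID: "example-app-client-id",
	}, priv
}
```

In production the public keys come from the user pool's JWKS endpoint and are cached and refreshed by kid. An ID token (token_use of id, carrying aud rather than client_id) must not be accepted where an access token is expected, which is why token_use is checked explicitly rather than only the signature.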

Access Control

Protego runs on a strict access control policy. Every user, function, and resource in our platform runs under its own IAM role, designed to follow the least privilege principle and stripped of any permission it does not need. This reduces the potential attack surface and keeps the access control policy robust.

To view the list of the requested permissions, contact us at [email protected]
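The kind of check behind continuous auditing of such roles, as an added example in Go that is not Protego's code: parse an IAM policy document and flag every Allow statement that grants more than a single function should hold. The two policy documents are constructed for the example, with a made-up account ID.

```go
package main

import (
	"encoding/json"
	"strings"
)

// stringOrList accepts both IAM forms: "Action": "s3:GetObject" and "Action": ["a", "b"].
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type statement struct {
	Sid       string       `json:"Sid"`
	Effect    string       `json:"Effect"`
	Action    stringOrList `json:"Action"`
	NotAction stringOrList `json:"NotAction"`
	Resource  stringOrList `json:"Resource"`
}

type policyDoc struct {
	Statement []statement `json:"Statement"`
}

// Finding is one grant that is broader than a least-privilege role should carry.
type Finding struct {
	Sid    string
	Reason string
}

// AuditPolicy flags Allow statements with wildcard or service-wide actions,
// wildcard resources, or NotAction (which allows everything not listed).
func AuditPolicy(doc []byte) ([]Finding, error) {
	var p policyDoc
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var out []Finding
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue // Deny statements only narrow access
		}
		if len(st.NotAction) > 0 {
			out = append(out, Finding{st.Sid, "NotAction allows every action except those listed"})
		}
		for _, a := range st.Action {
			if a == "*" {
				out = append(out, Finding{st.Sid, "Action * allows every API call"})
			} else if strings.HasSuffix(a, ":*") {
				out = append(out, Finding{st.Sid, "service-wide action " + a})
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				out = append(out, Finding{st.Sid, "Resource * applies to every resource"})
			}
		}
	}
	return out, nil
}

// BroadPolicy is a constructed example of a Lambda execution role policy that
// "works" but grants far more than the function needs.
const BroadPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*"},
    {"Sid": "Data", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}
  ]
}`

// TightPolicy is the least-privilege rewrite of the Data statement: only the
// calls the function makes, only on its own table.
const TightPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*"},
    {"Sid": "Data", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}
  ]
}`
```

Some actions genuinely require Resource "*" because they have no resource-level permissions, so treat findings as review items rather than automatic failures. The audit does not expand partial wildcards such as dynamodb:Get*, and a real policy may carry Statement as a single object rather than an array; both are straightforward to add once the basic pass is in place.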

Encryption

Protego uses cryptographic algorithms and standards that follow NIST recommendations. In particular, Protego uses RS256 (RSA signature with SHA-256), an asymmetric signature algorithm, for integrity and authenticity checks, so that any alteration of data during storage or transmission is detected (a signature does not hide data; confidentiality comes from the encryption described next). Protego uses AES-256-GCM, an authenticated symmetric cipher, to encrypt data at rest, and RSA-2048 keys to protect the confidentiality and integrity of exchanged data and to provide non-repudiation of transactions. All keys are adequately protected and rotated. In addition, because Protego uses AWS Cognito for authentication, Protego does not store or manage customer passwords; they are handled securely by AWS.

Configuration Management

Insecure configuration is one of the most common pitfalls in serverless development. Protego Proact was designed to help customers verify that their applications are deployed according to best practices, such as the least privilege principle, and we use Proact ourselves to protect our own product. Restricted resource policies, minimal function timeouts (execution time limits), and continuous auditing and pruning of unused versions and resources are part of our secure configuration management principles.

Supply Chain

Serverless functions are usually small and used to build microservices. To do their work they pull in many dependencies and third-party libraries; it is not uncommon for a single serverless function to include tens of thousands of lines of code from various external sources. To make sure applications are not exposed to supply chain attacks, Protego Proact identifies the use of vulnerable libraries based on several sources, including the NIST National Vulnerability Database (NVD). We use Protego Proact to continually scan our staging and deployment environments and remove known vulnerable dependencies before they become security risks.

Auditing

Protego utilizes AWS CloudTrail to keep an audit trail of all events that occur in the cloud account, both external and internal. Information about the events is sent to the Protego backend and is stored according to our retention policy. This data can later be used for generating security events and providing detailed forensics information.

Penetration Testing

Protego Labs undergoes internal penetration tests. In addition, an annual information security assessment and penetration test by an independent security firm is scheduled to begin in Q1 2019. The penetration tests use rigorous and uncompromising methodologies against Protego Labs' entire infrastructure. They follow a gray box approach, in which the testers are assumed to have some knowledge of the system's internals. The tests focus on information gathering, configuration and deployment management, authentication, authorization, session management, data validation, error handling, business logic, and cryptography.

Security Policies

Policy is the cornerstone of an information security program, as it reflects the organization's objectives and the agreed-upon management strategy for securing information. Protego Labs' security program is self-assessed for compliance with ISO 27001, the standard that governs Information Security Management Systems (ISMS).

Risk Management

Protego Labs has an established process that periodically assesses risks to customers' information assets within the organization. We strive to follow the ISO 27001 standard for the design and implementation of risk management that addresses company and architecture security risks.

User Access

All user accounts used to access information assets are unique and clearly associated with an individual user. The company is responsible for reviewing the authorization privileges assigned to its employees to ensure that access is appropriate for the user's job role. The company ensures that procedures exist for prompt modification or termination of access rights in response to organizational changes.

Cryptographic Controls

Protego uses cryptographic algorithms and standards that follow NIST recommendations. Protego Labs uses RS256 (RSA signature with SHA-256) for integrity and authenticity checks, so that any alteration of data in storage or in transit is detected, and AES-256-GCM for encryption of data at rest. Additionally, RSA-2048 keys are used to protect the confidentiality and integrity of exchanged data and to provide non-repudiation of transactions.

Secure Development

Protego Labs continuously validates and tests its software and application source code for vulnerabilities and weaknesses before deploying code to production. Software development follows a Software Development Lifecycle (SDLC) with appropriate security checkpoints. All software deployed to production must go through the company's change control process. Additionally, we run Protego Proact as part of our development pipeline to ensure that functions are not deployed with vulnerable libraries or code and that they follow the least privilege principle, minimizing the potential attack surface.

Data Protection

We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.

Data in Transit

Protecting data in transit is an essential part of our data protection strategy. Transactions with cloud provider APIs are protected with TLS 1.2 (as supported by the cloud providers) and authenticated with temporary IAM access keys. The Protego dashboard is available only over HTTPS with Cognito-based user authentication, and the Protego REST API is protected by TLS (HTTPS) with token-based authentication.

Data at Rest

Encrypting data at rest ensures that sensitive data saved on disk cannot be read by any user or application without a valid key, and is also required for regulatory compliance. Protego uses the AWS Key Management Service (KMS) to manage the keys used for encryption at rest. Data stored on AWS facilities is encrypted using AES-256.

Isolation

To protect against cross-account leakage, Protego uses a separate AWS sub-account for each customer. All customer data is therefore stored in separate tables, in separate accounts, with separate IAM roles and access policies. Additionally, Protego keeps encryption keys separated per account, so that no account can decrypt data stored in another account.
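An added example, not Protego's code, of what key separation and AES-256-GCM at rest (see Cryptographic Controls above) buy you in practice, in Go with the standard library: each customer account gets its own 256-bit key, standing in for a per-account KMS data key, and the account ID is passed as GCM associated data so a ciphertext is bound to the account it was sealed for. The account IDs and the record content are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// NewAccountKey returns a fresh 256-bit key. In production this is the
// per-account data key obtained from KMS; keys are never shared across accounts.
func NewAccountKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// gcm builds the AEAD and refuses anything but a 32-byte key, so a
// misconfigured AES-128 key cannot silently downgrade the "AES-256" claim.
func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the account's key and binds the result to the
// account ID as associated data. Output layout: nonce || ciphertext || tag.
func Encrypt(key []byte, accountID string, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(accountID)), nil
}

// Decrypt returns the plaintext only if key, account ID and every bit of the
// blob match what was sealed; any mismatch yields the same generic error.
func Decrypt(key []byte, accountID string, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(accountID))
}
```

Decryption with another account's key, with the wrong account ID, or after a single flipped bit all fail with the same error from Open, which is the tamper-detection property the Cryptographic Controls section describes. GCM with random 96-bit nonces should not be used for more than about 2^32 messages under one key, so the key rotation stated in the Encryption section is part of using it safely.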

Retention

Data is retained according to the account retention policy. Basic accounts typically retain data for 30 days. Paid accounts retain data for one year unless otherwise mutually agreed with the customer. Retention is implemented using S3 lifecycle expiration and DynamoDB TTL settings. Additionally, a periodic housekeeping operation ensures that data has been erased according to policy.

Validation

Data validation ensures that only well-formed data enters the workflow. It prevents injection attacks and stops malformed data from being persisted in the database, where it could later cause components to malfunction. Input validation is performed on all inputs, including deserialized data, before processing.
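One way to apply that rule to a JSON API request, as an added example in Go rather than Protego's implementation: bound the body size, reject unknown fields and trailing data at the decoder, then check each field's meaning before anything is stored or acted on. The request shape and field names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// ScanRequest is a constructed request shape for this example; the field
// names are assumptions, not Protego's API.
type ScanRequest struct {
	FunctionArn string `json:"functionArn"`
	MaxFindings int    `json:"maxFindings"`
}

// maxBody bounds what we are willing to buffer: ample for this message,
// far too small for a payload meant to exhaust memory.
const maxBody = 4 << 10

// arnRe accepts only a Lambda function ARN (region, 12-digit account, name).
var arnRe = regexp.MustCompile(`^arn:aws:lambda:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:function:[A-Za-z0-9_-]{1,64}$`)

// ParseScanRequest decodes untrusted input strictly: bounded size, no unknown
// fields, exactly one JSON value, then semantic checks on every field.
func ParseScanRequest(r io.Reader) (*ScanRequest, error) {
	body, err := io.ReadAll(io.LimitReader(r, maxBody+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxBody {
		return nil, errors.New("request body too large")
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // an unexpected key is a malformed request, not noise
	var req ScanRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("unexpected data after JSON value")
	}
	if !arnRe.MatchString(req.FunctionArn) {
		return nil, errors.New("functionArn is not a Lambda function ARN")
	}
	if req.MaxFindings < 1 || req.MaxFindings > 1000 {
		return nil, errors.New("maxFindings must be between 1 and 1000")
	}
	return &req, nil
}
```

Go's decoder matches JSON keys to struct fields case-insensitively, so the structural checks alone do not pin the exact wire format; the semantic checks after decoding are what make the value safe to hand to a database write or to code that builds a query from it.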

Data Manifest

We believe in transparency and we do it wherever we can. We want you to know exactly what type of data we collect and why.

Customer Data

Protego collects detailed metadata about the following resources: CloudFormation Stacks, Lambda Functions, S3 Buckets, API Gateways, DynamoDB Tables, IAM Roles. For Lambda functions, Protego runs detailed code analysis and emulation. For all other resources in the customer account, Protego collects basic resource information.

Nevertheless, even this metadata can contain sensitive information, especially about the topology and operation of the customer's application. Therefore, all data collected by Protego is stored securely and protected according to high industry standards.

Intellectual Property

Protego's code analysis executes within the confines of the customer account, which ensures that customer code and IP never leave the customer account and are not accessible from the Protego backend at any time.

The analysis process sends its findings to the Protego backend including:

  • Cloud provider resources that are accessed by the function and the actions taken upon those resources
  • A list of code behaviors such as whether the code accesses SQL or NoSQL databases, whether the code processes HTML, etc.
  • A list of risky code behaviors detected in the function, such as usage of text-to-code conversions such as eval or exec. (Note: The code is not reported, only the detected behavior.)

End-User Data

Protego Labs does not collect end-user data; we collect only application behavior metadata. We take several steps to ensure that the data we collect relates only to application behavior and does not include end-user data or other sensitive information.

Data Audit

Protego takes active steps to make sure no private or sensitive data is collected by our services. Additionally, to maintain a high level of privacy and to help customers, a compliance team conducts periodic audits to identify and flag any potentially sensitive data that customers may have inadvertently included in the data we collect.

Data Compliance

Protego uses AWS compliance-ready facilities, services, and controls to maintain your organization's security and data protection in the cloud and to align with your organization's regulatory and compliance requirements. For more information, you can refer to our compliance page.

Responsible Disclosure

As a security company, we believe our product should have the highest level of security. In order to fulfill this promise, we treat security as our number one priority and guide our decisions based on our security and privacy principles. If you have found a security vulnerability in Protego’s products or services, we appreciate your help in responsibly disclosing the details to our team.

What We Request from You

Send an email to [email protected]. We prefer that you use our public PGP key to protect the information you send.

Please include the following information:

  • A detailed description of the vulnerability, including the affected URL and the type of vulnerability
  • The necessary information that we need in order to reproduce the problem
  • If applicable, a screenshot of the vulnerability you found
  • Contact information, name, email, phone number, and your public PGP key (if you have one)

We Ask You to Be Responsible

  • Do not share the problem with others until it has been resolved.
  • Delete any confidential information obtained while the vulnerability existed as soon as it has been fixed.
  • Never purposely disrupt services for other users.
  • Never attempt to access or modify data from other users.
  • In order to keep everyone safe, please act in good faith towards our users’ privacy and data during your disclosure.

What You Can Expect from Us

  • If you have followed the guidelines above, we will not take legal action against you.
  • We will respond to your report within three business days with our evaluation of the report and an expected resolution date.
  • We will not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem and we will give your name as the discoverer of the problem (unless you desire otherwise).
