When we started Evident.io, the first thing we did was plan for security. Unlike companies who put the product first, we put our customers ahead of everything else. It’s your data, and we’re the vigilant guardians protecting it. Expect nothing less from a true modern security organization.
The Evident Security Platform (ESP) exceeds industry standards when it comes to security practices. We make “the other guys” blush when compared head-to-head in enterprise security audits, and that makes us proud. Go ahead, put us through the gauntlet. We love it.
Data collected by ESP:
Evident Security Platform collects metadata describing your AWS infrastructure and assembles a global security picture to provide your organization with everything they need to mitigate existing and future threats against your cloud infrastructure. This data collection is controlled by an IAM Security Policy that is owned by the customer organization, and frequently updated by AWS. This read-only policy allows us to run basic informational API calls like Describe and List, allowing us to build a full picture of your environment without granting us access to read actual data inside the environment. We cannot modify your resources at any time under this policy — in fact, we’ll alert you should you accidentally add those kinds of rights to the policy attached to our service role. That’s how serious we are about protecting your cloud.
Your data is encrypted at all touch points in our infrastructure. From collection, where it is secured by HMAC-SHA256 signed API requests with STS authentication, to processing where it is encrypted in flight and on disk, to at rest or in the database where it sleeps in encrypted harmony… we use every sensible mechanism to protect your data. Even your session to view the dashboard and alert data is protected by TLS1.2. Sorry IE6 users.
Customer Access to Data:
We make sure our platform is open and available for customers to obtain their data via various methods, and then get it where it needs to be in order to be most effective. This means you have multiple vehicles to choose from, all of which are tightly secured and monitored by our security operations team.
When it comes to using the ESP Console, we encourage (sometimes forcefully) users to diversify their security measures and layer them. For example, we support MFA but don’t turn it on by default. That doesn’t mean we won’t send you the occasional nag email to ask you to enable it — it’s for your own good. We’re like a caring mother, who also happens to know a lot about protecting the cloud. Many users have commented on our 12-character minimum password with complexity requirements… We require some base level security for your own good, and for the safety of your organization’s data. Mom’s always right. Remember?
Payment Information & PCI Compliance:
Our complete payment system is actually Stripe, which is PCI Service Provider Level 1 Certified and awesome. So swipe away with that credit-card, it’s safer than any gas pump, pizza joint, or big-box store you’ve visited recently.
Our platform is operated in secure computing facilities owned by Amazon Web Services (yes, we’re a customer too!) and subject to their underlying security protocols. You can learn more about their 20+ achieved certifications on the AWS Compliance Page.
None of these security measures are worth squat without the right humans backing it up. We not only put together a team of the most sophisticated cloud security professionals on the planet, but we continue to challenge them through training, security show-and-tell, hackathons, red team exercises, and continued education. Nobody invests more time in improving the collective intelligence of their cloud security team than we do.
Our Affiliations and Partnerships:
We forged a strong alliance with AWS before we ever existed as Evident.io. We’ve carried that partnership through to the highest level recognized by AWS today —Advanced Technology Partner with special recognition for Security Competency.
We also go beyond the ecosystem and spend time improving security for the whole industry as it migrates to the cloud. We are a proud sponsor corporation and contributing member of the Cloud Security Alliance, and a member of the PCI Security Services Council.
We bring all of these together to provide our customers with the latest in security awareness, leading-edge practices to protect against 0-day attacks, and the freshest security insights on emerging technologies. By actively participating and shaping the future of our industry, we ensure that our customers needs are not only met… but exceeded.
Responsible Disclosure and the Security Community:
Evident.io operates a bug bounty program through HackerOne, which is private and requires security researchers to be invited to participate. If you would like to report a security vulnerability to Evident.io or discuss an issue you have identified, please follow this process:
- Go to the HackerOne website (https://hackerone.com/)
- Sign up for a HackerOne account
- Send an email to firstname.lastname@example.org with your HackerOne username and the email address associated with your account so we can add you to our bug bounty program
- Once invited to the Evident.io bug bounty program, go to https://hackerone.com/evident and submit your bug report
- Wait for a response from the Evident.io security team
Thank you in advance for your participation in protecting our platform’s users.
Our Public Key:
—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: GnuPG v1
—–END PGP PUBLIC KEY BLOCK—–