Security at Node Patrol
Short on time? Here's what you need to know:
- Our ISMS has been externally certified to the international ISO/IEC 27001 standard
- We test our software security against the OWASP testing framework
- Our cloud software and infrastructure is penetration tested by certified ethical hackers
- We encrypt all data in transit and at rest
- Two-factor authentication is available for all customers, and optionally enforceable for all users
- You can permit access only to those within your network using the IP whitelist
- Configure SAML so your team can login using your own identity provider (such as Okta, OneLogin, AzureAD or ADFS)
- We sign our software using an Extended Validation Code Signing Certificate
- The infrastructure you use and data you store is situated in Ireland
We’ve had our Information Security Management System (ISMS) audited and tested against the demanding ISO/IEC standard 27001. The certification has given us great comfort knowing that the identification, monitoring and management of our risks is effective and in line with industry best practice. As a business it has given us peace of mind knowing that we’re applying best practice to protect our assets and our customers. To find out more about ISO/IEC 27001 please visit ISO.org.
All customers are entitled to a read-only copy of our ISMS manual and Security Development policy. Please contact us to request a copy of this document.
As part of our ISMS (ISO/IEC 27001 certified) we conduct background checks all employees prior to their employment.
We provide privacy and security awareness training to all employees as part of their induction and every 6 months thereafter. During these sessions our employees are required to read and sign internal security and privacy policies to confirm their understanding and responsibilities.
Security audits and penetration testing
Our ISMS is audited annually by an independent third-party and our application is regularly patched and penetration tested by Everlution Software, a B2B software development company that specialises in the design, development and maintenance of highly secure and scalable web applications. Our source code is automatically assessed for vulnerabilities.
Data in transit
All data in transit is secured using Extended Validation (EV) SSL with 2048-bit signatures and 256-bit encryption. It’s the same level of encryption used by major banks and government websites.
Extended Validation is the highest form of SSL certificate on the market and it takes approximately one week for an organisation to be granted one. Before receiving our EV SSL certificate a trusted independent authority are required to verify Node Patrol as a legal entity and confirm our good intentions as an organisation, giving customers greater confidence when doing business with us.
Data at rest
Node Patrol uses in-memory data structure stores for its databases, which means our production databases are running in volatile storage (memory). The non-volatile copies of our production databases (data at rest) are protected using AES 256-bit encryption. We also use industry standard disk encryption to protect data saved on our workstations and servers. Our strict ISMS policies prevent Node Patrol employees needlessly accessing your data, and we employ logging with external auditing to ensure these policies are always complied with.
We employ various AWS features to provide the highest possible service performance and availability. These features include but are not limited to Elastic Load Balancing, Availability Zones, Elastic IPs, Simple Queuing Service and Elastic Block Stores. Together, these services protect us from failures at all layers: component, host, service, site and zone.
We sign our software using Extended Validation SSL Code Signing certificates, enabling our customers to verify that an application or script was genuinely created by Node Patrol. Customers may use this certificate to permit our code to run in networks with Application Whitelisting or Script Execution policies. We’re also a Microsoft trusted publisher, so you’ll know that an application you’re installing was created by us and won’t be prevented from installing our software by SmartScreen. You’ll also see our publisher information in User Account Control prompts.
Our central logging system records access to all of our development, testing and production environments. Events are ingested by our logging tool and analysed by our automated monitoring system. All anomalies and unusual behaviour is flagged for manual review, handled by our security team and overseen by our CTO.
Hosted in the United Kingdom or Ireland
All of our infrastructure services are hosted in UK or Irish data centers, and unless stated otherwise your data will never be processed or stored outside of these regions. We utilise Content Distribution Networks to ensure the rapid and reliable delivery of assets such as our JS libraries, stylesheets and images, but never to distribute your data.
Application security features
Two-factor authentication (2FA/MFA)
2FA is available as an option for all users but can also be enforced system-wide by an administrator. You can also configure 2FA to respect your IP whitelist, allowing you to disable it if the visitor already on your corporate network to reduce login time and improve user satisfaction for low risk sessions.
Customisable layer 3 IP whitelist
We’ve developed an optional IP whitelist that can be configured in your System Settings. You can use this whitelist to prevent users from accessing Node Patrol while outside of your corporate network.
All user activity in the application is logged and immediately available for review. This includes changes to administrative settings, user accounts, device groups, devices, organisations, and monitoring templates.
Managing our third parties
Third-party policy alignment