How do you handle security in Exalate?
The security posture of Exalate is based on 3 dimensions:
- Security by Design
Security vulnerability scanning has been implemented at every stage of the development, deployment, and operation of the solution. This scanning is based on the solutions provided by Snyk, which allow highlighting the security problems from the moment a developer types a line of code.
- Advanced Endpoint detection and response (EDR) monitored by a 24/7 SOC
EDR is implemented through a combination of the Palo Alto Cortex XDR solution, a 24/7 manned SOC for addressing incidents and vulnerabilities, and the Security Command Center to guard the Exalate cloud environment.
- Process and policies focused on increasing the security awareness of the whole team
All policies related to the ISO27001 standard have been implemented and are controlled by various processes. Roles and responsibilities are defined and assigned to various people in the team.
These policies include:
- Acceptable use
- Privacy and Employee privacy
- Security awareness training for all the employees
- HR recruitment
- The Incident, Vulnerability, and Change management
- Risk management
Do you have certifications?
iDalko, the company behind Exalate and the related services, is currently in the process of the audits required to achieve an ISO27001 Certification.
This means that all the conditions for achieving this certification have been implemented, we only need the final stamp of approval. Evidence of the auditing process can be provided as per request.
Are you SOC2 compliant?
We are continually improving our security program and we are going to obtain the SOC2 certification once the ISO27001 certification is achieved.
Are you GDPR Compliant?
Yes. iDalko, the company behind the product and the related services has its HQ in Europe (Belgium) and is required to comply with all GDPR-related legislation.
Is Exalate a data processor as defined in GDPR?
Exalate is NOT a data processor as defined in GDPR Art 4. Exalate can be compared to an email system, which is processing synchronization transactions as fast as possible. Exalate has not been designed for processing PII data (ie. there are no tables with user-related information). Exalate can fully operate, even if there is no PII data in the messages.
Can Exalate be integrated with an SSO Solution?
Exalate performs authentication through the underlying task management system. Whenever there is a need to log into the application, Exalate will check with the task management system if the authenticated user is authorized to perform configuration tasks or not. The authentication protocol is either 'Basic Authentication' or 'Oauth' based.
Since Exalate has no such concept as a user directory, there is no need for SSO Solution integration.
What is the benefit of Exalate's single-tenant architecture compared to a multi-tenant one?
A single-tenant application, in the context of integration software, is an application that is related to only one task management system. A multi-tenant application on the other hand allows using one infrastructure to connect with multiple task management systems.
So whenever considering an integration solution, you should pay attention to the tenancy of the proposition.
All software has bugs either because of improper development, configuration mistakes, or any other reason. The recent breaches at Lastpass and Octa show that protecting information is a Herculean task. Integration software is more complex as it needs to take care of many diverse aspects and information paths.
To minimize the risk of information leakage, a single-tenant architecture is a way better option as it allows to contain information leaks at the infrastructure level.
When an Exalate node is deployed on the Exalate Cloud, it is running inside a 'Kubernetes pod' that is configured to ensure no information can leak. The maintenance of this Exalate cloud is fully based on the principles of 'Infrastructure as Code'. There is no action of manual configuration for the environment.
How is Exalate cloud protected?
Exalate cloud is protected through all the provisions provided by Google Cloud:
- All the hosts are based on 'Container OS' which is secured and automatically patched by Google.
- All activity on the cluster is monitored through the 'Security Command Center'.
- Any security alerts are fed into the Palo Alto-based Cortex XSOAR which is picked up by the SOC.
- The SOC is manned 24/7 by NVISO. NVISO is a top-tier MSSP as evaluated by the MITR ENGENUITY OilRig assessment.
How does Exalate encrypt my data?
Any customer data in the Exalate cloud is encrypted in transit and at rest. Offline backups are encrypted for each tenant. Furthermore, Exalate Cloud ensures that every node is totally separated from any other node including - computing resources, file storage, database storage, and network path.
Where is my data hosted?
Depending on the deployment model, there are several models of data hosting. In case the node is deployed on-premise, data will be hosted on-premise. There is no need for an Exalate node to be connected to the Internet to fully operate.
When the node is deployed on the Exalate Cloud, all data resides on the Google Cloud datacenter in Europe-West1 (Belgium). Backups of that environment are stored offline in the data center of Rsync.net in Zurich (Switzerland).
What kind of data is hosted?
Exalate is storing the metadata required for the integration functionality, such as the relation between an incident and an issue. This metadata consists of unique identifiers (like numbers or strings), without any meaningful content.
Furthermore, it stores the payload of the synchronizations in flight. It does this due to an advanced transaction-based synchronization engine where every stage of the transaction requires the queueing of this payload. Once the transaction is fully processed, no payload information is stored in the database.
Who has access to my data?
Access to the application is defined by the underlying task management system and is fully configured by the administrator of that platform.
When deployed on Exalate Cloud, our employees such as support engineers and cloud operators can have access, only after explicit approval by the customer. All our staff goes through background checks, and only a well-identified list of employees with appropriate clearances can access the information.
Do you use data for testing?
We do not use production data for testing unless explicitly approved by the customer in case of a root cause analysis (RCA) of a defect.
How long do you keep audit logs?
Audit logs are kept for 30 days.
Is there an Endpoint Detection and Response solution as well as Malware/Virus protection?
The whole Exalate infrastructure is protected by the Palo Alto Cortex XDR solution, which provides next to malware and virus protection, an extensive set of cyber security capabilities including vulnerability and incident management.
How do you deal with vulnerabilities?
Vulnerabilities are handled according to the ISO27001 standard. Customers are notified in case of Critical vulnerabilities.
How do I report a security vulnerability to the Exalate team?
If you notice a vulnerability in one of our products, you can notify us so that we can fix it as quickly as possible. Any vulnerability, concern, or incident can be reported either on the support portal or by email to firstname.lastname@example.org.
Do you notify customers in case security vulnerabilities have been detected?
Yes, in case of critical security vulnerabilities, all Exalate users including evaluators will be notified within 48 hours of finding the vulnerability.
Does Exalate have Business Continuity and Data Recovery Processes?
Business continuity processes are defined in the context of policies and procedures.