Axcient’s Security-First Approach Part 2: Process
In part one of this three-part series, Axcient’s Security-First Approach Part 1: People, we discussed our three pillars of cybersecurity: people, process, and infrastructure. From the top down, Axcient has been adjusting to the changing cybersecurity landscape to prioritize security both within our company culture and with our Managed Service Provider (MSP) partners. Through these three pillars we’re empowering each individual within Axcient to take ownership of cybersecurity in everything they do.
See how the people at Axcient – regardless of their role, department, or level of cybersecurity knowledge – are contributing to protecting data and ensuring business continuity for our partners. Keep reading here to see how Axcient is empowering our people through process security in engineering and operations.
Security is embedded into each process that makes up Axcient’s operations, to provide ongoing protection, understand new threats, and invite independent testing into our networks.
- Real-time and regular maintenance: Includes static code analysis, dependency analysis, code signing, security scans, and automatic code reviews.
- Daily security scans: Security scans run across everything we do, covering the entire network and every asset in all of our data centers, and report on new issues and vulnerabilities.
- Vulnerability disclosure program: Partners are encouraged to submit any security issues they find during security audits and testing of Axcient products in their environments. Once we’re notified of a potential vulnerability, we work with our partner to resolve the issue and any additional gaps that may be present.
- Penetration testing: Axcient regularly works with third-party threat and security management companies to complete both internal and external penetration tests on our products, data centers, corporate networks, and IT, as well as social engineering tests.
- Risk assessments: All Axcient departments go through periodic risk assessments to understand vulnerabilities throughout the company. For example, could somebody in finance be compromised to gain access to billing systems and credit card numbers? Could a breach in the sales department reveal partner data? Again, these assessments are completed by third-party companies and we make resolutions based on the potential for disaster.
- Full change management process: Any time a critical change is needed on a system or infrastructure, Axcient’s development teams are required to document and propose the change for review by executive leadership. Only after proposed changes are discussed and receive multiple layers of approval can they be implemented.
- Protected code source repository: Only a limited number of people have the access and permissions required to merge code into production. This prevents a malicious actor from polluting Axcient’s code base and compromising everything we do.
- Weekly release cadence: Teams can respond to issues quickly, deploy a solution, and shorten the time that something exists in production to less than a week. With QA automation, security automation, unit testing, and manual testing on top of everything else, we can pivot quickly, while also having the ability to release features in rapid succession, be more agile, and respond to the marketplace in real time.
- SOC 2 certified: Regular auditing ensures Axcient’s compliance with established standards based on the five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy.
Ben Nowacky, Senior VP of Product at Axcient says, “We pay extreme attention to how Axcient could be used as a weapon of attack. Can the onsite application be weaponized? The backup agent? Anything in our updates? Our appliances? Is there any way that allows a threat actor, or cybercriminal to gain access to the network?” A legitimate and common concern is how vulnerabilities could be exploited through an onsite appliance.
For Axcient, the answer is no – not as of today. Ben explains, “If you follow the best practices that we outline, no, Axcient’s appliances cannot be used as an attack vector, or a method to get a foothold to pursue persistence in the network. Now, that’s as of today based on all the security scanning we’ve done up to today, but there’s always things popping up. Security is an ever evolving thing that you constantly have to be vigilant about. However, I can say that as of today, we haven’t discovered any way to compromise a network using the Axcient appliance.”
The fact is, cyber attacks are increasing in sophistication and frequency every day. Process security keeps you aware of those risks, warnings, and vulnerabilities, so that you can take the necessary precautions to keep data protected. As a solutions provider, it’s Axcient’s responsibility to educate MSPs about the potential for data loss and provide solutions to ensure security. Your job as an MSP is to pass that information and protection along to your clients. With that said, supply chain attacks, social engineering, phishing and ransomware attacks, and other malware are always changing and unfortunately, 100% guaranteed data protection just isn’t available in today’s digital landscape.
Backup Agent Security
As Ben said, Axcient is constantly questioning the vulnerabilities of our own products and services, and that includes our backup agents. When asked if the backup agents can be compromised and used for command and control, Ben gives a familiar answer, “So far, we have not found any weaknesses or vulnerabilities in the agent.” He goes on to explain how the agent is secure by design:
“The agent is a one-way sync, so it does not have the ability to delete anything. The agent can’t ever delete something in the cloud because it’s a one-way push. That was done purposefully to make sure the agent couldn’t be used to delete stuff in the cloud. Anytime that there’s an update or a patch, or anything like that that needs to be applied – those updates and patches are digitally signed by a signing certificate and hardware key in the data center. So anytime an update has to get applied, that agent checks the signing certificate, and checks the validity of that package before it’s downloaded. So somebody can’t spoof, or man-in-the-middle something and force the agent to download something maliciously. It can’t be compromised or weaponized.”
RMM Integration Security
Axcient’s hardware-free BDR solution, x360Recover – Direct-to-Cloud, is designed to simplify backup with one solution that satisfies multiple use cases. Without hardware, we were able to eliminate the pains of ‘rip and replace’ with silent install through your remote monitoring and management (RMM) tools. While the value of a fast and easy transition without server reboots or needing to deactivate existing backup products is attractive, as with any change, it creates potential for new vulnerabilities. Ben discusses Axcient’s RMM integrations:
“We have specifically not done deep integrations with RMMs because we don’t want to open the possibility that we’re compromised because of an RMM. So any integration that we have with RMMs are strictly for monitoring and alerting. None of our integrations can be used to push updates to the appliances or the agents. They can’t delete any data in the cloud. We want to make sure that we’re walking the line between providing value to our MSP partners, and what they can get out of the RMM integration – and the security necessary to make sure the RMM can’t be used to leverage against the agent or compromise Axcient.”
Data Center Security
Axcient requires mandatory multi-factor authentication (MFA) on all critical systems in our infrastructure. We’ve also added an extra layer of protection for our development operations and engineering teams using hardware keys. In order to gain access to a data center, the process requires that you VPN in with MFA, which is typical. But to access a specific server or device within the network, a hardware key must be plugged in, and you’re required to physically push a button. Additionally, these sessions time out automatically after a certain period to prevent persistence.
If a developer or person in operations gets compromised – which are the most likely targets for bad actors – and the hacker is able to piggyback off the employee’s computer into the network, they will time out shortly. As soon as the developer, or person in operations disconnects, the connection to the server is lost. Without both the physical hardware key and manually pushing the button, there is no way for the hacker to reauthenticate the connection.
Keep reading with part 3 in this series, Axcient’s Security-First Approach: Infrastructure, to see how security takes center stage in our engineering and development departments.
About the Author:
Liz Mellem // Technical Copywriter, Axcient
Liz Mellem has been a freelance copywriter for over four years in the technology, education, and alternative medicine industries. She produces content, sales collateral, and email marketing campaigns that contribute to digital marketing strategies for sales growth and brand awareness. In her free time, Liz enjoys reading, exploring Austin, and Netflix with her cat, Harlem.