Security at Action1
Security and reliability of Action1 services are the two core priorities of our team. We utilize military-grade security best practices to protect our users.
Action1’s co-founders, Alex Vovk and Mike Walters, are also the co-founders of Netwrix, the data security company trusted by thousands of customers worldwide. Both Alex and Mike have over 20 years of professional cybersecurity experience. They built Netwrix from the ground up in 2006, and it was acquired by TA Associates in 2020. The due diligence demanded by private equity firms in such transactions, which includes rigorous cybersecurity assessments, is beyond anyone’s imagination.
We use multiple layers of cyber defense controls to protect user data and prevent security attacks from reaching our customer endpoints. These include physical, technical, and administrative controls that are continuously enhanced based on ever-evolving security threats. As a rule of thumb, we always assume that any employee’s machine can be hacked at any time (or has already been hacked) and design our internal controls around that assumption.
For example, to maintain our repository of third-party patches, employees who download the updates for pre-testing cannot do this from their own machines. They must log in to a locked-down environment in our data center that restricts access to everything except known URLs and has AV, firewall, and other protections in place. Another example is a strict change management process for all code and configuration changes to the production systems. All changes must pass a management review and include automated and manual security testing pre- and post-deployment.
We base our security practices on NIST SP 800-171/CMMC. All essential sections, including access control, minimum privilege, audits, configuration management, and authentication, are strictly followed.
SOC 2 is the gold standard for cloud-based service providers who aim to achieve the highest standards in customer data protection. Action1 built its cybersecurity practices around SOC 2 compliance requirements. We enforce access controls, perform risk assessments, follow strict change management workflows, and implement all other relevant controls. We are in the process of getting formal SOC 2 and ISO 27001 certifications from independent auditors.
Data Center Security
Action1 uses Amazon Web Services (AWS) with the highest physical security standards, surveillance, and access controls. Action1 uses AWS infrastructure because it has been designed to be one of the most reliable and secure cloud computing environments. The infrastructure is divided into many geographically distributed data centers for maximum reliability and security. The data centers follow industry best practices, including physical access restrictions for authorized personnel only, state-of-the-art fire and water protection systems, backup power supply, and more. AWS has multiple security certifications, which include ISO 27001, SOC 2 Type II, FedRAMP, and HIPAA.
Data and Protocol Security
Action1 designed all communications between its agents, servers, and other components to use the latest security protocols (TLS 1.2) and cryptography standards (AES-256). NIST SP 800-57 is used as the standard for managing cryptographic keys to ensure the best possible protection of user data. All passwords are encrypted and hashed with the SHA-256 algorithm.
Action1 implements several must-have security features in the service architecture:
- Enforced MFA: it is always on for all customer accounts and cannot be turned off. The default MFA is email-based (you receive a code by email), but you can also enable app-based MFA (Google Authenticator, etc.). We are also looking at adding support for hardware tokens (FIDO, YubiKey, etc.).
- Audit logs: Action1 maintains logs of all operations, including account management, actions performed, etc. These logs can be obtained upon request from Action1 support.
- IP restrictions: customers can ask Action1 support to restrict access to their accounts to specific IP addresses only.
- Role-based access: a system of granular access levels per organization enables complete isolation of multiple environments from each other and allows multiple users with restricted permissions.
- Session timeout: all Action1 console sessions are automatically terminated after 30 minutes of inactivity.
Security Vulnerability Disclosure Program
Action1 has a publicly documented Security Vulnerability Disclosure Program. Please refer to it when reporting any discovered security vulnerabilities.