Security at Action1
SOC 2 Type II Compliance
Action1 has passed a SOC 2 Type II audit conducted under the standards of the American Institute of Certified Public Accountants (AICPA), with no exceptions, demonstrating the security of our internal processes. SOC 2 Type II is a widely used benchmark for cloud service providers because it attests that security controls operated effectively over a period of time, not just at a single point in time. A SOC 2 audit is not mandatory, and we are proud to be among the few patch management vendors to meet this standard. We follow dozens of strict controls required by SOC 2 every day, in real time, to protect customer environments reliably. To request the SOC 2 audit report, please contact your Action1 representative.
ISO/IEC 27001:2022 Compliance
Action1 has achieved ISO/IEC 27001:2022 certification with zero exceptions, demonstrating our commitment to maintaining a secure environment. This means we adhere to stringent requirements, ensuring that our information security measures are not only robust but also adaptable to the evolving demands of cloud-based data protection. Before undergoing the audit, we implemented processes for continuous supervision of our operations, covering management controls and policies, security of employee devices, system monitoring for unusual activity, and more. An independent auditor conducted an exhaustive two-stage audit and validated Action1's adherence to the standard. To request the compliance certificate and audit report, please contact your Action1 representative. You can also verify Action1's certification through the IAF (International Accreditation Forum).
Action1's co-founders, Alex Vovk and Mike Walters, are also the co-founders of Netwrix, the data security company trusted by thousands of customers worldwide. Both Alex and Mike have over 20 years of professional cybersecurity experience. They built Netwrix from the ground up in 2006, and it was acquired by TA Associates in 2020. Transactions of that kind involve extensive due diligence by the private equity firm, including rigorous cybersecurity assessments.
We use multiple layers of cyber defense controls to protect user data and to prevent attacks from reaching our customers' endpoints through our service. These include physical, technical, and administrative controls that are continuously enhanced as threats evolve. As a rule of thumb, we always assume that any employee's machine can be compromised at any time (or already is) and design our internal controls accordingly.
Examples include, but are not limited to:
- maintaining our own repository of third-party patches derived directly from the vendor of origin
- prohibiting employees from downloading updates (even for legitimate pre-testing) to their local machines; such downloads are performed only in a login-restricted, locked-down data center environment that blocks all outbound access except to known URLs and runs AV, firewall, and other protections
- strict change management processes for all code and configuration changes to production systems
- management review of all changes, including automated and manual security testing both before and after deployment
- third-party auditing of adherence to the above and other practices
Data Center Security
Action1 is hosted on Amazon Web Services (AWS), whose data centers operate under stringent physical security, surveillance, and access controls. Action1 uses AWS because its infrastructure has been designed to be one of the most reliable and secure cloud computing environments available. The infrastructure is divided into many geographically distributed data centers for maximum reliability and resilience. These data centers follow industry best practices, including physical access restricted to authorized personnel only, state-of-the-art fire and water protection systems, backup power supplies, and more. AWS holds multiple security certifications and attestations, including ISO 27001, SOC 2 Type II, and FedRAMP, and supports customer compliance with HIPAA, GDPR, and CCPA.
Data and Protocol Security
Action1 designed all communication between its agents, servers, and other components to use modern security protocols (TLS 1.2) and cryptography standards (AES-256). Cryptographic keys are managed according to NIST SP 800-57 to ensure the best possible protection of user data. Passwords are stored only as SHA-256 hashes, never in plaintext.
Action1 implements several must-have security features in the service architecture:
- Enforced MFA: multi-factor authentication is always on for all customer accounts and cannot be turned off. The default second factor is a one-time code sent by email, but you can also enable app-based MFA (Google Authenticator and similar apps). We are also looking at adding support for hardware tokens (FIDO authenticators such as YubiKey).
- Audit logs: Action1 maintains logs of all operations, including account management, actions performed, etc. These logs can be obtained upon request from Action1 support.
- IP restrictions: customers can ask Action1 support to restrict access to their accounts to specific IP addresses only.
- Role-based access: granular access levels per organization keep multiple environments completely isolated from each other and allow multiple users with restricted permissions.
- Session timeout: all Action1 console sessions are automatically terminated after 30 minutes of inactivity.