Absolute Security Processes
Introduction
Absolute is the only provider of self-healing, intelligent security solutions. Embedded in more than 600 million devices, Absolute is the only platform offering a permanent digital connection that intelligently and dynamically applies visibility, control, and self-healing capabilities to endpoints, applications, and network connections - helping customers to strengthen cyber resilience against the escalating threat of ransomware and malicious attacks.
Given the scope of Absolute’s capabilities and the scale of our deployment, security is critically important to us. We are committed to providing strong security controls and encryption to protect the information you entrust to us.
We maintain administrative, technical, and organizational security measures to protect your information from loss, misuse, and unauthorized access or disclosure. These measures are based on industry security practices and consider the sensitivity of the information we collect, the current state of technology, the cost effectiveness of implementation, and the scope of the data processing we engage in.
Our executive support for security practices
Absolute is committed to ensuring the confidentiality, integrity, and availability of its data and systems through effective information security management. Our executive management actively supports information security within the organization through clear direction, explicit assignment, and acknowledgement of information security responsibilities.
Absolute’s Chief Information Security Officer (CISO) is responsible for security, technology, and infrastructure, and reports directly to the CEO. The CISO, CEO, and other executives are aware of the controls set within the organization and their importance. An approval process between the CISO and CEO is in place for approving and implementing technical policies and processes.
Our teams
Our core teams are organized into service teams, and their responsibilities are defined as follows:
- Security Operations: Manages cross-platform security functions, such as security incident response, application security, threat modelling, security monitoring, penetration testing, and vulnerability management.
- Security Governance, Risk, and Compliance (GRC): Identifies, documents, and advises teams in implementing security and privacy controls to maintain Absolute’s security and privacy commitments to its customers and partners. Performs compliance audits, creation and maintenance of security policies and procedures, as well as risk management functions.
- Cloud Engineering: Builds core infrastructure and cloud initiatives. The team is responsible for building and managing the next generation of cloud services.
- Hosting Operations: Responsible for the administration, release of new product features and services, as well as service management of the Absolute Platform.
- Product Development: Responsible for the development, testing, and implementation of new features and services within the Absolute Platform and its Secure Endpoint and Secure Access product portfolios. Performs threat modelling and secure code practices.
- Product Management: Creates requirements for the Absolute Platform and all associated products, including new features and services. Product Management is also responsible for incorporating privacy and security by design principles into the consideration of new features and services.
- Legal: Monitors regulatory and business developments and advises the business on legal compliance and business strategy relating to data security, privacy, risk management, and technology transactions.
We assess ongoing cyber threats and risks
Absolute implements and maintains a cybersecurity framework to manage cyber risk, control, and compliance-based activities. This framework is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The cyber risk landscape is constantly changing, creating new attack vectors, and expanding the attack surface that we must patrol and defend. We assess and evaluate current and emerging threats and risks to our applications and infrastructure on an ongoing basis, including cloud, third-party vendors, and data privacy.
We’ve established a dedicated senior management committee to oversee the cybersecurity risk program and to address any cybersecurity risks within our organization. Through the committee, our cybersecurity risk program is implemented and overseen through regular updates and dialogue between our Board of Directors and senior management.
We remain cyber secure through applying security best practices
Personnel Practices
Absolute employees receive security training during onboarding and on an ongoing basis. Employees are required to read and sign information security policies covering the confidentiality, integrity, and availability of the systems as well as services that are used to deliver Absolute products and services. Where applicable, including for particularly sensitive positions, Absolute also conducts certain criminal background checks on employees before employment.
Security Policies
Absolute implements and maintains industry-standard security policies that align with NIST Special Publication 800-53. These policies are further defined by control standards, procedures, control metrics, and control tests to assure functional verification.
Security Standards
We design and implement security controls around our most sensitive assets while balancing the need to reduce risk against productivity, business growth, and cost optimization objectives. Baseline security controls and standards relating to infrastructure, applications, and the secure software development lifecycle (SDLC) are implemented using industry security standards such as NIST, the Center for Internet Security (CIS) Critical Security Controls, CIS security benchmarks, and the Open Web Application Security Project (OWASP).
Data Classification
We classify our data against industry best practices to ensure that we design and implement security controls to manage and safeguard data against unauthorized access, improper retention, and unsafe destruction.
Audits
Absolute and its products undergo frequent audits. For more details, please refer to the Absolute Product and Company Certifications page.
Vulnerability and Patch Management
We perform scans on a regular basis to identify potential vulnerabilities within our environment. We ensure that risks posed by security vulnerabilities are assessed, prioritized, and remediated in accordance with our risk appetite and requirements outlined within organizational policy.
Penetration Testing
We engage external third parties annually or on a more frequent basis to perform penetration testing on our application, network, and firmware. All findings are reviewed and addressed before production release, or as defined within our risk appetite.
Privacy and Security Assessments
New features, functionality, and design changes go through a review process facilitated by Absolute’s Cybersecurity team. Our Cybersecurity team works closely with product and development teams to resolve any additional security or privacy concerns that may arise during and after development.
We protect your data by implementing and maintaining a defense in depth approach
User Provisioning and Deprovisioning
User administration control processes and procedures exist and are followed to manage the authentication, authorization, and appropriateness of users to key systems and applications including the set-up, maintenance, and termination of access privileges.
Least Privilege
We apply the principle of least privilege to ensure that individuals have only the minimum means to access the information to which they are entitled.
Single Sign-On (SSO)
We apply single sign-on company-wide to ensure greater and more centralized access control to critical systems used by Absolute personnel.
Multi-factor Authentication (MFA)
Access to the systems used by Absolute personnel is controlled by multi-factor authentication. This means that Absolute employees and contractors are required to provide physical proof of their identity.
Periodic User Access Reviews
We review user access including privileged access to sensitive resources on an ongoing scheduled basis.
Physical and Environmental Security
Absolute uses two data center co-location providers, located in Canada and the United States, to host its infrastructure. These third-party providers operate a number of data centers across the world and are also responsible for the physical security and environmental controls within their data centers.
System Logging
All systems used in the provision of Absolute products and services, including firewalls, routers, network switches, and operating systems, log information to our security information and event management (SIEM) tools to enable security reviews and analysis.
Application Security
We are continuously assessing and addressing threats, vulnerabilities, and the overall risk exposure of internal and external applications, as well as their APIs. We have implemented an application security testing program to gain better visibility into potential security issues across our applications. Application security is included early in the software development lifecycle, including the design, development, release, and upgrade stages. Web application security risks are assessed, reviewed, and monitored against the OWASP Top 10.
Code Scanning
Source code builds are scanned for vulnerabilities prior to production release. We perform static application security testing (SAST) to analyze source code before compilation and validate adherence to secure coding policies. We also perform dynamic application security testing (DAST) on fully compiled software to test the security of fully integrated, running code.
We protect your data against cybersecurity threats
Encryption
The Absolute Platform supports the latest industry-standard secure cipher suites and protocols to encrypt all traffic in transit. We encrypt customer data at rest. We also enforce full disk encryption for company-issued laptops.
Network Protection
In addition to system monitoring and logging, we have implemented firewalls that are configured according to industry best practices, and ports not utilized for delivery of Absolute services are blocked.
Cryptography
We monitor the changing cryptographic landscape closely and make commercially reasonable efforts to upgrade the Absolute Platform to respond to new cryptographic weaknesses as they are discovered and to implement best practices as they evolve. For encryption in transit, Absolute does this while also balancing the need for compatibility with legacy clients.
All of the data in transit that crosses the Absolute private cloud boundaries is encrypted at all times. Absolute uses a proprietary protocol for device/server communications. Communications from the devices are initially encrypted and authenticated using a public 3072-bit key that is updated periodically.
Randomly generated initialization vectors and encryption keys are used with a GCM-based AES 128-bit encryption algorithm to protect session data. Devices are authenticated using a proprietary algorithm to preclude device impersonation. HTTP over port 80 (with encrypted payloads) and HTTPS over port 443 (mobile) are used to facilitate communications through firewalls and proxies.
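As an added illustration of the session-data protection described above, the following Go program (example code written for this page, not Absolute's implementation or wire protocol) shows AES-128 in GCM mode with a randomly generated session key and a fresh random initialization vector (nonce) for every message. The envelope layout (nonce followed by ciphertext and tag), the associated-data string, and the sample device payload are assumptions of the example. It also shows the property a practitioner should check: any modification of the envelope, or a mismatch in key or associated data, is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	keySize   = 16 // AES-128 key, in bytes
	nonceSize = 12 // 96-bit GCM nonce, the size cipher.NewGCM uses by default
)

// NewSessionKey draws a random AES-128 key from the operating system CSPRNG.
// In a real protocol this key would be agreed during the authenticated
// handshake; here it is simply generated locally.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext under key. aad (additional
// authenticated data) is bound to the authentication tag but not encrypted,
// which makes it a suitable place for protocol metadata such as a version.
// The returned envelope is nonce || ciphertext || tag (assumed layout).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every message. GCM loses confidentiality and
	// integrity if a (key, nonce) pair is ever reused, so with random nonces
	// the key must be rotated well before the collision bound (on the order
	// of 2^32 messages) is approached.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts an envelope produced by Seal. Any error
// is reported as a single opaque failure so callers cannot distinguish a bad
// tag from a bad key or wrong associated data.
func Open(key, envelope, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("authentication failed: tampered data, wrong key, or wrong associated data")
	}
	return pt, nil
}

func main() {
	key, err := NewSessionKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("device-id=EXAMPLE-0001;status=ok") // constructed sample payload
	aad := []byte("session-v1")                        // assumed protocol metadata
	env, err := Seal(key, msg, aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, env, aad)
	fmt.Printf("round trip ok: %v, payload: %q\n", err == nil, pt)

	env[len(env)-1] ^= 0x01 // flip one bit in the authentication tag
	_, err = Open(key, env, aad)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The per-message nonce is prefixed to the ciphertext because the receiver needs it to decrypt; it does not need to be secret, only unique under a given key. Binding metadata through the associated-data argument means a message sealed under one protocol version cannot be replayed as another without failing authentication.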
We are cyber vigilant by being situationally aware
Being situationally aware starts with understanding possible adversaries, who might attack and why, and then building situational awareness to stay a step ahead. We receive automated cyber threat intelligence reports, which are reviewed on a regular basis. We maintain an extensive, centralized logging environment which contains information pertaining to security, monitoring, availability, access, and other metrics about Absolute’s services. We have a dedicated Security Operations Center that alerts us to potential events so they can be investigated before they become security incidents.
We are cyber resilient
Being resilient means being prepared to handle critical cyber incidents, repair damage to business, and return to normal operations as quickly as possible. Absolute maintains security incident management policies and procedures. Absolute notifies impacted customers without undue delay of any unauthorized disclosure of their data by Absolute or its agents of which Absolute becomes aware, in accordance with applicable laws.