Security by Design
SignalFx offers the only in-stream monitoring platform for ingesting, processing, storing, analyzing, visualizing, and alerting on metrics data at massive scale in real real-time. The service was designed from the beginning with security as a key tenet, using best-in-class technologies, infrastructure, and development practices to safeguard customer data while delivering low latency, real-time performance. Our dedicated security function is led by a Chief Security Officer, who works with engineering and product management to deliver enterprise-level product security and continuously improve internal security controls and processes.
Data is sent to SignalFx through a managed collection of open source agents (e.g. collectd, statsd, telegraf, etc), our open source Smart Agent, our Metric Proxy, through a connection to our customer’s cloud infrastructure (e.g. AWS CloudWatch), as well as custom integrations built with SignalFx client libraries. The SignalFx Smart Agent installed on customer infrastructure does not receive any inbound connections. The agent does not have the ability to auto-update, hence all updates must be manually installed and configured by customers. Our cloud infrastructure integrations (AWS, Azure, GCP) use a restricted set of monitoring, list, and describe permissions.
Protecting our customers sensitive data is our key priority. Sensitive data in transit and at rest is encrypted by default.
- All data sent to SignalFx is encrypted with TLS 1.2.
- Any communication between a user’s browser and SignalFx requires an extended validation SSL certificate.
- All requests to SignalFx come through the AWS Elastic Load Balancer (ELB) on port 443. The ELB uses SSL (X.509 certificate) to terminate the connection and then decrypt requests from clients.
SignalFx encrypts customer secrets at rest with AES 256 bit encryption. Each secret is encrypted with a dynamic key which is then encrypted with a root key.
SignalFx has implemented a comprehensive application security program and enterprise level end user application security controls.
- All code changes undergo a rigorous review and approval process
- SignalFx performs a monthly application scan against OWASP Top 10 risks with Qualys
- SignalFx engages a third party agency for an annual code review and penetration testing
- All findings are reviewed, validated, and remediated
- SignalFx provides integrations with common SAML SSO providers
- SignalFx supports user, team, and role based access control
Responsible Vulnerability Disclosure Program
We are a dedicated team of engineers, who are committed to deliver an outstanding SaaS Monitoring and Analytics Platform in a safe and secure way. To achieve our mission, we would like to partner and start building a relationship with the security research community, with the hope that this relationship gets stronger as the time passes by. We will make every effort to recognize your high-level contributions and reward you accordingly. Learn more here »
SignalFx designed its AWS architecture in accordance with the AWS Shared Responsibility model, leveraging AWS security best practices.
- SignalFx platform is deployed in a secure VPC with all production microservices running in a private subnet, with no public IP addresses
- Inbound traffic comes through AWS ELB’s listening on port 443
- Every subnet is associated with a routing table and a network access control list (NACL) controlling traffic in and out of the subnet
- Every instance is associated with security groups controlling inbound and outbound instance connections
- Access is managed through IAM users, groups, and roles based on the principle of “least privileged access”
- MFA is required for console and CLI access
- All access keys are rotated every six months
SignalFx has implemented a comprehensive monitoring strategy to identify and address potentially suspicious events.
- All AWS API calls are recorded and monitored
- AWS CloudTrail logs are encrypted at rest and enabled with validation
- All successful and failed connections, and executed commands by SignalFx employees are logged and monitored