StrongDM Security Addendum
- Information Security Program
- Identity and Access Management
- Data Security
- Asset Management
- Endpoint and Perimeter Defense
- Incident Management
- Secure System and Software Development
- Contingency Planning
- Information Security Training & Testing
- Risk Management
- Auditing and Compliance
- Subservice Organizations & Data Subprocessors
Information Security Program
StrongDM’s Information Security Program (ISP) is based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) v2.0. Our goal is to ensure the security, confidentiality, integrity, and availability of StrongDM’s business and the services we provide to our customers. For more details on the NIST Cybersecurity Framework, please visit NIST's website.
We target compliance with the following regulations and frameworks:
- AICPA Trust Services Criteria 2017 for Security, Availability, and Confidentiality (2022 update)
- Payment Card Industry Data Security Standard (PCI-DSS) version 4.0.1
- EU & UK General Data Protection Regulations (GDPR)
- Other relevant local data protection laws
Leadership
StrongDM’s Vice President, Security & Compliance is responsible for leading the Information Security Program, all subordinate programs in support of the ISP, the Governance, Risk, and Compliance Programs, and the Information Technology Program. The Vice President, Security & Compliance is a member of the Executive Leadership Team (ELT), and reports directly to the Chief Executive Officer. They also serve as StrongDM’s Data Protection Officer, responsible for privacy matters.
Definitions
For clarity and consistency, we define Customer Data as:
Data or information input into the StrongDM Infrastructure Access Platform by a Customer or generated automatically through the usage of the Infrastructure Access Platform, including:
- Customer user information (e.g. first and last names, email addresses)
- Customer log data generated by the Platform (e.g. audit log data)
- Identifiable data source information, including:
  - Resource names and IP addresses
  - Hostnames and URLs
  - Database names
- Authentication secrets and related data, including:
  - Usernames
  - Passwords
  - Cryptographic keys
  - Access/API keys
Trust Center
StrongDM maintains a Trust Center at https://security.strongdm.com. This Trust Center provides Customers and Prospects with access to important documentation relevant to StrongDM’s Information Security Program, including applicable policies, copies of our SOC 2, Penetration Test, and Contingency Planning reports, and periodic updates from the Trust Department. Access to the Trust Center is granted to all Customers on request, and to all Prospects with a fully executed MNDA.
Identity and Access Management
StrongDM’s Identity and Access Management Program is based on the requirements and guidance from a number of sources, including NIST 800-53 Rev. 5, NIST SP 800-63-3, as well as common industry best practices. We have Identity Management and Access Control policies that establish controls and practices governing all aspects of access to systems and data.
User Identity Management
- StrongDM maintains a centralized identity provider to manage accounts used within our business systems
- Each user within StrongDM is provided with a unique username for identification when logging into StrongDM’s systems and SaaS platforms
- Circumstances that require the use of a shared account will be managed on a case-by-case basis, and require a business justification before the account may be created
- We conduct quarterly access reviews to ensure that users have access to only those systems needed to perform their duties, and flag unneeded or outdated accounts for suspension and removal
Authenticator Requirements
- Our Access Management Policy requires that where StrongDM has the ability to set password requirements, we will enforce standards in line with NIST 800-63B. This means:
  - We require all users to set passwords that are at least 14 characters in length and randomly generated
  - We do not require arbitrary or periodic rotation of passwords
- Where StrongDM is not able to enforce specific requirements on passwords, we choose the option that most closely aligns with our policies
- Wherever possible, we implement authentication federation through SAML or OIDC with our centralized identity provider
Privileged Account/Access Management
- Users must have a demonstrated business need to be granted access to privileged/administrative rights and sensitive information
- We conduct quarterly privilege reviews to ensure that users only have the rights they need to perform their duties
Data Security
StrongDM’s Data Security Program is designed to ensure that both sensitive Company Data and Customer Data are protected from unauthorized access, disclosure, and deletion. We have policies in place to govern the classification, usage, protection, retention, and destruction of data.
Usage
- Only those with a demonstrable business need are able to access Customer Data
- Identifiable Customer Data is not permitted, by policy, to be removed from production systems or downloaded to local user machines
- Data classification levels are defined and applied throughout the organization
- All data and documents should be labeled with their data classification level
Protection and Encryption
- Customer Data is required to be encrypted at rest on whatever platforms we use to provide services to customers
- All data in transit is encrypted by standard encryption methods, including TLS v1.2
- Full-disk encryption is required for all user workstations and is periodically audited for compliance
Retention
Our data retention policy has been established to maintain Customer Data for only as long as is necessary to support business operations. That means:
- We retain the Platform’s Customer audit log data for 13 months and subsequently delete it from our platform
- Customer activity data (interactions with the Platform’s API itself) is stored indefinitely
- When a business relationship between StrongDM and a Customer ends, Customer audit logs are deleted as they age out of the above retention policy, unless the Customer requests in writing at the time of termination that their audit log data be purged
- If a Customer requests deletion of their audit log data, StrongDM will make a reasonable effort to purge said data as soon as possible, generally not longer than 30 days
- Customer Data will remain in automated backups of Production databases until those backups automatically age out. This is currently 35 days after the backup is taken
Destruction
- Secure delete functions are used wherever possible
Privacy
StrongDM maintains a Privacy Policy for usage of its public-facing website, which can be viewed at https://www.strongdm.com/privacy.
Privacy commitments for usage of the StrongDM Platform are governed within the StrongDM Services Agreement and the incorporated Data Processing Addendum, which may be viewed at https://www.strongdm.com/legal/services-agreement, and https://www.strongdm.com/legal/data-processing-agreement, respectively.
Asset Management
We have established an Asset Management Program to track all corporate assets and ensure strong controls around the purchasing, issuing, reclamation, and disposal of hardware and software.
Hardware and Software Procurement and Management
- All hardware and software is purchased through a central IT team
- All hardware assets are checked out to specific users
- Excess hardware is wiped of all data and disposed of through a trusted business partner
License Management
- We ensure that all software is properly licensed and appropriately used
Endpoint and Perimeter Defense
We have an Endpoint and Network Protection Program that includes system hardening, anti-malware requirements, and vulnerability management controls.
System and Application Hardening
- Systems are configured against baselines for basic security controls, such as full-disk encryption, local firewalls, minimal user accounts, and minimal installed software
- All production systems have endpoint detection and response/anti-malware, file integrity monitoring, and vulnerability scanning agents installed
- All corporate systems have endpoint detection and response/anti-malware software deployed that alerts to a central console
Vulnerability Management
- We conduct regular vulnerability assessments against our production systems and workstation endpoints
- Vulnerabilities are rated based on CVSS, availability of exploit code, and public attack surfaces, and remediated in a timeframe governed by StrongDM policy
Perimeter Defenses
- Network access controls are put in place and configured via a source-controlled repository to ensure only appropriate and authorized ports are open
- Direct access to production systems is not permitted; access to production systems may be made only via the StrongDM Platform itself
Incident Management
Our Incident Management Framework is based on the Incident Command System to provide assurance that our processes are repeatable and the appropriate resources are available internally.
- We test our Incident Management Framework & associated processes quarterly
- We conduct post-incident reviews after each test and incident to gather feedback and incorporate it into our processes
- If Customer Data is affected by a security incident, we will notify the affected customers in a reasonable timeframe after confirmation of the scope of the incident
Secure System and Software Development
We have implemented a robust Software/Systems Development Life Cycle to ensure the highest quality code and systems are deployed into the StrongDM environment.
- We maintain custom static analysis and linting code
- Every developer contributes to that system and responds to security alerts
- Each commit is authored and reviewed by a pair of developers, who are responsible for cross-training each other on secure coding practices as part of the code review process
- Responsibilities for releasing application changes are assigned to a separate team from those developing the code changes
Independent Testing
- We partner with an independent third party to conduct annual penetration tests on our Platform, including the AdminUI web application, APIs, installed binaries (Gateways, Clients), and SDKs
- We maintain a public Responsible Disclosure Program that is available to both security researchers and Customers who wish to report a potential vulnerability. Please use the Submit report link here: https://hackerone.com/strongdm/?type=team
Contingency Planning
We have created a holistic Contingency Planning Program to assess and prepare for potential disruptions to our business and our ability to provide the StrongDM Platform to our customers.
Business Continuity Planning
- We have implemented a system architecture designed to eliminate single points of failure
- Our people are distributed across the Western hemisphere, which helps ensure that a disaster in one region doesn’t affect our ability to continue operating
Disaster Recovery Planning
- We have established RTOs and RPOs for bringing services online in the event of a complete disruption of services
- We conduct full-scale annual tests of our disaster recovery plan and incorporate any improvements into the plan for following years
Information Security Training & Testing
- We train all personnel on security awareness at least annually
- All StrongDM personnel are tested on identifying and reporting phishing emails monthly, with high-value personnel being tested more frequently
- The Trust Department regularly updates StrongDM Personnel on evolving security threats
Risk Management
We have an Enterprise Risk Management Program built around relevant NIST 800-series Special Publications.
- We conduct annual risk assessments and quarterly risk sessions with the Risk Management Committee to identify, assess, and act on risks to the business and the StrongDM Platform
- Risks are tracked on a centralized Risk Register
- All risks are categorized and assigned an owner who is responsible for evaluating the impact and likelihood of the risk and providing a treatment recommendation to the Risk Management Committee
Vendor/Third-party Risk Management
- We have implemented a vendor risk management program and policy to vet the security of our vendors
- We assess any potential impacts those vendors could have on the security and availability of the StrongDM Platform or our business
Auditing and Compliance
External Auditing
- We partner with an independent third party to conduct an annual SOC 2 Type 2 audit of the services we provide to our customers
Internal Auditing
- We perform a number of types of internal audits and self-assessments for compliance with our controls and policies, as well as external frameworks and questionnaires (e.g. VSA Core, CAIQ Lite, etc.)
Subservice Organizations & Data Subprocessors
StrongDM uses Subservice Organizations in the delivery of the StrongDM Platform to its Customers and to process Customer Data. We also use Data Subprocessors in the normal course of conducting business; the data they process may contain Personally Identifiable Information (PII) of individuals at a Customer organization. Examples of business uses include prospecting, marketing, contracting, relationship management, and support for the StrongDM Platform.
A complete list of Subservice Organizations and Data Subprocessors can be found on StrongDM’s Trust Center at https://security.strongdm.com/subprocessors.