This article discusses how Kentik ensures the security of its systems and of the data entrusted to us by customers. These topics are covered in the following topics:
Kentik takes extremely seriously the security of the data collected for, sent to, and ingested by our data platform. At the highest level, our approach can be summed up as follows:
- All data sent to us can be encrypted in transit.
- All access to our system is protected.
- No customer has access to the data of another customer.
The following table shows in somewhat greater detail how the system and the data are protected:
|Data in transit
||- All communication to and from Kentik.com can be limited to HTTPS.
- SNMP supports encrypted and unencrypted modes.
- UDP flow is unencrypted by design, though Kentik offers methods to encrypt it.
- Transport Layer Security (TLS) is used for all customer data transmitted to Kentik from a host (via kprobe), from Google VPC, or via our proxy agent (chfagent).
|Data on disk
||Kentik is currently in the process of encrypting all data stored on disk. This process is expected to be complete on all production systems by the end of Q3 2018.
||- Each user has completely independent UI sessions.
- Each customer has a separate logical database.
- All users within a given customer share the same database.
- No user can alter tables.
- Each password is stored as a salted hash, with a unique salt for each user.
- Data filters can be applied on a per-user level.
Most Kentik customers use the Kentik Detect service — which has been architected to provide multi-factored scalability, reliability, and security — via our multi-tenant SaaS platform. The answers provided in the following FAQ topics — many of which apply as well to on-premises deployment — address how Kentik Technologies handles security concerns that commonly arise in relation to SaaS deployment:
- Does Kentik hold SSAE 16 SOC 2 / ISAE3402 / ISO27001 or similar third party audit reports?
Kentik does not hold any industry certifications at this time. We are currently in the process of obtaining the Privacy Shield certification and the CSA STAR certification.
- Has Kentik undergone a vulnerability assessment or penetration test of its production environment within the past six months?
Yes. Kentik performs vulnerability assessments against the public facing systems as well as private internal systems on a quarterly basis. Kentik also engages with an independent third party firm to perform penetration tests on a semi-annual basis, or when significant changes to the infrastructure have occurred.
- What is Kentik’s process for security event monitoring and notification?
Processes and logs are used to watch for possible security breaches, with internal monitoring via dashboards, pager alerting, and log viewing. Notifications are optionally sent by email to the address associated with user login account. All security related questions can be directed to the Kentik Security Team through email at email@example.com.
- What notification and escalation processes exist in case of a security event?
Were a security breach to occur, all affected customers are notified using email and a message banner in the Kentik portal within 72 hours.
- Is Kentik insured by a 3rd party for security/operational losses?
- How is security supported within Kentik’s company culture?
Discussion of the importance of security, and the procedures we use to support it, is part of the applicant screening process for all positions, and security considerations are built into the design and review process across our platform.
- Are the hosting facilities SOC 1 and 2 Certified?
Yes. Our hosting centers are SOC 1 and 2 compliant.
- Is Kentik’s service PCI and HIPAA compliant?
Neither PCI certification nor HIPAA compliance are currently relevant to Kentik’s services because Kentik does not receive or store any PCI-restricted data, or ePHI, from customer networks.
- Is Kentik GDPR Compliant?
- Kentik has implemented a full suite of information security and privacy policies that fully meet the requirements of the GDPR.
- Kentik is in the process of obtaining its Privacy Shield certification.
- Kentik does not store or process information commonly classified as personally identifiable information (PII), such as Social Security number, drivers license number, home address, medical information, or credit card information.
- Recital 30 of GDPR states that “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.” There is current debate as to whether Internet protocol (IP) addresses by themselves are PII. To that end, Kentik provides options to perform IP address obfuscation should it be required.
- Are customers allowed to conduct vulnerability assessments or penetration testing?
Kentik is open to coordinating any such activity, providing that it is scheduled in advance, poses no potential to disrupt normal operations, is conducted on a running up-to-date copy of Kentik’s SaaS platform, and is conducted at the customer’s expense.
- What risk management framework does Kentik use?
- Kentik has adopted the NIST 800-53 framework as the basis for its information security and privacy program.
- The Kentik information security program includes elements from the following control areas: Access Control, Security Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, Identification & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environmental Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisitions, System & Communication Protection, System & Information Integrity, and Program Management.
- The Kentik information privacy program includes elements from the following areas: Authority to Collect, Privacy Impact Assessments, Privacy Requirements for Contractors and Service Providers, Privacy Monitoring and Auditing, Privacy Awareness and Training, Accounting of Disclosures, Validation of PII, Minimization/Removal of PII, Data Retention and Disposal, Consent, Redress, Complaint Management, Incident Response, Internal Use, and Sharing with Third Parties.
- What type of data security/segregation controls does Kentik provide?
Customer data in our public SaaS is stored on common sets of nodes, but with multiple internal system safeguards to ensure that data cannot cross customer boundaries:
- The Kentik Data Engine (KDE) stores each customer’s network data (flow records, BGP, GeoIP, SNMP) in separate logical databases and tables, such that the data from any given customer’s devices is never included in a table with data from any other customer.
- Customers do not have permission/access to change the mapping of data to any KDE table.
- Customers can see only their own logical databases and tables, and thus only their own data.
- Data access audit logs are maintained for all activity within the environment.
- Access to client data is limited to senior, vetted SaaS administrators via logged 2FA authentication.
- Is data encrypted at rest?
Kentik is currently in the process of encrypting all customer data at rest across all production systems to FIPS 120 standards. This process will be completed before the end of Q3 2018.
- Is data encrypted in transit?
- Kentik collects NetFlow data, BGP routing data, and SNMP polling data from customer routers/ switches. Transmitted data can be optionally encrypted over HTTPS via the Kentik agent running on a host inside the customer infrastructure. Inbound data privacy can also be implemented by use of a direct PNI to the Kentik backend, via cross-connect, if the customer has a PoP in an Equinix data center.
- Queries in transit are encrypted via TLS.
- Can data be removed at customer’s request and per customer’s policies?
Yes. Data is automatically removed from the system when past the negotiated retention period. Data can also be optionally removed at any time per customer request.
- Will data be shared with third party vendors?
No. Kentik does not share any customer information with any third parties. Kentik may seek express written consent from our customers to use agreed portions or aggregates of their data for Kentik’s own marketing or research purposes as covered in Kentik’s customer contracts, and would only do so with such written consent.
Third-party vendors used by Kentik undergo a thorough security risk assessment and are analyzed by our security team. Once the vendor meets Kentik’s security requirements, Kentik will periodically reassess their security controls and agreements in place. Kentik ensures that all data is returned and/or deleted at the end of a vendor relationship.
- Are there any interfaces or connections with third party systems?
A number of alliance partners have built connectors to the Kentik Data Engine (backend datastore). However any data retrieval via those interfaces must be instantiated and authorized by the Kentik customer, and must use validated customer access credentials controlled by the user.
- What forms of user management features and controls exist for Kentik?
- Our operations environment is accessible only through a combination of SSH RSA/DSS key authentication in combination with two-factor authentication.
- Internally, only Kentik personnel in the operations group have access to the Kentik infrastructure.
- Service users (customers) use the portal login.
- User accounts exist only within a customer’s account, and can be created only by the designated customer administrator. Users can be assigned Admin or Read-only access.
- API access tokens are generated for each user account.
- Data retrieval filters can be placed on individual users.
- Does Kentik offer single sign-on (SSO)?
Yes, we offer SAML2-based SSO.
- Is multi-factor authentication deployed for “high-risk” environments?
Multi-factor authentication is implemented in Kentik Detect. It is used internally by Kentik employees, and is available for each customer to enable for its own users.
- Pursuant to local laws, regulations, ethics, and contractual constraints, are all Kentik employment candidates, contractors, and third parties subject to background verification?
Kentik performs standard reviews of background, references, and criminal records (federal, state, and local) as part of employment.
- Are employees required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
- What are Kentik’s user termination procedures and timelines?
- Customer users are deleted from the system as soon as they are removed via the User administration section of the portal.
- Kentik staff accounts are disabled immediately upon change in role or termination and audited monthly.
- What is Kentik’s password policy for systems and infrastructure that is used to host customer data?
Kentik employs secure-key, 2-factor authentication, and all access is logged to multiple endpoints.
- Does Kentik employ a formal secure application methodology?
Kentik currently follows OWASP guidelines for secure web development, including use of the OWASP dependency checker.
- What are your processes for security code review and secure development lifecycle?
Kentik uses several automated source code analysis tools for assessing both performance and security, and we are continuously evolving our development platform and processes to embrace best practices for secure code development. We also conduct regular code reviews, which include security reviews, as part of our implementation process.
- Do you utilize industry standards (Build Security in Maturity Model [BSIMM] Benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build-in security for your Systems/ Software Development Lifecycle (SDLC)?
Kentik is in the process of deploying the NIST Systems Security Engineering framework for system development and management. Kentik currently uses the OWASP SDLC as the framework for it software development and management.
- Does Kentik have a Data Protection Officer (DPO)?
Kentik has a designated individual filling the role of DPO. The DPO may be contacted through email at firstname.lastname@example.org.
- Does Kentik have a breach notification policy?
Breach notification is integrated into the formalized Kentik Incident Response plan.
- How long does Kentik store data?
We store customer data for as long as you are an active customer. Once you cancel service, we purge your data from our system. You also can purge your data at any time. Our standard retention period for flow data is 45 days for “full” resolution and 120 days for “trending” resolution.
The tables in the following topics contain information typically requested by prospective customers to assess security concerns related to their vendors:
The categories of data that Kentik does and does not collect and store:
|Business Critical Information
||IP addresses are exported to Kentik either over HTTPS transport or via unencrypted UDP. UDP flow can be encrypted before leaving your site. SNMP supports unencrypted and encrypted formats.
||No packet payload data is exported to Kentik.
|Other Sensitive Information
||Data is only IP address/port-related.
|Payment Card Information
||No packet payload data is exported.
|Personally Identifiable Information (PII)
||No PII is exported (unless contained in IP address). No packet payload data is exported.
|Protected Health Information (PHI)
||No PHI is exported.
||No public information is exported.
|Sensitive Digital Research Data
||No packet payload data is exported.
|Social Security Numbers (SSN)
||No packet payload data is exported.
What Kentik does with collected data, and where:
||Data is sent via UDP or HTTPS to Kentik’s PaaS offering, and is stored, indexed, and made available via the API and portal. Alerts can be configured to run over the data as well.
||- NetFlow can be sent to a Kentik-provided proxy agent that runs on the customer’s network.
- All outbound communication between the agent and Kentik’s network is via HTTPS.
- Data cannot be extracted from the system unencrypted.
- All on-disk customer data across all production systems will be encrypted to FIPS 120 standards by the end of Q3 2018.
||Each company has an independent database fully partitioned from other customers.
All users within a company share a single database.
No databases can be altered by customers.
Current compliance-related information:
||All data stored in a SOC 2-compliant data center.
||Quarterly external and internal vulnerability assessments. Semi-annual penetration tests.
Information on security-related monitoring:
|Audit logging and SIEM technology
||All system, server, and application logs are sent to an internally- hosted SEIM. We have human oversight as well as programmatic alerting for security alerts.
|Event logging and monitoring
||The following types of events are logged and monitored:
Failed authentication attempts
External traffic searches unrelated to queries
Unusual data-traffic patterns both internally and externally
|Incident Response Plan
||Kentik has a formalized incident response program in place based on NIST 800-61.
Information about the processes used to ensure the security of the application:
|Change management program
||Changes are tested through Continuous Integration (CI) QA process, development, and staging systems.
|Data used for development and/ or testing
||The staging system has some production data, but only from customers that explicitly opt in to this program.
|Testing and approval of changes for production
||QA testing is done actively and passively (testing the system and observing alerts and logs). Changes are then approved for roll- out to production.
|Deployment of changes to production
||Software updates are deployed to production through an automated process and systems that include QA, security verification, logging, and monitoring.
|Separation between testing and production environments
||Test environments are hosted on our own machines or on a secure IaaS. Staging is on IaaS and on our own hardware. Prod is separate and currently all on our own hardware.
|Software security code reviews
||We conduct periodic source code reviews and cover security reviews as part of a comprehensive code review.
|OWASP Top 10 Application Security Risks
||The application is audited against OWASP Top 10 Application Security Risks.
||As part of all design reviews we perform threat modeling against components, the system, and interactions (planned and unplanned) between components.
|Automated source-code analysis
||We use an automated source-code analysis tool to detect code security defects prior to production. We also conduct regular security reviews of our code.
||No portion of the development is outsourced to third party developers.
||Both 2FA and SAML2/SSO are supported for customers, and SAML2/SSO is utilized by all backend systems.
||Customers can interact directly with the DBI or RESTful APIs, in which case no JS is needed. Using our portal does involve using our JS.
|Web application vulnerability assessment and penetration tests
||We periodically conduct web application vulnerability assessments, quarterly vulnerability assessments, and semi-annual penetration tests.
Information related to security on production servers (application and database):
|Infrastructure vulnerability assessment and penetration testing
||We conduct quarterly infrastructure vulnerability assessment and semi-annual penetration testing.
||The Kentik patch management program is based around the severity rating of the flaw, taking into consideration the likelihood of the exploitation of the vulnerability, the distribution of the vulnerability across the production environment and the impact to operations.
- Critical severity vulnerabilities must be remediated within 10 days of discovery.
- High severity vulnerabilities must be remediated within 30 days of discovery.
- Medium severity vulnerabilities must be remediated within 60 days of discovery.
- Low severity vulnerabilities must be remediated within 90 days of discovery.
|User authentication to production
||Users are authenticated via SSH RSA/DSS key access and 2FA through our SSH gateway servers.
|Testing, approval, and logging of system changes
||Documentation is via a collaboration service and email.
Basic disaster recovery information:
|Primary data center (production)
||Located on Kentik’s own equipment in Equinix DC3 and DC4, Ashburn, VA.
|Disaster recovery data centers
||Kentik’s datastores in the DC3 and DC4 data centers are fully redundant.
|Recovery time objective (RTO)
||Less than 2 hours
|Recovery point objective (RPO)
||RPO today covers device identification and company/user metadata.
Device dynamics (NetFlow/SNMP/routing) data is replicated in the primary site and is only replicated outside the primary site for customers purchasing HA (multi-site HA+DR) service.