Security
We take security seriously at Moogsoft and work diligently to exceed the industry standard when it comes to protecting your data.

Overview

  • OWASP (Open Web Application Security Project)
  • CSA (Cloud Security Alliance)
  • Service Organization Controls (SOC) Type I & II, based on the Trust Services Principles
  • NIST (National Institute of Standards and Technology)

Product Security

Moogsoft AIOps As A Service uses the following security features:

  • Security Assertion Markup Language (SAML)-based single sign-on (SSO)
  • System for Cross-domain Identity Management (SCIM) for full provisioning lifecycle management
  • Data Leakage Protection (DLP)
  • Amazon Web Services Web Application Firewall (WAF): we use AWS WAF to mitigate the OWASP Top 10 web application vulnerabilities
  • Amazon Web Services CloudFront geo restriction
  • Amazon Web Services best practices for DDoS resiliency
  • Amazon Web Services Key Management Service (KMS)
  • All SaaS instances of Moogsoft AIOps run in fully isolated Virtual Private Clouds (VPCs) shared with no other client
  • All data is fully encrypted in transit and at rest: in transit using TLS 1.2 with a strong key exchange (ECDHE_RSA with P-256) and a strong cipher (AES_128_GCM), and at rest using AES_256
  • All cryptographic key lengths, ciphers, protocols, etc. are explicitly enforced to be in line with current industry best practices
  • All Moogsoft AIOps SaaS instances running on AWS are AICPA “carve out” compliant (see the relevant section on subservice “carve out” in this AICPA document) and are consequently compliant with the standards/topics listed here
  • All access to any Moogsoft AIOps system is strictly limited via RBAC, following a “need-to-know” and “principle-of-least-privilege” approach
  • All Moogsoft staff are required to use multi-factor authentication (MFA)
  • All Moogsoft staff are required to undertake annual training in IT security and safe data handling practices
  • Moogsoft immediately patches all SaaS instances when a vulnerability affecting them is published in the National Vulnerability Database, the MITRE CVE list, or the NIST Special Publication 800-70 Revision 3 checklists
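As an added example (not Moogsoft's own code), the encryption-in-transit policy stated above expressed as a Python `ssl` configuration that refuses anything weaker, plus a check on what a peer actually negotiated; the hostname is a placeholder and the AES_256-GCM suite is an assumption added alongside the stated AES_128_GCM.

```python
import socket
import ssl

# Policy values from the page; OpenSSL spells the stated suite
# ECDHE-RSA-AES128-GCM-SHA256. The AES256 variant is an added assumption.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
TLS12_SUITES = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
ECDH_CURVE = "prime256v1"  # OpenSSL's name for NIST P-256


def server_context(certfile=None, keyfile=None):
    """Server context that cannot negotiate anything weaker than the policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(TLS12_SUITES)        # no RSA key transport, no CBC, no RC4
    ctx.set_ecdh_curve(ECDH_CURVE)       # ephemeral ECDH on P-256 only
    if certfile:                         # the deployment's own chain (placeholder)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def conforms(version, cipher_name):
    """Judge a negotiated (version, cipher) pair against the stated policy."""
    if version == "TLSv1.3":
        # Every TLS 1.3 suite is AEAD with ephemeral key exchange; the policy
        # names AES-GCM, so CHACHA20 suites are reported as non-conforming.
        return cipher_name.startswith("TLS_") and "GCM" in cipher_name
    if version != "TLSv1.2":
        return False
    return cipher_name.startswith("ECDHE-RSA-") and "-GCM-" in cipher_name


def audit(host, port=443):
    """Connect with a policy-restricted client and report what was negotiated."""
    ctx = ssl.create_default_context()  # still verifies the server certificate
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(TLS12_SUITES)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits, conforms(tls.version(), name)


if __name__ == "__main__":
    # Against a live instance: print(audit("your-instance.example.com"))
    for pair in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                 ("TLSv1.2", "AES128-SHA"), ("TLSv1.1", "ECDHE-RSA-AES128-SHA")]:
        print(pair, conforms(*pair))
```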

Are Moogsoft solutions able to incorporate single sign-on?

Do Moogsoft solutions allow for a federated Identity Management infrastructure?

Are Moogsoft solutions interoperable with third-party identity providers?

  • Yes. Moogsoft solutions can interoperate with any SAML-compliant Identity Provider (IdP).

Is the password policy technically enforced?

  • Yes. For internal Moogsoft systems this is accomplished via our SSO solution. Clients are able to configure the product according to their own policies.

Do passwords travel in clear text over the internet (or any internal network)?

  • No. All passwords are encrypted. For SSO deployments, the Identity Provider (IdP) handles all authentication and is the only entity with access to password hashes. The IdP is the Moogsoft customer, not Moogsoft itself. For local pre-production testing accounts, only DBAs with access to the Moogsoft MySQL database have access to the password hashes. Such pre-production testing accounts are never used in production.

Does Moogsoft AIOps support two-factor authentication such as RSA SecurID token, software authentication app token, SMS, client certificates?

  • Yes. In production deployments, Moogsoft AIOps is the Service Provider (SP). All authentication is handled by the Identity Provider (IdP), which is typically the Moogsoft customer. Moogsoft AIOps will support any two-factor authentication schemes supported by the IdP. Currently, only client-certificate two-factor authentication is supported for TLS-based data integrations.

Corporate Security

Moogsoft takes security very seriously, and as such, we adhere to the following:

We achieved SOC 2 Compliance in 2019

  • SOC 2 Type I complete and report available upon request.
  • SOC 2 Type II complete and the report is available under NDA.

Disaster Recovery and Business Continuity:

  • We have a BC/DR plan in place, and test on a regular basis.

Cloud Security Alliance

  • We have a CAIQ completed and available.

GDPR

  • Where applicable, we adhere to GDPR requirements.

Data Handling

Type of data that Moogsoft AIOps processes

Moogsoft AIOps processes IT data from sources such as servers, network switches, middleware, application error logs, and the like. Although Moogsoft AIOps does not require any non-IT data, any IT telemetry is considered confidential from an IT security perspective. As such, Moogsoft treats all data as sensitive and has put the required controls in place to keep all data fully protected.

Vulnerability Management

  • National Vulnerability Database
  • NIST Special Publication 800-70 Revision 3

Penetration Testing

  • We participate in the HackerOne vulnerability coordination and bug bounty platform.
  • Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
  • Azure Security Center provides unified security management and advanced threat protection for workloads running in Azure.
  • Moogsoft Red Team: please email the team at security@moogsoft.com.

Contact Info

For any questions, please reach out to Moogsoft Information Security.
Email: security@moogsoft.com
Phone: +1-415-738-2299 Ext. 3
