Security Practices
Architecture
Security built in from the ground up. The Gremlin Platform is architected to comply with rigorous security standards and frameworks, such as SOC 2. Our design ensures the confidentiality, integrity, and availability of customers' data.
Application Development
The Gremlin Platform is built using a Secure Design Life Cycle based on OWASP and SANS frameworks, following a strict change management process designed to protect the integrity of the platform and the data it holds.
Data centers
The Gremlin Platform is hosted on AWS in some of the most secure data centers on Earth. These data centers are SOC 1 & 2 and ISO certified, and use the most secure physical security technologies, such as biometrics. All facilities are monitored by professional security staff.
Compliance & audit
SOC2
A Service Organization Controls 2 (SOC 2) audit covers 60+ controls that ensure the security and confidentiality of the Gremlin Platform and its systems. Gremlin's SOC 2 Type II report is available upon request.
Independent code audit
All Gremlin code is audited by an independent security firm on a regular basis. Reports of these audits are available upon request.
Penetration testing
Gremlin attack surfaces are regularly subjected to penetration testing by both Gremlin personnel and independent third-party security firms. Reports of penetration testing results are available upon request.
Networking
Gremlin uses Virtual Private Cloud (VPC) routing through software-defined networks. We implement controls at each layer to ensure that networks are isolated, segregating our infrastructure by zones, environments, and services.
- Access is controlled by secure keys, multi-factor authentication, and the use of encrypted VPNs.
- Intrusion detection and prevention systems are used at the host, network, and cloud layers to identify and prevent potential security issues.
Business Continuity and Disaster Recovery
Gremlin is laser-focused on resiliency, and we employ a rigorous BC/DR plan executed by a continuity team led by executive management.
Our BC/DR plan is tested regularly using Chaos Engineering techniques.
Product Security
Encryption
- All data is encrypted in transit using TLS 1.2+, providing strong ciphers and key lengths.
- All data is encrypted at rest using AES-256 or stronger.
- All encryption keys are generated and stored in AWS Key Management Service (KMS), which prevents access to the underlying keys.
- All passwords are salted and hashed when stored, ensuring the original passwords cannot be retrieved.
Threat modeling
Threat modeling is used during all design and implementation phases to understand specific risks associated with the intended change as well as the system as a whole.
Gremlin performs threat modeling using STRIDE, PASTA, Persona non Grata, Attack Trees, and CVSS scoring.
Tenant Isolation
Gremlin provides strict logical segregation of data by validating ownership metadata at each layer of processing and checking it against the authentication and access control information for the requesting session.
Testing
Testing is performed at each step of development and includes unit, integration, acceptance, ad-hoc, and static and dynamic security testing. Tests are developed by a combination of development and security engineers using automated and manual techniques.
We also employ specialized security consultants to review and test our applications, systems, and code. This includes penetration testing consisting of white-box, code-driven, and threat-based testing.
Vulnerability Management
Gremlin employs a rigorous vulnerability management program to actively identify weaknesses in our systems. Our dedicated security team performs regular scans, and continuous scans on sensitive systems, to detect and respond to vulnerabilities. We also employ automated vulnerability scanning on all deployment systems.
Gremlin performs threat modeling using STRIDE, PASTA, Persona non Grata, Attack Trees, and CVSS scoring. Threat and vulnerability management informs and directs the application development requirements at each stage of development.
SAML2
Gremlin provides support for SAML 2 authentication. This allows us to integrate with many enterprise authentication systems and allows our customers to directly control how their users access and use the Gremlin system. We allow SAML-initiated user provisioning and access management. SAML authentication can be used in conjunction with other authentication methods or as the only available authentication method.
2FA (MFA)
Gremlin supports Two-Factor Authentication (2FA) in order to harden password-based authentication. We accomplish this by using a second factor called a Time-based One-Time Password (TOTP), more commonly called token authentication. This is a broadly used security mechanism supported by common authenticator apps such as Google Authenticator, and it adds an additional layer of protection when using password authentication. We allow customers to require the use of 2FA.
Operational Practices
Access to data (least privilege)
Gremlin adheres strictly to the principle of least privilege. This means that only those users with a strict business need to access data are allowed to do so, and only after signing non-disclosure agreements. Access to sensitive systems is granted only on request and on a time-limited basis.
Monitoring & Alerting
Gremlin employs multiple real-time monitoring systems with 24/7 alerting to inform us of policy violations as well as suspicious activity that may indicate a compromise. These systems include intrusion detection and prevention systems at each layer of our 'stack'. We maintain on-call staff trained and prepared to handle unexpected events and incidents.
Training & Awareness
Security is everyone's responsibility, and the foundation of that is our Security Training & Awareness program. Our program is built from our internal policies and procedures, and communicates these responsibilities and expectations to all staff. Training is reaffirmed on a regular cadence.
Embedded security experts
We embed security experts throughout the business to ensure proper risk evaluation and threat modeling, and to ensure that security practices are consistently employed. These experts form a deep understanding of the threats and controls specific to the systems and processes in use, allowing us to maintain a strong security posture company-wide.
Change management
Gremlin employs a strict change management process that encompasses feature evaluation, comment and design, threat modeling, multiple layers of testing, and release procedures. At each level, approvals from peers and management, as well as a dedicated security review, are required.
Incident management
At Gremlin, preparing for failure is a way of life, and we exemplify this in our Incident Management programs. We employ Chaos Engineering to ensure speed and efficacy in our responses and to keep impacts as low as possible. These practices and regular testing ensure that we and our customers can be confident in our ability to handle incidents gracefully.
Hiring practices
Gremlin strives to attract and hire the best and brightest experts in their fields. We welcome new members of our team and challenge them to produce their best work. Prior to hiring we perform checks including employment, references, background & financial, and visa verification. Each team member is bound by a confidentiality agreement.
New employees undergo an onboarding process that includes security awareness training as well as role-specific training. Security awareness training is reaffirmed by all staff on an ongoing basis.
Privacy
GDPR
Gremlin complies with GDPR via Data Protection Agreement (DPA) and Standard Contractual Clauses (SCC). Compliance requirements are confirmed and documented by an independent audit firm. Reports are available upon request.
Our exacting privacy standards extend to our contractors and sub-processors, who are required to maintain privacy controls at least as strong as our own. These controls are reviewed by an independent audit firm, and documentation of the results is available upon request.
Policy
Please see our privacy policy at https://www.gremlin.com/privacy/.