Absolute’s Security Processes
Absolute’s cloud-based endpoint visibility and control platform enables the management and security of computing devices, applications, and data for enterprise and public sector organizations. The platform enables IT and security professionals to enforce asset management, security hygiene, and data compliance for computing endpoints, both on and off the corporate network. Our unique solutions are anchored to endpoint devices by our patented Persistence® technology, which is embedded in the firmware of laptop, desktop, and tablet devices by the majority of the world’s largest global computer manufacturers and currently serve more than 13,000 customers worldwide.
Given the scope of Absolute’s capabilities and the scale of our deployment, security is critically important to us. We are committed to providing strong security controls and encryption to protect the information you entrust to us.
We maintain administrative, technical, and organizational security measures to protect your information from loss, misuse, and unauthorized access or disclosure. These measures are based on industry security practices and take into account the sensitivity of the information we collect, the current state of technology, the cost effectiveness of implementation, and the scope of the data processing we engage in.
Our executive support for security practices
Absolute is committed to ensuring the confidentiality, integrity, and availability of its data and systems through effective information security management. Our executive management actively supports information security within the organization through clear direction, explicit assignment, and acknowledgement of information security responsibilities.
Absolute’s Chief Information Security Officer (CISO) is responsible for security, technology, and infrastructure, and reports directly to the CEO. The CISO, CEO, and other executives are aware of the controls set within the organization and their importance. An approval process is in place in order to approve and implement technical policies and processes between the CISO and CEO.
Our core teams are organized into service teams and their responsibilities are defined as such:
- Security Operations - Manages cross-platform security functions, such as security incident response, application security, threat modelling, security monitoring, penetration testing, and vulnerability management.
- Security Governance, Risk, and Compliance (GRC) – Identifies, documents, and advises teams in implementing security and privacy controls to maintain Absolute’s security and privacy commitments to its customers and partners. Performs compliance audits, creation and maintenance of security policies and procedures, and risk management functions.
- Cloud Engineering - Builds core infrastructure and cloud initiatives. The team is responsible for building and managing next generation of cloud services.
- Hosting Operations - Responsible for the administration, release of new product features and services, and service management of the Absolute Platform.
- Product Development - Responsible for the development, testing and implementation of new features and services within the Absolute platform. Performs threat modelling and secure code practices.
- Product Management - Creates requirements for the Absolute product and platform including new features and services, and responsible for incorporating privacy and security by design principles into the consideration of new features and services.
- Legal - Monitor regulatory and business developments and advise the business on legal compliance and business strategy relating to data security, privacy, risk management, and technology transactions.
We assess ongoing cyber threats and risks
Absolute implements and maintains a cybersecurity framework to manage cyber risk, control, and compliance-based activities. This framework is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The cyber risk landscape is constantly changing, creating new attack vectors and expanding the attack surface that we must patrol and defend. We assess and evaluate current and emerging threats and risks to our applications and infrastructure on an ongoing basis, including cloud, third party vendors, and data privacy.
We’ve established a dedicated senior management committee to oversee the cybersecurity risk program and to address any cybersecurity risks within our organization. Through the committee, the implementation of our cybersecurity risk program is performed through regular updates/dialogue between our Board of Directors and senior management.
We remain cyber secure through applying security best practices
Absolute employees receive security training during onboarding and on an ongoing basis. Employees are required to read and sign information security policies covering the confidentiality, integrity, availability of the systems and services that are used to deliver Absolute services. Where applicable, including for particularly sensitive positions, Absolute also conducts certain criminal background checks on employees before employment.
Absolute implements and maintains industry-standard security policies that align with the NIST Special Publication 800-53. This policy is further defined by control standards, procedures, control metrics and control tests to assure functional verification.
We design and implement security controls around our most sensitive assets and balancing the need to reduce risk, while enabling productivity, business growth, and cost optimization objectives. Baseline security controls and standards relating to infrastructure, applications and secure software development lifecycle (SDLC) are implemented using industry security standards such as NIST, Center for Internet Security (CIS) Critical Security Controls, CIS security benchmarks, and the Open Web Application Security Project (OWASP).
We classify our data against industry best practices to ensure that we design and implement security controls to manage and safeguard data against unauthorized access, improper retention, and unsafe destruction.
The Absolute Platform is audited once a year for ISO/IEC 27001:2013 compliance by a third-party accredited certification body, providing independent validation that security controls are in place and operating effectively. The scope of the audit includes our Canadian Data Centre (CADC) and US Data Centre (USDC). For details, refer to: https://www.absolute.com/company/legal/compliance-certifications/iso-27001/
Vulnerability and Patch Management
We perform scans on a regular basis to identify potential vulnerabilities within our environment. We ensure that risks posed by security vulnerabilities are assessed, prioritized, and remediated in accordance with our risk appetite and requirements outlined within organizational policy.
We engage external third parties annually or more frequent basis to perform penetration testing on our application, network, and firmware. All findings are reviewed and addressed before production release, or as defined within our risk appetite.
Privacy and Security Assessments
New features, functionality, and design changes go through a review process facilitated by Absolute’s Cybersecurity team. Our Cybersecurity team works closely with product and development teams to resolve any additional security or privacy concerns that may arise during and after development.
We protect your data by implementing and maintaining a defense in depth approach
User Provisioning and Deprovisioning
User administration control processes and procedures exist and are followed to manage the authentication, authorization and appropriateness of users to key systems and applications including the set-up, maintenance, and termination of access privileges.
We apply the principle of least privilege to ensure that individuals have only the minimum means to access the information to which they are entitled.
Single Sign On (SSO)
We apply single sign-on company-wide to ensure greater and more centralized access control to critical systems used by Absolute personnel.
Access to the systems used by Absolute personnel is controlled by multi-factor authentication. This means that Absolute employees and contractors are required to provide physical proof of their identity.
Periodic User Access Reviews
We review user access including privileged access to sensitive resources on an ongoing scheduled basis.
Physical and Environmental Security
Absolute uses two data center colocation providers to host its infrastructure which are located in Canada and the United States. The third-party vendor operates a number of data centers across the world and is also responsible for the physical security and environmental controls within the data centers.
All systems used in the provision of Absolute Services, including firewalls, routers, network switches, and operating systems, log information to our security information and event management (SIEM) tools to enable security reviews and analysis.
We are continuously assessing and addressing threats, vulnerabilities, and overall risk exposure of internal and external applications, as well as its APIs. We have implemented an application security testing program to gain better visibility into potential security issues across our applications. Application security is included early on in the software development lifecycle, including the design, development, release, and upgrade stages. Web application security risks are assessed, reviewed, and monitored against OWASP Top 10.
Source code builds are scanned for vulnerabilities prior to production release. We perform static analysis security testing (SAST) to analyze source code before compiling to validate the use of secure coding policies. We also perform dynamic analysis security testing (DAST) on fully compiled software to test security of fully integrated and running code.
We protect your data against cybersecurity threats
The Absolute platform supports the latest industry-standard secure cipher suites and protocols to encrypt all traffic in transit. We encrypt customer data at rest. We also enforce full disk encryption for company-issued laptops.
In addition to system monitoring and logging, we have implemented firewalls that are configured according to industry best practices, and ports not utilized for delivery of Absolute services are blocked.
We monitor the changing cryptographic landscape closely and make commercially reasonable efforts to upgrade the Absolute platform to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, Absolute does this while also balancing the need for compatibility for legacy clients.
All of the data in transit that crosses the Absolute private cloud boundaries is encrypted at all times. Absolute uses a proprietary protocol for device/server communications. Communications from the devices are initially encrypted and authenticated using a public 3072-bit key that is updated periodically.
Randomly generated initialization vectors and encryption keys are used with a GCM-based AES 128-bit encryption algorithm to protect session data. Devices are authenticated using a proprietary algorithm to preclude device impersonation. HTTP over port 80 (with encrypted payloads) and HTTPS over port 443 (mobile) are used to facilitate communications through firewalls and proxies.
We are cyber vigilant by being situationally aware
Being situationally aware starts with understanding possible adversaries; who might attack and why, and then building situational awareness to stay a step ahead. We receive automated cyber threat intelligence reports which are reviewed on a regular basis. We maintain an extensive, centralized logging environment which contains information pertaining to security, monitoring, availability, access, and other metrics about Absolute’s services. We have a dedicated Security Operations Center to alert us of potential events to investigate prior to it becoming a security incident.
We are cyber resilient
Being resilient means being prepared to handle critical cyber incidents, repair damage to business, and return to normal operations as quickly as possible. Absolute maintains security incident management policies and procedures. Absolute notifies impacted customers without undue delay of any unauthorized disclosure of their data by Absolute or its agents of which Absolute becomes aware, in accordance with applicable laws.