Introduction

Rookout revolutionizes the way we observe software in production environments. Since no company should risk its production systems by introducing elements that aren’t fully secured, we’ve baked cybersecurity into the very DNA of Rookout. As a company founded by cybersecurity experts, we’re fully committed to putting security first.

Reporting Vulnerabilities

To report a vulnerability or security concern with any Rookout product, please contact security@rookout.com. Include a proof of concept, as well as a list of tools that were used (with version information), and the output of the tools. We relate very seriously to all security reports and concerns. Upon receiving a report, we thoroughly verify vulnerability/ies before determining the best way to fix it and taking appropriate action. Once verified, we will periodically issue disclosures as problems are fixed.

Compliance

When it comes to delivering a secure software service, we understand that internal security controls and processes are the sine qua non.
Rookout is scheduled to complete the trial period for SOC 2 compliance by Q3 2018. Compliance documentation is available under NDA.
In addition, the company is considering additional certifications such as ISO 27001, PCI, and HIPAA.
Please contact our sales team for further compliance information.

Infrastructure and Networks

Physical Access

Because Rookout is hosted on Google Cloud Platform, we rely on Google data centers’ layered security model, which includes the following safeguards:

  • Custom electronic access cards
  • Alarms
  • Barriers to vehicular access
  • Perimeter fences
  • Metal detectors
  • Biometric ID scanners

The Google Security Whitepaper describes the following physical access controls: “…the data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Googlers will ever set foot in one of our data centers.”
No Rookout employees ever physically enter Google data centers or access the servers, network equipment, or data storage devices therein.

Logical Access

Rookout is the administrator of its Google Cloud Platform infrastructure. When needed, only designated and authorized Rookout operations team members who use Google two-factor authentication are able to configure the infrastructure.

Penetration Testing

Rookout contracts with an independent, third-party agency to conduct annual black box penetration testing and provides them with an isolated clone of app.rookout.com and a high-level application architecture diagram.
Information about any security vulnerabilities discovered through testing is used to establish mitigation and remediation priorities. A penetration test findings summary is available to Enterprise customers upon request.

Third-Party Auditing

Google Cloud Platform is independently audited by various third parties on a regular basis. Compliance control verification is available for data centers, infrastructure, and operations, as is SSAE 16-compliant SOC 2 certification, ISO 27001 certification and additional relevant certifications.

Intrusion Detection/ Prevention

Rookout is extremely vigilant regarding unusual patterns of network activity or suspicious behavior relating to infrastructure hosting and management. As such, we rely on the intrusion detection and prevention systems (IDS/IPS) utilized by Google Cloud Platform, which identify traffic patterns that resemble known attack methods through signature- and algorithm-based security modalities.
IDS/IPS activity includes the following strategies:

  • Tightly controlling the size and make-up of the attack surface
  • Deploying intelligent detection controls at data entry points
  • Leveraging technologies which automatically remedy risky situations
  • Blocking known threats from accessing systems.Rookout customers cannot access to security event forensics directly. However, they may be in touch with engineering teams and/or customer support during or subsequent to unscheduled downtime.

BCP and DRP

Business Continuity

Rookout encrypts and backs up data daily, and retains backups in multiple regions on Google Cloud Platform. Should primary production data stores be lost, we will utilize these backups to restore organizational data.

Disaster Recovery

In the event of a region-wide power outage, Rookout duplicate its environment in a different and unimpacted Google Cloud Platform region. The Rookout operations team has extensive experience performing full region migrations.

Data Flow

All data entering Rookout’s system goes through a proxy known as Rookout Agent. This proxy can either be installed on premises or provided on a SaaS basis, with explicit control of outgoing data including features such as limits on data collection and data redaction.

Observability Metadata

Rookout collects basic data regarding the customer environment and operations that Rookout is requested to perform. Data collected includes machine information (hostname, OS, etc…), and Rookout internal information (successful execution, errors, etc..).

Program State

Rookout collects program state data only to the extent requested by each customer. Rookout allows data to be sent to 3rd party data services (local/cloud) without first going through Rookout servers. In addition, Rookout supports security policies such as limiting data sinks and data redaction to further control data exposure.

Data Security

Encryption of Data

All data in Rookout servers is encrypted at rest automatically. Data cryptography keys are stored and managed by Google Cloud Platform through its redundant, distributed Key Management Service. As a consequence, it would be impossible for an intruder — in the unlikely event that he was able to access a physical storage device — to decrypt the Rookout data contained on the device. All information would seem to be random characters.
Encryption at rest enables gathering and recording of continuity measures, such as infrastructure management and backup, while maintaining full privacy and data security. For additional security, Rookout transmits data to and from the application exclusively over HTTPS transport layer security (TLS)-encrypted connections.

Application Security

Modifications Sandbox

Rookout runs all modifications to the application within a sandbox environment to ensure that Rookout cannot be used to maliciously (or benignly) change anything in the production environment, including impacting application logic, changing the operating system or initiating network traffic.

Secure Application Development (Application Development Lifecycle)

Rookout practices continuous delivery, meaning that all code changes are committed, tested, shipped, and iterated in rapid sequence. Continuous delivery methodology, together with pull request, continuous integration (CI), and automated error tracking, reduces the incidence of security issues as well as cutting response time and improving eradication of bugs and vulnerabilities.

Corporate Security

Malware Protection

At Rookout, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. Company-provided workstations run anti-malware software as needed and full-disk encryption, screen locks and firewalls are configured for all workstations.

Risk Management

All Rookout product changes undergo thorough code review, CI, and build pipeline to reach production servers. Only designated employees on the Rookout operations team have secure shell (SSH) access to production servers.
Testing and risk management are performed on all systems and applications on a regular and ongoing basis and we develop new methods, review them, and deploy to production through pull requests and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.

Security Policies

Rookout maintains an internal set of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Rookout Enterprise customers upon request.

Background Checks

Rookout conducts background checks for all new hires.

Security Training

As an integral part of onboarding, new employees receive systems training that includes environment and permissions setup, formal software development training (when relevant), security policy review, and company policy review.
All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Major updates are communicated via email to all Rookout employees.