ECA Security

1         Introduction

The purpose of this document is to summarize the security practices and security controls applied within ESET Cloud Administrator (hereinafter referred to as “ECA”). Security practices and controls are designed to protect the confidentiality, integrity and availability of customer information. Please note that security practices and controls may change.

2         Scope

The scope of this document is to summarize security practices and security controls for ECA infrastructure, ESET Business account (hereinafter referred to as “EBA”) infrastructure, organization, personnel and operational processes. Security practices and controls include:

▪       Information security policies

▪       Organization of information security

▪       Human resource security

▪       Asset management

▪       Access control

▪       Cryptography

▪       Physical and environmental security

▪       Operations security

▪       Communications security

▪       System acquisition, development and maintenance

▪       Supplier relationship

▪       Information security incident management

▪       Information security aspects of business continuity management

▪       Compliance

3         Terms and abbreviations

Term or abbreviation

Explanation

EBA

ESET Business Account

ECA

ESET Cloud Administrator

ERA

ESET Remote Administrator

 

4         Security concept

ESET s.r.o. company is ISO 27001:2013 certified. Therefore, the concept of information security uses the ISO 27001 framework to implement a layered defense security strategy when applying security controls on the layer of network, operating systems, databases, applications, personnel and operating processes. Applied security controls and security practices are intended to overlap and complement each other.

5         Security controls

5.1       Information security policies

ESET uses information security policies to cover all aspects of the ISO 27001 standard including information security governance and security controls and practices. Policies are reviewed annually and updated upon significant change to ensure their continuing suitability, adequacy and effectiveness.

ESET performs regular reviews of this policy and internal security checks to ensure consistency with this policy. Non-compliance with information security policies is subject to disciplinary actions for ESET employees or contractual penalties up to contract termination for suppliers.

5.2       Organization of information security

The organization of information security for ECA consists of multiple teams and individuals involved in information security and IT including:

▪       ESET executive management

▪       ESET Internal security teams

▪       Business applications IT teams

▪       Other supporting teams

Information security responsibilities are allocated in-line with information security policies in place. Internal processes are identified and assessed for any risk of unauthorized or unintentional modification or misuse of ESET assets. Risky or sensitive activities of internal processes adopt segregation of duties principle to mitigate the risk.

The ESET legal team is responsible for contacts with authorities. The ESET Internal Security team is responsible for contact with special interest groups like ISACA. The ESET Research lab team is responsible for contact with other security companies and the greater cyber security community.

Information security is accounted for in project management using the applied project management framework from conception to completion of a project.

Remote work and telecommuting is covered through the use of a policy implemented on mobile devices that includes the use of strong cryptographic data protection on mobile devices while traveling through untrusted networks. Security controls on mobile devices are designed to work independently of ESET internal networks and internal systems.

5.3       Human resource security

ESET uses standard human resource practices including policies designed to uphold information security. These practices apply to all teams that access the ECA environment.

5.4       Asset management

The ECA infrastructure is included in ESET asset inventories with strict ownership and rules applied according to asset type and sensitivity. All ECA data and ECA configurations are classified as confidential.

5.5       Access control

All access in ECA is governed by ESET's Access control policy. Access control is set on the infrastructure, network services, operating system, database and application level. Whole user access management on the application level is autonomous. ECA and EBA single sign-on is governed by a central identity provider which ensures that a user can access the authorized tenant only. The application uses standard ERA permissions to enforce role-based access control for the tenant.

ESET backend access is strictly limited to authorized individuals and roles. Standard ESET processes for user (de)registration, (de)provisioning, privilege management and review of user access rights is used to manage ESET employee access to ECA and EBA infrastructure and networks. Strong authentication is used to protect access to all ECA data.

5.6       Cryptography

To protect ECA data, strong cryptography is used to encrypt data at rest and in transit. Generally trusted certificate authority is used to issue certificates for public services. Internal ESET public key infrastructure is used to manage keys within the ECA infrastructure. Data stored in the database is protected by cloud-generated encryption keys. All backup data are protected by ESET managed keys.

5.7       Physical and environmental security

Because ECA and EBA is cloud-based, we rely on our partners Amazon and Azure for physical and environmental security. Both cloud vendors use certified data centers with robust physical security measures. Strong cryptography is used to protect customer data during transport off-site from the cloud environment (for example, in transit to a physical backup data storage).

5.8       Operations security

The ECA service is operated via automated means based on strict operational procedures and configuration templates. All changes, including configuration changes and new package deployment, are approved and tested in a dedicated testing environment before deployment to production. Development, test and production environments are segregated from each other. ECA data is located only in the production environment.

The ECA environment is supervised using operational monitoring to swiftly identify problems and provide sufficient capacity to all services on the network and host levels.

Anti-malware software is deployed as an additional layer of security and threat vectors are minimized through the use of strict privileges, sandboxing and other security mechanisms.

All configuration data is stored in our regularly backed-up repositories to allow for automated recovery of an environment’s configuration. ECA data backups are stored both on-site and offsite. Backups are encrypted and regularly tested for recoverability as a part of business continuity testing.

Auditing on systems is performed according to internal standards and guidelines. Logs and events from the infrastructure, operating system, database, application servers and security controls are collected on a continuous basis. The logs are further processed by IT and internal security teams to identify operational and security anomalies and information security incidents.

ESET uses a general technical vulnerability management process to handle the occurrence of vulnerabilities in ESET infrastructure including ECA and other ESET products. This process includes proactive vulnerability scanning of infrastructure and repeated penetration testing of infrastructure, products and applications.

ESET states internal guidelines for the security of internal infrastructure, networks, operating systems, databases, application servers and applications. These guidelines are checked via technical compliance monitoring and our internal information security audit program.

5.9       Communications security

The ECA environment is segmented via native cloud segmentation with network access limited only to necessary services among network segments. The availability of network services is achieved via native cloud controls like availability zones, load-balancing and redundancy. Dedicated load-balancing components are deployed to provide specific endpoints for ECA instance routing that enforce authorization of traffic and load-balancing. Network traffic is continuously monitored for operational and security anomalies. Potential attacks can be resolved through the use of native cloud controls or deployed security solutions. All network communication is encrypted via generally available techniques including IPsec and TLS.

5.10   System acquisition, development and maintenance

Development of ECA systems is performed in accordance with the ESET secure software development policy. Internal security teams are included in the ECA development project from the initial phase and overlook all development and maintenance activities. The internal security team defines and checks fulfillment of security requirements in various stages of software development. The security of all services, including newly developed ones is tested starting upon release on a continuous basis.

5.11   Supplier relationship

A relevant supplier relationship is covered according to valid ESET guidelines, which cover whole relationship management and contractual requirements from point of information security and privacy. The quality and security of services provided by the critical service provider is assessed regularly. Furthermore, ESET utilizes the principle of portability for ECA to avoid supplier lockout.

5.12   Information security incident management

Information security incident management in ECA is performed in the same way as for any other part of ESET infrastructure and relies on defined incident response procedures. Roles within incident response are defined and allocated across multiple teams including IT, security, legal, human resources, public relations and executive management. The incident response team for an incident is established based on incident triage by the internal security team , and that team will provide further coordination of other teams handling the incident. The internal security team is also responsible for evidence collection and lessons learned. Incident occurrence and resolution is communicated to affected parties.

5.13   Information security aspects of business continuity management

Business continuity of the ECA service is coded in the robust architecture used to maximize the availability of the provided services. Full restoration from offsite backup and configuration data is possible in the event of a catastrophic failure of all redundant nodes for ECA components or the ECA service. The restoration process is regularly tested.

5.14   Compliance

Compliance with the regulatory and contractual requirements of ECA is regularly assessed and reviewed similarly to other infrastructure and processes of ESET, and necessary steps are taken to provide compliance on a continuous basis. Please note that ESET compliance activities do not necessarily mean that the overall compliance requirements of customers are satisfied as such.