Security Statement
Panoptix (Pty) Ltd (henceforth rereferred to as Panoptix) is dedicated to protecting data through the practice of sound Information Security practice and secure software development techniques.
Panoptix recognises that the confidentiality, integrity and availability of information and data created through the use of our software products is of vital importance to the success of our partners and customers. Panoptix takes this responsibility seriously through adherence to sound business practices to ensure compliance with all applicable laws, regulations and obligations.
Security Engineering and Compliance
Panoptix can draw on deep information security experience through qualified personnel that hold, or have held, various security certifications and academic achievements such as the internationally recognized CISSP certification, M.Sc. in Computer Science with a specialisation in Information Security as well as Electrical Engineering degrees [1].
Over and above the team’s qualifications Panoptix uses 2-Factor Authentication for all critical services and tests its software extensively through the utilisation of cutting-edge Continuous Integration and Continuous Deployment techniques. The most critical software contained in Panoptix’s Hotrod offering is developed in the Rust [2] programming language which is widely regarded as a great basis for secure software development [3].
Hotrod
At the core of the Panoptix offering is our Hotrod product. Hotrod has been designed with operational security in mind. Some of the core aspects of default security within Hotrod are:
- TLS support for all API and client software communications, with strict certificate security.
- Hotrod uses JWT (Json Web Token) security for all authentication and authorisation purposes [5].
- Hotrod requires user authentication for all operations, and API-KEY authentication for all hotrod-agent authentication.
- Hotrod does not use default passwords under any circumstances, and all JWT pre-shared-keys use AES-256 encryption which are randomly generated if not overridden by the end-user.
- Hotrod is centrally managed, all configurations are visible and auditable by administrators.
Hotrod Pipes
Hotrod Pipes are deployed by Hotrod-Agent. Pipes are centrally managed and auditable via the Hotrod server, with Panoptix it is possible to securely administer all data gathering and forwarding activities centrally from within Hotrod. Some core aspects of Pipes security are:
- Developed in Rust[2] to ensure performance, stability and memory-safety.
- Supports TLS for http, AMQP and Redis inputs and outputs[6].
- Supports data anonymisation and encryption through Pipe DSL actions, to allow for the operation of Hotrod in environment with elevated privacy and security concerns.
- Support the generation of metadata to allow sensitive data to be processed in a customer environment with only summarised or actionable events egressing to service providers or Hotrod operators.
Distributed Deployments
Hotrod is by it's nature a decentralised system, and is often deployed into highly sensitive and secure enterprise environments. Over and above the data privacy features that Hotrod supports in Hotrod Pipes the following security features specific to large, distributed deployments are also available:
- The Hotrod Server (hotrodd) automatically generates a unique Eliptic Curve certificate and private key (ECDSA signing using the P-256 curves and SHA-256) for every Hotrod Agent.
- Each Hotrod Pipe is cryptographically signed by the server to enable it to run on it's intented Hotrod Agent.
- The Hotrod Pipe executable that runs in the customer environment will only start cryptographically verified Hotrod Pipes. This means that the Hotrod Pipe executable cannot be misused within customer environments and will only run cryptographically verified Hotrod Pipes on its intented Hotrod Agents.
- Administrators can disable automatic updates on the Hotrod Agent which enables an administrator to first verify and approve Hotrod Pipes targeted at their infrastructure, a manual action on the Hotrod Agent is then required for the update to then propagate, allowing the responsible administrators to have the final say about what runs on their infrastructure.
Multitenant Administration
Hotrod caters for large teams of administrators and specialists to cooperate in the management of the Hotrod system. Some capabilities include:
- The ability to associate an Administrator and Hotrod Agent with one or more tenants.
- Super Administrators, that can view and edit all Hotrod Agents.
- Tenant Administrators are only able to add Hotrod Agents to their assigned tenant, as well as only being able to view and edit Hotrod Agents in their specified tenants.
Continuous Improvement
Hotrod software is constantly being improved by Panoptix, and bug-fixes and improvements are securely distributed to partners. From time to time as the software is altered or as new business requirements come to light this Security Statement may be improved.
Have a concern? Need to report an incident?
Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Please visit our security response page for details on how to securely submit a report.
General
All Panoptix software is governed by the Panoptix End User License Agreement
This Security Statement is subjugated to all terms and conditions of the EULA and should be interpreted as a statement of intent, with no additional warranties or guarantees that are not explicitly stated in the Panoptix End User License Agreement.