🛡️Security
Neverinstall has an industry-leading security program focused on Security, Confidentiality, Integrity, and Availability by design.
Privacy and security are integrated into the foundation of Neverinstall’s architecture from the very beginning. Neverinstall has an industry-leading security program focused on Security, Confidentiality, Integrity, and Availability by design.
Securing Neverinstall infrastructure
Securing Neverinstall user information and data
Storage of data
Transmission of data
Access to data
Sharing or observation of data
Securing Software developed by Neverinstall
Our security program also has an obligation to enforce and uphold our commitments to our customers’ data. We undergo quaterly compliance audits, which serve as an independent attestation of the efficiency and effectiveness of our data protection controls and security program objectives. Neverinstall also undergoes regular external assessments of our products and infrastructure, in addition to our own.
Neverinstall applications are secure-by-default. The security measures implemented for Neverinstall installations are:
On Neverinstall Cloud, all connections are TLS encrypted. For self-hosted instances, we offer the capability to set up SSL certificates via LetsEncrypt during the installation process.
All sensitive credentials, such as database credentials, are encrypted with AES-256 encryption. Each self-hosted Neverinstall instance configures unique salt and password values ensuring data-at-rest security.
Neverinstall Cloud will only connect to your databases/API endpoints through whitelisted IPs ensuring that you only expose database access to specific IPs when using our cloud offering.
We are soon coming up with a self-hosting feature where you can run Neverinstall on your own cloud servers. This will also help to reduce concerns around security.
Organizational security
Neverinstall’s Security Team is responsible for the implementation and management of our security program. Neverinstall’s Security Team focuses on the following areas:
Product security
Security engineering
Data governance
Compliance
Security operations
Data security controls
The focus of Neverinstall’s data security controls is to prevent unauthorized access or observations of protected customer data. Our team of security practitioners in partnership with teams across the organization work together to identify and mitigate risks, develop solutions, and implement best practices. Neverinstall does not store any data returned from your API endpoints or DB queries. Neverinstall only acts as a proxy layer. When you query your database/API endpoint, the Neverinstall server only appends sensitive credentials before forwarding the request to your backend. The Neverinstall server doesn't expose sensitive credentials to the browser because that can lead to security breaches. Such a routing ensures the security of your systems and data.
Penetration testing
In addition to compliance audits and security scanning, Neverinstall engages independent entities to conduct application, infrastructure, and network-level penetration tests (at minimum) twice per year. The results of these tests are shared with the appropriate members of management and then triaged, prioritized, and remediated on time.
Customers can receive a recent penetration test summary (under MNDA) by request from their Success team representative.
Securing the Software Development lifecycle (SDLC)
Starting with Product and Service Development, Neverinstall has implemented a secure software development lifecycle that begins by scanning and remediating security issues found during development and design phases before code is ever merged into a project.
Web and network security development is designed around guidelines such as the OWASP Top 10, Common Vulnerabilities and Exposures, and CIS benchmarks, and observed through the lens of the MITRE ATT&CK and kill chain frameworks.
Encryption: data in transit
As a cloud-based service, Neverinstall transmits data over public networks using strong encryption and security protocols. This includes data transmitted between Neverinstall agents and our public endpoints. Neverinstall has no access to the data entered within applications used within the software.
Across our broad array of authentication protocols, including LDAP, RADIUS, SAML, and our agent-based binding for computers and servers, we support the use of TLS 1.2+ protocols coupled with industry best practice ciphers and key sizes. The transmission of sensitive information over the Internet or other public communications paths is prohibited unless encrypted.
Encryption: data at rest
Neverinstall uses industry best practice algorithms, ciphers, and key lengths to protect confidential data and personal identifiable information (PII) at rest. Encrypted backup data is automatically and asynchronously replicated in a separate data center region to ensure availability in the event of a disaster and resiliently supported across multiple availability zones. This automated backup system is configured to encrypt backup data as a component of the backup process. Access to encryption keys is restricted to user accounts accessible by authorized personnel and audited regularly.
Network and server security
Neverinstall segment systems into separate networks to protect sensitive data. Strict firewall rules and communication protocols protect connections made with our networks.
Systems used for development or testing purposes are hosted separately from production systems. All servers in our production environment are hardened and validated against industry-standard CIS benchmarks regularly.
Access to Neverinstall’s systems is based on the least privilege principle. Neverinstall only explicitly allows internet-facing services for the service role they perform, with the edge being the only internet-facing accessibility point. We log, monitor, and audit all access attempts and connections.
Endpoints
All Company assets assigned to Neverinstall personnel are hardened, configured, and managed by Neverinstall based on our internal security policy and acceptable use standards. This includes disk encryption, password complexity, and endpoint compliance policy (such as predefined lock screen durations).
Assets are monitored by endpoint software to monitor, prevent and detect potentially concerning behavior, malware, or other indicators of compromise.
Access control
To reduce the risk of data exposure, Neverinstall follows the principles of least privilege and uses role-based permissions for provisioning access. Associates are only permitted to access systems and data that they must have to meet their current job responsibilities, and such access is provisioned following an approved Access Control Matrix. All provisioned access is, at minimum, reviewed quarterly, and more frequently whenever any change in access occurs.
Neverinstall requires personnel to use a controlled password manager. Password managers generate, store, and enter unique and complex passwords to avoid potential password-related risks.
To further reduce the risk of unauthorized access to systems or data, Neverinstall enforces multi-factor authentication for access to internal systems. Additionally, VPN provisioned permissions are required for accessing our production environments, from managed Neverinstall endpoints following Zero Trust concepts.
System logging and monitoring
Neverinstall monitors all identities, networks, applications, servers, and workstations to maintain a comprehensive view of the security footprint of our corporate and production infrastructure.
Admin access, use of privileged commands, privilege escalation, connections, and system calls are logged and monitored for indicators of compromise. Logs are prioritized, aggregated, and analyzed to detect potential issues and alert responsible Security personnel.
Disaster recovery
Neverinstall uses many layers of defense, monitoring, and automation to ensure that its infrastructure is resilient and available. Neverinstall’s infrastructure leverages multi-tenant services meshed across availability zones and geographic regions to make Neverinstall infrastructure resilient to data center failures, extreme geographic conditions, and other disaster factors. This architecture is focused on preventing a failure at the cloud service provider level or within any one region or zone down to the service model for each Neverinstall service. Neverinstall leverages configuration automation tools to provision and manages its infrastructure. In the case of a disaster at our cloud service provider, Neverinstall can immediately provide a new infrastructure stack via our configuration automation tool in a non-impacted cloud provider or zone. If necessary, data would be restored from the encrypted backup data.
A number of our services have inherent resiliency built into their architecture. Our agent-based, native authentication platform for Windows®, Linux®, and Mac® OS X would not be impacted by a widespread outage of the Neverinstall platform. Users would continue to access their devices as they normally would with their current credentials.
Authentication service availability is even more dispersed. Neverinstall has deployed infrastructure across a global network capable of operating autonomously from the Neverinstall central infrastructure. If for any reason the central Neverinstall infrastructure were to experience an outage, these systems would continue to operate autonomously. Our customers’ systems and applications can continue authenticating against these global services as normal.
Privacy
Neverinstall’s Privacy Policy has been put into practice acceptable use, verified consent, and transparency of collection (and processing) as a data processor and, in cases, as a data controller. In addition, associated controls are designed to uphold our obligations and commitments about how we collect, process, use and share protected data, as well as our processes to support data retention and disclosure in compliance with legitimate business purposes.
We use a variety of security measures, from the first touch on our website through customer conversion and customer departure to maintain confidentiality, availability, and the integrity of personal information. Personal information is contained behind secure networks and is only accessible to a limited number of vetted persons who have access rights commensurate with their role, and are trained to protect confidential information in place.
To request additional information, including Neverinstall’s formal Privacy Policy, please visit Neverinstall’s Privacy Policy. We have a formal process for data subjects to request data deletion outside their company requirements.
Compliance and data deletion
Neverinstall adheres to obligations under laws such as GDPR related to the processing and sharing of customer data. We operate by the primary principle to only collect, process, and store customer data according to the obligations by which it is classified. This includes our obligations to:
Protect this data.
Provide users with the right to access or delete it at any time.
Provide users the opt-in option for tracking cookies on our website to verify consent to be tracked
Provide controls to make sure that any vendors agree to the use of customer data only for the provision of services.
Share and notify customers of our sub-processors and update based on changes through our website.
Conclusion
Neverinstall is built upon a strong foundation for security that helps protect our customers from emerging data protection and identity risks, as well as ongoing threats to privacy and security. Our approach to security puts us in a position to meet both internal and external security requirements while keeping our product and services agile. If you have questions or concerns at any time, please contact our Customer Success Manager for more details.
Last updated