← Back to blog

Providing Security by Design - The Element Security Program

According to one recent study*, a massive 78% of companies say that they lack confidence in their company's current cybersecurity posture. While this revelation has prompted at least 91% to increase their defense budgets in 2021, it still points to a harrowing trend that is only poised to get worse before it gets better.

Equally concerning is the fact that, according to the Ponemon Institute's annual Cost of a Data Breach Report, the average total cost of a  breach hit $3.86 million in 2020. Much of this can be attributed to the ongoing COVID-19 pandemic, which saw a massive spike in cyber crime of all types. With the massive spike in ransomware in 2021, including the Colonial Pipeline attack, it’s easy to see why organizations take cybersecurity so seriously.

At Element, we understand that customers have a need to have full access to their data, 24/7.

Our Information Security Management System (ISMS for short) was developed through our implementation of the ISO 27001 standard. It's designed to not only secure the information that an enterprise depends on daily, but also increase its resilience to fend off cyber attacks, reduce the costs associated with information security and more.

The Element Security Program: Governance, Risk, Compliance and Beyond

The team at Element prides itself on doing more than "just" security. We're constantly examining cybersecurity best practices and capitalizing on opportunities to do things better.

This is especially evident in terms of governance. SOC2, PCI-DSS and similar standards bodies offer sets of policies and procedures that must be followed. They are guidelines that provide the bare minimum of protection - nothing more, nothing less. ISO 27001, on the other hand, is a way of operating that improves our security posture on an ongoing basis, as well as the policies and procedures designed to safeguard your enterprise’s lifeblood - its data

Our ISMS, based on ISO 27001, helps us adapt as new threats emerge. We take a proactive approach to cybersecurity, which allows us to stay one step ahead of the bad actors who cause harm.

It's also important to note that this is a true company-wide effort in every sense of the term. It's not a stance that is relegated to the engineering department. It includes executive oversight, regular review cadences, and key performance indicators (KPIs) that we track on an ongoing basis.

All of this is done so that our security program continues to grow and evolve as market needs change. If all of this sounds like an enormous amount of effort, that's because it is. But while it may not be the easiest option for a security program, the continuous improvement we have realized since implementing the program shows that it's more than worth it.

Sophisticated Controls for Better Cybersecurity

At Element, we have a comprehensive set of controls in place to help safeguard the critical data that individuals are creating, storing and sharing on a daily basis.

Every member of our team goes through rigorous background checks to make sure they're able to meet the demands of safeguarding your information. They also go through extensive training to ensure they're up-to-date on all the latest cybersecurity trends, tips and best practices, and we have Access Control Validation throughout all points of our facility to make sure that the only people who have physical access to a particular area are those who need it to do their jobs.

With regards to our internal IT infrastructure, we deploy automated endpoint protection that brings with it the following capabilities:

  • Strict password policies to help prevent passwords from becoming a potential point of compromise.
  • Encryption enforcement, including encryption for data both in-transit and at-rest.
  • Encryption key escrowing, which allows encrypted data to still be accessed in the event that a password is lost or forgotten.
  • Automatic patch management, to make sure that all software and hardware is up-to-date and to help close security loopholes before someone can take advantage of them.
  • Extended detection and response threat protection, which allows us to detect unusual or otherwise suspicious activity immediately so that we can stop a small problem before it becomes a much larger one.
  • DNS filtering, which automatically blocks access to certain sites or domains that we know to be suspicious.
  • A secure web gateway, which filters unwanted malware or software so that users can navigate the Internet safely.
  • Ubiquitous SSO, which is applicable to all supported SaaS services.

The Element Security Program also employs DLP, or data loss prevention services. These are a collection of tools that perform both content inspection and a contextual analysis of all the data being sent via channels like email, text-based messaging and more. This allows us to monitor information that is in use, at rest and even in motion - preventing data exfiltration in real-time. This, in and of itself, goes a long way towards making sure that customers’ confidential information isn't being shared with people who shouldn't have it.

Additionally, we provide automated phishing testing and training for employees - something that is truly essential in the modern era. According to one recent study, about 74% of organizations in the United States say that they've experienced a successful phishing attack. This is a massive 14% increase year-over-year. Phishing attacks are becoming common and they can be devastating if left unchecked.

Thankfully, the Element Security Program routinely exceeds industry benchmarks - both for user awareness and for the detection of phishing attempts across the board.

Protecting the Cloud, Protecting Your Business

The cloud networking security at Element is state of the art, we use network isolated cloud resources that themselves are shielded by an SSO integrated VPN (Virtual Private Network). Not only does this encompass all internal services, but also our development tools, our products and more.

We also offer features like:

  • Logging for all network access, which is handled by our cloud vendors. This critical information, which can be used in the future for the purpose of an audit, is stored in an immutable log indefinitely.
  • Role-based routing rules that allow specific access to each peer network on an as-needed basis. This is critical for making sure that the only people who have access to certain types of data are those who expressly need it to do their jobs.
  • Cloud vendor policies for enforcement of certain standards, including restricting the set of users who can create public IP addresses, determining who can create publicly accessible object stores (Azure Blob and AWS S3), and others.
  • A web application firewall (WAF) for incoming application requests per subscription. This helps protect against a wide range of different types of attacks, including cross-site scripting, SQL injection, plus the full range of OWASP10 attacks that can be mitigated at the network layer.
  • Identity and Access Management (IAM) is configured to apply the principle of least privilege in both Microsoft Azure, and Amazon Web Services (AWS). This ensures that all users have as much access, and no more to the resources they need to do their jobs. This approach is designed to keep our cloud infrastructure safe and secure from both internal and external threat vectors.
  • Cloud Vendor authentication is centralized in our cloud identity provider, OneLogin.

In terms of logging, monitoring and alerting capabilities, we deploy CloudTrail with Amazon Web Services and Azure Monitor in MSFT to increase visibility as much as possible. All logs are forwarded to our logging system for centralized storage and analysis, which itself is the key to uncovering trends and patterns that may otherwise go undiscovered.

In regard to data, we follow all durability best practices and offer encryption both in-transit and at rest. In addition to the data loss prevention (DLP) services outlined above, we provide sophisticated disaster recovery solutions to help get your operations back up and running should a data breach occur. Even as the attack continues, we can replicate your data at a secure site so that you don't lose productivity.

Application Security

Finally, with regards to Element Unify, we perform a static analysis of all code—complete with vendor-managed policies and rules. This allows us to discover, triage, and patch any vulnerabilities before they become security threats.

In addition to static analysis, we also conduct penetration testing to continue to mitigate vulnerabilities that may one day impact our clients. These tests are run against our live systems, targeting both Element Unify and the underlying infrastructure.

We leverage NeuVector for our Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), both of which allow us to compare network packets against a comprehensive database of known signatures for cyber attacks, and discovers unusual communication patterns between the workloads that make up Element Unify. This allows us to flag any suspicious packets immediately, preventing them from harming the rest of the network, and restrict unusual traffic which could be indicative of an attack. This adaptive monitoring with reinforcement learning allows us to block unusual traffic immediately, and alert the security team to respond appropriately.

We also offer several additional levels of security in some of our packages. Single-Tenant hosting options are available, as well as SSO integration to your cloud identity provider (Azure Active Directory, Okta, OneLogin, etc), and finally we offer Private Link on both AWS and Azure to provide a completely private experience for Unify data, transporting all traffic between the customer’s network and Element Unify over the cloud vendor backbone network and not the public internet.

Ultimately, the team at Element wants customers to rest easy knowing that we're doing everything we can to keep their valuable data safe, and that is one standard we will not compromise.

To find out more about the major benefits of The Element Security Program, or to discuss any other questions you may have, please - contact Element today.


------

* Read the study here