Security
Introduction
Snow Atlas is an integrated, cloud-native technology intelligence platform delivered as SaaS. It is deployed in the Microsoft Azure cloud, and Flexera manages the infrastructure and application operations, so customers consume Snow products directly from the cloud.
This is an overview of the security practices that are being built into Snow Atlas.
Managed cloud instances for your business
All applications in the Snow Atlas platform are deployed to a world-leading cloud provider, Microsoft Azure. The Azure cloud meets a range of security standards, including ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2, and Microsoft publishes a full list of its compliance offerings. These attestations cover the Azure infrastructure; the controls for the Snow Atlas application layer itself are described in the sections below.
The core of the Snow Atlas infrastructure is built on cloud-native technology and runs on Azure Kubernetes Service (AKS), Microsoft's managed deployment of the Kubernetes container orchestration platform.
Snow Atlas introduces a new data processing model with a dedicated API gateway that filters traffic and routes it to the correct tenant based on a set of attributes issued by the Flexera Identity Provider service (IDP). This gives stronger data separation, full control and visibility over data flows, and a single chokepoint at which potentially malicious requests can be stopped before they reach tenant services. High-severity, high-priority incidents are alerted to on-call engineers via PagerDuty.
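The following is an added illustration of the gateway pattern described above, not Flexera's gateway code. It assumes that the IDP issues signed JWTs carrying a "tenant" claim, that tenant APIs live under a path of the form /tenants/<tenant>/..., and that the gateway pins the signature algorithm rather than trusting the token header; the issuer URL, secret, claim name and path layout are all hypothetical. HS256 with a shared secret is used only to keep the example self-contained; a real deployment would verify asymmetric signatures against the IDP's published keys.

```python
"""Tenant-scoped routing at an API gateway (hypothetical illustration).
Assumptions: HS256 JWTs with a 'tenant' claim, APIs under /tenants/<tenant>/."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"          # assumed issuer value
GATEWAY_SECRET = b"demo-shared-secret"   # constructed for the example only


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims):
    """Stand-in for the IdP: sign the claims as an HS256 JWT."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def verify_token(token, now=None):
    """Return the claims if signature, algorithm, issuer and expiry all
    check out, otherwise None.  The algorithm is pinned: the header's
    'alg' value is never used to choose how the signature is verified."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64u(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(sig)):
            return None
        claims = json.loads(_unb64u(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if claims.get("iss") != ISSUER or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def route(path, token, now=None):
    """Gateway decision for one request: (http_status, upstream_or_None).
    The tenant named in the path must equal the tenant the IdP put in the
    token, so a valid token for one tenant cannot reach another's data."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, None
    parts = path.split("/")
    if len(parts) < 3 or parts[1] != "tenants" or not parts[2]:
        return 404, None
    if parts[2] != claims.get("tenant"):
        return 403, None  # cross-tenant attempt: deny and log for SecOps
    return 200, f"http://tenant-{claims['tenant']}.internal{path}"
```

The important property is that the tenant comes from the verified token, never from anything the client controls such as a header or query parameter; a mismatch is a 403 worth alerting on, and a token that fails verification is rejected before any routing decision is made.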
Data confidentiality
Flexera treats all customer data with the utmost confidentiality, regardless of classification. Access to confidential information is restricted to employees who need it as part of their job, and then only when it is required to provide a specific service to the customer. In such circumstances the employee is granted a least-privilege account for the task at hand. Flexera has built a secure workflow to make sure that collected information cannot be manipulated or spoofed by malicious actors. Snow Extender is part of this workflow and acts as the gateway for securely transferring inventory data from customer environments to Snow Atlas. Users can configure, create, and securely download Snow Extender from Snow Atlas.
Snow Extender authenticates to Snow Atlas at every sign-in, which confirms both that the data is allowed to be transferred and that it is delivered to the correct customer tenant. The Flexera Identity Provider (IDP) authenticates the connection from Snow Extender. All data is encrypted in transit and at rest to protect its confidentiality, and TLS additionally protects the integrity of data in transit.
All tenant data resides in the data region selected for the tenant, so sensitive data does not leave that region and local data-protection and cryptography requirements can be met. This applies both to live data and to data held in backup storage.
Data in transit encryption
All data in transit is encrypted using TLS 1.2 or newer with AES-256 cipher suites (256-bit symmetric keys). The cipher suite actually used on a connection is negotiated between both endpoints, so a client that wants this guarantee should also refuse older protocol versions and weaker suites on its side.
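An added example (not Flexera code) of enforcing and verifying that baseline from the client side with Python's standard ssl module: the context refuses anything below TLS 1.2 and offers only AES-256-GCM suites for TLS 1.2, and the negotiated parameters are checked after the handshake. The policy constants reflect the page's stated baseline; the host name in the usage block is whatever endpoint you want to test.

```python
"""Client-side enforcement of 'TLS 1.2 or newer, AES with 256-bit keys'.
Added illustration, not Flexera code."""
import socket
import ssl

MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2   # baseline stated on the page
REQUIRED_KEY_BITS = 256                    # baseline stated on the page
# TLS 1.2 suites limited to AES-256-GCM with forward secrecy.  TLS 1.3
# suites are not selected through set_ciphers(), so they are checked
# after the handshake by cipher_meets_policy() instead.
TLS12_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def make_client_context():
    """Context that verifies the server certificate and hostname, refuses
    anything below TLS 1.2 and offers only AES-256-GCM for TLS 1.2."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED + check_hostname
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def cipher_meets_policy(cipher):
    """Validate the (name, protocol, key_bits) tuple that
    ssl.SSLSocket.cipher() returns: TLS 1.2 or 1.3, AES, 256-bit key.
    ChaCha20 also has a 256-bit key but is not AES, so it fails."""
    name, protocol, bits = cipher
    return (
        protocol in ("TLSv1.2", "TLSv1.3")
        and bits == REQUIRED_KEY_BITS
        and "AES256" in name.replace("_", "")   # covers both name styles
    )


def check_endpoint(host, port=443, timeout=5.0):
    """Connect to host:port and report what was negotiated as
    (protocol, cipher_name, meets_policy).  Needs network access."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher = tls.cipher()
            return tls.version(), cipher[0], cipher_meets_policy(cipher)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: tls_policy_check.py <hostname>")
    print(check_endpoint(sys.argv[1]))
```

If the server offers nothing the restricted context accepts, the handshake itself fails with ssl.SSLError; that failure is the finding, because it means the endpoint does not meet the stated baseline for this client.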
Data at rest encryption
Data at rest is stored in managed Microsoft Azure Storage, and all of it is encrypted with AES using 256-bit keys.
Shared responsibility model
Snow Atlas has a multi-tiered architecture: the core platform, operated by Flexera in Azure, accepts data from services that run in customer environments. Securing the end-to-end solution is therefore a shared responsibility, with Flexera securing the platform and customers securing the components and data flows on their side.
Identity protection
Identity and Access Management (IAM) is provided by the Flexera Identity Provider (IDP). The Flexera IDP implements modern, secure frameworks and protocols such as OAuth 2.0 and OpenID Connect (OIDC). Multiple flows are supported depending on client implementation and capabilities, including but not limited to the authorization code flow, Proof Key for Code Exchange (PKCE), the hybrid flow, the implicit flow, and the client credentials grant. Note that the implicit grant is discouraged by the OAuth 2.0 Security Best Current Practice because it exposes tokens in the redirect URL; new clients should use the authorization code flow with PKCE.
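As an added example of the PKCE mechanism named above (not the Flexera IDP's implementation), the following shows what a client generates for the authorization request and what an authorization server verifies at the token endpoint, following RFC 7636. The client identifier and redirect URI are hypothetical; the verification step accepts only the S256 method, since the "plain" method gives no protection against an attacker who observed the authorization request.

```python
"""PKCE (RFC 7636) round trip for the authorization code flow.
Added example; not the Flexera IDP's code."""
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """Client: 32 random bytes give a 43-character verifier."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier):
    """Client: S256 challenge = base64url(SHA-256(ASCII(verifier)))."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier does not satisfy RFC 7636 section 4.1")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id, redirect_uri, verifier, scope="openid"):
    """Client: query parameters for the authorization request.  The verifier
    never leaves the client; only its challenge is sent."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": _b64url(secrets.token_bytes(16)),  # CSRF protection
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def verify_pkce(stored_challenge, stored_method, presented_verifier):
    """Authorization server, at the token endpoint: recompute the challenge
    from the verifier presented with the authorization code and compare it
    in constant time against the challenge stored with that code."""
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)


def round_trip():
    """Whole exchange with hypothetical identifiers; True on success."""
    verifier = new_code_verifier()
    req = authorization_params("snow-portal-demo", "https://app.example/cb", verifier)
    # The server stores req["code_challenge"] and the method alongside the
    # authorization code it issues, then checks the verifier at token time.
    return verify_pkce(req["code_challenge"], req["code_challenge_method"], verifier)
```

Binding the code to a secret the client never transmitted is what stops an intercepted authorization code from being redeemed by someone else, which is why PKCE is now recommended for every client type and not only for native and mobile apps.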
SSO integration is currently supported through Azure Active Directory (now Microsoft Entra ID).
The Flexera IDP is protected by policy-based rate limiting and metrics-based threat analysis, provides audit logging (including end-user-facing account logs), and uses modern encryption and hashing standards. It is at the core of tenant security management and is designed as a modern, cloud-native identity and authorization broker.
Identity management and Snow Atlas tenant operations are performed through a new component named Snow Portal. It is natively integrated with the Flexera IDP and allows granular control over user rights and permissions by setting the scopes that grant access to the various areas of the Snow Atlas platform, products, and services.
Multi-region
Azure provides data centers in a variety of locations across the globe, and Snow Atlas uses a mix of global and regional Azure services. A tenant is pinned to a specific region, chosen by the customer, and its data is kept in that region. A small amount of data is kept in global storage for global routing purposes.
Flexera supports deployment to the following Azure regions: EMEA | Amsterdam, UK | London, APAC | Victoria, and Americas | Virginia.
User access reviews and policy
On a quarterly basis, Flexera management reviews Flexera employees’ user access to in-scope systems for continued appropriateness and removes any access that is no longer required. Upon termination of employment, all account access and rights are revoked.
Change management
Flexera follows GitOps practices: production changes are made through version-controlled, reviewed commits, which enforces strict change control and gives a transparent, auditable record of every production release and change.
SDLC
The development of Snow products is managed by a secure development life cycle (SDLC) that builds security practices and controls into every stage, from design through release to operation of the system. These activities include, but are not limited to, security code review, threat modeling, automated scanning, workshops, and education sessions for engineers.
Leading automated tools for verifying the security of the products are used in Snow Atlas software development and in the Flexera Continuous Integration pipeline. Flexera uses static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA), with integrated alerting when new vulnerabilities are discovered in third-party components already in use.
Penetration tests
The Snow Atlas platform infrastructure, Snow License Manager, Snow Inventory Agents, and other Snow products that comprise the customer platform, are regularly tested by internal and external security researchers.
External security assessments and penetration tests are conducted by an independent CREST-approved supplier. Security researchers that participate in the assessment are selected based on their skills, experience, and fit to the domain specifics.
Bug bounty program
Flexera has implemented a managed bug bounty program for the critical components of products deployed to millions of devices. The program is run by an independent provider, whose community of skilled security researchers continuously looks for vulnerabilities in Snow products. This complements regular penetration testing and helps ensure that products stay secure across new versions and releases.
Regulatory compliance and certifications
Flexera complies with the GDPR and has implemented controls to maintain that compliance. Its internal incident-reporting policy is aligned with GDPR requirements.
Flexera uses ISO 27001 as its standard for information security management and has implemented an ISO-aligned Information Security Management System (ISMS) that defines information security activities across the organization and is authorized by the Flexera executive leadership team.
Additional resources
For more information on Flexera's security standards, see the Flexera website.