Security
- The details on security measures at Okbio
What you are going to learn:
At Obkio, security and privacy are very important to us, and we incorporate security mechanisms at every step of our development and operation processes in order to ensure that our solution is protected against the various types of attacks and vulnerabilities. This article will go through a list of topics related to security and privacy to help IT security teams assess Obkio's solutions.
The Obkio Monitoring Agent is installed either as a software or hardware appliance (learn more on Agent Types). A monitoring agent is like an end-user in your network that is continuously measuring application and network performance. The monitoring agents must be able to communicate with:
- Monitoring agents if Network Performance Monitoring is enabled
- Network devices if Network Device Monitoring is enabled
- Applications (HTTP & Web) if Application Performance Monitoring is enabled
- Obkio Cloud API Infrastructure
A detailed list of ports and urls to open is available at Firewall Configurations. As explained in the article, a list of IP to whitelist is not available.
It is possible to configure an ACL on the switch port on which the agent is connected in order to restrict the traffic flows of the monitoring agents.
The agent’s software is updated automatically whenever a new update is available, ensuring that the latest security patches are always applied. No action is required by the users.
MFA/2FA is available to all users on all Subscription Plans. When enabled, the MFA code is always required to login to the App.
IP restriction can be used to allow only a subset of public IP addresses to interact with Obkio App and API. The list of allowed IPs can be set by the user by going to the Organization settings  (Menu -> Company Name), clicking on Change Organization's Advanced Parameters, inserting the list of public IP addresses, separated by a coma ,, under Allowed IPs and clicking on Save.
To measure network and application performances, there are two types of solutions on the market. Some companies perfer to capture real traffic to analyze it. At Obkio, for the sake of simplicity, security and privacy, we decided to work with synthetic traffic. This means that the Obkio Monitoring Agents send their own traffic to measure the performance. Obkio's solutions don't capture any real user traffic.
Our data is securely encrypted both at rest (when stored on disk) and in transit (during communications).
The Obkio production infrastructure is hosted at Amazon Web Services (AWS) in the Northern Virginia (us-east-1) region across multiple availability zones. Each service runs in its own containerized environment with restricted access to only the required resources and information. The deployment of new releases and software patches are done through our secure continuous integration process.
For the hardware and virtual appliances, we use the BalenaOS operating system in order to simplify our application deployments and to ensure that the OS is always secure and up-to-date. In order to perform device maintenance, we set up an OpenVPN tunnel to the device on BalenaCloud, which gives a few select people from Obkio SSH access to the device. This SSH access is used for troubleshooting and maintenance only. If OpenVPN is blocked by the firewall, the Obkio solution will work correctly but no OS updates will be available and the Support Team will not be able to troubleshoot the hardware and virtual appliances.