Support Center

JumpCloud Security Practices

JumpCloud takes security very seriously. We understand we're asking you to trust us, and we want to make sure you're comfortable with our internal security practices, so that you know the data you store with us is well-protected and managed.


Agent Communication


JumpCloud manages a private PKI infrastructure to manage digital certificates for two-way TLS authentication and encryption between our servers and each agent. Each agent has its own unique private key generated at install time, which is signed by JumpCloud’s private CA, and we associate that key with our servers by storing its public key in our database.
The JumpCloud agent does not listen on any port for traffic initiated external to the localhost, thus provides no attack surface for a remote attacker. All communications between the JumpCloud agent and the JumpCloud SaaS infrastructure are created outbound from the agent.


Infrastructure Security


Access Controls


All servers in JumpCloud’s infrastructure are accessible only via VPN and do not allow any direct SSH connections to them. All ingress ports, whether on internal or external interfaces, are protected by a firewall, which is configured automatically by JumpCloud’s automated system configuration infrastructure. 
JumpCloud’s private PKI is also leveraged to create and manage all our VPN keys, so all VPN and agent access can be easily revoked at any time. VPN server access is limited to key employees with a verified and documented business need, and requires both a private key and a password to be accessed.
JumpCloud’s production infrastructure is distributed across multiple public clouds. All users are access-controlled using multi-factor authentication. The production accounts use strict IAM roles and only key employees with a verified business need receive administrative access.


Data Protection


All database disk volumes utilize data-at-rest encryption, to prevent data access by unauthorized parties.


Monitoring


JumpCloud utilizes its own product to assist in monitoring its environment, providing strong controls over user access to each server (beyond the required VPN access), as well as monitoring all user logins, and privileged commands, and alerting on any anomalies. JumpCloud (the product) is also used to ensure that all our servers remain fully patched. 
Further, all log files are written to central log hosts which are monitored using OSSEC, to catch any anomalous issues. This helps prevent log tampering during compromise of any edge host, as well as ensures that logged security issues do not go unnoticed.
Finally, JumpCloud uses OSSEC to alert on changes to critical configuration files and installed software.


Assessments


JumpCloud leverages a third party assessor to perform monthly vulnerability scans against its environment, and integrates those results into its development workflow based on priority.
Code audits and penetration testing by a qualified third-party assessor are executed three times per year.


Employment


All employees undergo mandatory security awareness training as well as 7-year criminal and employment background checks prior to employment.


Recovery


JumpCloud leverages DevOps best practices to ensure that our entire environment can be rebuilt from the ground up in less than an hour. Particular parts of the environment vary in recovery time from a matter of seconds up to a few minutes, depending upon their size and number of dependencies.
 
 

Last Updated: May 12, 2017 04:16PM MDT

Related Articles
31b11a79e2c94470a66430cfe6d3eecd@jumpcloud.desk-mail.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete