netRMM platform security
We built netRMM to be secure from the ground up. Our code architecture enforces security by design. Our team takes a practical view of platform security, looking not only at the security practices we need today but also at building the platform for the future. netRMM is committed to providing you with a safe, secure, and private platform for remote device management.
If you wish to participate in or want to report any vulnerability, please write to us at saras@netrmm.com
Let’s take a look at some of the netRMM security practices:
Two-Factor Authentication
Two-factor authentication (2FA) is an additional security layer that will require an additional step to access your account or perform certain operations. You can opt-in to receive Push notifications on your mobile apps to approve authentication requests or use a TOTP app (Time-based One-Time Passcode) like Google Authenticator, Authy, or 1Password. When setting up 2FA, the system will also generate backup codes that can be used when all the other authentication methods are not available. Each backup code can only be used once.
netRMM users who are part of the Administrators team can also secure the netRMM instance by enforcing two-factor authentication for all user accounts.
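The two mechanisms described above, TOTP codes and single-use backup codes, as an added example in Go. This is not netRMM's code (the page does not show its implementation); it assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), a one-step clock-skew window, and backup codes that are stored only as SHA-256 digests and deleted on first redemption. The secret in `main` is the RFC 6238 test secret, not a real key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// totpCode implements RFC 6238: HMAC-SHA1 over the big-endian time-step counter,
// then RFC 4226 dynamic truncation to a zero-padded decimal code.
func totpCode(secret []byte, unixTime int64, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, truncated%mod)
}

// verifyTOTP accepts the current 30-second step plus one step of clock skew on either
// side, comparing in constant time so timing does not reveal how many digits matched.
func verifyTOTP(secret []byte, code string, now int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := totpCode(secret, now+skew*30, 30, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// backupCodes keeps only SHA-256 digests of the issued codes; a digest is deleted the
// moment its code is redeemed, which is what makes each code single-use.
type backupCodes struct {
	unused map[string]struct{}
}

func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// newBackupCodes issues n random 8-character base32 codes. The plaintext codes are
// returned once (to show the user); only their digests stay in the store.
func newBackupCodes(n int) (*backupCodes, []string, error) {
	store := &backupCodes{unused: make(map[string]struct{})}
	plain := make([]string, 0, n)
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	for i := 0; i < n; i++ {
		var raw [5]byte // 40 bits of entropy -> 8 base32 characters
		if _, err := rand.Read(raw[:]); err != nil {
			return nil, nil, err
		}
		code := strings.ToLower(enc.EncodeToString(raw[:]))
		plain = append(plain, code)
		store.unused[hashCode(code)] = struct{}{}
	}
	return store, plain, nil
}

// redeem returns true exactly once per issued code.
func (b *backupCodes) redeem(code string) bool {
	key := hashCode(strings.ToLower(strings.TrimSpace(code)))
	if _, ok := b.unused[key]; !ok {
		return false
	}
	delete(b.unused, key)
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	now := time.Now().Unix()
	code := totpCode(secret, now, 30, 6)
	fmt.Println("current code:", code, "valid:", verifyTOTP(secret, code, now))
	store, codes, err := newBackupCodes(3)
	if err != nil {
		panic(err)
	}
	fmt.Println("backup codes:", codes)
	fmt.Println("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
}
```

A real server would additionally remember the last accepted time step per user so that one TOTP code cannot be replayed inside the skew window; that bookkeeping is left out here to keep the core verification visible.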
Auditing
All netRMM commands are logged locally in the Windows Application Event Log and in the netRMM Server database for auditing purposes. The account owner is notified via email every time a new mobile device or web browser instance is registered on the account.
Security Testing
Both the netRMM infrastructure and the netRMM software are subject to penetration tests on a regular basis. The tests are performed by our internal SaaS OPS team and also by independent companies specialising in security testing.
Datacenter & Network Security
Infrastructure is critical to keeping your account secure. We host our servers in the US with industry-leading cloud providers, giving high redundancy, high availability, and lower latency. The datacenter complies with US federal regulations and industry standards: ISO certification, LEED certification, SOC 2, and Uptime Institute.
Code Signing
All the netRMM agents and applications are signed using a Code Signing certificate to guarantee that the binaries have not been altered or compromised by any third party.
Data Transfer and Message Encryption
netRMM uses end-to-end encryption, which ensures that your private infrastructure information stays private and unauthorised access is prevented. All connections to netRMM services use fully encrypted communication based on an RSA public/private key exchange and AES (256-bit) session encryption, the industry-standard encryption algorithm used worldwide.
All communication messages are encrypted with AES (256-bit) symmetric keys, which are exchanged via an RSA public/private key exchange mechanism, so that in the unlikely event of a transport encryption failure, privacy is not compromised. Keys are automatically rotated at a controlled interval to prevent brute-force attacks, adding an extra layer of security against man-in-the-middle attacks.
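The hybrid scheme described above (an RSA key exchange that wraps AES-256 session keys, with periodic key rotation and a message layer that stays confidential even if the transport layer fails) as an added example in Go. It is not netRMM's protocol, which the page does not specify; the concrete choices of RSA-OAEP with SHA-256 for wrapping, AES-256-GCM for the messages, a constructed rotation policy of three messages, and a receiver public key assumed to be pinned or otherwise distributed out of band are all this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// rotateAfter is a constructed policy: wrap a fresh AES-256 session key after this many messages.
const rotateAfter = 3

var keyLabel = []byte("session-key-v1") // OAEP label binds the wrapped blob to this purpose

// envelope is one message as it would travel over the (already TLS-protected) transport.
type envelope struct {
	wrappedKey []byte // RSA-OAEP(sessionKey); nil when the receiver already holds the current key
	nonce      []byte // fresh 96-bit GCM nonce per message
	ciphertext []byte // AES-256-GCM ciphertext with the 16-byte authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

type sender struct {
	peerPub    *rsa.PublicKey // assumed pinned/out of band: an unauthenticated key would not stop MITM
	sessionKey []byte
	sent       int
}

type receiver struct {
	priv       *rsa.PrivateKey
	sessionKey []byte
}

// seal rotates the session key when due, wraps it for the receiver, then encrypts one message.
func (s *sender) seal(plaintext, aad []byte) (*envelope, error) {
	env := &envelope{}
	if s.sessionKey == nil || s.sent >= rotateAfter {
		s.sessionKey = make([]byte, 32)
		if _, err := rand.Read(s.sessionKey); err != nil {
			return nil, err
		}
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, s.peerPub, s.sessionKey, keyLabel)
		if err != nil {
			return nil, err
		}
		env.wrappedKey, s.sent = wrapped, 0
	}
	gcm, err := newGCM(s.sessionKey)
	if err != nil {
		return nil, err
	}
	env.nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(env.nonce); err != nil {
		return nil, err
	}
	env.ciphertext = gcm.Seal(nil, env.nonce, plaintext, aad)
	s.sent++
	return env, nil
}

// open unwraps a new session key if one is carried, then authenticates and decrypts the message.
func (r *receiver) open(env *envelope, aad []byte) ([]byte, error) {
	if env.wrappedKey != nil {
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, env.wrappedKey, keyLabel)
		if err != nil || len(key) != 32 {
			return nil, errors.New("invalid wrapped session key")
		}
		r.sessionKey = key
	}
	if r.sessionKey == nil {
		return nil, errors.New("no session key established")
	}
	gcm, err := newGCM(r.sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.nonce, env.ciphertext, aad) // fails on any tampering
}

// exchange runs a constructed n-message session and reports how many envelopes carried a
// freshly wrapped key and whether a bit-flipped envelope was rejected.
func exchange(n int) (rotations int, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, false, err
	}
	s, r := &sender{peerPub: &priv.PublicKey}, &receiver{priv: priv}
	aad := []byte("agent-id:constructed-0001") // authenticated but not encrypted
	var last *envelope
	for i := 0; i < n; i++ {
		msg := []byte(fmt.Sprintf("command %d", i))
		env, err := s.seal(msg, aad)
		if err != nil {
			return 0, false, err
		}
		if env.wrappedKey != nil {
			rotations++
		}
		got, err := r.open(env, aad)
		if err != nil || !bytes.Equal(got, msg) {
			return 0, false, errors.New("round trip failed")
		}
		last = env
	}
	if last != nil {
		last.ciphertext[0] ^= 0x01 // simulate an on-path modification
		_, err := r.open(last, aad)
		tamperRejected = err != nil
	}
	return rotations, tamperRejected, nil
}

func main() {
	rotations, tamperRejected, err := exchange(7)
	if err != nil {
		panic(err)
	}
	fmt.Println("key rotations:", rotations, "tamper rejected:", tamperRejected)
}
```

Using an AEAD mode (GCM) for the message layer is what makes a modified ciphertext fail to decrypt rather than silently yield garbage; the associated data lets the receiver bind each message to an unencrypted header such as the agent identity.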
Access Control
Because you connect peer-to-peer to the device you’re managing, data never passes through our servers. This greatly reduces access points and attack vectors. You can grant custom permissions for individual users. Restrict the changes users can make, easily add/remove permissions, and onboard new users to your team in seconds. Impose restrictions on which devices can access your data. IP allow lists and deny lists prevent connections from untrusted devices. Review changes to your account & devices at a glance, with an audit trail of who made edits and when. Our internal identity access and secrets management policies mean that access to production data is heavily guarded.
Development Practices
- All code, no matter how small, is reviewed and tested. Each release has to pass a complete quality assurance checklist.
- Internal policies enforce and encourage a culture of security. All our developers receive training on security best practices.
- Using an agile approach with small, frequent releases means changes are easier to review, test, and roll back, reducing overall risk.
- We use industry-standard version control (git) and cloud repositories (GitLab) to securely host our code and trigger deployments. When a deploy goes wrong, we can instantly roll back to a previous version of the code.
- Code gets merged into our application only after passing our entire test suite and receiving code review approval. Continuous testing, integration, and deployment means there is no guesswork or variability in the deploy process.
Incident Response
- We track and log system metrics and traffic flows at all times, using best-in-class application and infrastructure monitoring software to drive insights.
- When there is an anomaly, we want to know as soon as possible. Our engineers receive automated alerts upon detection, and alerts escalate to senior management above a threshold.
- We can roll back both the code and the database to prior versions instantly, as needed, keeping time to remediation minimal for our customers.
- Transparency is critical when it comes to security events. We will keep you up to date on system status, and you will have access to post-incident reports.
- Users are our most valuable source of feedback and error detection. If you notice something amiss, please do not hesitate to contact us.
- After every incident, we conduct a thorough review with our team of what happened, how, and what steps we can take in the future to prevent it.