At Everbridge, we take the responsibility of protecting our customers’ data seriously. Everbridge Suite (EBS) is designed from ground-up to ensure the security and protect the privacy of our customers’ data. This document highlights some of the design principles at the core of Everbridge Suite.
Everbridge Suite Security Architecture
- High Availability and Redundancy
- Robust Access Control and Network Segmentation
- Strong Encryption
- Strict Vulnerability Management
- Tight Incident Response
High Availability and Redundancy
Everbridge Suite is designed as an n-tier Software-as-a-Service (SaaS) platform, and redundancy is baked in at every tier – each web-tier, application-tier, and database-tier subsystem is made up of multiple clusters of servers. These clusters are further distributed across multiple availability zones. As such, if an individual server (or even an entire cluster of servers) sustains performance degradation, the impact on overall platform availability is greatly minimized.
In addition, we recognize that our Technical Support and Cloud Operations Engineering (CloudOps) functions are an extension of our service to you. To ensure you can always reach us in the time of need, the Technical Support team is available 24x7x365 to answer your emails and calls. Similarly, the CloudOps is staffed 24x7x365 across two US offices to ensure continuous monitoring of the platform.
To validate that our high availability architecture stands up in face of disasters, and our CloudOps and TS teams have robust coverage, Everbridge conducts annual disaster recovery tests. These tests are designed to test various disaster scenarios, and any lessons learned allow us to improve our service to you.
Robust Access Control and Network Segmentation
Everbridge implements a strict role-based access control policy and only staff with authorized role are allowed to administrate the systems within Everbridge Suite platform. Furthermore, the platform infrastructure is completely isolated from our corporate network, further limiting administrative access to the platform. All of our administrators are required to connect to the platform via a Transport Layer Security (TLS) v1.2-based Virtual Private Network (VPN), authenticate using strong passwords and token-based multi-factor authentication (MFA), and log into a bastion host before they can gain access to any of the systems within the platform.
Strong Encryption
Everbridge ensures that all customer data is always encrypted at rest within Everbridge Suite using filesystem-level AES 256-bit strong encryption. The encryption keys are stored in an industry-standard key management system, and only a small set of highly skilled administrators have access to these keys. Finally, these keys are rotated on a regular basis to ensure the sanctity and protection of customers’ data.
Additionally, all connections to the platform are encrypted using TLS v1.1 or higher over HTTPS, and for automated file uploads, SFTP protocol ensures the connection is encrypted.
Strict Vulnerability Management
Using industry-leading tools, Everbridge Suite platform is constantly scanned for potential vulnerabilities, and all scan results are reviewed on a weekly basis by our security staff. The vulnerabilities are assigned a severity score based on CVSS and categorized as follows:
|
Vulnerability Severity Rating |
CVSS Score |
|---|---|
|
Critical |
9.0 - 10.0 |
|
High |
7.0 - 8.9 |
|
Medium |
4.0 - 6.9 |
|
Low |
0.1 - 3.9 |
|
None |
0.0 |
Once categorized, the vulnerabilities are remediated by cross-functional Development and Operations staff within following timelines:
|
Vulnerability Severity Rating |
Externally Facing |
Internal Only |
|---|---|---|
|
Critical |
7 business days |
30 days |
|
High |
14 days |
30 days |
|
Medium |
90 days |
90 days |
|
Low |
180 days |
180 days |
We strive to mitigate all vulnerabilities within aforementioned timeframes without any action necessary on our customers’ part. However, occasionally it might be necessary for us to communicate remediation status of certain critical vulnerabilities with you. In such cases, our security staff will publish security bulletins in Everbridge Support Center. To access the security bulletins in the Everbridge Support Center, see Knowledge Base Article 000056222 - How to Access Everbridge Service Advisories and Security Bulletins in the Everbridge Support Center. For more information on the Everbridge Security Bulletins, see Knowledge Base Article 000029593 - Everbridge Suite Security Bulletins
Tight Incident Response
Everbridge Security Operations team heads a robust company-wide Incident Response (IR) program. As part of this, they maintain a detailed Incident Response Plan for Everbridge Suite, which covers the following IR phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident activities. The IR plan is tested annually using a variety of incident scenarios to ensure accuracy and applicability of the plan. The Security Operations team also ensures that all Everbridge staff with IR responsibilities are trained on an annual basis.
Additionally, if a security incident results in a confirmed breach of any customer data, Everbridge is committed to providing timely and accurate communications to all impacted customers.
Article Feedback
Please sign in to leave a comment.