We are open about our security controls, so if you'd like to know more, please let us know. 

Our focus can be split into three areas: the agents running on endpoints, the link between the agents and the Lupasafe engine, and the Lupasafe databases.


Principles

When designing and implementing our software we use the following principles:
1. Privacy by design
2. Security by design
3. Defense in depth
4. The software must adhere to principles such as least privilege and need to know
We hope to do this in such a way that we are able to remain user friendly and affordable.


Agents

Lupasafe agents run on the Windows and Linux platforms.

On Linux the agent runs as a system user, which is the usual way to run services. Humans can't use these (password-less) users unless they have the right sudo privileges. On Windows the agent runs under the system account, as many services do. The reason is that we enumerate installed Windows patches and updates (among other things, but those can be done with lower privileges). This can only be done by querying the Windows management system, and sadly Windows requires high privileges to do that.

We are aware that every (technical) control mitigates risk, but also carries (other) risk. The same goes for the Lupasafe Agent. Therefore we keep the agent logic as simple and dumb as possible. The logic and heavy processing are done on the central system. Furthermore, we are considering opening up the source of the agents. Access to the source is absolutely possible for (future) clients, so if you'd like to read through the source code, please let us know.


Data transfer

All data travelling from the endpoint to the Lupasafe matching engine is encrypted in two layers: the file itself is encrypted, and it is sent through an HTTPS tunnel.


Of course, our software is never done and there is always room for improvement (which is true of every software product). We like to think critically about what we are doing and where we need to go. If you notice anything that we can improve, we'd like to hear it. We will investigate and put it on our backlog.


Data storage

Data is stored at Microsoft Azure in Western Europe and, on request, can be hosted in a geographical location of choice. Data is subject to the highest security standards.