ARGOS Trust Centre
Our Trust Centre provides you with the most up to date information on the security, compliance and privacy of ARGOS.
Security is front of mind in everything we do at ARGOS, which is why we only work with the most trusted providers in the industry, those whose security practices are aligned with our own expectations.
Security is not an extra feature that you pay for, it is standard to every ARGOS customer and we are very transparent about how we do things.
Security
Passwords / Single Sign On / Multi-Factor Authentication
ARGOS does not handle or store your password. Sign-in relies only on temporary tokens exchanged with your Identity Provider (Single Sign On).
Because authentication happens at your Identity Provider, any Multi-Factor Authentication (MFA) you have enabled on your user identity (you have, right?) automatically applies to every log-in attempt to ARGOS as well.
Secrets
Communication with your Cloud
The way ARGOS communicates with your cloud depends on the Cloud Service Provider (CSP).
In general: ARGOS does not access customer data (PII) in your cloud. ARGOS only talks to the cloud management-plane (control-plane) APIs, never to the data plane: it does not attempt to read sensitive files in storage or data within databases.
Microsoft Azure
When you provide ARGOS with an Azure App Registration / Service Principal (SPN), ARGOS uses the SPN's credentials to obtain a temporary Bearer token from the Azure Active Directory platform and gains temporary access to your Azure Management Groups / Azure Subscriptions.
Each stored SPN credential is encrypted under a master key held in a secrets manager (Azure Key Vault) using a unique nonce per SPN, so no two stored credentials ever share the same key+nonce pair.
Alternatively, for one-off scans, ARGOS will use the consultant’s Read-Only credentials to access Azure once. No SPN is required. User name and password are not persisted in our database.
Amazon Web Services (AWS)
For AWS, ARGOS assumes an IAM Role (that you create) in your AWS Accounts using the AWS External ID pattern. The External ID is a shared value that the role's trust policy requires on every AssumeRole call, which protects you against the confused-deputy problem: someone who merely learns your role ARN cannot make ARGOS assume the role on their behalf. This means ARGOS does not store any secrets relating to your AWS Accounts in its database. ARGOS only temporarily assumes the IAM Role, retrieves a temporary STS token and scans your AWS Accounts with it.
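What a practitioner usually wants to verify on their side is that the role's trust policy actually carries the sts:ExternalId condition for the cross-account principal. The Go program below is an added example written for this page, not ARGOS's code: it parses a role trust policy document and reports any cross-account AssumeRole statement that lacks the condition. The two policies, the account IDs and the external ID value are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample trust policies (placeholders, not ARGOS's real policy).
// weakTrustPolicy lets account 111111111111 assume the role with no
// External ID; hardenedTrustPolicy adds the sts:ExternalId condition.
const weakTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"
  }]
}`

const hardenedTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/scanner"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "3f9c1e2a-example-external-id"}}
  }]
}`

// trustPolicy models only the fields the check needs. Principal and Action
// are kept raw because IAM allows either a string or an array there.
type trustPolicy struct {
	Statement []struct {
		Effect    string                                `json:"Effect"`
		Principal json.RawMessage                       `json:"Principal"`
		Action    json.RawMessage                       `json:"Action"`
		Condition map[string]map[string]json.RawMessage `json:"Condition"`
	} `json:"Statement"`
}

// stringsOf accepts the IAM "string or array of strings" shape.
func stringsOf(raw json.RawMessage) []string {
	if len(raw) == 0 {
		return nil
	}
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// awsPrincipals returns the AWS principals of a statement: a bare "*" or
// the entries under {"AWS": ...}.
func awsPrincipals(raw json.RawMessage) []string {
	if s := stringsOf(raw); s != nil {
		return s
	}
	var obj struct {
		AWS json.RawMessage `json:"AWS"`
	}
	if json.Unmarshal(raw, &obj) != nil {
		return nil
	}
	return stringsOf(obj.AWS)
}

// accountOf extracts the account ID from an ARN; "*" and bare IDs pass through.
func accountOf(principal string) string {
	parts := strings.Split(principal, ":")
	if len(parts) >= 5 {
		return parts[4]
	}
	return principal
}

// externalIDFindings lists every Allow statement in which a principal from
// outside ownAccount may call sts:AssumeRole without an sts:ExternalId
// condition. Same-account principals are not flagged.
func externalIDFindings(policyJSON, ownAccount string) ([]string, error) {
	var p trustPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		assumes := false
		for _, a := range stringsOf(st.Action) {
			if strings.EqualFold(a, "sts:AssumeRole") || a == "sts:*" || a == "*" {
				assumes = true
			}
		}
		if !assumes {
			continue
		}
		extID := ""
		if eq, ok := st.Condition["StringEquals"]; ok {
			if v := stringsOf(eq["sts:ExternalId"]); len(v) > 0 {
				extID = v[0]
			}
		}
		for _, pr := range awsPrincipals(st.Principal) {
			if accountOf(pr) == ownAccount {
				continue
			}
			if extID == "" {
				findings = append(findings, fmt.Sprintf(
					"statement %d: principal %s may assume this role without an sts:ExternalId condition (confused-deputy risk)", i, pr))
			}
		}
	}
	return findings, nil
}

func main() {
	for name, pol := range map[string]string{"weak": weakTrustPolicy, "hardened": hardenedTrustPolicy} {
		f, err := externalIDFindings(pol, "222222222222")
		fmt.Printf("%s policy: findings=%v err=%v\n", name, f, err)
	}
}
```

Run it with go run; the weak policy yields one finding and the hardened policy none. The check deliberately only looks at StringEquals on sts:ExternalId, which is the form AWS documents for the pattern; it does not attempt to evaluate arbitrary condition operators.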
Google Cloud Platform (GCP)
When you provide ARGOS with a GCP Service Account, ARGOS uses the Service Account's credentials to obtain a temporary Bearer token from the Google IAM platform and gains temporary access to your GCP Projects.
Each stored Service Account credential is encrypted under a master key held in a secrets manager (Azure Key Vault) using a unique nonce per Service Account, so no two stored credentials ever share the same key+nonce pair.
Encryption
All customer data is encrypted at rest using AES-256 encryption algorithms managed by Microsoft Azure.
In addition, any credentials provided to ARGOS that are required for ARGOS's functionality are additionally encrypted using AES-256-GCM under a Microsoft-managed, rotated HSM key. Customer credentials are never, at any time, stored in clear text in the ARGOS database.
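The per-credential scheme described for Azure SPNs and GCP Service Accounts above, and in this section, amounts to: one master key held in the secrets manager, a fresh nonce for every stored record, AES-256-GCM. The Go program below is an added illustration written for this page, not ARGOS's implementation. The master key is a constructed constant standing in for a Key Vault-backed key, and the record ID bound in as associated data is an assumed naming scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// masterKey stands in for the 256-bit master key that a real service would
// fetch from an HSM-backed secrets manager at runtime. It is a constructed
// value for this example; never hard-code one.
var masterKey = sha256.Sum256([]byte("constructed example master key - do not use"))

// sealCredential encrypts one stored credential (an SPN client secret, a GCP
// service-account key, ...) with AES-256-GCM. A fresh 96-bit nonce is drawn
// for every record, so two records never share a key+nonce pair: GCM is only
// secure while nonces are unique under a given key. The record identifier
// (assumed here to be a tenant/credential ID) is bound in as additional
// authenticated data, so a ciphertext copied into another tenant's row will
// not decrypt. Stored layout: nonce || ciphertext || 16-byte GCM tag.
func sealCredential(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openCredential reverses sealCredential. Any change to the nonce, the
// ciphertext, the tag or the record ID makes gcm.Open fail authentication.
func openCredential(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

func main() {
	key := masterKey[:]
	sealed, err := sealCredential(key, "tenant-a/spn-01", []byte("spn-client-secret"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(sealed), len(sealed)-28)
	pt, err := openCredential(key, "tenant-a/spn-01", sealed)
	fmt.Printf("decrypted for the right record: %q err=%v\n", pt, err)
	_, err = openCredential(key, "tenant-b/spn-01", sealed)
	fmt.Printf("decrypted for another tenant's record: err=%v\n", err)
}
```

The property to check when reviewing such a design is nonce handling, not key size: with AES-GCM a repeated key+nonce pair leaks the XOR of the two plaintexts and breaks the authentication tag, so the nonce must come from a CSPRNG (or a counter that can never rewind) and be stored alongside each ciphertext, as above.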
All user-to-ARGOS browser interaction uses industry standard HTTPS as the communication protocol.
All ARGOS-to-customer cloud environment communication goes over the Cloud Service Providers' own TLS-protected (HTTPS) management APIs.
Access Control
Access Control is always a difficult topic to get right. At ARGOS we do a multitude of things to ensure that a person can only ever access the data they are privileged to access.
ARGOS supports a simple Role-Based Access Control (RBAC) model for all team members of an ARGOS customer. Every ARGOS API checks the access permissions of every request it receives, verifying the caller's internal user ID against the internally stored role and customer assignments.
Data
Customers are able to select one of the following regions to store their data in:
- Australia
- European Union
Compliance
ARGOS is largely hosted on Microsoft Azure, one of the largest and most trusted public cloud platforms.
In order to support customers on AWS a part of ARGOS is deployed on the AWS cloud.
ARGOS is assessed for security and compliance by Microsoft Azure and achieves a 100% Security Score and perfect security stance across major compliance frameworks like PCI-DSS, ISO27001, Azure CIS and SOC TSP.*
Download the Microsoft Azure Security Center compliance reports for ARGOS from here:
Azure CIS 1.1.0 Compliance Report
*These do not replace official compliance certifications by these organisations and are not to be understood as official certifications.
Cloud Security Alliance
Read ARGOS’s CSA CAIQ assessment report here: https://cloudsecurityalliance.org/star/registry/argos-cloud-security-pty-ltd/