ARGOS Trust Centre
Our Trust Centre provides you with the most up to date information on the security, compliance and privacy of ARGOS.
Security is front of mind of everything we do at ARGOS which is why we only work with the most trusted providers in the industry that are absolutely aligned to our own security expectations.
Security is not an extra feature that you pay for, it is standard to every ARGOS customer and we are very transparent about how we do things.
Passwords / Single Sign On / Multi-Factor Authentication
All we rely on are temporary tokens exchanged with your Identity Provider.
Also, if you have Multi-Factor Authentication (MFA) enabled on your user identity (you have, right?) then this automatically also applies to log in attempts to ARGOS.
Communication with your Cloud
The way ARGOS communicates with your cloud depends on the Cloud Service Provider (CSP).
In general: ARGOS does not access customer data (PII) in your cloud. We only communicate with cloud APIs at the management plane layer. ARGOS does not attempt to access data like sensitive files in storage, or data within databases.
When you provide ARGOS with an Azure App Registration / Service Principal (SPN) we use this SPN to exchange it for a temporary Bearer token from the Azure Active Directory platform and gain temporary access to your Azure Management Groups / Azure Subscriptions.
Each SPN is encrypted with its own nonce with a master key that is stored in a secrets manager (Azure Key Vault). What this means is the tokens for each SPN is encrypted with its own key+nonce pair.
Alternatively, for one-off scans, ARGOS will use the consultant’s Read-Only credentials to access Azure once. No SPN is required. User name and password are not persisted in our database.
Amazon Web Services (AWS)
For AWS we assume an IAM Role (that you create) in your AWS Accounts using the AWS External ID pattern. This means we do not store any secrets relating to your AWS Accounts in our database. We only temporarily assume the IAM Role, retrieve a temporary STS Token and scan your AWS Accounts.
Google Cloud Platform (GCP)
When you provide ARGOS with a GCP Service Account we use this Service Account to exchange it for a temporary Bearer token from the Google IAM platform and gain temporary access to your GCP Projects.
Each Service Account is encrypted with its own nonce with a master key that is stored in a secrets manager (Azure Key Vault). What this means is the tokens for each SPN is encrypted with its own key+nonce pair.
All customer data is encrypted at rest using AES-256 encryption algorithms managed by Microsoft Azure.
In addition to this any credentials provided to ARGOS that are required for ARGOS’s functionality are additionally encrypted using AES-256 GCM with a Microsoft-managed and rotated HSM key. Customer credentials are never, at any time stored in clear text in the ARGOS database.
All user-to-ARGOS browser interaction uses industry standard HTTPS as the communication protocol.
All ARGOS-to-customer cloud environment communication uses secured API communication protocols.
Access Control is always a difficult topic to get right. At ARGOS we do a multitude of things to ensure that a person can only ever access the data they are privileged to access.
ARGOS supports a simple Role-based-access (RBAC) model for all team members of an ARGOS customer. All ARGOS APIs check the access permissions of every request that is being made and checks internal user IDs against internally stored information.
Customers are able to select one of the following regions to store their data in:
- European Union
ARGOS is largely hosted on Microsoft Azure, one of the largest and most trusted public cloud platforms.
In order to support customers on AWS a part of ARGOS is deployed on the AWS cloud.
ARGOS is assessed for security and compliance by Microsoft Azure and achieves a 100% Security Score and perfect security stance across major compliance frameworks like PCI-DSS, ISO27001, Azure CIS and SOC TSP.*
Download the Microsoft Azure Security Center compliance reports for ARGOS from here:
*These do not replace official compliance certifications by these organisations and are not to be understood as official certifications.
Cloud Security Alliance
Read ARGOS’s CSA CAIQ assessment report here: https://cloudsecurityalliance.org/star/registry/argos-cloud-security-pty-ltd/