Security Is in Our DNA
Beyond password-based authentication, Kolide offers OAuth sign-in through Slack and Google. Additionally, Kolide is compatible with SAML-based SSO providers like Okta, OneLogin and others.
For password-based authentication, Kolide hashes all passwords with BCrypt. Additionally, at sign-in, Kolide checks all passwords against Troy Hunt's Pwned Passwords API (v2) using the K-Anonymity model.
Shortly after signing in, Kolide requires users to re-authenticate when they perform sensitive actions like adding or removing users, or creating API keys. We call this feature "sudo mode".
Kolide's API key authentication is resistant to timing attacks and has a bespoke and documented format which can be identified with security tools like semgrep
All web, API, and endpoint agent traffic sent to or from Kolide's application uses HTTPS with TLS 256 bit encryption. Kolide uses HSTS preloading and leverages Let's Encrypt to automatically renew TLS certificates.
Customer data transmitted to Kolide's service that is earmarked for long-term storage is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume.
Kolide runs a generous bug bounty program (facilitated through HackerOne) to incentivize independent security researchers to responsibly disclose vulnerabilities. This program covers: Kolide's web application, the API, and the Kolide agent.
To request an invitation to the program, please reach out to firstname.lastname@example.org
Kolide offers a "limited-user" role which allows administrators to grant access to only a subset of Kolide's features. Kolide also offers customers the ability to generate API Keys with a custom set of "write" permissions.
Kolide maintains a customer accessible audit log of meaningful user interactions which can be accessed in the UI or programmatically via a REST API. Additionally, Kolide offers each end-user a personalized Privacy Center which features an audit log that displays impactful events, such as ownership assignment, and live queries issued against their devices.
Kolide develops its product with a continuous application deployment model. In this model, all code must be reviewed by qualified Kolide engineers before it is merged into the main-line branch and deployed to production. Additionally, Kolide uses automated tools that continuously analyze the code-base for vulnerable dependencies, unsafe coding practices, and inadvertent inclusions of sensitive data.
Kolide collects, sanitizes, and aggregates logs for all web, API, and agent communication. These logs are structured, auditable, searchable, and are retained for at least 30 days.
Additionally, Kolide sends alerts to on-call engineers for notable events. These include run-time exceptions and other signals that may indicate abusive behavior or potential application performance and availability problems.
All credit card payments made to Kolide go through our partner, Stripe. Kolide itself never stores credit card information. Details about Stripe's security practices and PCI compliance can be found on Stripe's security page.