Network Security

Runtime Application Self-Protection

In addition to standard network security controls such as firewalling, Sophos Central uses Runtime Application Self-Protection (RASP) technology. Unlike a perimeter defense, which sees only the traffic passing through it, RASP monitors the inputs the application receives and detects and blocks attacks on Sophos Central using real-time knowledge of the application's own inner workings. This lets Sophos Central respond to an attack as it happens, preventing exploitation and taking further action such as terminating the session or alerting security teams, so that customer data remains protected at all times.

Auto-Scaling Virtual Networks

Sophos Central is segmented into a number of logically separate virtual networks according to the workloads they run (for example authentication or endpoint management). Within each network, workloads are placed in auto-scaling groups behind a load balancer, so that when a particular workload sees increased load or traffic, additional temporary resources are allocated to give the group the capacity to handle it.

Network Access Control Lists

Security Groups and Network Access Control Lists are configured on the principle of least privilege. By default, any service built for use in Sophos Central is placed on a private subnet that is not reachable from outside the virtual network. Services are not permitted to talk to other services unless that access is explicitly needed and has been granted by the Sophos Central Infrastructure Services (CIS) team. Only services that must expose an external interface are given a public-facing one.

Database Access

Databases are not exposed to the internet, are reachable only from within the virtual network, and are kept on their own private subnets, separate from the rest of the Sophos Central infrastructure. Services that need to interact with a database must do so through the Data Access Layer (DAL); the DAL is described further in the Data Security section of this document.
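The two preceding paragraphs describe a policy (private by default, no service-to-service access without an explicit grant, databases reachable only through the DAL, public interfaces only for services that must have one) rather than a mechanism. The following is an added example, not Sophos Central's code or configuration, of how such a policy can be audited as a check against a set of security-group ingress rules. It assumes the common cloud convention that a rule's source is either a CIDR range or another security group; the group names, roles, grant list and the two drifted rules are constructed for illustration.

```python
"""Least-privilege audit of security-group ingress rules.

Added example (not Sophos Central's configuration). Encodes the policy
stated in the text and checks a constructed rule set against it.
Security-group semantics follow the usual cloud convention: a rule's
source is either a CIDR or the name of another security group.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # CIDR (e.g. "10.0.0.0/8") or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    role: str    # hypothetical labels: "edge", "service", "dal" or "db"
    subnet: str  # "public" or "private"
    ingress: list = field(default_factory=list)


def is_cidr(source: str) -> bool:
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def is_open_to_internet(source: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other non-private address range."""
    if not is_cidr(source):
        return False
    net = ipaddress.ip_network(source, strict=False)
    return net.prefixlen == 0 or not net.is_private


def audit(groups, grants, public_facing):
    """Return policy findings for the rule set (empty when it complies).

    grants: set of (source_group, dest_group, port) tuples that were
            explicitly approved (the text's CIS-team grant in model form).
    public_facing: names of the groups allowed to expose a public interface.
    """
    by_name = {g.name: g for g in groups}
    findings = []
    for g in groups:
        if g.subnet == "public" and g.name not in public_facing:
            findings.append(f"{g.name}: on a public subnet but not an approved public-facing service")
        if g.role == "db" and g.subnet != "private":
            findings.append(f"{g.name}: database group must be on a private subnet")
        for r in g.ingress:
            if is_cidr(r.source):
                if is_open_to_internet(r.source) and g.name not in public_facing:
                    findings.append(f"{g.name}: port {r.port} open to {r.source} but service is not public-facing")
                if g.role == "db":
                    findings.append(f"{g.name}: database port {r.port} reachable by address range {r.source}, not only via the DAL")
                continue
            src = by_name.get(r.source)
            if src is None:
                findings.append(f"{g.name}: port {r.port} references unknown group {r.source}")
                continue
            if (r.source, g.name, r.port) not in grants:
                findings.append(f"{g.name}: port {r.port} from {r.source} has no explicit grant")
            if g.role == "db" and src.role != "dal":
                findings.append(f"{g.name}: database port {r.port} reachable from non-DAL group {r.source}")
    return findings


def compliant_example():
    """Constructed rule set that follows the policy: edge -> service -> DAL -> DB."""
    grants = {("sg-web", "sg-auth", 8443), ("sg-auth", "sg-dal", 8443), ("sg-dal", "sg-auth-db", 5432)}
    public_facing = {"sg-web"}
    groups = [
        SecurityGroup("sg-web", "edge", "public", [Rule(443, "0.0.0.0/0")]),
        SecurityGroup("sg-auth", "service", "private", [Rule(8443, "sg-web")]),
        SecurityGroup("sg-dal", "dal", "private", [Rule(8443, "sg-auth")]),
        SecurityGroup("sg-auth-db", "db", "private", [Rule(5432, "sg-dal")]),
    ]
    return groups, grants, public_facing


def drifted_example():
    """The same rule set with two constructed misconfigurations added."""
    groups, grants, public_facing = compliant_example()
    groups[3].ingress.append(Rule(5432, "sg-auth"))  # service reaches the DB directly, bypassing the DAL, with no grant
    groups[1].ingress.append(Rule(22, "0.0.0.0/0"))  # SSH from anywhere on a private-subnet service
    return groups, grants, public_facing


if __name__ == "__main__":
    print("compliant:", audit(*compliant_example()))
    for finding in audit(*drifted_example()):
        print("FINDING:", finding)
```

The check is deliberately structural: it flags a rule that is not backed by a recorded grant even when the rule itself looks harmless, which is how an allow-by-exception policy stays auditable as rule sets drift. In practice the same function would be fed the live security-group export of the environment rather than the constructed sample.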

Maintenance Access

Maintenance access to Sophos Central is available only over a VPN tunnel originating from a specific network within Sophos’ IT infrastructure. The tunnel cannot be established from outside Sophos’ network, even with valid credentials, keys and certificates.

DDoS Protections

Distributed Denial of Service (DDoS) attacks are mitigated using dedicated DDoS protection technologies, auto-scaling, system monitoring and traffic shedding.