Silverfort was founded on secure practices and takes your company's data security extremely seriously. As such, we have developed this online diligence package with SafeBase.io to make it easy for our clients to assess the risks to, and the effectiveness of, the Confidentiality, Integrity, and Availability controls of our products and services. We are happy to address any questions not answered here during the diligence process.
Our security self-assessments use the 2023 SIG-LITE and the CAIQ v4. In addition, we have a self-assessment available here that is based on the SIG and contains additional common privacy questions related to GDPR compliance for our European customers.
Silverfort was architected with security in mind to ensure the product secures the customer's environment with no added risk. The core of Silverfort’s platform can be delivered on-prem as a hardened virtual appliance. Silverfort integrates with AD by installing an AD adapter. The AD adapter is minimal in its design and well-tested to reduce the attack surface as much as possible.
Most importantly, Silverfort doesn’t extract passwords, hashes, session keys or any other secret from AD. So even in the unlikely event that the virtual appliance is compromised, the AD secrets remain secure. Security is an important consideration in the design of every feature in Silverfort. Among other controls, all code is peer reviewed, and the product undergoes periodic external testing. The product is considered a Microsoft-preferred solution and received the Microsoft Intelligent Security Association Zero Trust Champion award.
Silverfort benchmarks its cybersecurity program against the following standards, controls, and frameworks: ISO 27xxx, ITIL, the NIST Cybersecurity Framework, the SANS Top 20 CSC and the SANS Common Weakness Enumeration (CWE) Top 25, the CIS Controls (v8), the COSO Enterprise Risk Framework, OWASP (including the OWASP Top 10), and the AICPA SOC 2 Type 2 Trust Services Criteria for Security, Confidentiality, Availability, Privacy, and Processing Integrity.
Documents
Silverfort has released its Product Security Assessment Confirmation Letter for 2024 (Pentest). It can be found on the home page of our trust center, or by following this link: https://trust.silverfort.com/?itemUid=722b9671-c0d5-4a19-a5f7-0ad8fd81307c&source=click
Thank you.
Background:
On or about April 19, 2024, Snowflake, running within Google Cloud, was breached by a cybercriminal group tracked as UNC5537. The event was investigated by Mandiant, and impacted customers were notified beginning May 22, 2024. Approximately 165+ companies were impacted by the breach. According to Mandiant's blog, the affected customers were those that did not have multifactor authentication enabled on their Snowflake accounts, had not rotated account passwords after previous breaches, and did not restrict who could access those accounts.
Silverfort Scope:
Snowflake is not used within our on-premises and SaaS Unified Identity Protection product, but is used internally for business analytics, research, and investigations.
Silverfort Impact:
Silverfort was not impacted by this breach.
Regarding https://nvd.nist.gov/vuln/detail/CVE-2024-3094, in which malicious code was inserted into the upstream xz tarballs via a modified liblzma, Silverfort has confirmed that neither our on-premises deployment nor our SaaS application and messaging services are affected by this vulnerability. Please feel free to contact us at security@silverfort.com if you have any other questions.
If you need help using this Trust Center, please contact us.