As a security-first organization, AT&T Cybersecurity makes your data protection and privacy a top priority. USM Anywhere architecture and processes are designed to protect your data in transit and at rest.
All data sent from the USM Anywhere Sensor deployed in your on-premises or cloud environment to the USM Anywhere service in the AT&T Cybersecurity Secure Cloud is encryptedCryptographic transformation of data into a form that conceals the data's original meaning to prevent it from being known or used. and transferred over a secure TLS 1.2 connection. Each sensor generates a certificate to communicate with the USM Anywhere service. This means that all communication is uniquely encrypted between each sensor and USM Anywhere.
All forensic data (raw logs) is backed up on an hourly basis. The data collected in USM Anywhere is secured using AES-256 encryption for both hot (online) storage and cold (offline) storage.
Your data in USM Anywhere is treated as highly confidential, and only a select few AT&T Cybersecurity staff members have access. This group of employees uses multi-factor authenticationA method of access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge, possession, and inherence. (MFA) to access the AT&T Cybersecurity Secure Cloud. Strict internal controls and automation enable support for the service while minimizing administrative access.
AT&T Cybersecurity also has a formal information security program that implements various security controls to the National Institute of Standards Technology (NIST) Cyber Security Framework. Key controls include: Inventory of Devices, Inventory of Software, Secure Configurations, Vulnerability Assessment, and Controlled Use of Administrative Privileges. Additionally, AT&T Cybersecurity conducts security self-assessments on a regular basis.
Single-Tenant Data Store
Unlike other SaaS solutions that use a multi-tenant architecture, AT&T Cybersecurity uses a single-tenant data store architecture to securely store your data. With USM Anywhere, your data is stored in its own dedicated data store, which is completely isolated from other customers’ data. Unlike multi-tenancy, which is prone to data leakage and breakage that can affect multiple customer accounts, single-tenancy ensures that all customers’ data is kept separate and leak-proof.
Cold Storage Data Integrity
USM Anywhere offers secure long-term log retention, known as cold storage. By default, USM Anywhere stores all data associated with a customer’s subdomain in cold storage for the life of the active USM Anywhere subscription at no additional charge, while AT&T TDR for Gov customer data are kept for three years or longer (if requested).
Important: The retention period set on the license (30-days standard or 90-days standard) only applies to regular events. The retention policy for system events is 30 days and for user activities is 180 days, while the user activities related to investigations never expire.
USM Anywhere uses a write once, read many (WORM) approach in log storage to prevent log data from being modified or otherwise tampered with. You can download your raw logs at any time. If you do not renew your subscription, AT&T Cybersecurity will keep the raw logs for 14 days after your subscription expires, giving you a grace period to restart your service. Within the 14 days, no data is collected until your license is reactivated. Therefore, data is lost between license expiration and reactivation. After 14 days, your data will be destroyed.
End-of-Contract Shut Down
If your subscription expires and you decide not to renew, your USM Anywhere instance will be decommissioned 14 days after the expiration. All data, including asset information, orchestration rules, user credentials, events and vulnerabilities (hot storage), and raw logs (cold storage), will be destroyed.
Business Continuity Plan
To ensure business continuity, USM Anywhere executes a backup procedure 2 times a day, encrypts the data, and stores it for 15 days. The Recovery Point Objective (RPO) is up to 12 hours and the Recovery Time Objective (RTO) is approximately an hour, depending on the size of the data being restored.
USM Anywhere stores user credentials as saltedRandom data that is used as an additional input when applying a hash to a password that helps to defend against dictionary attacks and the use of rainbow tables by slowing down calculations in an attack. hashedA one direction checksum value produced to uniquely represent and identify text. The result of a hash function can be used to validate if a file has been altered, without having to compare the files to each other. Frequently used hash functions are MD5 and SHA1. passwords using a Java library called StrongPasswordEncryptor, which is an industry standard library for securing passwords.
Keep in mind these points when you are logging in:
- USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
- The password must contain numerical digits (0–9).
- The password must contain uppercase letters (A–Z).
- The password must contain lowercase letters (a–z).
- Special characters, such as hyphen (-) and underscore ( _ ) are supported but optional.
Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in to the system using the current (now expired) password. A new password must be different from the previous four passwords.
A user account is locked for 30 minutes after 3 failed login attempts within 15 minutes.