Introduction

This security overview is intended to help our customers understand how data is handled within the ExtensionTotal platform and the measures we take to safeguard your organization’s assets.

Platform Architecture and Data Flow

ExtensionTotal is a SaaS-based solution that integrates seamlessly with your organization’s environment through an agent-less approach. The following sections explain the key components of our architecture, data flow, and security mechanisms that protect your data.

Solution Diagram

Below is a high-level overview of the ExtensionTotal platform and its interactions with customer environments:

Solution Components

  1. Endpoint (Client-Side): This is where VSCode, JetBrains, or any other software that includes a marketplace (extensibility) is installed and used by employees.
  2. ExtensionTotal API: Our API, hosted in the cloud, facilitates the communication between your environment and our platform, submitting extension data and receiving data back for control.
  3. ExtensionTotal Platform: The management console hosted in the cloud, responsible for extensions, continuous discovery and inventory, policy configuration, risk reports, etc.

Data Flow

  1. Endpoint machines send extension IDs and endpoint names to the ExtensionTotal API.
  2. The API communicates with the ExtensionTotal Platform, where risk scores, extension behavior analysis, and other security findings are calculated.
  3. The ExtensionTotal Platform provides risk analysis, policy outcomes, and alerts.
  4. Any detection that requires remediation under a policy is handled by the recurring MDM script or EDR integration, which checks for policies that need to be enforced.

Data Collected and Transmitted

The following outlines the types of data collected by the ExtensionTotal platform and sent from the customer’s environment to our SaaS:

  • Extension Inventory: A list of all installed extensions per endpoint.
    • Extension ID: Unique identifier for the VSCode or IDE extension.
    • Extension Name: The name of the searched extension in VSCode.
    • Version Information: The current version of the extension installed on the endpoint.
  • Machine/Hostname: (Optional) Identifies the device where the extension is installed for reporting purposes.
    • OS Type: (Optional) Identifies the device operating system.
    • Username: (Optional) Identifies the logged-in username on the device where the extension is installed for reporting purposes.

Data Protection and Security Measures

At ExtensionTotal, we take security and privacy very seriously. Generally, no sensitive data is collected by the ExtensionTotal platform; most extension information is public data, and the only identifiers that may be collected are the machine name and username. To ensure the data transmitted from your environment is protected at all stages, we employ the following security measures:

  • Data Encryption in Transit: All communication between your environment and ExtensionTotal’s cloud services is encrypted using TLS 1.2 or higher. This ensures that data remains secure during transmission over the internet.
  • Data Encryption at Rest: All collected data, including extension metadata and security findings, is encrypted at rest using AES-256 to protect against unauthorized access.
  • Data Minimization: We only collect the minimal data necessary to perform risk analysis and enforce policies, ensuring that no unnecessary information is stored.
  • Audit Logging: All interactions with the ExtensionTotal platform are logged for audit purposes, including policy changes, extension installations, and security findings.
  • Isolation of Customer Data: Data for each customer is logically isolated within the platform, ensuring that information from one organization is never shared with another.

ExtensionTotal is committed to providing secure and comprehensive control over third-party extensions within your organization. Our secure architecture, strict data handling policies, and seamless integration with existing security systems ensure that your environments remain safe and productive. For additional questions or to request more information, please contact your ExtensionTotal account representative.