We know your data is extremely important to you and your business, and we’re very protective of it. After all, Humio’s data is hosted on Humio, too!
Please email support@humio.com to submit a vulnerability report.
We employ a team of server specialists at Humio to keep our software and its dependencies up to date, eliminating potential security vulnerabilities. We employ monitoring solutions for preventing and eliminating attacks on the site.
All private data exchanged with Humio is always transmitted over SSL (which is why your dashboards are served over HTTPS, for instance). All transport of data is done over HTTPS using your Humio credentials.
Humio user credentials are authenticated using a third-party IdP of your choice (GitHub or Google), and we do not store any passwords. All users are virtual and have no user account on our machines.
Every log entry we receive is saved on a minimum of three different servers, including an off-site backup. We do not retroactively remove repositories from backups when deleted by the user, as we may need to restore the repository for the user if it was removed accidentally.
We do not encrypt repositories on disk because it would not be any more secure: the website and time series back-end would need to decrypt the repositories on demand, slowing down response times. Any operator with shell access to the file system would have access to the decryption routine, thus negating any security it provides. We do encrypt our backups though.
No Humio employees ever access customer data spaces unless required to for support reasons. Staff working directly in the file store access the compressed Humio database; your data is never present as plaintext files. Support staff may sign into your account to access settings related to your support issue. Support staff do not have direct access to your data spaces. They need to temporarily attach their user identity to your data space to interact with your data, and this will show up in your audit logs. When working a support issue, we do our best to respect your privacy as much as possible, and we only access the data needed to resolve your issue.
We protect your login from brute force attacks with rate limiting. We do not store any passwords, as we only support login with 3rd-party IdPs. Login information is always sent over SSL.
Our 3rd-party IdPs allow you to use two-factor authentication, or 2FA, as an additional security measure when accessing your Humio account. Enabling 2FA adds security to your account by requiring both your password and access to a security code on your phone to access your account.
We also maintain relationships with reputable security firms to perform regular penetration tests and ongoing audits of Humio and its code.
We’re extremely concerned and active about security, but we’re aware that many companies are not comfortable hosting logs outside their firewall. For these companies, we offer Humio On-Premise, a version of Humio that can be installed on a server within the company’s network.
Have a question, concern, or comment about Humio security? Please contact support@humio.com.