Sophos Central is the cybersecurity management platform for all Sophos next-gen security solutions. This page details the security measures that ensure Sophos Central remains the industry’s most protected platform.

Sophos Central platform

Sophos Central is a cloud-native application with high availability. It is hosted on public cloud platforms, such as Amazon Web Services (AWS) and Microsoft Azure, that dynamically scale to handle an ever-changing workload.

Each Sophos Central account is hosted in a named region – users choose their preferred region when creating their account. All customer data is locked to the chosen region and cannot be transferred across regions. Within each region we employ replication across multiple data centers (availability zones) to provide seamless failover in the event of infrastructure-level failures.

Sophos Central uses well-known, widely used, industry-standard software libraries to mitigate common vulnerabilities (e.g. those covered in the OWASP Top Ten). This enables us to benefit from the high level of scrutiny these libraries face in terms of security and stability.

Sophos Central architecture

Sophos Central uses a set of global services for identity and session management, together with fully-scalable regional API and product services. All Sophos next-gen products share threat, health and security information via Sophos Central, elevating protection. Everything is controlled through a single web interface for easy day-to-day management.

Figure: Sophos Central Architecture

Physical security

We operate a shared responsibility model with the public cloud providers that provide the physical infrastructure for Sophos Central. They are responsible for the security of the cloud, and Sophos is responsible for security in the cloud.

Learn About the AWS Shared Responsibility Model

For details on the steps Amazon takes to secure the infrastructure and services they offer, see their security whitepaper.

AWS Security Whitepaper


Network security

Auto-scaling virtual networks

Sophos Central is segmented into a number of logically separate virtual networks based on the various workloads they perform (such as authentication or endpoint management). All workloads are then placed into auto-scaling groups, behind a load balancer, so that when a particular workload sees increased load/traffic, additional temporary resources can be allocated to give the group capacity to handle the load.

Network access control lists

Security Groups and Network Access Control Lists are configured following the principle of least privilege. By default, any service that is built for use in Sophos Central is placed on a private subnet that is not exposed outside of the virtual network. Additionally, services are not given permission to talk to other services unless explicitly needed and access has been granted by the Sophos Central Infrastructure Services (CIS) team. Only services that must expose an external interface are given a public-facing interface.

Database access

Databases are not exposed to the internet and are only accessible within the virtual network. They are kept on separate, private subnets from the other Sophos Central infrastructure. Services wishing to interact with a database must do so through the Data Access Layer (DAL). More on the DAL can be found in the Data Security section of this document.

Maintenance access

Maintenance access to Sophos Central is only available via a VPN tunnel originating from a specific network within Sophos’ IT infrastructure. The tunnel cannot be established from outside of Sophos’ network, even with credentials, keys, and certs.

DDoS protections

Distributed Denial of Service (DDoS) attacks are mitigated via dedicated DDoS protection technologies, autoscaling, system monitoring, and traffic shedding.

Data security



All data is stored in database clusters that are, at a minimum, triplicated. Event-driven clustered replication, with a replication factor of at least three, ensures two database instances in our cluster can fail and data will still remain available. Being event-driven, any database change is immediately pushed to all instances in the cluster, rather than changes being replicated on a schedule, making sure that even when an instance fails, the full dataset is available on failover instances.


Each instance of a database is supported with its own storage volume which is snapshotted hourly. These instances are transient, with only the storage volumes persisting. This enables us to destroy database instances without fear of data loss thanks to the cluster replication factors. Vulnerabilities in database applications, operating systems etc. can be rapidly addressed without data loss.


All data at rest is encrypted using volume-level encryption; this covers storage volumes, object storage, and the virtual drives of virtual machines.

For sensitive customer data, we use field-level encryption within storage volumes using a per-field multi-part key. These parts are formed from several different locations, including a key management system. Each key is unique to every customer, and every field.
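The following is an added illustration, not Sophos code: one way a per-field key can be built from several parts so that it is unique per customer and per field. The use of HKDF-SHA256, the two key parts, the salt label and all names (`derive_field_key`, `KMS_PART`, `APP_PART`) are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample key parts. In a real system one part would be fetched
# from a key management system and another held elsewhere (assumption).
KMS_PART = b"constructed-part-from-kms"
APP_PART = b"constructed-part-from-app-config"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(part: bytes) -> bytes:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    return len(part).to_bytes(4, "big") + part


def derive_field_key(kms_part: bytes, app_part: bytes,
                     customer_id: str, field_name: str) -> bytes:
    """Derive a 32-byte key bound to one customer and one field.

    Losing any single part (for example only the application part)
    is not enough to reproduce the key.
    """
    ikm = _lp(kms_part) + _lp(app_part)
    info = _lp(customer_id.encode()) + _lp(field_name.encode())
    return hkdf_sha256(ikm, salt=b"field-key-v1", info=info)


if __name__ == "__main__":
    for cust, field in [("customer-a", "email"), ("customer-a", "phone"),
                        ("customer-b", "email")]:
        key = derive_field_key(KMS_PART, APP_PART, cust, field)
        print(cust, field, key.hex()[:16] + "...")
```
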

Transport-level encryption is used to secure management communication between the client software and Sophos Central platform via certificates and server validation.

Sophos never stores or sends Central account passwords in plain text. When a new user signs up for an account, they must set a password as part of the activation process.

Threat protection


Sophos Central is architected so that all machines are user-less, requiring no interaction, and allowing machines to be locked down and hardened. Machines are built from pristine sources, thanks in part to our secure digital code signing process, and only execute the prescribed software from our development team as part of creating the machine gold image.

As with database server instances, machines that comprise Sophos Central can be destroyed and rebuilt at any time without data loss.


The gold images for virtual machines are upgraded with the latest software libraries and applications every three weeks. No virtual machine instance exists for longer than three weeks, with old instances being destroyed and new instances deployed based on the new gold images.

Should a vulnerability be found via the vulnerability dependency framework, internal or external testing, bug bounty program, or other means, patching and redeployment take place as part of the vulnerability response program.

Security monitoring and response

Sophos’ Global Security Operations Center monitors all logging data from Sophos Central and its related services. Sophos Central has forensic capabilities in the event of a data breach for rapid incident response.

Customer controls

Multi-factor authentication (MFA)

MFA is required for all Sophos Central Account Administrators in our multi-tenant Partner and Enterprise dashboards, and we are currently going through the process to enroll all Central Administrators for single-tenant dashboards. MFA enrollment is on by default for all new Central accounts. Integrated options currently include OTP delivered via email or SMS, as well as Time-based OTP (TOTP) via any compatible app.

Role-based administration

A number of pre-defined administrative roles can be assigned to admins. These roles restrict access to sensitive log data and prevent admins from making changes to settings and configurations.

Telemetry and data gathering

Full details on the data we collect and store are available on the following pages of our website:

Sophos Group Privacy Policy
SophosLabs Information Security Policy

Secure updating

We ensure the integrity of our software updates for customers in several ways:

  • We digitally sign all binary files we publish.
  • By default devices download updates over a secure HTTPS session. If they're not already using HTTPS updating, the admin can activate it via the Global Settings in Sophos Central.
  • Devices receive a manifest (signed by us) that lists the components they need to install. Devices install only files that are on the list and that are signed by us.
  • Devices can't install any files that we haven't approved.
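The manifest check described in the list above, as an added example that is not Sophos's updater code. The JSON manifest layout, the per-file SHA-256 digests and all names are assumptions, and an HMAC tag stands in for the vendor's public-key signature so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in: a real updater verifies an
# asymmetric signature and never holds the signing secret on the device.
DEMO_KEY = b"constructed-demo-key"


def sign_manifest(manifest_bytes: bytes, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def verify_update(manifest_bytes: bytes, tag: str, files: dict,
                  key: bytes = DEMO_KEY):
    """Return (approved, rejected) file names, each sorted.

    Raises ValueError if the manifest tag does not verify. A file is
    approved only if it is listed and its SHA-256 matches the manifest.
    """
    if not hmac.compare_digest(sign_manifest(manifest_bytes, key), tag):
        raise ValueError("manifest signature check failed")
    # Parse the manifest only after it has been authenticated.
    listed = json.loads(manifest_bytes)["components"]
    approved, rejected = [], []
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        ok = hmac.compare_digest(listed.get(name, ""), digest)
        (approved if ok else rejected).append(name)
    return sorted(approved), sorted(rejected)


# Constructed sample download: two listed components and one unlisted file.
FILES = {"engine.bin": b"engine v2", "rules.dat": b"rules 2024",
         "extra.dll": b"not on the manifest"}
MANIFEST = json.dumps({"components": {
    "engine.bin": hashlib.sha256(b"engine v2").hexdigest(),
    "rules.dat": hashlib.sha256(b"rules 2024").hexdigest(),
}}, sort_keys=True).encode()
TAG = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(verify_update(MANIFEST, TAG, FILES))
```
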