Standard Security Practices
AWS VPC with a Multi-layered Architecture
The AWS Virtual Private Cloud (VPC) environment is isolated from the public network by a private IP subnet and virtual network constructs such as VLANs, firewalls, and encrypted communication channels (HTTPS).
The database layer is separated from the application server. Only the application server is allowed to access the database layer.
Permission groups are applied to deny unauthorized access to different layers/services of the application architecture.
A multi-layered architecture is employed to allow secure cross-layer communication: each layer in the application architecture can communicate only with the layer immediately below it.
Application Load Balancer
Application Load Balancers distribute incoming application traffic across application instances and use path-based routing rules to send requests to a specified target group. Traffic is spread across multiple targets, including EC2 instances, in multiple Availability Zones.
AWS Autoscaling
Amazon EC2 Auto Scaling ensures you have the correct number of Amazon EC2 instances available to handle the load of the application. The ability to scale increases the agility of your environment and acts as a fail-safe when the load on the application increases. You can specify the minimum, desired, and maximum number of instances in each Auto Scaling group (ASG) and ensure that the group never grows beyond the defined size. Auto Scaling also launches or terminates instances as demand on your application increases or decreases.
Please see below for the benefits of using Auto Scaling:
Auto Scaling can be configured to use multiple Availability Zones (AZs) for high availability and fault tolerance: if one AZ becomes unavailable, Amazon EC2 Auto Scaling can launch instances in other AZs. Auto Scaling can also detect when an instance is unhealthy, terminate it, and launch a replacement from the AMI specified in the launch configuration.
Auto Scaling helps ensure that the application has the right amount of capacity to handle traffic as demand changes.
*There are no additional fees with Amazon EC2 Auto Scaling.
Application Servers
Application servers are built on the Python Django Stack utilizing the Model-View-Controller (MVC) architecture.
The intended purpose of Application Servers is to host and execute Cyware’s application logic. As data flows through our optimized algorithms, security best practices are utilized to protect data in transit.
All application servers are stateless and therefore store no data on the EC2 instance; all data is stored securely within the database layer.
Application servers are hardened according to the CIS Benchmarks.
All source code and future patches/releases are reviewed against the latest OWASP Top Ten vulnerabilities.
File Storage
Storage is encrypted with the industry-standard AES-256 algorithm and is accessible only from the application servers.
File storage cannot be accessed publicly. Storage is configured for private access only.
Resources stored in the S3 bucket are protected by an ephemeral URL that expires after a pre-configured time.
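The ephemeral URLs mentioned above are S3 pre-signed URLs, whose validity window is carried in the URL itself. The following is an added example, not Cyware's code: it reads the SigV4 query parameters of a constructed sample URL (bucket, key, credential and signature values are placeholders) to decide whether a link is still usable and whether it was signed for longer than an assumed 15-minute policy limit, which is a useful review check for any code that generates such links.

```python
"""Check an S3 pre-signed ("ephemeral") URL against a link-lifetime policy.

Added example, not Cyware's code. SAMPLE_URL is constructed for illustration;
only the X-Amz-Date and X-Amz-Expires parameters that AWS Signature Version 4
places on every pre-signed URL are read."""

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

MAX_ALLOWED_LIFETIME = timedelta(minutes=15)   # assumed policy value
AWS_HARD_LIMIT = timedelta(days=7)             # longest lifetime SigV4 accepts

# Constructed sample: signed at 2024-01-01T12:00:00Z, valid for 600 seconds.
SAMPLE_URL = (
    "https://example-bucket.s3.amazonaws.com/reports/q1.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000placeholder"
)

def utc(*ymdhms):
    """Small helper: build a timezone-aware UTC datetime, e.g. utc(2024, 1, 1, 12, 5)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)

def presign_window(url):
    """Return (signed_at, expires_at) parsed from the URL's SigV4 query parameters."""
    qs = parse_qs(urlparse(url).query)
    signed_at = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(qs["X-Amz-Expires"][0]))
    return signed_at, signed_at + lifetime

def is_usable(url, now):
    """True only while `now` lies inside the signed validity window."""
    signed_at, expires_at = presign_window(url)
    return signed_at <= now < expires_at

def lifetime_exceeds_policy(url, limit=MAX_ALLOWED_LIFETIME):
    """Flag links signed for longer than the allowed maximum."""
    signed_at, expires_at = presign_window(url)
    return expires_at - signed_at > min(limit, AWS_HARD_LIMIT)

if __name__ == "__main__":
    print(is_usable(SAMPLE_URL, utc(2024, 1, 1, 12, 5)))    # inside the window
    print(is_usable(SAMPLE_URL, utc(2024, 1, 1, 12, 10)))   # expired
    print(lifetime_exceeds_policy(SAMPLE_URL))              # 600 s is within 15 min
```

A link that is syntactically valid but past its X-Amz-Expires is rejected by S3 regardless of the signature, so the check here is for reviewers and log analysis; the actual enforcement is S3's.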
Encryption
Cyware uses AWS KMS CMKs for encryption. A customer master key (CMK) is a logical representation of a master key and contains the key material used to encrypt and decrypt data.
Cyware uses symmetric CMKs, which never leave AWS KMS unencrypted.
CMKs are applied to all AWS Services used by Cyware.
CMKs are created and managed by Cyware to ensure DR failover can occur between regions and automatic key rotation is applied.
WAF
Cyware supports application firewalls configured to explicitly allow traffic from customer sites.
User Authentication
Cyware products support different user authentication methods, such as username/password with two-factor authentication and single sign-on (SSO) based authentication (LDAP and SAML).
SSM
Session Manager gives you remote access to your servers without opening any ports in security groups, building any VPN tunnels, or using bastion hosts, providing a “Zero Trust” route.
Access is governed by IAM permissions, which are scoped by tag-based policies to grant granular access control.
Sessions are proxied by AWS Systems Manager which can be accessed using the AWS Console for web access, or the AWS CLI for a native "terminal" experience.
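The tag-scoped IAM permission that makes Session Manager access granular looks like the policy below. This is an added example, not Cyware's policy: the tag key and value, account id and region are placeholders, while the actions, resource ARN forms and the ssm:resourceTag/<key> condition key are the ones AWS documents for ssm:StartSession. A small evaluator shows, over a constructed instance inventory, which instances a holder of the policy could open a session to.

```python
"""Tag-scoped Session Manager permission and a minimal allow/deny check.

Added example, not Cyware's policy. Account id, region, tag key/value and
instance ids are placeholders or constructed sample data."""

import json
from fnmatch import fnmatch

# StartSession only on EC2 instances tagged Environment=staging, plus the
# default session document and the right to end one's own sessions.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartSessionOnTaggedInstances",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "staging"}},
        },
        {
            "Sid": "UseDefaultSessionDocument",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell",
        },
        {
            "Sid": "ManageOwnSessions",
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
    ],
}

# Constructed inventory: instance id -> tags.
INSTANCES = {
    "i-0aaa": {"Environment": "staging", "Role": "app"},
    "i-0bbb": {"Environment": "production", "Role": "app"},
    "i-0ccc": {},   # untagged: nothing matches, so IAM's implicit deny applies
}

def _tag_conditions_match(statement, tags):
    """Evaluate only the StringEquals ssm:resourceTag/<key> conditions."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    prefix = "ssm:resourceTag/"
    for key, wanted in cond.items():
        if key.startswith(prefix) and tags.get(key[len(prefix):]) != wanted:
            return False
    return True

def can_start_session(policy, instance_id, tags, region="us-east-1", account="111122223333"):
    """Allow if some Allow statement covers ssm:StartSession on this instance ARN
    and its tag condition holds. Real IAM evaluation additionally applies explicit
    denies, SCPs, permission boundaries and other condition operators."""
    arn = f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "ssm:StartSession" not in actions:
            continue
        if fnmatch(arn, st["Resource"]) and _tag_conditions_match(st, tags):
            return True
    return False

def reachable_instances(policy, inventory):
    """Instance ids the policy holder may open a session to."""
    return sorted(i for i, tags in inventory.items() if can_start_session(policy, i, tags))

if __name__ == "__main__":
    print(json.dumps(SESSION_POLICY, indent=2))
    print("sessions allowed to:", reachable_instances(SESSION_POLICY, INSTANCES))
```

The instance statement and the document statement are both required: StartSession is authorised against the instance ARN and the session document ARN, so omitting either results in a denied call even though the tags match.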
Database Servers
Only application servers are allowed to access the database layer; the architecture accepts no other requests to the database layer.
Data transmissions and communications are protected with HTTPS (SSL/TLS) encryption.
Security Groups
Security Groups are configured in the product network architecture to control incoming and outgoing traffic based on configured rules. This allows the architecture to block unauthorized access by evaluating the security-group rules for every connection attempting to reach an instance.
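The layered model described under "AWS VPC with a Multi-layered Architecture" and the security groups described here fit together: each inner layer's security group admits traffic only from the security group of the layer directly above it, never from a CIDR range. The following added example (not Cyware's configuration; group names, ports and the layer order are assumptions) models that rule set and checks the invariant, flagging a rule that skips a layer and a rule that grants CIDR-based access to the database.

```python
"""Model layered security-group ingress rules and verify that every inner
layer is reachable only from the layer directly above it.

Added example, not Cyware's configuration. Security-group ids, ports and the
layer order are assumed; referencing a *source security group* instead of a
CIDR is the standard AWS way to express layer-to-layer access."""

from dataclasses import dataclass

# Layer order from the edge inward (assumed): load balancer -> app -> database.
LAYERS = ["sg-alb", "sg-app", "sg-db"]

@dataclass(frozen=True)
class Ingress:
    group: str    # security group the rule is attached to
    port: int     # TCP port opened
    source: str   # source security group id or CIDR block

# Constructed rule set that follows the layered model.
GOOD_RULES = [
    Ingress("sg-alb", 443, "0.0.0.0/0"),   # only the edge is reachable from the Internet
    Ingress("sg-app", 8000, "sg-alb"),     # app port only from the load balancer
    Ingress("sg-db", 5432, "sg-app"),      # database port only from app servers
]

# Same set with two mistakes a reviewer should catch.
BAD_RULES = GOOD_RULES + [
    Ingress("sg-db", 5432, "sg-alb"),      # skips the app layer
    Ingress("sg-db", 5432, "10.0.0.0/8"),  # CIDR-based access to the database
]

def check_layering(rules, layers=LAYERS):
    """Return a list of violations (empty means the rule set is compliant).

    The outermost layer may accept CIDR sources; every inner layer may accept
    traffic only from the security group of the layer directly above it."""
    index = {sg: i for i, sg in enumerate(layers)}
    problems = []
    for r in rules:
        if r.group not in index:
            problems.append(f"{r.group}: not part of the layered model")
            continue
        depth = index[r.group]
        if depth == 0:
            continue   # edge layer: Internet-facing ingress is expected here
        expected = layers[depth - 1]
        if r.source not in index:
            problems.append(f"{r.group}:{r.port} allows CIDR {r.source}; inner layers must use source security groups")
        elif r.source != expected:
            problems.append(f"{r.group}:{r.port} allows {r.source}; only {expected} may reach this layer")
    return problems

if __name__ == "__main__":
    print("good rule set:", check_layering(GOOD_RULES))
    for p in check_layering(BAD_RULES):
        print("bad rule set: ", p)
```

The same check can be run against exported `describe-security-groups` output by mapping each IpPermission's UserIdGroupPairs and IpRanges onto Ingress records; the layer order is the only input that must be supplied by hand.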
SSL Pinning
A unique key combination validates the handshake between client and server and helps prevent Man-in-the-Middle (MITM) attacks.
Additional Practices
In addition to the security provided by Layered Architecture, as explained previously in this document, some of the other essential security measures are:
Inbound and outbound traffic is restricted to the defined ports.
VPN/SSO/OTP is mandatory for accessing the dashboard and deployment servers.
All API calls are logged, monitored, and reviewed periodically and access data is stored with encryption.
The network is constantly monitored for any malicious activity.
Cyware products support session encryption with the TLS 1.1/TLS 1.2 standards.
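The SSL pinning described earlier and the TLS version support stated here are both client-side properties of the TLS handshake. The following added example, not Cyware's client code, builds a Python client context that enforces a TLS 1.2 floor (the stricter end of the TLS 1.1/1.2 range listed above) and then pins the server's leaf certificate by SHA-256 fingerprint, closing the connection when a certificate that passes chain validation is nonetheless not the expected one. The host name and pin values are placeholders.

```python
"""TLS client with a version floor and certificate pinning.

Added example, not Cyware's code. Host name and pin values are placeholders;
the certificate bytes used in the test are constructed, not a real certificate."""

import hashlib
import socket
import ssl

def fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint is in the allowed set.
    Keep at least two pins (current and backup) so a certificate rotation
    does not lock every client out."""
    return fingerprint_sha256(der_cert) in {p.lower() for p in pins}

def make_client_context() -> ssl.SSLContext:
    """Standard CA chain and host-name verification plus a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def connect_with_pin(host: str, pins, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection; refuse it if the presented leaf certificate is not pinned.
    Chain validation still happens first, so pinning adds to it rather than replacing it."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)   # DER bytes of the server's certificate
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pinned fingerprint")
    return tls

if __name__ == "__main__":
    # Placeholder pins: replace with the real SHA-256 fingerprints for your host.
    PINS = ["<sha256-of-current-cert>", "<sha256-of-backup-cert>"]
    try:
        s = connect_with_pin("app.example.com", PINS)
        print("negotiated", s.version())
        s.close()
    except (OSError, ssl.SSLError) as e:
        print("connection rejected:", e)
```

Pinning the leaf certificate's fingerprint means every certificate renewal requires a client update; pinning the public key (SPKI) instead survives renewals that reuse the key pair, at the cost of parsing the certificate, which the standard library's ssl module does not expose directly.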