LogBase Security – How do we keep things secure?

LogBase Corporate Security

Compromising an employee laptop or account is the most popular method of gaining access to a corporate environment, so we take extra care to protect our corporate IT systems.

  • All employee laptops are encrypted.
  • Email and other accounts are protected using multi-factor authentication.
  • Employees use secure VPN connections to connect to the backend infrastructure.

Transferring data to LogBase servers

  • We use HTTPS to communicate with LogBase servers. We use SSL/TLS clients with the “Perfect Forward Secrecy” technique to provide extra security.
  • Each customer is given an individual encryption key that is used to encrypt the data in addition to SSL.
  • These measures guard against serious bugs like the Heartbleed bug.

AWS Multi Tenant Systems

  • Messages and files stored in Kinesis and S3 are encrypted with a custom encryption key that is specific to each customer, to guard against any security bugs in AWS infrastructure and against accidental or malicious public disclosure.
  • The encryption keys are stored using the Amazon Key Management Service, which is very secure and reliable.
  • Encryption keys are rotated at regular intervals to provide extra safety in case of a key exposure.
  • A secure Hadoop cluster is used, in which all data is encrypted during transmission and during storage in HDFS.

Network Isolation

Our AWS network is segmented into different private and isolated networks (AWS VPC). This prevents access from one network to another. For example, all public-facing web servers are isolated in one network and can communicate with only a few services, like Kinesis and DynamoDB. These web servers are at higher risk of being compromised because of their public-facing nature. Therefore, if an attacker compromises a web server, he/she won’t have access to the rest of the infrastructure. Since the compromised web servers handle only encrypted data, the actual exposure is minimised.

Multi Tenant Security

  • Each customer’s data is encrypted with a different encryption key.
  • Each backend analytical job processes only one customer at a time and thus will have access to only that specific customer’s encryption keys.
  • Customers will have the option to protect their account with multi-factor authentication.
  • Each internal and external API call will be authorized and authenticated to prevent any unauthorized access.

Audit Trails

All access to data stored in S3, Kinesis, and other storage systems is tracked using detailed audit logs. We use the AWS CloudTrail service for this.
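
One way to check the one-customer-per-job rule from the Multi Tenant Security list against the CloudTrail audit logs, as an added example (not LogBase's own code): it flags any job session whose KMS data events touch keys of more than one customer. The account ID, role name, key IDs and the key-to-customer inventory are constructed assumptions.

```python
import json
from collections import defaultdict

KMS_DATA_EVENTS = {"Decrypt", "GenerateDataKey"}
KEY = "arn:aws:kms:us-east-1:111122223333:key/"              # constructed account
ROLE = "arn:aws:sts::111122223333:assumed-role/analytics-job/"  # hypothetical role

# Constructed inventory: KMS key ARN -> owning customer (hypothetical names).
KEY_OWNER = {KEY + "key-a": "customer-a", KEY + "key-b": "customer-b"}

def make_record(session, key_id, event_name="Decrypt"):
    """Build one constructed CloudTrail-style record for the sample below."""
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "AssumedRole", "arn": ROLE + session},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY + key_id}],
    }

# Constructed sample log: job-1 and job-3 behave, job-2 and job-4 do not.
SAMPLE_TRAIL = json.dumps({"Records": [
    make_record("job-1", "key-a"),
    make_record("job-1", "key-a", "GenerateDataKey"),
    make_record("job-2", "key-a"),
    make_record("job-2", "key-b"),                  # second customer, same job
    make_record("job-3", "key-b"),
    make_record("job-3", "key-a", "DescribeKey"),   # metadata call, not data access
    make_record("job-4", "key-zz"),                 # key missing from the inventory
]})

def cross_tenant_sessions(trail_json, key_owner):
    """Return {session ARN: sorted owners} for sessions that used keys of more
    than one customer, or a key absent from the inventory ("UNMAPPED")."""
    seen = defaultdict(set)
    for rec in json.loads(trail_json).get("Records", []):
        if (rec.get("eventSource") != "kms.amazonaws.com"
                or rec.get("eventName") not in KMS_DATA_EVENTS):
            continue
        session = rec.get("userIdentity", {}).get("arn", "UNKNOWN")
        for res in rec.get("resources") or []:
            if res.get("type") == "AWS::KMS::Key":
                seen[session].add(key_owner.get(res.get("ARN"), "UNMAPPED"))
    return {s: sorted(o) for s, o in seen.items() if len(o) > 1 or "UNMAPPED" in o}

if __name__ == "__main__":
    for session, owners in cross_tenant_sessions(SAMPLE_TRAIL, KEY_OWNER).items():
        print(session, owners)
```

A session reported here either crossed a customer boundary or used a key the inventory does not know about; both warrant a look at the job's IAM policy and key grants.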

Overall Architecture




