...
The Tentacle product is hosted on AWS, a highly stable infrastructure and the world's most comprehensive and broadly adopted cloud platform. AWS data centers around the world are designed with environmental safeguards.
The services we deployed with ECS/Fargate are configured to run in all 3 zones (ap-southeast-2a, ap-southeast-2b and ap-southeast-2c) in the Asia Pacific (Sydney) region, and RDS is configured with Multi-AZ. These zones provide resilience in the face of most failure modes, including natural disasters or system failures.
AWS data centers are staffed 24x7 by professional security guards, and access to the premises is strictly restricted.
The Development, Staging, Pre-Production and Production environments are completely isolated from each other at the VPC (Virtual Private Cloud) level and the AWS account level.
AWS Compliance empowers customers to understand the robust controls in place at AWS to maintain security and data protection in the AWS Cloud. When systems are built in the AWS Cloud, AWS and customers share compliance responsibilities. AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS.
Customers reduce the scope and cost of audits required by operating in an accredited environment. AWS continuously assesses its underlying infrastructure, including the physical and environmental security of its hardware and data centers, so customers can take advantage of those certifications and simply incorporate those controls.
Data Security
Field level encryption
Field-level encryption is enabled for all sensitive data, which we encrypt using AWS KMS.
Key management
The cryptographic keys are created and managed securely by AWS KMS (AWS Key Management Service).
Secure communication
We protect your data end to end while it is in transit between the application and the servers, using the Transport Layer Security (TLS) 1.3 protocol with the TLS_AES_128_GCM_SHA256 cipher suite, to ensure that the data cannot be viewed if intercepted. This protection is accomplished by encrypting your data before transmission, authenticating end to end, and decrypting and verifying your data upon arrival.
...
Although backups are not directly related to security, in the event of a security incident the first thing we look at is our backup. Backups can be useful for forensic investigations as well as for returning to a known healthy state. It is critical to keep both fast-to-recover backups and slower air-gapped systems. Data backups take place daily and are maintained with appropriate versioning; the retention time for the backups is 30 days.
Backup storage
Backups are stored in the same region (Sydney) in AWS.
RDS - Built-in backup service for RDS.
Redshift - Built-in backup service for Redshift.
Data retention period
Prod Env: RDS - 30 Days (daily backups)
Prod Env: Redshift - 30 Days
Data archival
Only the backups of EC2 instances are archived in both Dev/QA and Prod environments.
Types of Data being backed up
EC2 instance data and RDS data, which includes all client data stored in the application.
Expiration of the data retention period
At the end of the data retention period, the backed-up data is deleted automatically.
...
AWS Shield Standard is enabled to protect the application and the APIs from DDoS attacks. These attacks violate the CIA triad: confidentiality, integrity and availability.
Monitoring and logging
AWS CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards to give a unified view of the AWS resources, applications, and services that run on AWS. These event logs have a retention period of 3 months.
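One way to check the settings stated above (Multi-AZ RDS in the Sydney region, 30-day backup retention, 3-month log retention) against what is actually configured. This is an added example, not Tentacle's own tooling: the sample JSON is constructed in the shape of `aws rds describe-db-instances` and `aws logs describe-log-groups` output, the resource names are hypothetical, and "3 months" is assumed to mean 90 days.

```python
import json

# Constructed sample data in the shape returned by
# `aws rds describe-db-instances` and `aws logs describe-log-groups`.
# Instance and log group names are hypothetical.
RDS_JSON = """{"DBInstances": [
  {"DBInstanceIdentifier": "example-prod-db", "MultiAZ": true,
   "BackupRetentionPeriod": 30, "AvailabilityZone": "ap-southeast-2a"},
  {"DBInstanceIdentifier": "example-drifted-db", "MultiAZ": false,
   "BackupRetentionPeriod": 7, "AvailabilityZone": "ap-southeast-2b"}
]}"""
LOGS_JSON = """{"logGroups": [
  {"logGroupName": "/ecs/example-api", "retentionInDays": 90},
  {"logGroupName": "/ecs/example-worker"}
]}"""

EXPECTED_REGION = "ap-southeast-2"  # Sydney, as stated on the page
BACKUP_DAYS = 30                    # backup retention stated on the page
LOG_DAYS = 90                       # assumption: "3 months" set as 90 days


def audit_rds(doc):
    """Return (instance, issue) pairs for RDS settings that have drifted."""
    findings = []
    for db in doc.get("DBInstances", []):
        name = db["DBInstanceIdentifier"]
        if not db.get("MultiAZ", False):
            findings.append((name, "Multi-AZ is disabled"))
        # A BackupRetentionPeriod of 0 means automated backups are off.
        days = db.get("BackupRetentionPeriod", 0)
        if days != BACKUP_DAYS:
            findings.append(
                (name, f"backup retention is {days} days, expected {BACKUP_DAYS}"))
        if not db.get("AvailabilityZone", "").startswith(EXPECTED_REGION):
            findings.append((name, "instance is outside the expected region"))
    return findings


def audit_log_groups(doc):
    """Return (log group, issue) pairs for retention that is not LOG_DAYS."""
    findings = []
    for group in doc.get("logGroups", []):
        # A log group with no retentionInDays key never expires its events.
        days = group.get("retentionInDays")
        if days != LOG_DAYS:
            actual = "never expires" if days is None else f"is {days} days"
            findings.append((group["logGroupName"],
                             f"log retention {actual}, expected {LOG_DAYS} days"))
    return findings
```

Feeding the functions the parsed output of the two CLI commands, per account and environment, turns the stated retention and resilience settings into a repeatable drift check.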
...