Network & Infrastructure Security
Hosting & Data Storage
ProdPad stores data in a multi-tenant environment in AWS in the EU (Ireland) region (Full details on the AWS security measures can be found here). Data, database and file system architecture are replicated between multiple geographically dispersed data centers.
Data is logically isolated on a per Customer basis at the application layer. CreateShift logically separates each Customer’s data from the data of other Customers, and data for an authenticated User will not be displayed to another User (unless both Users have access to the same Customer Account).
ProdPad is a multi-tenancy application with the data logically separated between accounts. Data from one account cannot be accessed from another account, nor can it be shared.
Access to the data is only available to users with an appropriate role in the account or through one of the embeddable plugins.
ProdPad is also available as a single tenancy hosted solution and on-premise. If you are interested in single tenancy or on-premise versions, please get in touch with hello@prodpad.com.
Encryption
In Transit
All data is encrypted in transit, both within the ProdPad network and between you and the application, using TLS 1.2+. The encryption is based on RSA 256-bit keys with perfect forward secrecy using EDCA.
CreateShift servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.
At Rest
All data is encrypted at rest using AWS Key Management Service (“AWS KMS”). This uses the AES-256 encryption standard.
ProdPad supports BYOK (Bring Your Own Key) through its single tenancy version. This gives you full control over the encryption of the data in ProdPad. An on-premise version is also available. Get in touch with hello@prodpad.com to learn more.
Infrastructure Scans
Weekly infrastructure vulnerability and configuration scans are conducted using a variety of services. Any identified issues are addressed based on the risk rating produced by the scans.
Configuration Monitoring & Control
We use AWS Config to provide configuration monitoring of resources with alerting of changes from both AWS CloudWatch and AWS SecurityHub.
For setting up and managing infrastructure resources we use the automation tools Terraform and Chef.
Firewalls
Firewalls exist at both the network layer via virtual private cloud (“VPC”) and on each host. The VPC serves to isolate ProdPad servers from the rest of the AWS network. The infrastructure within the VPC can only be accessed via Application Load Balancers (“ALB”).
AWS Security Groups (“AWS SG”) and VPC Access Control Lists (“VPC ACL”) provide inbound, outbound and internal content policies.
Web Application Firewall
Each ALB has a Web Application Firewall (“WAF”) running that provides protection for inbound traffic against SQLi and XSS along with other OWASP Top 10 attacks.
AWS Network Firewall
AWS Network Firewall is enabled both to provide IDS and to control the outbound traffic originating from our production servers.
Threat & Intrusion Detection
We use both threat and intrusion detection. The information from intrusion detection and threat detection is collated in SecurityHub, which uses various security standards for compliance checks.
Intrusion Detection
Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. CreateShift’s intrusion detection involves:
- Tightly controlling the size and make-up of CreateShift’s attack surface through preventative measures;
- Employing intelligent detection controls at data entry points; and
- Employing technologies that automatically remedy certain dangerous situations.
Intrusion detection systems operate on each host and at the network/infrastructure level. Network/infrastructure level intrusion detection is done using AWS Network Firewall.
Threat Detection
Threat Detection is provided by AWS GuardDuty.
DDoS Mitigation
DDoS mitigation is provided by AWS.
DKIM/SPF/DMARC
All emails sent from the ProdPad domain are signed using both DKIM and SPF. A DMARC record is also available for receiving mail servers.
Infrastructure Access
Access to the infrastructure is strictly controlled with least access privileges in place. AWS console access requires MFA, with key accounts using physical security keys. Direct access to physical servers can only be done via a VPN using SSH keys with MFA enabled.
Physical Security
For full details of AWS physical security see https://aws.amazon.com/compliance/data-center/data-centers/
Our office is protected with security and fire alarms. No physical assets used in the provision of the application or network are accessible from the office.
Logging, Alerts and Audits
Application Audit Log
We provide all account administrators on Advanced accounts and above with an audit log that can be reviewed.
It will show every action taken by all users within the account, including the specific action, item and time and date. The list can be exported as a PDF if needed.
Application Logs
We have extensive application logging to enable the audit of incidents and debugging of customer issues. These logs are centralised and have alerts enabled to watch for key changes and errors.
Infrastructure & Network Logging
We use CloudWatch to provide network, infrastructure and performance logging. CloudWatch has various alerts on things like traffic spikes and resource changes to provide early warning of unexpected changes.