
How secure is the SimpleRisk Hosted Medium and Large Enterprise platform?

We build on the Amazon cloud because its outstanding physical security practices ensure the safety and integrity of our infrastructure. Amazon Web Services (AWS) implements rigorous measures, including 24/7 surveillance, access controls, and multi-layered security protocols, to protect its data centers. Each customer has dedicated Amazon EC2 hosts in a segregated network, so your resources are isolated from those of other customers for enhanced security and performance. This segregation minimizes the risk of unauthorized access and potential data breaches.

Every server in our architecture utilizes UFW (Uncomplicated Firewall) for local firewall rules, which provides an additional layer of security by controlling incoming and outgoing traffic based on pre-defined rules. This complements the network segmentation provided by Amazon, resulting in a robust defense against external threats. 

From the Internet, only the web server tier is accessible, via port 443 for secure HTTPS traffic (and port 80 for HTTP redirects), which limits exposure to only the necessary services. We employ a wildcard SSL certificate to secure all our subdomains, ensuring encrypted connections between our servers and users. Furthermore, our SSL configuration has been rated "A" by SSL Labs, reflecting our commitment to using best practices for secure communications.

To safeguard server access, SSH (Secure Shell) is restricted. Access to the servers is only allowed from a single bastion host, which acts as a secure gateway. This is designed to further mitigate the risk of unauthorized access, as only those with the proper key and password can connect to the bastion and, subsequently, to the servers.
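The firewall and SSH paragraphs above describe a policy that can be checked mechanically. The following is an added example, not SimpleRisk's own tooling: it audits `ufw status` output for a web-tier host against that policy (only 80/tcp and 443/tcp open to the Internet, SSH only from the bastion). The function names, the bastion address and the sample output are assumptions constructed for illustration.

```python
import re

WEB_PORTS = {"80/tcp", "443/tcp"}  # the only Internet-facing ports the page names

def parse_rules(status_text):
    """Yield (to, action, source) for each rule row of `ufw status` output."""
    in_table = False
    for line in status_text.splitlines():
        if line.startswith("--"):          # separator under the To/Action/From header
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 3:
            # IPv6 rows carry a " (v6)" suffix on both ends; normalise it away.
            yield tuple(c.replace(" (v6)", "") for c in cols)

def audit(status_text, bastion_ip):
    """Return a list of deviations from the stated web-tier policy."""
    findings = []
    if "Status: active" not in status_text:
        findings.append("firewall is not active")
    for to, action, source in parse_rules(status_text):
        if not action.startswith(("ALLOW", "LIMIT")):
            continue                       # DENY/REJECT rows cannot widen exposure
        if source == "Anywhere":
            if to not in WEB_PORTS:        # a bare "443" also opens UDP, so it is flagged
                findings.append(f"{to} open to the Internet")
        elif to.split("/")[0] == "22" and source != bastion_ip:
            findings.append(f"SSH allowed from {source}, not the bastion")
    return findings

# Constructed sample output (documentation-range addresses, not real hosts).
HEADER = "Status: active\n\nTo                         Action      From\n--                         ------      ----\n"
COMPLIANT = HEADER + (
    "443/tcp                    ALLOW       Anywhere\n"
    "80/tcp                     ALLOW       Anywhere\n"
    "22/tcp                     ALLOW       203.0.113.10\n"
    "443/tcp (v6)               ALLOW       Anywhere (v6)\n")
DRIFTED = COMPLIANT + (
    "3306/tcp                   ALLOW       Anywhere\n"
    "22/tcp                     ALLOW       198.51.100.7\n")

if __name__ == "__main__":
    print(audit(COMPLIANT, "203.0.113.10"))
    print(audit(DRIFTED, "203.0.113.10"))
```

Run against each host on a schedule, a check like this catches rule drift that the AWS network segmentation would otherwise mask.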

Each customer receives a dedicated Amazon RDS (Relational Database Service) database instance. This setup ensures that your data is stored in an isolated environment with a unique username and a long, random password for added security. For customers who require heightened security for sensitive information, we also offer the Encrypted Database Extra. This feature allows for the encryption of specific database fields, providing an extra layer of protection for critical data. However, it is important to note that we do not enable this feature by default, as it may result in longer query times. It remains an option for those with specific concerns regarding the sensitivity of their data, allowing you to choose the level of protection that best suits your needs.