Hosting
Security
Security is important, and fortunately with a Software-as-a-Service solution like Zento it is something you no longer need to worry about for your shop.
We know very well that in order to achieve a secure system, security needs to be a focus from the first stages of a development process and not an afterthought.
The security of any application in production has two components:
Application security
System security
Application security is the security built into the code and there are plenty of best practices to adhere to in both frontend and backend development. Developers guard against a wide range of vulnerabilities, while also keeping frameworks and libraries up to date, so that known vulnerabilities in outdated versions can’t be exploited. Code reviews and testing tools make sure mistakes are detected and resolved in the development stage, well before they reach production.
System security refers to the security of the infrastructure the application runs on; the rest of this article focuses on it, covering the following points:
SSL & Encryption
Isolation
Container Security
Firewall
SSL & Encryption
Security starts with the SSL certificate generated by AWS Certificate Manager and attached to CloudFront, so all user connections are made over HTTPS. Certificates are automatically re-issued yearly by Amazon, and since they are attached directly to CloudFront, their private key is never available for download to anyone, which reduces the risk of certificate compromise.
At-rest encryption is used for both the databases and S3 file storage, even though the private networking already makes the encrypted data unreachable from outside. At-rest encryption is nevertheless a requirement in multiple security standards, and it is applied to all Zento data.
Isolation
Besides encrypting traffic and stored data, another important practice applied in Zento systems is exposing the minimum number of components to the public Internet.
This means that the databases run inside an internal VPC with no access from outside; no connection can be made to the database from the Internet, keeping it completely isolated.
Files stored in S3 have public access blocked, so the only way they can be reached is by another authorized service or through CloudFront on the explicitly allowed paths.
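The S3 isolation described above, as an added Terraform example that is not Zento's own configuration: the bucket blocks every form of public access, and its policy lets only one CloudFront distribution (assumed to already exist, with an origin access control, and identified by the `distribution_arn` variable) read objects, and only under an allowed prefix. The bucket name and prefix are placeholders.

```hcl
# Placeholder: ARN of the CloudFront distribution that fronts this bucket.
variable "distribution_arn" {
  type = string
}

resource "aws_s3_bucket" "assets" {
  bucket = "example-shop-assets" # placeholder name
}

# Block all public access at the bucket level, whether granted via ACLs or
# via a bucket policy, so a later misconfiguration cannot expose objects.
resource "aws_s3_bucket_public_access_block" "assets" {
  bucket                  = aws_s3_bucket.assets.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt objects at rest by default (SSE-S3).
resource "aws_s3_bucket_server_side_encryption_configuration" "assets" {
  bucket = aws_s3_bucket.assets.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# The only principal allowed to read is the CloudFront service, and only when
# the request is signed on behalf of this specific distribution, and only for
# objects under the "media/" prefix (the explicitly allowed path).
data "aws_iam_policy_document" "assets" {
  statement {
    sid       = "AllowCloudFrontReadOnAllowedPrefix"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.assets.arn}/media/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [var.distribution_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "assets" {
  bucket = aws_s3_bucket.assets.id
  policy = data.aws_iam_policy_document.assets.json
}
```

Any request that does not come through that distribution, or that targets an object outside `media/`, is denied by default because no other statement grants access.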
Container Security
Zento runs on
For additional security, all application code running in Lambda and Kubernetes is executed in read-only environments, so vulnerabilities that rely on altering the source code on disk cannot be exploited.
Firewall
On top of all the security architected into the solution, all calls are protected by the AWS Web Application Firewall (WAF) attached to CloudFront, so attacks are detected and blocked. The Lambda functions are also protected from DDoS (Distributed Denial of Service) and the lesser-known EDoS (Economic Denial of Sustainability) attacks; this newer type of attack floods a site with traffic not to take it down, but to drive up its cloud hosting costs.
The WAF rule set is updated continuously to protect against an ever-growing range of attacks.
Security is important, but with the advantage of using a Software-as-a-Service solution like Zento, this is something you no longer need to worry about.