AWS Cloud Computing Platform
Safa Insight is hosted on the Amazon Web Services (AWS) Cloud Computing Service platform. Leveraging the AWS hosted platform allows Safa to offload the security of the physical infrastructure required to run Safa’s solution to one of the global leaders in the cloud computing space. AWS implements controls in their data centres to ensure the integrity, availability, and confidentiality of all data stored on their infrastructure.
Safa has implemented a defense-in-depth security strategy for the Safa Insight solution. Defense-in-depth provides multiple layers of defense which increase the effectiveness of an organization security posture. While AWS provides the physical security controls, Safa has put in place multiple technical and administrative controls to ensure the security of all data its trusted with.
AWS Web Application Firewall (WAF)
Safa utilizes AWS's WAF to provide a front line defense against the unauthorized access of the Safa Insight solution. The WAF has been configured with geographic IP address restriction which allows connections only from IP addresses originating in the United States or Canada.
All server instances utilized to host the Safa Insight solution are built using encrypted volumes which provides encryption while the data is at rest and moving between the volume and the server instance. All snapshots (backups) of server instances are also encrypted. This encryption protects against the unauthorized access of any information stored in these volumes.
These instances have also been hardened by implementing the Center for Internet Security (CIS) benchmarks for securing Ubuntu Linux. The CIS benchmarks ensure that the instances used by Safa have been secured to disable any features or services of the operating system that could potentially pose a security vulnerability.
RDS Instance Encryption
Safa Insight utilizes an encrypted PosgreSQL Amazon relational database service (RDS) as the back end. This provides security in the form of encryption for both data in transit to and from the database and data at rest while the data is residing in the database.
The Safa Insight architecture includes a reverse proxy layer that houses instances that accept requests from the Internet. These requests then get forwarded to a web server in a separate subnet which does not receive any inbound requests directly from the Internet. This added proxy layer allows Safa to prevent any instances which communicate with the database to accept connections directly from the Internet.
Safa Insight leverages AWS' Certificate Manager Service to generate an SSL certificate for insight.safa.io. This ensures that all communication between a user's browser and Safa's network is done over through an encrypted connection.
Safa maintains a regular monthly cadence for applying security updates to the instance operating systems and the applications installed on them. This ensures that any vulnerabilities that are discovered are patched regularly.
Isolated Production Network
The Safa Insight production network is hosted in a virtual private cloud (VPC) that is used to host only the production environment. All testing and development work for Safa Insight is done in a separate VPC and we are vigilant in ensuring that no customer data should ever be moved to these environments.
Principle of Least Privilege
The Safa Insight solution has been designed with the principle of least privilege at the forefront. This principle ensures that users and services are given permission to only the resources that are required to perform their intended function. This helps prevent situation in which users or resources have the "keys to the kingdom."