The Ambassador Platform incorporates security and privacy by design. This article details our approach.
Architecture
Our platform is hosted by Amazon Web Services. We use a variety of services including EC2, S3, RDS, CloudFront, Elastic Beanstalk, Comprehend and GuardDuty.
The Ambassador Platform is built on the PERN stack (Postgres, Express, React and Node.js). The mobile app is built in React Native and we also offer a RESTful public API for third-party integrations.
The platform is architected inside a virtual private cloud (VPC). Application servers cannot be reached directly from the Internet, and databases have no Internet access. Servers are maintained over an SSH tunnel through a bastion host, and the bastion accepts connections only from developer IP addresses. User traffic, including authentication, is carried over TLS.
All applications are developed in a secure environment and access to source control is restricted. Developers follow the OWASP guidelines. All code passes through a quality assurance (QA) process that tests functionality against its user story and checks for security vulnerabilities. We perform code reviews on an ongoing basis and User Acceptance Testing on more complex new features.
Encryption
The platform is served over TLS 1.2. Sensitive data fields are hashed using SHA-256. Passwords are hashed using bcrypt, which is deliberately slow and salted so that a stolen password table cannot be brute-forced quickly; a fast hash such as SHA-256 is suitable for integrity checks and lookup tokens but not for passwords.
Identity and access management (IAM)
We mandate strict permissions and access management for developers, with highly limited database access. Access keys are rotated every sixty days. ‘Super Admin’ accounts are held only by The Ambassador Platform (TAP) employees who have completed data protection training. All users can delete their own accounts.
Multi-factor authentication (MFA)
Internal systems are protected by two-step authentication as a minimum, including employee email accounts.
Data security and integrity
We carry out penetration testing on all key systems, including data stores, at least once annually. Testers simulate an attack under controlled conditions, with the aims of:
- breaching the confidentiality of data stored by, or on behalf of, The Ambassador Platform
- identifying the level of exposure to a targeted or untargeted attack
- identifying whether an attack could penetrate the VPC
- disabling internal infrastructure
- reducing or otherwise affecting the availability of the service
In accordance with OWASP penetration testing methodologies, tests are conducted under controlled conditions with the same level of access as a regular Internet user, that is, unauthenticated and from the public Internet.
Monitoring and recovery
We monitor continuously using both AWS services and external services such as New Relic. We have processes for backups, updates, patches and disaster recovery.
All vulnerabilities are categorised using a traffic-light (red/amber/green) system, and patches are released within 48 hours, in most cases within two hours. Errors and events are logged and retained for 90 days. Backups are automated by AWS and checked daily for integrity. We perform vulnerability assessments on an ongoing basis, with a monthly review.
We have a recovery point objective (RPO) of under 6 hours and a recovery time objective (RTO) of under 2 hours.
Processes and training
Developers and account managers undergo a data protection training course provided by High Speed Training. We also take basic security measures including a ‘monitor-off’ policy, antivirus policies and password management.