We ensure security and data privacy through the entire information processing lifecycleSecurity & Data Protection
Zykrr has a technical infrastructure designed to provide security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.
Secure cloud Infrastructure
Our infrastructure is deployed in Amazon Web Services (AWS) data centers in Mumbai, India (ap-south-1). AWS maintains the security of data center following strict guidelines on perimeter security (physical access to data center), infrastructure security (power backup, fire protection, etc.), data security (technological intrusions, disk lifecycle, etc.) and environmental security (flooding, seismic activity). AWS data center has certifications like SOC 2, SOC 3, ISO 27001 and many others. For booting a secure operating system, we use the latest secure virtual machine image from AWS’s AMI store.
Secure service deployment
We will describe how we go from the base hardware and software to ensuring that a service is deployed securely on our infrastructure. By ‘service’ we mean an application binary that a developer wrote and wants to run on our infrastructure, for example, the API server, rating application through which users submit feedback, NLP backend or a custom client integration middleware. There may be multiple deployments of the same service running copies of the same service to handle the required scale of the workload. Services running on the infrastructure are containerized.
Give your business the pinnacle of solutions and unlock new potentials with Zykrr.
Encryption of inter-service communication
All service communications, either in private network or over public internet incoming for web clients and client integrations are done strictly over HTTPS. Encrypted inter-service communication can remain secure even if the network is tapped or a network device is compromised.
Inter-service access management
A service needs to pass a valid token in order to invoke another service. For example, a service may want to offer some APIs solely to a specific white-list of other services. That service can be configured with tokens with information embedded in them telling how much and what is accessible.
Service identity, integrity and isolation
We use cryptographic authentication and authorization at the application layer for inter-service communication. This provides strong access control. We do not rely on internal network segmentation or firewalling as our primary security mechanisms, though we do use ingress and egress filtering at various points in our network to prevent IP spoofing as a further security layer. This approach also helps us to maximize our network’s performance and availability. Zykrr’s source code is stored in a central repository where both current and past versions of the service are auditable. The service’s container images are built and deployed using continuous deployments scripts. The build and deployment process are fully automated. These requirements limit the ability of an insider or adversary to make malicious modifications to source code and provide a forensic trail from a service back to its source.
We use containers as solution to isolation and sandboxing technique for protecting a service from other services running on the same machine.
Secure data storage
Zykrr’s infrastructure uses a variety of storage services, such as Elastic block storage (EBS) and Simple Storage Service (S3). All applications at Zykrr store data on these storage services. All storage services have been configured to encrypt data using AES-256 algorithm before it is written to physical storage in data center.
Encryption operations occur on the servers that host virtual machines, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88.
Secure internet communication
Until this point in this document, we have described how we secure services on our infrastructure. In this section we turn to describing how we secure communication between the internet and these services. We do isolate our infrastructure from the internet into a private IP space so that we can more easily implement additional protections such as defense against denial of service (DoS) attacks by only exposing a subset of the machines directly to external internet traffic.