Encryption

Encryption is a major component in helping ensure the authenticity, integrity, and confidentiality of data in transit. This article discusses:

  • Encryption in Transit (API Access, Media Files, Email)
  • Encryption at Rest (Assets, Data, Logs)

Key management

We use Google Cloud’s Key Management System or AWS Key Management System (depending on where the customer domain is deployed), and keys are rotated every 90 days by default. Encryption keys are destroyed when the corresponding compute resource is destroyed, ensuring that the data becomes unreadable. For iconik-managed buckets, as well as for data in our database servers, it is not possible for customers to provide their own encryption keys.

API Access

iconik enforces HTTPS, HTTP/2 or WSS for all traffic over external networks. No authenticated connection is allowed via HTTP, WS or other clear-text protocols. iconik only uses TLS 1.2+ or QUIC.

Internal data transfer is on RFC 1918 private IP addresses and may sometimes be sent in clear text within secure facilities, for example for traffic within a Kubernetes cluster. All traffic that leaves the secure facilities is encrypted.

We have audited details such as the certificates we use, their effectiveness, and their conformance to the latest standards, and confirmed that we use TLS 1.2 or better with industry-standard strong encryption algorithms.

Media files

All files that are stored in iconik-provided storage are secured and encrypted using AES-256 and are transferred using either HTTPS or the QUIC protocol.

When viewing or transferring assets, iconik uses time-limited signed URLs which are created on request, after making sure the requestor is authenticated and has the correct roles and permissions to access or upload the file being requested. This signed URL is sent to the user’s browser, which then downloads the file directly from the cloud bucket.
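
A minimal sketch of the time-limited signed URL pattern described above, as an added example that is not iconik's or any cloud provider's code: the API side authorizes the requester and signs the path with an expiry, and the storage side checks only the signature and the expiry. The HMAC scheme, `SIGNING_KEY`, `ACL`, the `storage.example` host and both function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a secret shared by the issuing API and the storage front end.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
# Constructed permission table: (user, object path) pairs allowed to read.
ACL = {("alice", "/assets/clip-001.mov")}


def _sign(method, path, expires):
    # Bind the signature to method, path and expiry so none can be swapped.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_signed_url(user, path, ttl=300, now=None):
    """API side: check permissions first, then mint a short-lived URL."""
    if (user, path) not in ACL:
        raise PermissionError(f"{user} may not read {path}")
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"expires": expires, "sig": _sign("GET", path, expires)})
    return f"https://storage.example{path}?{query}"


def verify_signed_url(url, method="GET", now=None):
    """Storage side: no user session, only signature and expiry are checked."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if (now if now is not None else time.time()) > expires:
        return False  # link has expired
    expected = _sign(method, parts.path, expires)
    # Constant-time comparison on bytes avoids leaking the match position.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Because the expiry and path are inside the signed message, extending the lifetime or pointing the URL at another object invalidates the signature.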

iconik’s internal access to assets is authenticated internally and uses HTTPS.

For bring-your-own buckets, customers have full control over the encryption keys used, including encryption algorithms and key rotation intervals.

Data

All customer data is stored with Encryption at Rest. Our internal databases and search services are backed by redundant SSD drives encrypted using AES-256 with integrity, and the data is replicated and chunked across multiple storage devices and servers. The drives use full-disk encryption with AES-256, and it is not possible for customers to bring their own keys to encrypt database content.

We do not store credit card or sensitive billing information internally, instead using Stripe to perform these services.

System disks

All compute systems involved in iconik use full-disk encryption using AES-256.

Backups

Backups are stored in cloud buckets in the same cloud provider but separate regions from the source data. All backups are encrypted with at least the same strength as the source data.

System Logs

System logs are produced by the system and are intended for our engineers to monitor and troubleshoot the different system components. System logs are stored in Google Stackdriver and are protected using AES-256 encryption.

Audit Logs

Audit logs are per-request logs which are generated by our APIs and are stored in a secure database with AES-256 encryption.

Email

All outbound email from iconik is sent securely to a third-party email service, SendGrid, using HTTPS. Email is sent from SendGrid using encrypted connections if the receiving end supports this; otherwise emails are sent in clear text.

Bring your own bucket

When you add your own storage bucket to iconik, it is your responsibility to make sure that the storage meets your security needs. To make your storage more secure:

  • Restrict the access granted to iconik to the bare minimum that we require. We will warn you in the GUI if we don’t have sufficient rights.
  • Do not share the iconik Cloud storage access credentials anywhere else.
  • Use our API for Cloud Storage if you need to rotate those access credentials regularly.
  • Turn on audit logging, and any other security logging features, for the Cloud buckets.
  • Make sure that the cloud storage audit logging information itself is secure, such as logging to another bucket with restricted access.

Questions

If you have any questions or concerns please email us at security@iconik.io and we will be happy to help.
