The SocialShared infrastructure is hosted on the cloud computing platform provided by Amazon Web Services, a leading cloud computing company.
Amazon’s platform provides a high level of reliability and availability to the project through the use of large data centers and redundant computing networks on a global scale, complying with the highest standards of quality and reliability.
Its cloud also provides the flexibility and ease required to scale the project to your needs, allowing hardware resources to be migrated, increased or reduced dynamically, without service interruption.
Amazon guarantees the reliability of its cloud computing services, offering an SLA commitment of 99.95% for its EC2 services network (http://aws.amazon.com/es/ec2/sla/).
Managing the platform through Amazon AWS allows us to have any number of servers available at any time, quickly and efficiently, in order to ensure that the service and data processing are optimal.
These servers can increase or decrease in number depending on what is required at each particular moment, providing high availability so that data can be processed in a matter of minutes, and then reducing the number of servers gradually as the data processing demand decreases.
We are not speaking of one server managing the SocialShared website, but of a cluster of servers that complement each other and are aligned to guarantee the stability and integrity of the service.
Using Amazon Web Services for our network means we benefit from many years of experience and all the security certifications of a leading company in cloud computing.
All physical and operational security processes for network infrastructure controlled by AWS can be found in their Security Whitepaper (http://awsmedia.s3.amazonaws.com/pdf/aws_security_whitepaper.pdf).
The flexibility of the cloud and the use of an indeterminate number of servers running in parallel can ensure an uptime of nearly 99.99%.
Physical access to data stored in our instances is practically not feasible, and only logical access using authentication systems is authorised.
Data is stored in Amazon Web Services EBS logical volumes, which are distributed and replicated in order to guarantee durability of nearly 99.99% of objects.
Logical servers work simultaneously as a cluster so that in the event of data integrity failure on a server, data is automatically replicated and secure in a parallel server.
SECURITY COPIES AND DATA BACKUP
Level 1 - Incremental backups.
These backup copies are kept in the same cloud the application servers run on, on AWS EBS storage devices. Depending on the type of data being copied, incremental backups are scheduled at different intervals:
- Website files: 1 time a day. Incremental backups stored for a maximum of 45 days.
- Software development and update files: 2 times a day. Incremental backups stored for a maximum of 21 days.
- Databases (1): 3 times a day. Full SQL dump every 8 hours, stored for a maximum of 30 days.
- Databases (2): 72 times a day. Full SQL dump every 20 minutes, stored for a maximum of 2 days.
- Server configuration files: 1 time a day. Incremental backups stored for a maximum of 120 days.
- Traffic log and server log: 1 time a day. Data stored for 2 years.
Level 2 - Disc imaging (snapshots of hard drives).
Every 2 hours, a snapshot (disk image backup) is automatically taken of each of the hard drives of the system and its data. These snapshots are exact copies of the full data at a point in time, and they are kept for 8 days.
These snapshots make it possible to restore the complete system, configurations and data in a few minutes, to a selected point in time from the last 8 days at 2-hour intervals. For example, we could generate from scratch a brand new storage server that is an exact copy of the original one as it was five days ago at 19:00. We are therefore supported by the flexibility, reliability and performance that Amazon Web Services offers.
Level 3 - Incremental backups on a remote access server located in the HETZNER network.
On a daily basis, incremental backups of all the data previously listed under Level 1 are carried out on a secure remote access server located in the HETZNER network in Germany. These incremental backups are stored for a maximum of 14 days.
Access control and security:
Access to the websites of SocialShared is restricted to SSL encryption of 128 bits, the SHA-1 algorithm and a security key of 2048 bits. The HTTPS protocol will be used for bidirectional encryption of communications between client and server, to ensure that the contents of communications cannot be read by any third party.
Platform access and management
Internally our cloud offers different security levels for access to the platform:
- Front-end security:
SocialShared servers’ domains are only accessible via web. Traffic is only allowed on ports 80 and 443 (HTTP and HTTPS), therefore preventing attackers from launching a port scan.
The technical administration team for the SocialShared platform has a backdoor to the servers’ cloud for administration and management. Access will be via SSH without password authentication, restricted to an RSA key file of 1024-2048 bits which will only be provided to the technical team responsible for this service.
The IP address the SSH server listens on will not bear any relation to the SocialShared domains, and will therefore be secure on a dark web setting.
Only authorized personnel will have the information and access to this server, either via IP or via a management subdomain.
These two conceptual security levels on the cloud are reinforced through use of restrictive firewalls at each endpoint.
The firewalls will only allow incoming traffic to come through to specific ports.
The different servers that the Social Shared platform runs on are protected and located in a VPC virtual private cloud on the Amazon AWS cloud: communication between them is possible and equally secured through firewalls.
Access to the services on this cloud is only defined on the two aforementioned security levels: front-end and back-end, and is controlled through Firewall.
All data between servers, whether to set up remote backups or to publish programming code, is transferred through an SSH tunnel with public/private RSA keys.
AES (128, 192 or 256 bits) is used for data encryption, while the ECDH-SHA2-NIST algorithm is used for key exchange.
Web access to Social Shared is restricted to SSL encryption of 128 bits, the SHA-1 algorithm and a security key of 2048 bits.
Within the architecture of Social Shared, all services are distributed through a network of application servers. The application is divided into 3 steps:
The instances required to process data can be added and removed to provide the availability of the service needed, which is provided through an ELB load balancer (AWS).
Capacity on the instances can be scaled up or down automatically through Auto Scaling, according to the conditions that are defined, such as the system load or the bandwidth used by the platform.
File, session and media processing:
The media servers provide all the file and session data necessary for the instances to operate. Access to these servers is likewise provided through front-end application load balancing.
Database server clusters are likewise accessed through application load balancing. This distribution of services allows us to react quickly to situations that could affect the service and provides an extra layer of reliability based on multi-points
The technical capacity to run new application servers for each level in a matter of minutes, along with the flexibility of the backup system, provides the ability to respond quickly in case of network overload or possible failures.
WEB APPLICATION SECURITY
This application manages possible unauthorized access through 3 security stages:
- First stage: if an invalid access attempt is made, a CAPTCHA automatically appears to block bots.
- Second stage: the visitor’s IP will be blocked if the maximum number of login attempts is exceeded.
- Third and final stage: if invalid access is attempted again even after the IP has been blocked, the user will be blocked and a notification will be sent via email with instructions for reactivation.
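The three stages above can be expressed as a small state tracker. This is an added example, not SocialShared's own code: the threshold value, the `send_reactivation_mail` hook and the reading of the third stage (further invalid attempts against an account after an IP was blocked for attacking it, from any IP) are assumptions.

```python
from collections import defaultdict

# Assumed threshold: the page names the stages but gives no numbers.
MAX_ATTEMPTS_PER_IP = 5   # failures from one IP before that IP is blocked


class LoginGuard:
    """Escalates failed logins: CAPTCHA -> IP block -> account lock."""

    def __init__(self, send_reactivation_mail):
        self.ip_failures = defaultdict(int)   # ip -> failed attempts
        self.blocked_ips = set()
        self.flagged_users = set()            # accounts targeted by a blocked IP
        self.locked_users = set()
        self.send_reactivation_mail = send_reactivation_mail  # hypothetical hook

    def precheck(self, ip, username):
        """What the login form must do before credentials are verified."""
        if username in self.locked_users:
            return "user_locked"
        if ip in self.blocked_ips:
            return "ip_blocked"
        if self.ip_failures.get(ip, 0) > 0:
            return "captcha"
        return "allow"

    def record_failure(self, ip, username):
        """Register one invalid attempt and return the stage now in force."""
        if username in self.locked_users:
            return "user_locked"
        if username in self.flagged_users:
            # Stage 3: invalid attempts continue after the IP block.
            self.locked_users.add(username)
            self.send_reactivation_mail(username)
            return "user_locked"
        if ip in self.blocked_ips:
            return "ip_blocked"               # blocked IP probing another account
        self.ip_failures[ip] += 1
        if self.ip_failures[ip] > MAX_ATTEMPTS_PER_IP:
            # Stage 2: maximum number of login attempts exceeded.
            self.blocked_ips.add(ip)
            self.flagged_users.add(username)
            return "ip_blocked"
        return "captcha"                      # Stage 1

    def record_success(self, ip, username):
        self.ip_failures.pop(ip, None)
        self.flagged_users.discard(username)

    def reactivate(self, username):
        """Called when the user follows the e-mailed instructions."""
        self.locked_users.discard(username)
        self.flagged_users.discard(username)
```

Locking the account only when it was the target at the moment an IP was blocked keeps a blocked address from locking arbitrary other users.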
The production environment of Social Shared is managed in compliance with the provisions of Organic Law 15/1999 of 13 December (LOPD of Spain), on Personal Data Protection.
Some of the management measures carried out are:
- There are policies in place for the management of storage media and documents.
- Login data and tracking records are available for all software access, incidents and updates, as well as for any maintenance performed on the platforms.
- Access to the servers for software maintenance or updates is allowed with certificate or key exchange, not with passwords.
- All the software versions on the platform are kept updated, taking into account the security updates published via secure repositories.
MONITORING AND SUPPORT
To ensure the quality of service, the environment is constantly monitored on two levels.
On the one hand, Amazon AWS provides tools and alerts that determine the hardware status of the Social Shared platform.
Status checks are performed every 5 minutes, and an alarm and corresponding alert to the support team will be sent if status checks fail on a specific instance.
Furthermore, alert sensors will autoscale the number of instances available in case of crashing, overload or demand spikes, to adapt the platform to maintain performance or decrease capacity during lulls.
In addition, a remote monitoring system run by NODEPING performs checks at one-minute intervals to show whether there is an incident or the service is down. It is programmed to measure different operating parameters, such as processing time, access time to the database, access time to multimedia content, etc. In the event that the service is down, an alert is sent via SMS to notify the support team.
The support team offers 24x7 coverage to respond to any queries or incidents related to the service.