SECURITY

At eskuad, we care about security

We know we are part of your critical mission tools, so we care for cybersecurity.

Protecting data privacy and security is a top priority for Eskuad. We regularly evaluate our policies and practices to improve security and to keep up with the latest practices in the security industry.

This page is designed to provide technical readers, such as Chief Information Officers or Chief Technology Officers, additional clarity and specifics about our security commitments. While this document is written for technology experts who often play a key role in assessing our policies, we recognize that data security is highly important to all customers. Should you have security or privacy questions, please contact our team at support@eskuad.com.

Infrastructure Security

Encryption at Rest and In Transit

Access to the Eskuad Service occurs via encrypted connections (HTTP over TLS, also known as HTTPS) which encrypts all data before it leaves the Eskuad Service's servers and protects that data as it transits over the internet. All data in transit, including communications with AWS Event Bridge, API Gateway, and MongoDB Atlas, is secured through SSL. Services are hosted on Amazon Web Services (AWS) and initially served from AWS Application Load Balancer (ALB). We utilize HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections.

Data is stored at our Service Provider, AWS, and encrypted at rest using modern encryption algorithms. In AWS S3, we use AES-256 with AWS-managed keys. For MongoDB Atlas, AWS Key Management Service (KMS) is utilized for encryption at rest. Additionally, the AWS Elastic Block Store (EBS) volumes attached to Kubernetes worker nodes are also encrypted at rest. For securing configuration, AWS Secrets Manager is utilized to manage sensitive configurations like API keys, DB URLs, etc., ensuring SecureStrings for appropriate secrets.

All API calls to and from the services are enforced over HTTPS SSL, ensuring that the data in transit is encrypted and secure. Traffic between AKS and MongoDB Atlas is also enforced on SSL, safeguarding the data communications between the Kubernetes clusters and the database.

Network Security

Eskuad Services use AWS to host the infrastructure, capitalizing on AWS’s strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. AWS hosted infrastructure resides in a Virtual Private Cloud (VPC) designed to ensure that only authorized traffic over approved ports is allowed. Network Access Control Lists (NACL) and EC2 Security Groups are employed for an added layer of network security. The production Kubernetes cluster has rules to communicate with each node in the AWS VPC, and a combination of Internet Gateway and NAT gateway is utilized to expose the required services to our customers.

Eskuad Services utilizes a segregated network architecture within AWS, where critical components reside in a private subnet, increasing the system's security. These components include AWS AKS-managed Kubernetes on EC2, an internal load balancer between control nodes and worker nodes, and AWS Elasticache. The private subnet design restricts direct internet access, thereby reducing the exposure to external threats. The NAT gateway serves as the only pathway for outbound internet access from these private subnets, enhancing security by controlling the traffic that exits the environment.

Patching

Automated processes are used to regularly install security updates on the infrastructure powering the Eskuad Services. These processes include:

  • AWS Managed Services: These services offer automated patch management features that can be configured to apply updates within specified maintenance windows. Our engineering team ensures that these configurations are set to maintain a high-security level and apply updates promptly.
  • AWS EC2: All EC2 instances are monitored, and updates are applied promptly to ensure the latest security patches are installed.
  • Docker Image Scanning: AWS ECR (Elastic Container Registry) is used as a docker container registry with the "scan on push" feature enabled to scan docker images for vulnerabilities.
  • Eskuad Application: Monitored for vulnerabilities and updated in a timely fashion.

Backups and Availability Control

A data backup and recovery capability is in place to ensure a timely restoration of the Eskuad Services, with minimal data loss, in case of catastrophic failure. Specifically, automatic backups for MongoDB Atlas are enabled and conducted weekly with a retention period of two weeks. Additionally, configurations of AWS ALB, NAT gateway, and internet gateway are snapshotted monthly with a retention period of 30 days. Disaster recovery plans include deploying the production cluster in another AWS region if the AWS Availability Zone hosting the EKS cluster or any other critical component becomes unavailable. 

In the case of AWS S3, versioning is enabled on critical buckets to ensure that all versions of an object are preserved, which safeguards against both unintended deletes and updates. This feature enhances data durability and protection, allowing for easy recovery from both accidental deletion and version overwrites.

Configuration and state backups of the Kong API Gateway within the EKS environment are taken once a month.

Physical Security

Virtual Access Control

Measures to prevent unauthorized persons from accessing data processing systems include:

  • User Identification and Authentication Procedures: Implementing robust user identification and authentication procedures to ensure only authorized individuals can access the system.
  • ID/Password Security Procedures: Enforcing strong password policies, such as requiring a minimum password length, the use of special characters, and regular password rotations to maintain a high level of security.
  • Encryption of Archived Data Media: Ensuring that any data stored or archived is encrypted using robust encryption algorithms to prevent unauthorized access or disclosure.

Data Access Control

Access to the Eskuad Services infrastructure is highly restricted, with access limited to individuals such as engineers, data scientists, product managers, and support personnel who need access to perform their jobs. All access to the infrastructure is logged and requires the use of strong passwords and multi-factor authentication. Differentiated access rights and control authorization schemes are in place, with monitoring and logging of accesses. Roles align with responsibilities, and fine-grained IAM policies grant permissions to ensure least privilege access to AWS resources. In addition, the MongoDB Atlas is secured through IP whitelisting and Role-Based Access Control (RBAC) to ensure only authorized personnel can access the database.

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such data in accordance with their access rights, and that data cannot be read, copied, modified, or deleted without authorization, include:

  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions, and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access personally identifiable information without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure;
  • Deletion procedure

Disclosure Control

Technical and organizational measures ensure that customer data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage. These measures include:

  • Encryption/tunneling
  • Logging
  • Transport security

Entry Control

Measures to monitor whether the customer data have been entered, changed, or removed, and by whom, from data processing systems include:

  • Logging and reporting systems.
  • Audit trails, and documentation.