EasySend Application Infrastructure Security
Overview
Learn how EasySend encrypts all of your customers' personal data at rest, in transit, and at the application level, and understand the application infrastructure security methods EasySend uses to ensure protection from various cyber-attacks and vulnerabilities.
Application Level Encryption
EasySend encrypts all of your customers' personal data at rest, in transit, and at the application level.
EasySend ensures that your users' data is encrypted at rest, which is a key security measure for data kept on databases or in the cloud. User data encryption at rest protects users' data from unauthorized access in the event that the storage medium is compromised, guarantees regulatory compliance, and provides better security by adding an extra layer of protection against data breaches.
Application-Level Encryption (ALE) provides a robust layer of security for sensitive data by encrypting data within the application rather than solely relying on the underlying transport or at-rest encryption. The encryption mechanism is built into the application's logic and functionality, and protects data throughout its lifecycle: within the application, in transport and in short-term storage.
ALE tackles the majority of data-related threats, provides end-to-end protection for sensitive data, ensures compliance with data security standards, and decreases the attack surface while preventing data breaches by restricting access to authorized users and applications.
ALE is applied to end users’ data in the Player environment. EasySend applies an extra layer of application encryption to all data stored on the Redis cache in the Player environment. Prior to being saved to the database, all data is encrypted with AES-256. The key is held separately; therefore, client data is kept secure and cannot be compromised even if a potential attacker gains access to the Redis cache.
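The pattern described above (encrypt in the application, store only ciphertext in the cache, keep the key elsewhere) can be sketched as follows. This is an added example, not EasySend's code. The GCM mode, the function names, the `Map` standing in for Redis and the randomly generated key are all assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: in production the 256-bit key is loaded from a secrets manager
// or KMS at startup and never written to the cache. A random key stands in.
const dataKey = nodeCrypto.randomBytes(32);

// Constructed stand-in for the Redis cache. Its contents are everything that
// someone with access to the cache alone would be able to read.
const cache = new Map();

// Encrypt a value and store nonce || tag || ciphertext under cacheKey.
function putEncrypted(key, cacheKey, value) {
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per write
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(cacheKey)); // bind the record to its cache key
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(value), 'utf8'),
    cipher.final(),
  ]);
  cache.set(cacheKey, Buffer.concat([nonce, cipher.getAuthTag(), ct]));
}

// Fetch and decrypt. Returns null when the record is missing or fails
// authentication (wrong key, modified bytes, or copied under another key).
function getDecrypted(key, cacheKey) {
  const record = cache.get(cacheKey);
  if (!record || record.length < 28) return null;
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', key, record.subarray(0, 12));
  decipher.setAAD(Buffer.from(cacheKey));
  decipher.setAuthTag(record.subarray(12, 28));
  try {
    const pt = Buffer.concat([
      decipher.update(record.subarray(28)),
      decipher.final(),
    ]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample form data.
const sample = { applicant: 'Jane Example', nationalId: '000-00-0000' };
putEncrypted(dataKey, 'session:1001', sample);
```

Because the cache key is passed as associated data, a record copied from one session's key to another fails authentication instead of decrypting under the wrong session.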
Network Layer Encryption, DDoS Protection, Bot Protection, WAF
EasySend guarantees network security by implementing encryption and authentication on all levels. The application infrastructure security methods it uses ensure protection from various cyber-attacks and are kept up to date with vulnerabilities and applicable available fixes.
EasySend's servers are located on AWS's internal networks that are managed via dedicated VPNs. AWS fully monitors internal network traffic, providing substantial protection against typical network security vulnerabilities. EasySend additionally relies on AWS and Cloudflare out-of-the-box network security systems, which include an application-level firewall, DDoS mitigation, spoofing and sniffing defense, and port scanning detection and mitigation.
EasySend takes advantage of Cloudflare's enterprise CDN, which leverages caching to increase security and reduce service interruptions, while also maintaining a high level of encryption and integrity through the use of up-to-date TLS/SSL certificates and standards. The transport of users' web-based input data to the backend system is encrypted using HTTPS with TLS 1.3.
Cloudflare security also provides automatic DDoS protection, which defends against a wide range of DDoS attacks at the network and application levels, including advanced TCP and DNS protection. EasySend also employs Cloudflare's enterprise bot protection, which detects and mitigates automated traffic suspected of originating from malicious bot activity. Clients suspected of being bot traffic are presented with a human, “Captcha-like” challenge.
Cloudflare's Web Application Firewall (WAF) is utilized with EasySend’s dedicated sets of rules, which we assess for efficacy against typical threats while conducting ongoing penetration testing.
EasySend is committed to conducting frequent penetration testing, assessing application security, and patching application or open-source vulnerabilities.
Application-Internal Network Encryption
The EasySend Player application communicates with the different storage and caching services in a private IP network setup, and the internal traffic is also encrypted, as described below:
- All data managed by Redis is encrypted both in transit and at rest.
- All data in the Object Store MySQL DB is encrypted in transit and at rest.
- Amazon S3 is used for end customers’ file uploads. The files are encrypted at rest using Amazon S3’s built-in encryption feature.
- All data transferred to the application logs service (Logz.io) is strictly non-PII, and is encrypted both in transit and at rest.
User Data Encryption in Transit
EasySend employs encryption protocols in transit, including TLS 1.3/SSL for secure connections and HTTPS for web traffic, to ensure that all private and sensitive user data is protected while it is carried over the network. All communication with the EasySend platform is encrypted and cannot be read by unauthorized users during transmission.
Key EasySend communication points where user data is encrypted in transit:
- All data managed by Redis is encrypted both in transit and at rest.
- All data in the Object Store MySQL DB is encrypted in transit and at rest.
- All communication with RabbitMQ is encrypted with TLS.
- All communication with AWS Lambda is encrypted in transit using TLS.
- Encryption in transit is used in communication with Amazon S3 Assets Bucket.
- All data transferred to the application logs service (Logz.io) is strictly non-PII and is encrypted both in transit and at rest.
Ongoing Review of Security Threats & Automatic Patches
EasySend provides weekly application updates and delivers new patches as soon as new vulnerabilities are detected. EasySend utilizes various CI/CD mechanisms to ensure that no vulnerable dependency finds its way into the application’s source code.
Custom WAF Rules and Custom Rate-Limiting
(See Table 1)
EasySend’s customers who are looking to protect against more specific threats are offered an add-on package that may include two add-on features on the application level: customizable WAF rules and customizable rate-limiting for server requests; customers are encouraged to contact us to discuss the details, so that we may accommodate their specific security needs. Table 1 displays EasySend's security offering according to the purchased package.
Our custom WAF rules and custom rate-limiting capabilities are based on Cloudflare's rule parameters.
Table 1: Security Offering
Security Offering | Baseline | Addon |
CDN | V | |
User data encryption in transit | V | |
User data encryption at rest (disk encryption) | V | |
User data encryption at the application level | V | |
DDoS protection | V | |
Bot protection | V | |
WAF | V | |
SSL, latest TLS | V | |
Custom WAF rules | V | |
Custom rate-limiting | V |