Encryption

Encryption is a major component to help ensure the authenticity, integrity, and confidentiality of data in transit. The following article discusses:

  • Encryption in Transit (Access, Assets, Email)
  • Encryption at Rest (Assets, Data, Logs)

Access

iconik forces using HTTPS, HTTP2 or WSS. No authenticated connection is allowed via HTTP or WS protocols.

  • iconik only uses TLS or QUIC.

Internal data transfer is on RFC 1918 private IP addresses, apart from multi-region replication where it is encrypted in transit.

We have audited the details such as the certificates we use and their effectiveness and that they conform to the latest standards and that we use TLS 1.2 or better with industry-standard strong encryption algorithms.

Assets

All assets that are stored in iconik provided storage are secured and encrypted using AES-256 and are transferred using either HTTPS or QUIC Protocol.

When viewing or transferring assets iconik used time limited signed URLS which are created on request, making sure the requestor is authenticated, has the correct roles and permissions to access or upload the file being requested.

iconik's internal access to assets is authenticated internally and uses TLS.

Data

All customer data is stored with Encryption at Rest. Our internal databases and search services are backed with SSD drives with AES-256 with integrity and chunked across multiple devices.

We do not store creditcard or sensitive billing information internally, instead using Stripe to perform these services.

System disks

All compute systems involved in iconik use full-disk encryption using AES-256.

System Logs

System logs are logs which are produced by the system and are intended for our engineers to be able to monitor and trouble-shoot the different system components. System logs are stored in Google Stackdriver and are protected using AES-256 encryption.

Audit Logs

Audit logs are per-request logs which are generated by our APIs and are stored in a secure database with AES-256 encryption.

Email

All outbound email from iconik is sent securely to a third-party email service, Sendgrid, using HTTPS. Email is sent from Sendgrid using encrypted connections if the receiving end supports this, otherwise emails are sent in clear text.

Bring your own bucket

When you add your own Storage bucket to iconik it's your responsibility to make sure that the storage meets your security needs. To make your storage more secure:

  • Restrict the access that is needed by iconik to be the bare minimum that we require. We will warn you in the GUI if we don't have sufficient rights.
  • Do not share the iconik Cloud storage access credentials anywhere else.
  • Use our API for Cloud Storage if you require to rotate those access credentials regularly.
  • Turn on audit logging, and any other security logging features for the Cloud buckets
  • Make sure that the cloud storage audit logging information itself is secure, such as logging to another bucket with restricted access.

Questions

If you have any questions or concerns please email us at security@iconik.io and we will be happy to help.

Learn More