Encryption
Encryption is a major component to help ensure the authenticity, integrity, and confidentiality of data in transit. The following article discusses:
- Encryption in Transit (Access, Assets, Email)
- Encryption at Rest (Assets, Data, Logs)
Key management
We use Google Cloud's Key Management System and keys are rotated every 90 days by default. Encryption keys are destroyed when the corresponding compute resource is destroyed ensuring that data becomes unreadable.
Access
iconik forces using HTTPS, HTTP2 or WSS. No authenticated connection is allowed via HTTP or WS protocols.
- iconik only uses TLS 1.2+ or QUIC.
Internal data transfer is on RFC 1918 private IP addresses in clear text within Google's secure facilities, except for multi-region replication where it is encrypted in transit.
We have audited the details such as the certificates we use and their effectiveness and that they conform to the latest standards and that we use TLS 1.2 or better with industry-standard strong encryption algorithms.
Assets
All assets that are stored in iconik provided storage are secured and encrypted using AES-256 and are transferred using either HTTPS or QUIC Protocol.
When viewing or transferring assets iconik uses time limited signed URLs which are created on request, making sure the requestor is authenticated, has the correct roles and permissions to access or upload the file being requested. This signed URL is sent to the user's browser which then downloads the file directly from the cloud bucket.
iconik's internal access to assets is authenticated internally and uses TLS.
Data
All customer data is stored with Encryption at Rest. Our internal databases and search services are backed with SSD drives with AES-256 with integrity and replicated and chunked across multiple storage devices and servers. They are encrypted using full disk encryption using AES-256 and it is not possible for customers to bring their own keys to encrypt database content.
We do not store creditcard or sensitive billing information internally, instead using Stripe to perform these services.
System disks
All compute systems involved in iconik use full-disk encryption using AES-256.
System Logs
System logs are logs which are produced by the system and are intended for our engineers to be able to monitor and trouble-shoot the different system components. System logs are stored in Google Stackdriver and are protected using AES-256 encryption.
Audit Logs
Audit logs are per-request logs which are generated by our APIs and are stored in a secure database with AES-256 encryption.
All outbound email from iconik is sent securely to a third-party email service, Sendgrid, using HTTPS. Email is sent from Sendgrid using encrypted connections if the receiving end supports this, otherwise emails are sent in clear text.
Bring your own bucket
When you add your own Storage bucket to iconik it is your responsibility to make sure that the storage meets your security needs. To make your storage more secure:
- Restrict the access that is needed by iconik to be the bare minimum that we require. We will warn you in the GUI if we don't have sufficient rights.
- Do not share the iconik Cloud storage access credentials anywhere else.
- Use our API for Cloud Storage if you require to rotate those access credentials regularly.
- Turn on audit logging, and any other security logging features for the Cloud buckets
- Make sure that the cloud storage audit logging information itself is secure, such as logging to another bucket with restricted access.
Questions
If you have any questions or concerns please email us at security@iconik.io and we will be happy to help.