Security is a critical aspect of any software, often raising many questions. In this article, we’ve compiled the key points about Kreo's security measures to address your concerns and provide clarity.
Location and jurisdiction
Kreo Software is a UK-based company, and all legal jurisdiction matters are handled in accordance with UK law.
Data storage
User data is stored on servers in Amazon (UK) and Hetzner (Germany) data centers. Both Amazon and Hetzner adhere to stringent data security measures within their facilities, including physical security of premises, fire safety, cooling and power supply, and security monitoring. Physical access to these facilities is restricted under the providers' own security procedures. Access to the rooms where developers work is controlled through key cards, and unauthorized visitors are not permitted entry.
Backup
At Kreo, we follow the 3-2-1 backup strategy. All information has two local copies, stored in different formats with different encryption methods, and a third copy stored in the AWS S3 London region.
General Principles
Kreo has an information system security policy that outlines our organization's approach to safeguarding sensitive information and maintaining security controls.
We do not currently hold an ISO 27xxx certification, but we diligently adhere to its standards and principles.
We ensure the confidentiality and integrity of data through robust encryption, access controls, and regular security audits, alongside continuous monitoring for unauthorized access or anomalies. Additionally, we implement strict data handling policies to uphold data protection standards.
Data Transit
Data exchange
Data exchanges between us and the clients are secured using industry-standard encryption protocols such as TLS (Transport Layer Security) to encrypt data during transmission. Additionally, we enforce strict access controls and authentication mechanisms to ensure that only authorized individuals can access the exchanged data, thereby safeguarding its confidentiality and integrity.
Consumer - Service
All Kreo databases are hosted within a Kubernetes cluster, so none of the Kreo databases can be connected to from outside the cluster. Kreo also stores data in AWS S3, where all the data is encrypted by AWS itself. All secrets are encrypted with the Sealed Secrets utility; these secrets can only be decrypted inside the cluster.
Within the service
Kreo Software uses a Kubernetes firewall on all cluster nodes, ensuring that only the necessary ports are open. All pages inside the cluster are served only over SSL connections. Kreo also uses network policies within the cluster, thereby controlling which pods can interact with each other.
Access control and authentication
User access rights to the application are managed through Keycloak, an identity and access management system, using role-based access control (RBAC). Users are assigned specific roles or permissions within Keycloak, which dictate their access levels to the various features and functionalities of the application.
Access is tracked. We maintain detailed logs of access attempts and activities, including user logins, file access, and system interactions. These logs are regularly reviewed and monitored by authorized personnel to detect any suspicious behavior or unauthorized access. Additionally, access permissions are strictly controlled, and only a limited number of individuals have access to the systems, ensuring accountability and traceability of all actions.
Authentication
User identification is based on unique credentials, such as login and password, as well as additional methods of identity verification. These measures provide protection against unauthorized access and ensure that only authorized persons can access the necessary resources and functionality.
Kreo supports Single Sign-On (SSO) mechanisms, offering authentication options like login through Google, LinkedIn, and Microsoft accounts. This streamlines the login process and provides users with seamless access to our services.
Currently, our application does not support two-factor authentication (2FA), but we can easily add this feature if necessary. Additionally, we already utilize security measures such as CAPTCHA and email verification to enhance login security.
Log Data
Log data includes:
Timestamps: Precise date and time of events.
User Information: User IDs, session identifiers.
Event Details: Type of event (e.g., login attempts, data access, errors).
System Information: Device or server identifiers, software versions.
Error Messages: Detailed error codes and descriptions.
Source and Destination: Origin and target of network communications.
We keep logs for 1 month; after that, they are archived and stored on AWS.
Confidentiality of the data in the logs
We ensure the confidentiality and integrity of log data by encrypting it both in transit and at rest, implementing strict access controls, and using cryptographic hash functions to detect any tampering. Additionally, we conduct regular security audits and continuously monitor log access for suspicious activities.
Vulnerability management and protective monitoring
Kreo uses Datadog to monitor our service. Datadog enables our technical team to continuously track the status and performance of various components within our infrastructure. We have configured alerts that automatically notify us of any anomalies, including new threats, vulnerabilities, or exploit methods that could impact our service.
Addressing and resolving any security or stability issues is the highest priority for the Kreo team.
Malicious behaviors and attacks
We use Datadog to track all possible user activities, including login, date, time, action, and the object of the action. All our services have request limits and notification systems in place, allowing us to quickly identify any known malicious behaviors.
Our tool for detecting malicious code is SonarQube.
DoS, DDoS, DrDoS attacks
Kreo has protection mechanisms against DoS, DDoS, and DrDoS attacks. In addition to traditional network-level protections, such as rate limiting and traffic filtering, we also utilize CAPTCHA challenges and email verification during login processes to mitigate the risk of automated attacks and unauthorized access attempts. These measures collectively strengthen our defenses against various types of cyber threats aimed at disrupting our services.
Data sanitization
We ensure data destruction by implementing secure deletion mechanisms within the application's database and file storage systems. This includes utilizing cryptographic methods or permanent deletion commands to irreversibly remove user data when requested or when it's no longer needed, following industry best practices for data sanitization.
You can also check the status on our status page: https://status.kreo.net/status/prod