|
1 | | -# Security |
| 1 | +# Cloud Security Principles |
2 | 2 |
|
3 | | -This section describes the basic security features of Quix. |
| 3 | +## Introduction |
4 | 4 |
|
5 | | -## Data in flight |
| 5 | +Quix's mission is to free developers to build, test and run next-gen applications without the hassle of managing complex technologies. We believe that we must make your data secure and that protecting it is one of our most important responsibilities. We're committed to being transparent about our security practices and helping you understand our approach. |
6 | 6 |
|
7 | | -### Authentication |
| 7 | +Quix includes a robust set of security and data protection product features that give you the control, visibility and flexibility you need to manage all your security challenges, without compromising agility. |
8 | 8 |
|
9 | | - - Our APIs are authenticated using |
10 | | - [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749){target=_blank} token. We |
11 | | - are using [Auth0](https://auth0.com/docs/protocols/protocol-oauth2){target=_blank} |
12 | | - as our provider. |
| 9 | +This document outlines how Quix helps customers configure, deploy and use the cloud service securely. |
13 | 10 |
|
14 | | - - Each Kafka server is authenticated using certificate, which is |
15 | | - provided for each project created and can also be downloaded from |
16 | | - topics view. The client is authenticated using SASL (username, |
17 | | - password). |
| 11 | +## Authentication |
18 | 12 |
|
19 | | -### Authorization |
| 13 | +Securing your information starts with identity controls, no matter where your users are located. Quix allows you to manage users, streamline authentication using your identity provider, and assign roles. We give you the solutions to ensure that only the right people can access your company's information in Quix. |
20 | 14 |
|
21 | | - - The APIs is using RBAC. You are limited in what you can do based on |
22 | | - your token and the role configured for your user. |
| 15 | +OAuth is the protocol Quix uses when you auth against our platform using Google or your preferred Identity provider. Customers are responsible for integrating and managing their identity provider (for single sign-on and provisioning) as well as assigning roles in Quix. |
23 | 16 |
|
24 | | - - Each kafka client is authrozied to only read and write to the topics |
25 | | - or query consumer group information regarding topics owned by the |
26 | | - organization the client belongs to. |
| 17 | +Data in flight is protected with Authentication (OAuth 2.0 tokens, SASL, SSL Certificates), Authorisation (RBAC) and Encryption (TLS 1.2). |
| 18 | + |
| 19 | +### Two-Factor Authentication |
| 20 | + |
| 21 | +Multi-factor authentication splits channels of an authentication process, rendering just one compromised system or device to be insufficient for use for unauthorised access. It is a widely used technique with a proven record. |
| 22 | + |
| 23 | +Customers may use Two-factor authentication to access Quix. This is welcome and encouraged, but it needs to be enforced. To request it you can write to [[email protected]](mainto:[email protected]). |
| 24 | + |
| 25 | +## Data security |
| 26 | + |
| 27 | +By default, Quix encrypts data at rest and data in transit as part of our foundational security controls. We also provide tools that give you even further protection and control. |
27 | 28 |
|
28 | 29 | ### Encryption |
29 | 30 |
|
30 | | - - All our APIs communicate with TLS 1.2 |
| 31 | +Our preferred encryption is TLS 1.3, with 1.2 allowed as a fallback. We don't support TLS 1.1 or older in any part of our platform. |
| 32 | + |
| 33 | +Older cyphers are cryptographically unsafe. We do not serve or support unsafe and weak cyphers, ensuring that our posture is in line with your standards and expectations. |
| 34 | + |
| 35 | +#### Encryption of Data in Flight |
| 36 | + |
| 37 | +Your connection to Quix is secured by the latest in TLS. We also use certificates to encrypt our in-flight traffic internally. |
| 38 | + |
| 39 | +Your traffic to and within Quix is very important to us, and that is why we keep it safe. TLS and the use of certificates at every surface where communication between computers happens ensures we drastically reduce attack vectors and the risk of data falling into the wrong hands. |
| 40 | + |
| 41 | +#### Encryption of Data at Rest |
| 42 | + |
| 43 | +Customer data at rest resides in Azure and AWS. Any persisted data is encrypted with keys managed in a safe and secure manner either by our Cloud Provider vendors or by Quix personnel, adhering to our access policies and procedures. |
| 44 | + |
| 45 | +Data saved on disk is sensitive information and we always treat it as such. |
| 46 | + |
| 47 | +## Separation of Concerns |
| 48 | + |
| 49 | +To give you even further protection and control, we architected Quix on independent environments and firewalls. Logical separation ensures that customers can only access their own data and no one else's: potential malicious usage of the service will not affect the service or data of another. |
| 50 | + |
| 51 | +### Environments |
| 52 | + |
| 53 | +Environments at Quix are hermetically sealed with no reused components between them. Development and Production environments are distinct entities with no cross-talk. |
| 54 | + |
| 55 | +The separation of these concerns allows us to deliver a Quix platform experience in a way that minimizes the chance of errors and mistakes and is a well-supported industry standard of software delivery. |
| 56 | + |
| 57 | +In case you choose to host Quix on your platform, we recommend that you follow the same practices. |
| 58 | + |
| 59 | +### Firewalls |
| 60 | + |
| 61 | +Firewalls in cloud-native infrastructure and applications work differently from how they used to in the days of monolithic apps running on bare metal servers stacked neatly in a server room. |
| 62 | + |
| 63 | +All networking technologies utilised during the delivery of the Quix Platform follow the principle of least privilege; we configure our security groups to only allow the minimum necessary traffic, and we configure our access lists to do the same. We follow industry best practices in architecting these safeguards and constantly monitor and audit them. |
| 64 | + |
| 65 | +## Employee access policies |
| 66 | + |
| 67 | +Quix employees access our key systems with multi-factor authentication enforced. This helps us verify the identity of the person accessing these services and reduce the chance of unauthorised access by way of compromised channels or devices. |
| 68 | + |
| 69 | +At Quix, systems that make up the Quix platform are only ever accessed when necessary and only by authorised personnel. We take our commitment to security and confidentiality seriously. |
| 70 | + |
| 71 | +Restricted access ensures only colleagues in the necessary roles can work on the underlying software and infrastructure stack. This, combined with audit trails built right into our processes and tooling helps us maintain the principle of least privilege, an important security practice. |
| 72 | + |
| 73 | +## Compliance |
| 74 | + |
| 75 | +Quix is aiming to meet and exceed one of the most broadly recognised security standards. |
| 76 | + |
| 77 | +### ISO-27001 |
31 | 78 |
|
32 | | -## Data at rest |
| 79 | +ISO-27001 details IT security management systems and procedures. We are currently pursuing certification under this rigorous standard while actively working towards standardising our written policies and procedures. |
33 | 80 |
|
34 | | - - Your data is encrypted at rest using cloud provider (Azure) managed |
35 | | - keys. |
| 81 | +An ISO-27001 certification is a quick and easy way to judge the general security posture of an organisation. By obtaining this certification soon, we aim to demonstrate our commitment to information security. |
36 | 82 |
|
37 | | - - Your data is phyisically protected at our cloud provider’s location. |
| 83 | +We are aiming to complete the internal audit by October 2023 and obtain the certification by the end of the calendar year 2023. |
0 commit comments