Security state of mind
It’s RSA conference week here in the Bay Area, and just up highway 101 from Mountain View, San Francisco’s Moscone Center is overrun with conference exhibitors and attendees looking to buy, sell, or discover the next big thing in security. While Instart Logic doesn’t have a booth at the RSA conference, we as an organization believe in the importance of security, both for our service and for our customers, so we want to share a bit more about our approach to securing both.
Our mission is to provide our customers the fastest, most advanced website and web and mobile application delivery and streaming service in the world. Careful attention to security is important to us because it can affect whether we're successful in pursuing that mission, so we take it seriously.
Globally distributed network with massive connectivity
At the core of the Instart Logic service is a robust, globally distributed network. Our delivery locations are provisioned with dedicated connectivity from a large number of tier 1 service providers. Using that network capacity, our customers' DNS and HTTP/S traffic is distributed across our expansive network of servers and load balancers.
Robust, granular security throughout our network infrastructure
Each server, load balancer, operating system, network service and physical network connection is configured securely and protected with multifactor authentication where applicable. Our physical serving locations are located in top-tier data centers in their own locked cages.
Along with many other measures, as part of our PCI certification process, we have also taken the extra step of installing our own video cameras in each cage. Virtual serving locations are hosted by carefully screened providers with robust SLAs and strict security measures in place.
Beyond those security basics, and similarly to some classic web delivery solutions such as CDNs and ADNs, our service drops protocols other than DNS and HTTP/S at each edge node, thereby preventing potentially malicious traffic or actual attacks from reaching our customers’ servers and networks. This allows us to protect our customers from both small amounts of malicious traffic as well as from larger, potentially distributed attacks.
Next-generation anycast networking for automatic traffic distribution
We architected the Instart Logic network around anycast technology. By using anycast routing, traffic addressed to one of our IP addresses is automatically routed to the closest network location. While we made this architectural decision primarily for performance reasons, it has the additional benefit of automatically distributing malicious traffic across our entire global network. This enables us to absorb and drop much larger volumes of traffic than might otherwise be possible, especially in the case of distributed attacks which rely on focusing widespread resources on a smaller target.
And yes, that means that we can more effectively defend our customers against DoS and DDoS attacks, like those that have frequently made the news of late, all while ensuring that their websites and applications perform better than they could without our service.
World-class operations and support staff watching out for our customers
We have built up world-class Operations and Customer Success/Support teams to deploy, monitor, and support our service. Both teams have bases in North America and Asia in order to provide 24x7x365 service to our customers.
In the course of monitoring the availability, performance, and reliability of the service, the Operations team also keeps a careful eye out for any security-related activity and responds promptly when necessary. Along with normal operating procedures, standardized procedures for security incident response have been created, and our Operations and Support staff have been trained on how to deal with incidents, whether detected by Instart Logic or reported by one of our customers.
Part of the development of these procedures has been ensuring that we have relationships in place with our network providers in case upstream coordination is necessary to block malicious traffic or take other measures to ensure service availability for our customers. And, of course, our service provides a robust set of controls that allows us to block or throttle malicious IPs and sets of clients.
Engineering a secure platform
Backing up Operations and Customer Success is our Engineering team, the core of the company. To provide fast turnaround times for our regular platform software releases, the Engineering team has standardized on short release cycles managed using Scrum (an agile software development methodology). Within each release cycle, to ensure the security of the software that provides the core functionality of our service, our code is analyzed using a variety of dynamic and static code analysis tools. Vulnerability scans are then performed with the software running on live systems.
On occasions when it becomes necessary for security, stability, or performance purposes, the Engineering team has a standard rapid response process for creating software updates that can then be deployed quickly by the Operations team across our service.
As we discussed earlier, our mission is to provide our customers the fastest, most advanced website and web and mobile application delivery and streaming service in the world. Careful attention to security being vital to the pursuit of that mission, we have built it into our service from the network to the people that make up our team. The result is a robust PCI DSS-compliant distributed service that shields our customers from unsavory elements of the internet while delivering a faster, more robust experience for their customers, and broad value for their businesses.
In this post we provided a brief description of our overall security posture and philosophy. Stay tuned for further details about particular elements of the system in future posts.