Cloud Infrastructure Security
TSI prioritizes the security of its cloud infrastructure to ensure the availability, integrity, and confidentiality of its platform and user data. We employ a comprehensive set of security measures across various layers, including network security, access control, vulnerability management, and secure configuration.
Network Security
DDoS Protection: TSI utilizes AWS WAF (Web Application Firewall) and CloudFront to mitigate Distributed Denial of Service (DDoS) attacks, ensuring platform availability even under high traffic loads.
Rate Limiting: Rate limiting is implemented to prevent abuse and further mitigate potential DDoS attacks by restricting the number of requests from any single source.
DNSSEC: DNSSEC (Domain Name System Security Extensions) is enabled to protect against DNS spoofing and ensure the integrity of DNS records, preventing users from being redirected to malicious websites.
VPC and Security Groups: TSI utilizes Virtual Private Clouds (VPCs) for secure network segmentation and implements strict security group rules to control traffic flow within the network. This limits the impact of potential breaches and isolates sensitive components.
Access Control
IAM User Policies: Fine-grained IAM (Identity and Access Management) user policies are implemented to enforce the principle of least privilege. This ensures that users and services have access only to the resources they need to perform their tasks, minimizing the potential damage from compromised credentials.
Vulnerability Management
Penetration Testing: TSI regularly conducts penetration testing to identify potential vulnerabilities. All identified vulnerabilities are promptly remediated to maintain a high level of security.
Static Application Security Testing (SAST): SonarQube is integrated into the CI/CD pipeline to perform static code analysis and detect security vulnerabilities early in the development process. This helps prevent vulnerabilities from reaching production.
Docker Image Scanning: Regular vulnerability scans are performed on Docker images stored in AWS ECR (Elastic Container Registry) to ensure that containerized applications are free of known vulnerabilities.
Secure Configuration
Email Security: Anti-spoofing mechanisms, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance), are implemented to protect email integrity and prevent spoofing attacks.
Secret Keys Management: TSI utilizes AWS Secrets Manager to securely store and manage sensitive credentials, such as API keys and database passwords. These secrets are fetched directly within the CI/CD pipeline, minimizing the risk of exposure.
TSI is committed to continuously improving its security posture and implementing industry best practices to protect user data and platform integrity.