Toursys Best Practices and Security Information
The following section provides a detailed explanation of the infrastructure utilized by the Toursys application. Although Toursys is designed to be flexible and can be installed in any environment, we currently utilize all our resources with AWS (Amazon Web Services) to take advantage of its scalability, reliability, and comprehensive suite of cloud services.
Toursys Best Practices and Security Measures
This section explains the practices Toursys follows to keep its infrastructure secure, resilient and protected, so that users can rely on the platform and be confident that their information is safeguarded.
AWS Resources Practices: Toursys follows AWS best practices, as codified in the AWS Well-Architected Framework, to ensure a secure, high-performing, resilient and efficient infrastructure.
Web Application Firewall (WAF) in Load Balancer: Toursys load balancer includes a WAF to protect against common web exploits and vulnerabilities, such as SQL injection and cross-site scripting (XSS).
Image Scanning in ECR (Elastic Container Registry): All application images stored in ECR are scanned for vulnerabilities to ensure they are secure before deployment.
The AWS Virtual Private Cloud (VPC) is configured with clearly identified public and private subnets to segregate and secure network traffic.
Daily backups are performed and encrypted to ensure data recovery and integrity.
AWS Security Hub is used to continuously monitor and improve the security posture of our AWS account.
User Security:
AWS IAM (Identity and Access Management): Implements the least privilege strategy, ensuring users and resources have the minimum permissions necessary.
MFA for AWS Users: Multi-Factor Authentication (MFA) is required for all AWS users, with root access being used only when necessary.
Passwords must be at least 16 characters long, include symbols, numbers, uppercase, and lowercase letters, and expire every three months.
To connect to the virtual machines and databases, users must also present an access key, which prevents unauthorized connections.
A VPN is used with named users to ensure secure access to the internal network.
Encryption:
Database Encryption: All databases are encrypted to protect sensitive data.
Volume Encryption: Storage volumes are encrypted to prevent unauthorized access.
Image and File Encryption: All images and files that Toursys stores and uses are encrypted to maintain integrity and confidentiality.
Recurring Monthly Checks and Updates:
Monthly Resource Review: A third-party AWS specialist reviews our resources every month to identify and mitigate potential security risks.
EKS (Elastic Kubernetes Service): Regular updates and patches are applied to ensure the Kubernetes clusters are secure and up-to-date.
The Toursys application is updated twice a week with new features and fixes. Each update produces a new immutable image, which ensures consistency and security.
Project code repository:
The Toursys team stores all application code in Bitbucket. All code repositories are private and accessible only to named users, to protect the code.
Communication Protocols (HTTP and SSL):
Toursys prioritizes secure entry channels over HTTPS to ensure data integrity and confidentiality. All application traffic, including internal and external API connections, uses HTTPS with SSL certificates to keep communications secure.
Application Security Measures:
To enhance security, Toursys implements Multi-Factor Authentication (MFA). This requires users to provide two or more verification factors to gain access to the application, adding an extra layer of protection beyond just username and password.
Toursys also checks the IP address from which a user connects. If a user attempts to connect from an IP address that has not been used in the last 30 days, the system sends a confirmation code to the user's registered email address. This measure helps prevent unauthorized access from unfamiliar locations.
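The new-IP check described above, as an added example that is not Toursys code; the per-user login history layout, the 6-digit emailed code and the sample data are assumptions made for illustration:

```python
"""Added example: decide whether a password-verified login from a given IP
must be confirmed by an emailed code (IP not used in the last 30 days).
Assumptions (not from the Toursys page): history is user -> {ip: last login
time in UTC}; the challenge is a 6-digit code. Sample data is constructed."""
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)  # "used in the last 30 days"


def ip_needs_verification(history: dict, user: str, ip: str, now: datetime) -> bool:
    """True when `ip` has not completed a login for `user` inside the window."""
    last_seen = history.get(user, {}).get(ip)
    return last_seen is None or (now - last_seen) > WINDOW


def issue_email_code() -> str:
    """6-digit one-time code from a CSPRNG; send it by email, never log it."""
    return f"{secrets.randbelow(10**6):06d}"


def code_matches(expected: str, submitted: str) -> bool:
    """Constant-time comparison so response timing does not leak the code."""
    return hmac.compare_digest(expected, submitted.strip())


def record_login(history: dict, user: str, ip: str, now: datetime) -> None:
    """Refresh the IP's last-seen time only after a fully verified login."""
    history.setdefault(user, {})[ip] = now


# Constructed sample history for one user (RFC 5737 documentation addresses).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_HISTORY = {
    "alice": {
        "203.0.113.10": NOW - timedelta(days=5),   # recent: no challenge
        "198.51.100.7": NOW - timedelta(days=45),  # stale: challenge again
    }
}


def login_decision(history: dict, user: str, ip: str, now: datetime = NOW) -> str:
    """Return "allow" or "challenge" for a login whose password already checked out."""
    return "challenge" if ip_needs_verification(history, user, ip, now) else "allow"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.55"):
        print(ip, login_decision(SAMPLE_HISTORY, "alice", ip))
```

Only a successful code confirmation should call record_login, otherwise an attacker who fails the challenge would still refresh the 30-day window for that IP.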