luroConnect employs robust security measures to protect its network, servers, and data. The high traffic stack operates within a private VPC with no public IPs, using a jump server for SSH access and an AWS Network Load Balancer for web traffic. SSH access is secured with Ed25519 keys, and passwords are disabled. Server access is restricted to necessary tools and personnel, with detailed logging and periodic key rotation.
The luroConnect dashboard uses encrypted public/private key pairs for server access, and the cloud account has 2FA enabled. All production servers are in a private VPC, with encrypted disks and secure CI/CD deployment. Database access is tightly controlled, with automatic password rotation and obfuscation of sensitive data for developers.
Additional security features include a read-only file system, extensive whitelist/blacklist management, invariant detection for site hacks, and a managed Web Application Firewall. luroConnect also supports PCI certification for customers.
Network And Cloud Security
- High Traffic Stack: Our entire stack operates within a private VPC, ensuring no public IPs are attached to any server. Web traffic is routed via an AWS Network Load Balancer and SSH is routed through a “jump” server.
- Other Stacks: SSH access is restricted to the edge, with passwords disabled by configuration. Only Ed25519 SSH keys are allowed, and the OpenSSH version is patched with the latest security fixes. Ports 80 and 443 are open for web traffic, with port 80 redirecting to port 443.
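The two bullets above describe a concrete sshd policy: password logins off, root login off, and only Ed25519 keys accepted. The script below is an added illustration (not luroConnect's tooling) of how to verify that policy from an sshd_config file: it parses the global section the way sshd does (first occurrence of a keyword wins, comments stripped, `Match` blocks out of scope) and reports every deviation. The two sample configs are constructed for the demonstration; the keyword defaults encoded in POLICY are OpenSSH's documented defaults.

```python
"""Check an sshd_config for the key-only, Ed25519-only policy described above.

Added illustration, not luroConnect's tooling. Parses the global section of an
sshd_config and reports deviations. sshd applies the FIRST occurrence of a keyword,
so the parser keeps the first value it sees; Match blocks are not evaluated here.
"""
from __future__ import annotations

# keyword (lower-cased) -> (value sshd assumes when the keyword is absent, acceptable values)
POLICY: dict[str, tuple[str, set[str]]] = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "challengeresponseauthentication": ("yes", {"no"}),   # pre-8.7 alias of the above
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}),
    "pubkeyauthentication": ("yes", {"yes"}),
}

ED25519_ALGOS = {
    "ssh-ed25519",
    "ssh-ed25519-cert-v01@openssh.com",
    "sk-ssh-ed25519@openssh.com",
    "sk-ssh-ed25519-cert-v01@openssh.com",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return keyword -> value for the global section of an sshd_config."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split(None, 1)
        if "=" in tokens[0]:                   # "Keyword=value" form
            key, value = tokens[0].split("=", 1)
        else:                                  # "Keyword value" form
            key, value = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        key = key.lower()
        if key == "match":                     # everything below is conditional
            break
        settings.setdefault(key, value.strip())  # first occurrence wins, as in sshd
    return settings


def audit(settings: dict[str, str]) -> list[str]:
    """Return a list of policy findings; an empty list means the config passes."""
    findings: list[str] = []
    for key, (default, allowed) in POLICY.items():
        value = settings.get(key, default)
        if value.lower() not in allowed:
            origin = "set to" if key in settings else "unset, defaults to"
            findings.append(f"{key}: {origin} '{value}', expected one of {sorted(allowed)}")
    algo_key = next((k for k in ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")
                     if k in settings), None)
    if algo_key is None:
        findings.append("pubkeyacceptedalgorithms: unset, sshd's default list also "
                        "accepts RSA and ECDSA keys")
    else:
        value = settings[algo_key]
        if value and value[0] in "+-^":        # +/-/^ edit the default list rather than replace it
            findings.append(f"{algo_key}: '{value}' edits the default list; check the "
                            "effective list with 'sshd -T'")
        else:
            extra = sorted(a for a in value.split(",") if a and a not in ED25519_ALGOS)
            if extra:
                findings.append(f"{algo_key}: accepts non-Ed25519 key types {extra}")
    return findings


# Constructed samples (not real luroConnect files)
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
AllowUsers deploy ops
Match Address 10.0.0.0/8
    X11Forwarding no
"""

WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)) or "OK")
```

Run it against `/etc/ssh/sshd_config` on a jump host to get the same report; because `Match` blocks are skipped, confirm the effective values with `sshd -T` when the file contains any.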


File System Security
- Disk encryption : Disks are encrypted at the AWS level
- CI/CD secures code deployment : There is no git in production servers, and code artefacts are read-only packages. For additional security, the builds are done on the customers’ cloud account and the artefacts never leave the customers’ cloud.
- File System Permissions : Ensures that any directory in which code resides is not writable, and that no code can be executed from a directory that is writable.
- 2 user hosting system: Code directories are owned by a different user than the “web” user that executes Magento code. This helps improve security by not allowing cartjack-type attacks.
- File System Scans : Scans for viruses are supported, as are more advanced scanners such as Sansec.
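The two bullets on file system permissions and the two-user hosting model define a checkable invariant: nothing the web user can write may hold code, and no code may be writable by the web user. The script below is an added illustration (not luroConnect's tooling) of a static audit of that layout. It assumes a Magento-style tree where `var/` and `pub/media/` are the only areas the web user may write, that the web user shares no group with the deploy user (so group write bits are ignored), and builds a constructed sample tree in a temporary directory to show the three kinds of finding. The web server's own refusal to execute PHP under `pub/media/` is a runtime control and is not modelled here.

```python
"""Static audit of the two-user hosting layout described above.

Added illustration, not luroConnect's tooling. Model: code is owned by a deploy user and
must not be writable by the web (PHP-FPM) user; the only areas the web user may write
(var/, pub/media/) must contain no executable code. Group write bits are ignored on the
assumption that the web user shares no group with the deploy user (an assumption of
this example).
"""
from __future__ import annotations
import os
import stat
import tempfile
from pathlib import Path

CODE_SUFFIXES = {".php", ".phtml", ".phar", ".sh"}


def is_writable_by(st: os.stat_result, uid: int) -> bool:
    """Could a process running as `uid` write to a path with this stat result?"""
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root: str | os.PathLike, web_uid: int,
               writable_areas: tuple[str, ...] = ("var", "pub/media")) -> list[str]:
    """Walk `root` and report every place the two-user invariant is broken."""
    root = Path(root).resolve()
    allowed = [root / a for a in writable_areas]
    findings: list[str] = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        in_writable_area = any(d == a or a in d.parents for a in allowed)
        if not in_writable_area and is_writable_by(d.stat(), web_uid):
            findings.append(f"DIR  {d.relative_to(root)}: writable by web user outside {writable_areas}")
        for name in filenames:
            f = d / name
            if f.suffix.lower() not in CODE_SUFFIXES:
                continue
            if in_writable_area:
                findings.append(f"CODE {f.relative_to(root)}: executable code inside a writable area")
            elif is_writable_by(f.stat(), web_uid):
                findings.append(f"FILE {f.relative_to(root)}: code file writable by web user")
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample: a mostly correct layout with three deliberate defects."""
    def d(rel: str, mode: int = 0o755) -> None:
        p = base / rel
        p.mkdir(parents=True, exist_ok=True)
        p.chmod(mode)                       # explicit mode so the umask does not matter

    def f(rel: str, content: str = "", mode: int = 0o644) -> None:
        p = base / rel
        p.write_text(content)
        p.chmod(mode)

    for rel in ("app", "app/code", "app/code/Vendor", "app/code/Vendor/Module",
                "pub", "vendor", "vendor/magento"):
        d(rel)
    d("pub/media", 0o777); d("pub/media/catalog", 0o777)   # upload area: writable is expected
    d("var", 0o777); d("var/log", 0o777)                   # runtime area: writable is expected
    d("vendor/magento/framework", 0o757)                   # defect: other-writable code dir
    f("app/code/Vendor/Module/Model.php", "<?php // application code")
    f("pub/index.php", "<?php // front controller")
    f("pub/media/catalog/image.jpg")
    f("pub/media/uploaded.php", "<?php // defect: code in the upload area")
    f("var/log/system.log")
    f("vendor/magento/framework/Foo.php", "<?php", 0o666)  # defect: web-writable code file


def demo(web_uid: int | None = None) -> list[str]:
    """Build the sample tree in a temp dir and audit it as a web user that is not us."""
    if web_uid is None:
        web_uid = os.getuid() + 1          # constructed: any uid other than the one running this
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return audit_tree(tmp, web_uid)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host, call `audit_tree("/var/www/magento", pwd.getpwnam("www-data").pw_uid)` (the path and user name are placeholders for your deployment) from a cron job or the deploy pipeline, and treat any non-empty result as a failed deploy.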
Tool Access – luroConnect Dashboard
- Access Method: The luroConnect tools access servers using a public/private key pair. Private keys are encrypted and stored securely.
- luroConnect dashboard : All commands are executed on customers’ servers. The dashboard only connects to the server to execute commands. Audit trail with each command is retained.
- Role based Access Control with 2FA : luroConnect dashboard access is with 2FA. In addition, access to functions is enabled on a per user basis, allowing for a fine grained RBAC.
- luroConnect’s own Cloud Account: The cloud account hosting the tool server has 2FA access and is available to one designated person at luroConnect.


Backup and Disaster Recovery
- Backups: Nightly backups are encrypted and stored securely.
- Database Read-only Replica: A read-only replica of the database is updated in near real time.
- Obfuscation: Key customer information is obfuscated before restoring the database to developer environments or to developers if needed.
- Deletion of sensitive data: An option to only provide database backup with truncated sensitive tables on staging / development environments is available.
- Disaster Recovery: We work with each customer to understand the disaster recovery scenarios and present a solution that works for them.
Edge Security
- Web Application Firewall : luroConnect edge includes ModSecurity with the OWASP and Magento rulesets to prevent SQL injection and cross-site scripting (XSS) type attacks.
- BOT Blocking : Bot identification and blocking ensures only the required BOTS are accessing the site.
- Rate Limiting : Identified URLs are protected through rate limiting.
- IP Blocking and Whitelisting : IPs and ranges can be blocked or whitelisted.
- GeoIP Fencing : Geo restrictions are possible, with exceptions for whitelisted BOTs and IPs. The GeoIP db is updated weekly.
- Sophisticated DDOS attack protection : A new class of DDOS attacks uses fake IPs, with each IP used for only a small number of hits, thereby evading rate limiting. We have started gaining expertise in detecting and blocking these attacks.


Application Security
- Capture sensitive database content in env.php : By capturing sensitive data such as the payment gateway merchant id, secure keys, custom header HTML, etc. in the secure file system rather than the database, these fields are not vulnerable to admin account takeover attacks.
- The database invariant : luroConnect has a unique feature whereby we detect changes in specific “invariant” fields in the database and alert. Examples include admin table changes.
- Periodic Admin User list for review : A periodic list of admin users is sent to ensure admin user access is reviewed by the customer.
- Limited Access to Developers to production systems : Access to the servers, including code and database, is given only rarely and only with the permission of the customer. Access is also limited by time.
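The "database invariant" bullet and the env.php bullet above rest on the same idea: a handful of database rows (admin accounts, header and footer HTML in `core_config_data`) should only ever change through a known process, so any drift is worth an alert. The script below is an added illustration of that technique, not luroConnect's feature. It fingerprints the watched rows with SHA-256, keeps only the digests as a baseline (so the baseline never holds password hashes or secrets), and reports added, removed and changed rows. SQLite stands in for MySQL; the table and column names and the two `design/...` config paths are Magento's, the rows and the simulated changes are constructed sample data.

```python
"""Database invariant monitoring, in the style described above.

Added illustration, not luroConnect's feature. Fingerprints rows that should only change
through a known process, stores only the digests as a baseline, and alerts on any drift.
SQLite stands in for MySQL; the rows are constructed sample data.
"""
from __future__ import annotations
import hashlib
import json
import sqlite3

# (table, key column, fingerprinted columns, row filter, filter params). These are fixed
# literals, never user input, so interpolating them into SQL is safe here.
WATCHED = [
    ("admin_user", "user_id", ["username", "email", "is_active", "password"], "", ()),
    ("core_config_data", "path", ["value"], "WHERE path IN (?, ?)",
     ("design/head/includes", "design/footer/absolute_footer")),
]


def take_snapshot(conn: sqlite3.Connection) -> dict[str, str]:
    """Map 'table:key' -> SHA-256 of the watched columns (the baseline holds no raw secrets)."""
    snap: dict[str, str] = {}
    for table, key, cols, where, params in WATCHED:
        sql = f"SELECT {key}, {', '.join(cols)} FROM {table} {where}"
        for row in conn.execute(sql, params):
            digest = hashlib.sha256(json.dumps(list(row[1:]), default=str).encode()).hexdigest()
            snap[f"{table}:{row[0]}"] = digest
    return snap


def check(conn: sqlite3.Connection, baseline: dict[str, str]) -> list[str]:
    """Compare a fresh snapshot against the baseline; each alert names the drifted row."""
    current = take_snapshot(conn)
    alerts: list[str] = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            alerts.append(f"ADDED {key}")
        elif key not in current:
            alerts.append(f"REMOVED {key}")
        elif baseline[key] != current[key]:
            alerts.append(f"CHANGED {key}")
    return alerts


def demo() -> dict[str, list[str]]:
    """Baseline a constructed store, then simulate the drift an admin takeover leaves behind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT,
                             is_active INTEGER, password TEXT);
    CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, scope TEXT,
                                   scope_id INTEGER, path TEXT, value TEXT);
    INSERT INTO admin_user VALUES (1, 'owner', 'owner@example.com', 1, 'hash-constructed-1');
    INSERT INTO admin_user VALUES (2, 'ops', 'ops@example.com', 1, 'hash-constructed-2');
    INSERT INTO core_config_data VALUES (1, 'default', 0, 'design/head/includes',
                                         '<link rel="stylesheet" href="/custom.css">');
    INSERT INTO core_config_data VALUES (2, 'default', 0, 'web/unsecure/base_url',
                                         'https://shop.example.com/');
    """)
    baseline = take_snapshot(conn)
    before = check(conn, baseline)          # nothing changed yet: expect no alerts
    # Constructed simulation of unauthorised drift: a new admin account, an altered
    # contact email, an injected header tag, plus one change to an unwatched row.
    conn.executescript("""
    INSERT INTO admin_user VALUES (3, 'support2', 'x@example.net', 1, 'hash-constructed-3');
    UPDATE admin_user SET email = 'other@example.net' WHERE user_id = 1;
    UPDATE core_config_data
       SET value = value || '<script src="https://example.invalid/injected.js"></script>'
     WHERE path = 'design/head/includes';
    UPDATE core_config_data SET value = 'https://www.example.com/'
     WHERE path = 'web/unsecure/base_url';
    """)
    return {"before": before, "after": check(conn, baseline)}


if __name__ == "__main__":
    for phase, alerts in demo().items():
        print(phase, alerts or "no drift")
```

Keep the baseline outside the database (a file on the read-only code host or an external store), so that whoever can write the watched table cannot also silence the alert, and re-baseline only as part of the documented admin-change process; the periodic admin user list mentioned above is a natural moment to do so.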
Compliance and Audit – PCI / HIPAA
- AWS is a compliant environment : By hosting on your own AWS account, you inherit AWS’s compliance for PCI, HIPAA, etc.
- Compliance audits : Getting a PCI certificate requires an audit by your payment gateway. If you do not store credit card data, a questionnaire may need to be filled in and a scan may be performed. Our private VPC stack is fully compliant. Our restricted access rules make it easy to fill in the required form.


24×7 vigilance
- Analytics and alerts : luroConnect’s powerful analytics engine surfaces potential attacks that alert our engineers to investigate. The luroConnect dashboard shows many of these analytics results, such as top 10 IPs, top 10 BOTs, etc.
- Alerts with 24×7 action : Analytics and alerting sends information to our engineers who evaluate the risk and decide to act.
- White glove security : All actions with respect to security, including modifying various rules and updating whitelists and blacklists, are done through our white-glove service, available to all our customers.
- Audit trails for any changes: All modifications to the production servers are logged creating an audit trail.