Spokn Security Measures

Spokn Infrastructure

  1. Spokn uses Google Cloud Platform (GCP) to host all the needed machines, DBs and APIs.

  2. All Infrastructure is hosted inside the US.

  3. Only a single Security Group is allowed to access the whole infrastructure.

  4. The infrastructure contains 2 separate VPCs, one for Production and one for Staging.

  5. VPCs are only accessible from a single machine that is exposed to the Internet and accessible through Tunneled SSH.

  6. To access any machine, you use 2 SSH keys to reach your resource and get authenticated.

  7. Multi-Factor Authorization is used on all the systems inside GCP.

  8. All SSH keys are 2048-bit RSA.

  9. Inbound traffic to Spokn servers is managed by the Google load balancer, which includes heavy intrusion detection and prevention measures.

  10. If fake traffic is simulated to Spokn servers, it will be directly blocked by the firewall.

  11. The main Production cluster uses Google Kubernetes to manage the workloads and scale up/down when needed.

  12. All inbound communication is done over SSL; certificates are managed by Google.

Spokn Data

Spokn stores 2 types of information:

  1. Audio files, which are stored on Amazon S3
  2. Customer data, which consists of:
    1. Customer accounts, which are stored on our SQL DB Cluster
    2. Customer feeds and recommendations, which are stored on now SQL DB Cluster
    3. Customer activities, which are stored on the Time Series DB Cluster
    4. Customer analytics, which are synchronized to a 3rd-party analytics engine (Amplitude)
  3. All data saved in the DBs is encrypted at rest.
  4. Communication between DBs and application services is done within the VPC.
  5. Only authorized services have a firewall connection to the DBs.
  6. Databases are located inside the US.
  7. A daily backup of user data is saved on Google Buckets.
  8. Back-ups are encrypted and expire in 2 weeks from creation.

Spokn Access Management 

Access to the Spokn app will be through creating a profile. We permit this action through:

  1. Social Login (Facebook, Google and Apple)
    1. No password collected
    2. Once access tokens expire, users will be prompted to log in again.
    3. Most commonly used by our customer base (96%)
  2. Username and password
    1. Passwords must be at least 6 characters.
    2. Passwords are SHA2 hashed.
    3. Access is afterwards managed at the app level using the OAuth standard (access token and refresh token).
  3. SAML support with Google as IdP
    1. User identity will be collected for Enterprise users over a secured SSO standard.
    2. Only permitted data from the IdP is stored in the user profile.
    3. An access token will be assigned to this user and will be refreshed every defined time slot.

Spokn Incident Management

  1. All our systems are monitored using Stackdriver, a platform from Google.

  2. Monitors include:

    1. System Health Check <> Back-end Latency

    2. System Health Check <> CPU Utilization for K8s

    3. System Health Check <> CPU Utilization for VMs

    4. System Health Check <> Error logs rate is more than 50%

    5. System Health Check <> Hits are huge [6000 rpm]

    6. System Health Check <> K8s Pods Stability <> Restart count

    7. System Health Check <> SQL CPU / Read is high

    8. System Health Check <> Systems availability

  3. Notification Policy for all monitors:

    1. SMS for Production Engineers to check the problem

    2. Periodic notifications over a Slack channel until the incident is resolved

  4. A postmortem and incident report will be communicated to all our Enterprise customers and users.