Platform Security
Discover how Artifakt guarantees the most secure platform to host your web applications.
Each Artifakt workspace uses its own Cloud account, which means that your web application, source code and data are completely isolated from the applications of other Artifakt clients.
Each Artifakt environment has its own resources and is isolated from other environments using different security groups.
Platform isolation
A Web Application Firewall (WAF) is a security layer enabled at the network provider level. This firewall is on top of each platform we provide and cannot be disabled.
The WAF helps protect your applications by filtering and monitoring HTTP traffic coming from the Internet. It strives to detect unusual patterns and specific behaviors. If you want to know more about the WAF please refer to the dedicated page.
Please note that at this time it is not possible to swap our provider with yours.
Artifakt Console, API and underlying platform are evaluated by an external cybersecurity company yearly to find and resolve any security breaches.
Each service (MySQL, Redis, etc.) is private and cannot be accessed from outside the platform. Only services located in the same environment can access the other services. In addition, only the necessary ports are opened to reduce potential attack surface.
By default all outbound accesses are allowed on all components.
Inbound accesses vary depending on the component:
- Web Servers – Accesses are limited to traffic coming from our network provider Cloudflare and to the following protocols on their standard ports: HTTP (TCP/80), HTTPS (TCP/443)
- SSH – Administrative access through SSH is granted only based on allow list defined in the console.
- MySQL – Accesses are only allowed from inside the platform. No direct access from Internet is possible. Only the standard port TCP/3306 is open.
- Redis – Accesses are only allowed from inside the platform. No direct access from Internet is possible. Only the standard port TCP/6379 is open.
- Elasticsearch – Accesses are only allowed from inside the platform. No direct access from Internet is possible. Only the standard port TCP/9200 is open.
Audit logs are provided in the Artifakt Console to track all actions taken by members of the Workspace. This can help with compliance, audit and security practices.
Audit logs are accessed at the workspace level and contain logs for all projects within that workspace.
To access the audit logs, go to Workspace → Activity.
Activity
Every action taken at the Workspace, Project or Environment level is logged. Actions are defined as anything that enforces a change to either the Workspace, Project or Environment.
Please note that general access logs (e.g 'John accessed Environment Settings') are not logged.
Logs are displayed for the last 3 months of actions.
Access to audit logs are reserved for Workspace Admin members only.
For each environment deployed using Artifakt runtimes, an auto-update mechanism is built-in. Auto-update automatically updates system and application layer and fix bugs and security flaws.
Artifakt provides several managed runtimes allowing you to stay focus on your code and delivery features. We take care of the updates and security patches when you uses our standard runtimes.
Runtimes updates are generated automatically as soon as they are published by their editors (generally within the next week) and a dedicated team is responsible for verifying and testing them before we use them in production. Runtimes generated are published through our GA channel after this manual review.
Only versions supported by their editors are available as supported runtimes.
- Major – Potential functionalities break or behavior change.
- Minor – New functionalities, keep compatibility and no breaking changes.
- Patch – Bug fixes or Security fixes, fully compatible with the existing version.
Patch versions are upgraded frequently and at least 6 months after their release. Security updates are auto-applied 30 days after the fix is published.
Minor versions are automatically upgraded to the next minor version when their maintenance window expire.
Major versions are never automatically upgraded, you should upgrade by yourself. When a major version has expired (end of life by the editor), Artifakt no longer supports these versions. Then you have the choice to:
- Upgrade to the new major release version (recommended)
- Continue using this version by dropping your runtime from "Standard" to "Custom"
- Continue using the deprecated version of the "Standard" runtime channel (strongly discouraged, compatibility may be removed at any time incurring a production downtime in case of an update or a scaling)
Custom runtimes (Scalable only) are not automatically upgraded. Only underlying hosts and system are upgraded. In that case you need to check the security and update policies of your environments.
The underlying infrastructure hosting your runtimes is kept up-to-date and security fixes are applied daily. This has no impact on your workloads as we have maintenance windows defined and workloads are automatically migrated from a host to another before running the needed updates.
To ensure optimum security, the Artifakt platform supports encryption at various levels on the infrastructure. We may distinguish between encryption in transit and at rest for each component.
Network encryption refers to the capacity to use SSL/TLS methods to encrypt the traffic in-transit between storage and consumer.
Network | Encryption |
Platform entrypoint | |
Elastic shared storage endpoint | No (planned) |
Database | Yes |
Redis | No |
Elasticsearch | Yes |
Storage encryption depends on the kind of platform, some are encrypted, and some will be encrypted soon.
Storage | Encryption |
Platform local storage | Yes |
Elastic shared storage | Yes |
Database | Yes |
Redis | Yes |
Elasticsearch | Yes |