Platform Security

Discover how Artifakt guarantees the most secure platform to host your web applications.

Platform Isolation

Each Artifakt workspace uses its own Cloud account, which means that your web application, source code and data are completely isolated from the applications of other Artifakt clients.

Each Artifakt environment has its own resources and is isolated from other environments using different security groups.

Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a security layer enabled at the network provider level. This firewall is on top of each platform we provide and cannot be disabled.

The WAF helps protect your applications by filtering and monitoring HTTP traffic coming from the Internet. It strives to detect unusual patterns and specific behaviors. If you want to know more about the WAF please refer to the dedicated page.

Security Audit & Evaluation

The Artifakt Console, API and underlying platform are evaluated yearly by an external cybersecurity company to find and resolve any security breaches.

Services Access

Each service (MySQL, Redis, etc.) is private and cannot be accessed from outside the platform. Only services located in the same environment can access the other services. In addition, only the necessary ports are opened, to reduce the potential attack surface.

Ports

By default, all outbound access is allowed on all components.

Inbound accesses vary depending on the component:

  • Web Servers – Access is limited to traffic coming from our network provider Cloudflare and to the following protocols on their standard ports: HTTP (TCP/80), HTTPS (TCP/443).

  • SSH – Administrative access through SSH is granted only based on the allow list defined in the console.

  • MySQL – Access is only allowed from inside the platform. No direct access from the Internet is possible. Only the standard port TCP/3306 is open.

  • Redis – Access is only allowed from inside the platform. No direct access from the Internet is possible. Only the standard port TCP/6379 is open.

  • Elasticsearch – Access is only allowed from inside the platform. No direct access from the Internet is possible. Only the standard port TCP/9200 is open.
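
One way to audit a set of inbound rules against the policy listed above, as an added example that is not Artifakt's own code. The source ranges and sample rules are constructed placeholders, and TCP/22 for SSH is an assumption, since the page names no SSH port.

```python
import ipaddress

# Inbound policy from the Ports list: component -> (TCP ports, source class).
# TCP/22 for SSH is an assumption; the page does not name the SSH port.
POLICY = {
    "web": ({80, 443}, "cdn"),
    "ssh": ({22}, "allowlist"),
    "mysql": ({3306}, "internal"),
    "redis": ({6379}, "internal"),
    "elasticsearch": ({9200}, "internal"),
}

# Constructed placeholder ranges; substitute the real values for your environment.
SOURCES = {
    "cdn": ["198.51.100.0/24"],        # stands in for Cloudflare's published ranges
    "allowlist": ["203.0.113.10/32"],  # stands in for the console SSH allow list
    "internal": ["10.0.0.0/16"],       # stands in for the environment's private network
}

def _within(cidr, allowed):
    # True only if cidr is fully contained in one of the allowed networks.
    net = ipaddress.ip_network(cidr, strict=False)
    nets = (ipaddress.ip_network(a) for a in allowed)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def audit(rules, sources=SOURCES):
    """Return (rule, reason) for every inbound rule that breaks the policy."""
    findings = []
    for rule in rules:
        component, port, cidr = rule
        entry = POLICY.get(component)
        if entry is None:
            findings.append((rule, "unknown component"))
        elif port not in entry[0]:
            findings.append((rule, "port not in policy"))
        elif not _within(cidr, sources[entry[1]]):
            findings.append((rule, f"source outside {entry[1]} ranges"))
    return findings

# Constructed sample rules: (component, TCP port, source CIDR).
SAMPLE_RULES = [
    ("web", 443, "198.51.100.0/25"),
    ("web", 80, "0.0.0.0/0"),
    ("ssh", 22, "203.0.113.0/24"),
    ("mysql", 3306, "10.0.4.0/24"),
    ("redis", 6379, "0.0.0.0/0"),
    ("elasticsearch", 9300, "10.0.4.0/24"),
]
```

Calling `audit(SAMPLE_RULES)` flags the world-open web and Redis rules, the SSH rule that is wider than the allow list, and the Elasticsearch rule on a non-standard port.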

Audit logs

Audit logs are provided in the Artifakt Console to track all actions taken by members of the Workspace. This can help with compliance, audit and security practices.

Audit logs are accessed at the workspace level and contain logs for all projects within that workspace. To access the audit logs, go to Workspace → Activity.

What is tracked?

Every action taken at the Workspace, Project or Environment level is logged. Actions are defined as anything that enforces a change to either the Workspace, Project or Environment.

Please note that general access logs (e.g., 'John accessed Environment Settings') are not logged.

How far back do the logs go?

Logs are displayed for the last 3 months of actions.

Who has access to the audit logs?

Access to audit logs is reserved for Workspace Admin members only.

Auto Update

For each environment deployed using Artifakt runtimes, an auto-update mechanism is built in. Auto-update automatically updates the system and application layers and fixes bugs and security flaws.

Standard runtimes

Artifakt provides several managed runtimes, allowing you to stay focused on your code and on delivering features. We take care of the updates and security patches when you use our standard runtimes.

Runtime updates are generated automatically as soon as they are published by their editors (generally within the next week), and a dedicated team is responsible for verifying and testing them before we use them in production. Generated runtimes are published through our GA channel after this manual review.

Only versions supported by their editors are available as supported runtimes.

We use SemVer for defining which version is major, minor, or patch:

  • Major – Potentially breaking changes to functionality or behavior.

  • Minor – New functionality that keeps compatibility, with no breaking changes.

  • Patch – Bug fixes or security fixes, fully compatible with the existing version.

Patch versions are upgraded frequently and at least 6 months after their release. Security updates are auto-applied 30 days after the fix is published.

Minor versions are automatically upgraded to the next minor version when their maintenance window expires.

Major versions are never automatically upgraded; you should upgrade them yourself. When a major version has expired (end of life by the editor), Artifakt no longer supports it. You then have the choice to:

  • Upgrade to the new major release version (recommended)

  • Continue using this version by dropping your runtime from "Standard" to "Custom"

  • Continue using the deprecated version of the "Standard" runtime channel (strongly discouraged: compatibility may be removed at any time, causing production downtime in case of an update or scaling)

Custom runtimes

Custom runtimes (Scalable only) are not automatically upgraded. Only the underlying hosts and system are upgraded. In that case, you need to check the security and update policies of your environments.

Infrastructure

The underlying infrastructure hosting your runtimes is kept up to date and security fixes are applied daily. This has no impact on your workloads, as we have maintenance windows defined and workloads are automatically migrated from one host to another before the needed updates are run.

Encryption

To ensure optimum security, the Artifakt platform supports encryption at various levels of the infrastructure. We distinguish between encryption in transit and at rest for each component.

Network encryption

Network encryption refers to the capacity to use SSL/TLS methods to encrypt traffic in transit between storage and consumer.

Network                            Encryption
Platform entrypoint                Yes (more details)
Elastic shared storage endpoint    No (planned)
Database                           Yes
Redis                              No
Elasticsearch                      Yes

Storage encryption

Storage encryption depends on the kind of platform: some are encrypted, and some will be encrypted soon.

Storage                            Encryption
Platform local storage             Yes
Elastic shared storage             Yes
Database                           Yes
Redis                              Yes
Elasticsearch                      Yes