Our infrastructure and the Stormpath REST API are built according to architectural and API security best practices
by a team of experts – including our CTO, the Founder and PMC chair of Apache Shiro, the largest open source Java security framework.
Network Level Security
All Stormpath traffic is proxied through a Distributed Denial of Service (DDoS) attack protection layer to protect uptime in the event of a large-scale attack.
Advanced Firewall Protection
All Stormpath servers are protected by advanced firewalls designed specifically for dynamic, auto-scaling workloads.
All communication within the Stormpath system is tightly controlled. Only certain ports are open to particular types of traffic from specific IP addresses. When a server is removed from the pool by auto-scaling, its IP address is removed from the whitelist immediately.
Single Sign-On with JWT
By default, all single sign-on performed by Stormpath is implemented using a secure, signed JSON Web Token (JWT) to prevent unauthorized access to, or tampering with, authentication and user data passed between applications.
HMAC API Security
All Stormpath API requests – both the request headers and the body – are fully authenticated via HMAC algorithms with securely derived keys. This guarantees that an attacker cannot intercept and alter a request to Stormpath in transit (a man-in-the-middle attack).
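To make the guarantee concrete, here is an added example of request signing written for this page; it is not Stormpath's own signing scheme, and the scheme name, header names and key-derivation label are constructed. The client builds a canonical string from the method, path, a fixed set of headers and a hash of the body, signs it with a per-day key derived from the long-term API secret, and sends the result in an Authorization header. The server recomputes the same string, so any change to a signed header, the path or the body in transit produces a mismatch, and a timestamp window bounds how long a captured request stays valid.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional

# Headers bound into the signature and the timestamp format (both constructed for this example).
SIGNED_HEADERS = ("host", "content-type", "x-demo-date")
DATE_FORMAT = "%Y%m%dT%H%M%SZ"
SCHEME = "DEMO-HMAC-SHA256"


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v.strip() for k, v in headers.items()}


def canonical_request(method: str, path: str, headers: Dict[str, str], body: bytes) -> str:
    """Deterministic string covering method, path, the signed headers and a digest of the body."""
    h = _lower(headers)
    header_lines = "\n".join(f"{name}:{h.get(name, '')}" for name in SIGNED_HEADERS)
    return "\n".join([method.upper(), path, header_lines, hashlib.sha256(body).hexdigest()])


def derive_key(api_secret: bytes, date_stamp: str) -> bytes:
    """Per-day signing key: the long-term secret itself never signs a request directly."""
    return hmac.new(api_secret, ("demo-v1/" + date_stamp).encode("ascii"), hashlib.sha256).digest()


def sign_request(key_id: str, api_secret: bytes, method: str, path: str,
                 headers: Dict[str, str], body: bytes) -> str:
    """Client side: returns the Authorization header value for this exact request."""
    date_stamp = _lower(headers)["x-demo-date"][:8]
    mac = hmac.new(derive_key(api_secret, date_stamp),
                   canonical_request(method, path, headers, body).encode("utf-8"), hashlib.sha256)
    return f"{SCHEME} {key_id}:{mac.hexdigest()}"


def parse_date(stamp: str) -> datetime:
    return datetime.strptime(stamp, DATE_FORMAT).replace(tzinfo=timezone.utc)


def verify_request(secrets: Dict[str, bytes], authorization: str, method: str, path: str,
                   headers: Dict[str, str], body: bytes, now: Optional[str] = None,
                   max_skew_seconds: int = 300) -> bool:
    """Server side: recompute the signature and reject tampered, unknown-key or stale requests."""
    try:
        scheme, rest = authorization.split(" ", 1)
        key_id, _ = rest.split(":", 1)
        sent_at = parse_date(_lower(headers)["x-demo-date"])
    except (ValueError, KeyError):
        return False
    if scheme != SCHEME or key_id not in secrets:
        return False
    current = parse_date(now) if now else datetime.now(timezone.utc)
    if abs((current - sent_at).total_seconds()) > max_skew_seconds:
        return False  # outside the acceptance window: bounds replay of a captured request
    expected = sign_request(key_id, secrets[key_id], method, path, headers, body)
    return hmac.compare_digest(expected.encode("ascii"), authorization.encode("utf-8"))


if __name__ == "__main__":
    keys = {"demo-key-id": b"constructed-api-secret"}
    hdrs = {"Host": "api.example.test", "Content-Type": "application/json",
            "X-Demo-Date": "20240102T030405Z"}
    body = b'{"username":"alice"}'
    auth = sign_request("demo-key-id", keys["demo-key-id"], "POST", "/v1/accounts", hdrs, body)
    print(auth, verify_request(keys, auth, "POST", "/v1/accounts", hdrs, body, now="20240102T030405Z"))
```

A timestamp window limits replay but does not eliminate it; a server that must reject duplicates outright also records recently seen signatures or nonces within the window.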
Hosted User Screen Protection
All Stormpath hosted user screens (Login, Registration, Password Reset, etc.) implement Cross-Site Request Forgery (CSRF) and anti-bot submission protection to prevent a variety of attack vectors on behalf of our customers.
SSL Certificate Management
- Communication between Stormpath and its customers is secured through SSL with AES-256 encryption. Stormpath will not accept unencrypted communication.
- Communication between Stormpath subsystems and components is also secured through SSL with AES-256 encryption.
- SSL traffic is secured using Perfect Forward Secrecy (PFS), so that a session key derived from a set of long-term public and private keys is not compromised if one of the long-term private keys is compromised in the future.
Systems and Storage Level Security
Multi-factor and public key authentication are enabled and required on all infrastructure and administration tools where available and reasonably necessary.
Password Protection Algorithm
Password security algorithms are reviewed every 6-12 months. Any updates to our algorithms are applied automatically to all new end-users without any noticeable impact on our Customers’ workloads. Existing end-users are automatically migrated as they log in or reset their passwords from that point on.
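Migrating existing users "as they log in" works because a login is the only moment the server holds the plaintext password and can produce a hash under the new parameters. The following added example shows that rehash-on-login pattern; it is written for this page and is not Stormpath's password code. The stored format, the algorithm (PBKDF2-HMAC-SHA256 via the standard library) and the iteration counts are constructed for the example: a hash below the current work factor still verifies, but a successful login returns an upgraded hash for the caller to persist.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy (constructed values for the example; raise the iteration count over time).
CURRENT_ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 100_000


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Stored form: algorithm$iterations$salt_hex$digest_hex, so parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{CURRENT_ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify using the parameters embedded in the stored hash, whatever they are."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != CURRENT_ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash was made under weaker parameters than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != CURRENT_ALGORITHM:
        return True
    try:
        return int(parts[1]) < CURRENT_ITERATIONS
    except ValueError:
        return True


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify; on success return the hash the caller should persist (upgraded if needed)."""
    if not verify_password(password, stored):
        return False, stored  # never touch the record on a failed attempt
    if needs_rehash(stored):
        return True, hash_password(password)  # plaintext is in hand only now, so upgrade here
    return True, stored


if __name__ == "__main__":
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    ok, upgraded = login("correct horse battery staple", legacy)
    print(ok, needs_rehash(legacy), needs_rehash(upgraded))
```

Users who never log in again keep the old parameters, which is why the page pairs this with a forced reset path; the `needs_rehash` check also gives operators a way to count how many stored hashes still lag the current policy.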
Production Data Protection
- All credentials for production systems are stored in an encrypted data store external to our product data stores and are accessible only by a small set of named people in the organization. Access is granted only on a “must-have” basis.
- All production data is backed up on a nightly basis and encrypted to prevent unauthorized access.
End-user Credential Protection
- All end-user credentials are secured using modern password security algorithms. Passwords are never stored in plaintext, and password hashes are never shared without an explicit request from the Customer. Any such request requires that the customer pass a multi-factor authentication process over the phone.
- All end-user credentials are removed before any type of production data is integrated into any other system, to prevent unintended dissemination of password hashes. Password hashes exist only on live production servers and in encrypted backups of those servers.
Administration and Policy Level Security
Production Data Protection
- Any access to any production systems or production data is granted on a “must have” basis to named individuals within Stormpath.
- Any and all new technology and tools used for production workloads go through security review to assess known security vulnerabilities, Stormpath security requirements, and availability of multi-factor and public key authentication.
Security and Vulnerability Alert Monitoring
- We subscribe to and regularly monitor all security alerts for tools and technologies we use.
- Any new security vulnerability alert is evaluated individually and prioritized. For critical vulnerabilities that impact our production environments we initiate remediation within 24 hours of discovery.
Production Breach Alert
Upon any breach or suspected breach to Stormpath production systems, we will alert our customers within 5 business days with any known details and any actions we or our customers will need to take to resolve the issue, assess impact, and potentially alert end-users.
Stormpath was built to handle massive scale: millions of users, extreme traffic spikes, and fast response times. We strive for 100% availability and provide a high-availability service with a low-latency multi-zone cloud infrastructure:
- Highly available, clustered data stores with double or triple redundancy
- Redundant availability monitoring systems, staffed 24/7
- Maintenance and upgrades based on rolling version deployments for seamless upgrades/releases
- Automated deployments with the latest systems automation and configuration management tools
- DoS (Denial of Service) monitoring and protection
If you ever decide you want to move your data from Stormpath, for whatever reason, we have you covered. All your data remains yours and is 100% accessible at any time, via the API. We will never lock you in. All encryption methods use the latest open standards and are fully open to peer review and all customers. We do not advocate ‘security through obscurity’.
Stormpath’s dedication to transparency and openness is reflected in our status page, status.stormpath.com, and our support contact: [email protected]. If you want to discuss any of this in further detail, we are happy to talk!