Yapster security practices

Updated 11 April 2017

Yapster high-level architecture overview

Yapster is a clustered multi-tenant back-end application with an associated iOS / Android / Web client. The back-end is currently hosted in a single AWS availability zone in Dublin.

AWS details

  • The application runs on EC2 instances with EBS block storage
    • EBS encryption on all EBS volumes
    • all EBS data is encrypted at rest
  • S3 storage is used for various customer data purposes
    • S3 Server Side Encryption is used for all customer data
    • all customer data on S3 is encrypted at rest
    • low-risk files (e.g. uploaded user pictures) are stored in unauthenticated S3 buckets, with unguessable (content-addressed) URLs
    • high-risk files (e.g. PII user-data imports and exports) are stored in protected S3 buckets, with access only proxied via the Yapster API
  • ELB load balancers
    • The ELB load-balancers are the only public route to the Yapster API
    • The ELB load balancers terminate TLS
    • There is a single open port 443 HTTPS with a minimum of TLSv1 (SSLv3 is *not* permitted)
    • All data moving from the client to the back-end and vice-versa is encrypted in transit
  • AWS VPC & firewall
    • All Yapster EC2 resources deployed within an AWS VPC
    • Inbound traffic is only permitted from within the VPC, from the ELB, and on admin port 22
    • port 22 is SSH private-key-only admin access
    • Inside the VPC firewall perimeter, intra-VPC traffic is unencrypted

Cluster details

The Yapster back-end consists of the following services: API, Streaming, Storage, Persistent Messaging, Transient Messaging. The services are deployed on EC2 instances running Ubuntu 14.04 LTS. Some of the services are deployed with Apache Mesos, Apache Marathon and Docker, and some are run natively.

  • API
    • Clojure - Netty / aleph / yada
  • Streaming
    • Clojure - Onyx
  • Storage
    • Apache Cassandra - DataStax Enterprise
    • Cassandra is Yapster's primary datastore
    • Nightly backups to S3
    • Access to Cassandra is limited to the Yapster VPC by firewall
  • Apache Kafka
    • Kafka is Yapster's primary messaging store
    • Access to Kafka is limited to the Yapster VPC by firewall

App details

  • Apache Cordova / React / ClojureScript / Reagent / re-frame

Authentication details

  • All external access to Yapster is via the API
  • Authentication to the API is via revocable signed JWT tokens
    • revocation is by de-registering (on the back-end) an id asserted within the token
    • JWT tokens may also be time-limited
  • JWT tokens may be issued directly to a user
    • such tokens will remain valid until the user is de-activated or all their tokens are revoked
  • JWT tokens may be issued to a device address
    • an email address belonging to a user
      • the email address may be associated with the user either by the enterprise or a trusted manager
    • a mobile phone number belonging to a user
      • the mobile phone number may be associated with the user either by the enterprise or a trusted manager
    • JWT tokens issued to a device address will be revoked if the device address is deregistered from the user
  • A delegated auth principal may have rights to request JWT tokens on behalf of users
    • delegated auth principals have an id and share a secret with Yapster
    • JWT tokens issued by an auth principal are revoked if that principal is disabled or removed
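The token model above (a signed JWT carrying an id that the back-end can de-register, optional expiry, and revocation when the issuing principal is disabled) as an added illustration; this is not Yapster's code. It assumes HS256 signing with a constructed secret, and in-memory sets standing in for the back-end's registry of de-registered token ids and disabled principals.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed; a real deployment keeps this out of source
REVOKED_IDS = set()                   # token ids de-registered on the back-end (stand-in)
DISABLED_PRINCIPALS = set()           # delegated auth principals that have been disabled (stand-in)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(token_id, subject, issuer="yapster", ttl_seconds=None):
    """Issue an HS256 JWT; 'jti' is the id the back-end can later de-register,
    'iss' names the principal that requested it, 'exp' is set only if time-limited."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"jti": token_id, "sub": subject, "iss": issuer, "iat": int(time.time())}
    if ttl_seconds is not None:
        claims["exp"] = claims["iat"] + ttl_seconds
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def revoke(token_id):
    REVOKED_IDS.add(token_id)

def disable_principal(principal_id):
    DISABLED_PRINCIPALS.add(principal_id)

def verify_token(token, now=None):
    """Return the claims if signature, expiry, token-id and issuer checks all pass, else None."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # reject 'none' and algorithm substitution
            return None
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                           # signature check before trusting any claim
        claims = json.loads(_b64url_decode(c))
    except ValueError:                            # malformed base64 / JSON / segment count
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None                               # time-limited token has lapsed
    if claims.get("jti") in REVOKED_IDS:
        return None                               # id de-registered on the back-end
    if claims.get("iss") in DISABLED_PRINCIPALS:
        return None                               # issuing principal disabled or removed
    return claims
```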