Server Security of CMS

I have had a client's IT department ask the following questions, and I think it would be great to have these answers for future requests too:

  1. What is the maintenance schedule for AU Servers and will that impact site uptime?
  2. What security measures are in place to ensure that the servers are not hackable? Are there any ports that can be infiltrated?
  3. Will EV SSL (Extended) be available for eCommerce sites or is it a planned enhancement?
  4. Is two-step verification planned for the admin console access? (I don’t know that this is actually necessary if clients set strong passwords but did say I would ask)

I’d like to have this as reference as well. This seems like it might be an @alex.n question.

I’m interested too as it’ll be a good start to the ‘Infrastructure & Security’ documentation.
Any other security/infrastructure info that can be provided would be good too.

Interested as well… should be for all data centers…

Hi everyone.
I was going to post a quick reply yesterday, but this being an important topic I thought I’d take time to answer it.
So here goes.

  1. There is no regular maintenance schedule. Security updates are applied to the servers after important and critical security patches and hotfixes are released (we’re talking mostly about OS updates). While full regular updates are good for security, they lead to downtime and can cause some instability (an update introducing bugs is nothing new, as you all know). So we apply them only as necessary, which is a standard practice for production environments targeting high availability time. You’ll get notified of all upcoming maintenance via our status page, all updates from which are mirrored to Slack, Facebook and Twitter (I suggest subscribing to and/or monitoring one of those).

  2. Some of the security measures taken: use of strong passwords, centralized password management, having a bare minimum of ports open to the internet, using IP restrictions in our backend services, forcing HTTPS and FTP over TLS, applying security patches, as was just noted, and each user’s data being separate from other users’. Besides that there is AWS, which is the platform we’re hosted on. AWS automatically filters traffic, reports suspicious activity, regularly updates blacklists, and provides substantial protection against DDoS attacks. It’s a great platform and an industry standard, among other things - in security. And of course there are regular backups to ensure that we can always recover the data.

  3. It’s early to talk about specifics, but the idea is that you’ll be able to either manually add a certificate you own or purchase a certificate from a third party via the Partner portal interface. As this feature is closely related to eCommerce, it’ll be available alongside or after it. In the meantime, we can install a certificate manually, should you need it (it may require a small fee).

  4. Yes, two-step verification is planned for the future, though it is not our focus right now, so I can’t provide you with a date when it might be released.

Overall, security is always a work in progress. Rolling out updates, abandoning legacy technologies, improving code, perfecting internal workflows, educating staff members, etc. It’s therefore difficult to cover in a forum reply.
But I hope you’ll find this answer informative.


That is fantastic feedback @alex.n and exactly what I needed to go back to the client with. I appreciate your time detailing this as it helps me better sell the security of this system, especially when IT companies have questions.