Amazon Web Services
Our applications are housed on Amazon Web Services (AWS) and hosted on servers located in Singapore region. The AWS cloud infrastructure has been architect-ed to be one of the most flexible and secure cloud computing environments available today. It provides a reliable, and scalable platform.
AWS infrastructure provides the following features:
- The AWS cloud infrastructure is housed in AWS’s data centers, designed to satisfy the requirements of our most security-sensitive customers. The AWS infrastructure has been designed to provide the highest availability while putting strong safeguards in place regarding customer privacy and segregation.
- The AWS infrastructure is protected by extensive network and security monitoring systems. In addition, AWS infrastructure components are continuously scanned and tested.
- AWS builds its data centers in multiple geographic regions as well as across multiple Availability Zones within each region to offer maximum resiliency against system outages. AWS designs its data centers with significant excess bandwidth connections so that if a major disruption occurs there is sufficient capacity to enable traffic to be load-balanced to the remaining sites, minimizing the impact.
- AWS provides certification reports that describe how the AWS Cloud infrastructure meets the requirements of an extensive list of global security standards, including: ISO 27001, SOC, the PCI Data Security Standard, FedRAMP, the Australian Signals Directorate (ASD) Information Security Manual, and the Singapore Multi-Tier Cloud Security Standard (MTCS SS 584).
Virtual Private Cloud (VPC)
VPC is a network layer that isolates other virtual networks in the AWS cloud. VPC comes with a security group that acts as a virtual firewall for the VPC to control inbound and outbound traffic into the individual servers. Network access control lists (ACL) is added as a second layer of defence by controlling traffic into the individual subnet. We create a public subnet for HTTP/HTTPS access to the web servers and a private subnet for the backend databases.
An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between servers in the VPC and the Internet.
S3 is a scalable, high-speed, Web-based service designed for online backup and archiving data and application programs. S3 will be used for daily backup of application data. S3 encrypts data in transit via SSL-encrypted endpoints, and data will be encrypted at rest. S3 is designed for 99.999999999% durability and up to 99.99% availability of objects over a given year. All files and secondary artefacts such as images will be stored in S3.
Amazon Relational Database Service (Amazon RDS) provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. MySQL database instances run in Amazon Virtual Private Cloud (Amazon VPC), enabling us to isolate the database instances from public access. RDS also replicates the data to a standby instance in a different Availability Zone (AZ).
Elastic Load Balancer
To achieve higher levels of fault tolerance, we deploy Elastic Load Balancing (ELB) to automatically route traffic across multiple servers and two different Availability Zones. ELB ensures that only healthy Web Servers receive traffic by detecting unhealthy instances and rerouting traffic to other healthy Web Servers in other Availability Zones.
ELB also provides SSL services that ensure that data sent over from client to servers are verified and encrypted. The ELB uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the instances.
The SSL and TLS protocols use an X.509 certificate (SSL/TLS server certificate) to authenticate both the client and the backend application. An X.509 certificate is a digital form of identification issued by a certificate authority (CA). It contains identification information, a validity period, a public key, a serial number, and the issuer’s digital signature.