Secure and effective development without access to sensitive data

Executive summary

SavvyMoney is an online tool that provides users with free access to their credit score, explains the factors impacting it and gives suggestions on how it can be improved. The company's aim is to give users control of their financial health with easy-to-understand advice about credit and debt, help them monitor their credit score according to interest rates, and provide them with more economic options.

 


Challenge

The application works with sensitive data of real users, so access to it must be limited. On the one hand, all passwords for database access, API tokens and any other sensitive configuration parameters for Production instances must be stored securely, accessible only to authorized personnel, and removed from the application code.

On the other hand, there must be a way to develop and test effectively on the QA and Staging environments. This requires strict separation of the application's codebase from its configuration.

 

Solution

The wide variety of AWS services for different use cases was a key reason the SavvyMoney team chose to work with AWS. Two of them, AWS Systems Manager Parameter Store and CodeCommit, were used to overcome this challenge.

The microservices architecture is built on the Java Spring Boot framework. Each microservice is a separate REST API that performs the required business logic and runs on an EC2 instance in an Autoscaling Group. The Launch Configuration attaches an IAM role with read-only access to the Parameter Store, so a sensitive parameter is known only to the application on startup and there is no way to see it.

All sensitive configuration parameters from the classic *.properties files are moved into the AWS Parameter Store, and all *.properties files with the other parameters are moved into CodeCommit. The Spring Cloud Config service reads properties from CodeCommit, and the REST API application calls Spring Cloud Config for the required properties on startup or on an on-demand refresh. Only authorized personnel have write access to the Parameter Store and CodeCommit.


AWS Parameter Store architecture

AWS Services List

 

Element: Description

AWS CodeCommit: AWS CodeCommit repository. It contains all of the application's properties except sensitive data such as DB passwords.

AWS Parameter Store: AWS Systems Manager Parameter Store. It contains sensitive data such as DB passwords.

AWS IAM Role: AWS IAM role attached to the EC2 instance, with permission to read parameters from the Parameter Store.

AWS IAM User: AWS IAM user that has permissions to edit records in the Parameter Store. For the Sandbox/Beta environments, the development team has these permissions. For PreProduction/Production, only the account administrator has these permissions.

Amazon EC2: RESTful API, a Spring Boot 2 application launched on an EC2 instance within the Autoscaling group. On startup the app performs two actions:

  • connects to the Configuration Server to get configuration properties.
  • using the attached IAM role, connects to the Parameter Store to get sensitive parameters.
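An added example, not code from SavvyMoney or from this case study: an offline check that IAM policy documents match the access split described above (read-only instance role, developer edit rights limited to Sandbox/Beta). The account id, region, the /<env>/... parameter naming and the sample policies are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed values: account id, region and the /<env>/... naming are assumptions.
PREFIX = "arn:aws:ssm:us-east-1:111122223333:parameter"
ARN = PREFIX + "/{}/db/password"  # one probe parameter per environment
ENVS = ["sandbox", "beta", "preproduction", "production"]
RESTRICTED = {"preproduction", "production"}  # administrator-only on the page
ACTIONS = {"read": ["ssm:getparameter", "ssm:getparameters", "ssm:getparametersbypath",
                    "ssm:getparameterhistory"],
           "write": ["ssm:putparameter", "ssm:deleteparameter", "ssm:deleteparameters"]}

def _list(value):
    return value if isinstance(value, list) else [value]

def _hits(patterns, names):
    # IAM wildcards (* and ?) are treated as shell-style globs here.
    return any(fnmatchcase(n, p) for p in patterns for n in names)

def access_by_env(policy):
    """Per environment, which of "read"/"write" the Allow statements grant.
    Simplification: Deny, NotAction, NotResource and Condition are not evaluated."""
    granted = {env: set() for env in ENVS}
    for stmt in _list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _list(stmt.get("Action", []))]  # case-insensitive
        for env in ENVS:
            if _hits(_list(stmt.get("Resource", [])), [ARN.format(env)]):
                granted[env] |= {k for k, names in ACTIONS.items() if _hits(actions, names)}
    return granted

def audit(kind, policy, env=None):
    """kind: "instance" (EC2 role serving `env`) or "developer". Returns findings."""
    findings = []
    for e, kinds in access_by_env(policy).items():
        if kind == "instance" and "write" in kinds:
            findings.append(f"instance role can write {e} parameters")
        if kind == "instance" and "read" in kinds and e != env:
            findings.append(f"{env} instance role can read {e} parameters")
        if kind == "developer" and e in RESTRICTED and kinds:
            findings.append(f"developer has {'+'.join(sorted(kinds))} on {e} parameters")
    return findings

# Constructed sample policies.
SCOPED_ROLE = {"Statement": [{"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
                              "Resource": f"{PREFIX}/production/*"}]}
BROAD_ROLE = {"Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": f"{PREFIX}/*"}]}
DEV_USER = {"Statement": [{"Effect": "Allow", "Action": ["ssm:Get*", "ssm:PutParameter"],
                           "Resource": [f"{PREFIX}/sandbox/*", f"{PREFIX}/beta/*"]}]}
```

An empty result from `audit` means the policy stays within the split; `BROAD_ROLE` shows how a single wildcard statement breaks both the read-only and the per-environment boundary.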

Tools and Frameworks

The following AWS services were utilized:

  • Systems Manager Parameter Store
  • CodeCommit
  • EC2 in Autoscaling Group with Launch Configurations
  • IAM Roles 
  • Identity Access Management (IAM)
  • Virtual Private Cloud (VPC)

 

Benefits

  • The development team has no access to sensitive data in the Parameter Store and no way to see it when logged on to the EC2 instance.
  • The application code is separate from its configuration. The same application with the same codebase can be launched in different environments: Staging, QA, Production.
  • Separating parameter storage between Parameter Store and CodeCommit allows better security, handling, and maintenance.
  • Parameters from CodeCommit can be reloaded on the fly without an application rebuild or restart.
  • Parameters from Parameter Store can be reloaded without an application rebuild. A restart is required.
