Security and Operations
This document answers common security and operations questions as they apply to Synadia and the managed services it provides, including Synadia Cloud and Managed Synadia Platform.
Security
What is Synadia’s SLA for security updates?
30 days for Critical and High severity vulnerabilities, 60 for Medium severity, and 90 for Low severity, with the severity based on that of the corresponding CVE as analyzed by the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).
We have processes in place to automatically scan our systems for vulnerabilities and notify us when any are detected. We also make efforts to proactively stay on top of industry news and trends, so that we are aware of potential threats that scanners cannot see or do not yet have detection capability for, such as new 0-day vulnerabilities.
Does Synadia segregate production environments from development and testing environments?
Yes, our production environments are run in separate accounts from development and testing environments within our cloud providers. This means all networking and compute resources for these environments are completely separated from one another.
Does Synadia harden network and compute devices against attack?
Synadia does not run any physical hardware of our own for our production systems for networking, compute, storage, or any other purpose. Operating systems for all our virtual devices are hardened.
Does Synadia leverage an intrusion detection system (IDS)? Is the IDS network-based or host-based?
Synadia makes use of a network intrusion detection system which notifies us of suspicious activity, which is then investigated and addressed if necessary.
Does Synadia run antivirus software on production servers?
No. Synadia’s production server instances are re-deployed frequently using automated infrastructure-as-code systems from clean images. They are hardened systems with only necessary ports open and unnecessary packages removed.
Fundamentally, the NATS servers carry customer data without the ability to inspect it, while remaining unexposed to attack by it. To date, our analysis has been that for managed minimal Linux images, with server software written in Go, running malware scanning on these machines would actually introduce a broader attack surface than would be defended against and the risk/reward balance says that it would not currently be a benefit.
Does Synadia protect its DNS infrastructure against attack?
Synadia does not run its own DNS servers.
Does Synadia identify and control unauthorized devices connecting to its physical networks?
Synadia does not operate any physical network infrastructure.
Does Synadia properly manage legacy or non-supported technologies to reduce the risk of vulnerability exploitation in the environment?
Synadia does not operate any legacy or non-supported technologies.
Does Synadia use host-based firewalls on its servers?
All servers are subject to network firewalls (AWS Security Groups and analogous concepts in Google Cloud and Azure) which deny all traffic except what’s necessary. There is a host-based firewall on the servers, but it's used for DoS filtering only.
Does Synadia use encryption keys to encrypt data at rest on production servers?
Yes. Encrypted storage is done via cloud vendor key management, and is typically the default used by each cloud provider. At the time of this writing (May of 2024) this is AES-256-GCM for AWS, Google Cloud, and Azure.
Does Synadia monitor database access and activity to identify potentially malicious activity?
Synadia Control Plane and the Controller host both have PostgreSQL databases which are embedded within the respective containers for those services. Those databases are not accessible to anything outside of those containers, and only those specific services make use of them. There is not presently any additional monitoring of those databases.
Does Synadia make use of Two-Factor Authentication and/or Single Sign-On technologies?
Yes, both, wherever feasible.
Does Synadia restrict the use of shared accounts wherever possible?
Yes. Except in cases where a system might not allow for individual user accounts, individual accounts are required and sharing of individual accounts is prohibited by the Synadia Security Policy. This applies not just to our production environment and software, but company wide.
Does Synadia restrict access to production environments only to those with a legitimate need to access those systems?
Yes. Synadia makes use of the principle of least privilege, and only users who require production access for legitimate business purposes are granted such access.
Does Synadia have a change management process that ensures changes are analyzed for security impact and efficiently approved and tested prior to implementation?
Yes. All changes are made from infrastructure-as-code and subject to code review practices before reaching Production. Thus all changes are recorded, tested before going live, and fully tracked. Security review is a routine part of the code review process. Our systems are designed to make roll-back routinely supported, and if review highlights that something would be non-routine to roll back, then we expect a roll-back plan before deployment.
Are access reviews conducted on a regular basis?
Yes, Synadia performs regular access reviews to ensure users do not have access to systems that they do not have reason to access.
Who at Synadia has access to the system, and who can do what?
Only Synadia’s Operations team has access to the machines and to the account and/or project within the cloud provider; that access is root access to the virtual machines, and administrator access for the cloud account.
Can Synadia access customer data, and the data of the customer’s customers in a managed environment?
In theory, Synadia’s Operations Engineers with root access to the systems can access any information that is not encrypted before being put into the system. Data put into Synadia Cloud and Managed Synadia Platform is encrypted in transit to our systems, and JetStream data written to disk is encrypted via disk encryption. However, data that isn’t encrypted before being sent to Synadia’s servers is unencrypted in memory, and JetStream data on disk is unencrypted from the point of view of the operating system itself.
Operations
Does Synadia implement response and remediation capabilities when configuration deviations are identified?
Yes. We are able to re-deploy instances to known-good images, and do so regularly. Typically this is around once a month.
Does Synadia have a business continuity/disaster recovery plan?
Yes, though such a situation is unlikely, as our services generally make use of a wide global distribution and multiple cloud providers to ensure there are no single points of failure, and systems can generally be re-deployed quickly should any issues arise.
Are backups regularly created and validated for production environments?
Synadia’s ability to recover production servers is tested regularly, as recovering from a loss or other incident is the same process as deploying updated operating system images or new versions of software. However, customer data in JetStream is explicitly not backed up, and we require that customers manage replication levels and backup strategies themselves; Synadia has no visibility into that data and would not be able to validate that backups, or restoration from those backups, were successful.
How are updates and patches applied?
We periodically replace the VMs that run the managed platform with new VM images. The images are based on the Ubuntu 22.04 LTS release, and the image pipeline applies updates daily.