Security Architecture

Overview of Spotinst Inc.

KEEPING OUR USERS’ DATA PRIVATE IS AN ESSENTIAL ASPECT OF OUR BUSINESS

Spotinst’s security engineers have invested an enormous amount of time and energy into the establishment of robust security practices. Our security strategy and architecture have been designed in cooperation with the Amazon Web Services SaaS security team. With attention focused on the highest compliance regulations and following industry best practices, Spotinst provides robust security to all of our customers.

DATA ENCRYPTION

Sensitive data is encrypted at every step:

  1. Spotinst never receives or transmits unencrypted account information. Spotinst first encrypts data within the browser, then re-encrypts that data with an even more secure algorithm (GPG RSA 3072-bit) once it reaches our servers.
  2. Only a specialized set of servers is able to read the encrypted blobs.
  3. Web traffic is limited to the strictest protocol. All web connections are sent via 256-bit DigiCert High Assurance EV CA-1 SSL.

3 STEP AUTHENTICATION

Spotinst does not store any private keys, passwords, or authentication tokens. Authentication is based on the IAM Cross Account Role & External ID only.
Figure 1 shows the process of forwarding a user request from the Spotinst SaaS platform to the customer’s AWS account.

  1. First, the customer authenticates with a secured website. All communication outside of our website is sent via 256-bit DigiCert High Assurance EV CA-1 SSL Certificate.
  2. Next, when the request reaches the Spotinst servers, the API service makes API SDK calls to the customer’s account using the IAM Cross Account Role & UUID External IDs.
  3. All calls within the customer’s account are secured via IAM Cross Account Role & UUID External IDs. This means that only Spotinst, Inc. designated AWS account IDs can access this specific IAM Role, and only with an external ID that Spotinst has generated for the customer upon their registration.
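
A customer-side check for the role setup described in steps 2 and 3, as an added example (not Spotinst's code): it builds a trust policy limited to one AWS account and a UUID external ID, then audits any trust policy for those two properties. The account ID `111122223333` is a placeholder and the function names are assumptions made for this example.

```python
import re
import uuid

VENDOR_ACCOUNT = "111122223333"  # placeholder, not a real Spotinst account ID
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def build_trust_policy(vendor_account, external_id):
    """Trust policy limiting AssumeRole to one account plus its external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """12-digit account of an AWS principal string, or None (e.g. for '*')."""
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.+)?", principal)
    return m.group(1) if m else None

def audit_trust_policy(policy, allowed_accounts):
    """List findings for Allow statements that let a role be assumed too broadly."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = set(_as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if _account_of(p) not in allowed_accounts:
                findings.append(f"statement {i}: principal {p!r} is not a designated account")
        # Condition keys are case-insensitive in IAM, so normalise before lookup.
        equals = st.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
    return findings

if __name__ == "__main__":
    good = build_trust_policy(VENDOR_ACCOUNT, str(uuid.uuid4()))  # constructed sample
    print(audit_trust_policy(good, {VENDOR_ACCOUNT}))
```

An empty list means the role can be assumed only from the designated account and only with the external ID; a role whose trust policy omits the condition is exposed to the confused-deputy problem the external ID exists to prevent.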

[Figure 1]

HYBRID ON-PREMISE ARCHITECTURE

For more security-conscious customers, Spotinst also supports Hybrid On-Premise Architectures. In this scenario, the Spotinst API service is deployed within the customer’s secured AWS account, and no credentials are stored outside of the customer’s account. The Spotinst SaaS service communicates via a designated secured URL endpoint to fetch API information.

Figure 2 explains the concept of deploying an API service within the customer’s account and exposing it through a designated HTTPS endpoint that is whitelisted for Spotinst’s servers.

[Figure 2]

STRICT SECURITY AND KEY MANAGEMENT PROCEDURES

Staff members do not have the ability to decrypt encrypted account data. Spotinst follows extensive best practices in order to keep customers’ sensitive information secure.

TEAMED WITH AMAZON WEB SERVICES

Spotinst is an official solution provider for Amazon Web Services. Find us in the AWS Partners Portal.

SECURE DATA CENTERS

Spotinst’s data is stored in Amazon Web Services data centers that have achieved ISO 27001 certification, PCI DSS Level 1 compliance, and SAS70 Type II.
Learn more about Amazon Web Services security.

If you’d like more details about our approach to security, we’d be happy to arrange a call with a member of your team. Contact us.