Website Security Policy
This policy describes, at a high level, the measures we have taken to reduce the risk of this.
Higher-security approaches exist; we have chosen this one as a balance of security, convenience and cost.
- We use an Apache web server with PHP and a MySQL database, hosted on an Ubuntu operating system
- The Ubuntu operating system is set to auto-update
- Logins to the Ubuntu operating system are protected by passwords and two-factor authentication
- The web server is running on two load-balanced Amazon EC2 instances
- The EC2 security group policy allows inbound HTTP (TCP port 80) to the instances only from the EC2 load balancer, plus SSH access from a single administrative IP address
- The EC2 load balancer is located behind an AWS Web Application Firewall using the WAF policy described at: http://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/template.html
- The AWS administrative accounts are protected by passwords and two-factor authentication
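As an added example that is not part of this policy, the following Python script audits an EC2 security group's ingress rules against the two firewall rules stated above (HTTP only from the load balancer, SSH only from one administrative address), flagging any drift such as a rule open to the world. The security group ID and IP addresses are constructed placeholders; the rule layout follows the `IpPermissions` structure returned by `aws ec2 describe-security-groups`.

```python
# Added example, not from the policy page: audit an EC2 security group's ingress
# rules against the stated policy (TCP 80 only from the load balancer's security
# group, TCP 22 only from one administrative IP). The IpPermissions shape is the
# one returned by `aws ec2 describe-security-groups`; the IDs and addresses below
# are constructed placeholders.
LB_SECURITY_GROUP = "sg-0loadbalancer0000"  # assumed ID of the load balancer's group
ADMIN_IP_CIDR = "198.51.100.7/32"           # assumed administrative address (documentation range)


def check_ingress(ip_permissions):
    """Return a list of policy violations; an empty list means the group complies."""
    violations = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")          # "-1" means all protocols
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        if proto == "tcp" and ports == (80, 80):
            # HTTP must be reachable only via the load balancer, never from a CIDR
            if cidrs or groups != [LB_SECURITY_GROUP]:
                violations.append(f"port 80 allowed from {cidrs + groups}, expected only {LB_SECURITY_GROUP}")
        elif proto == "tcp" and ports == (22, 22):
            # SSH must be limited to exactly one /32 administrative address
            if groups or cidrs != [ADMIN_IP_CIDR]:
                violations.append(f"port 22 allowed from {cidrs + groups}, expected only {ADMIN_IP_CIDR}")
        else:
            violations.append(f"rule not in policy: {proto} ports {ports} from {cidrs + groups}")
    return violations


# Constructed sample: a group that matches the policy
COMPLIANT = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": LB_SECURITY_GROUP}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": ADMIN_IP_CIDR}]},
]

# Constructed sample: configuration drift that an audit should flag
DRIFTED = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # HTTP bypasses the WAF and load balancer
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},             # SSH from a whole /24, not one address
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # all traffic from a private range
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, check_ingress(rules) or "OK")
```

Running the check against the live group on a schedule (or from a CI job) turns the policy statement into something that can be verified rather than assumed.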