Data protection
Security at all steps, all the time
Our primary focus is to safeguard the sensitive data we process on behalf of our customers. Ledidi uses a defence-in-depth approach: a layered security model that combines state-of-the-art technologies with operational security for optimum protection. Our solutions are built on the secure global infrastructure of AWS and protect data end-to-end, with encryption of data in transit and at rest combined with confidential computing to protect data in use. Industry standards are used for encryption, multi-factor authentication, logging, network configuration, backup, data restoration and attack prevention.
Development process
We adhere to industry best practices in the development process for our solutions. We follow the AWS Well-Architected guidance, which is based on international compliance programs and standards, to ensure that Ledidi’s solutions are secure, high-performing, reliable and resilient. The development process and procedures also follow OWASP SAMM (the Open Web Application Security Project’s Software Assurance Maturity Model) for a secure development lifecycle.
Encryption and confidential computing
All data is encrypted in transit and at rest (AES-256). To protect data throughout its complete lifecycle, data is also protected while in use by confidential computing on AWS EC2 instances built on the Nitro architecture. The AWS Nitro System has no operator access, and there is no mechanism for any system or person to log in to EC2 servers, read the memory of EC2 instances, or access any data stored on instance storage. For additional defence in depth, we use Graviton2-based EC2 instances with memory encryption. All communication to and from our solutions is protected by TLS 1.2. A thorough description of the Security Design of the AWS Nitro System can be found here.
Access management
A centralized authentication solution (AWS Cognito), in combination with our own product-specific authorization libraries, is used to prevent unauthorized access to the system. Each component of the solution is, by default, integrated with AWS IAM to restrict inter-component communication according to the principle of least privilege. Ledidi supports standards such as OpenID Connect and SAML for integration with other identity providers.
Password and Multi-Factor Authentication (MFA)
Ledidi enforces strong passwords and multi-factor authentication. MFA apps such as Google Authenticator can be used.
Data centres
Ledidi’s solutions run on AWS data centres located within the EEA.
Network Configuration
The components of the solutions are established and run on a separate logical network in AWS (a Virtual Private Cloud), and all components are protected by AWS security groups configured as virtual firewalls. Security groups are applied at multiple levels, so that only the components that are required to be in a specific network zone are placed in that zone. AWS WAF provides additional protection against web attacks for the resources that have to be exposed on public networks, such as the APIs.
Backup and restore
All data is backed up at regular intervals, and the solutions have built-in restore capabilities, including the possibility to rebuild in a separate cloud environment.