MemCachier Security

Last Revised: November 14, 2016

MemCachier Overview

MemCachier is a managed caching service used by organizations of all sizes to store and retrieve cached data for their applications throughout the world. Our service allows you to focus on your application development and not worry about running and/or optimizing your caching database.

MemCachier applies security best practices and manages service security so customers can focus on their business. Our service is designed to protect customers from threats by applying security controls at every layer from physical to application, isolating customer applications and data, and rapidly deploying security updates without customer interaction or service interruption.

MemCachier’s Commitment to Trust

MemCachier's founding team includes two Stanford PhD students who spent their graduate years working on security and privacy for web applications. We care deeply about privacy, security and customer rights in the digital age.

Vulnerability Reporting

For any security inquiries, please open a support ticket.

Security Assessments and Compliance

Data Centers

MemCachier’s physical infrastructure is hosted and managed within the same data center as your application, or in the data center of your choosing at cache creation. We currently use the following data center providers:

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Google Cloud Compute
  • Rackspace

Customers who sign up with us through Heroku have their caches hosted on AWS. All our hosting partners apply careful security practices; please refer to their websites for more information.

PCI

We use PCI compliant payment processor Stripe for encrypting and processing credit card payments. MemCachier’s infrastructure providers are PCI Level 1 compliant.

Penetration Testing and Vulnerability Assessments

MemCachier performs its own penetration testing at this time. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team.

Physical Security

MemCachier utilizes ISO 27001 and FISMA certified data centers managed by Amazon, Microsoft, Google and Rackspace. Each of our partners has many years of experience in designing, constructing, and operating large-scale data centers. Their data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Network Security

Firewalls

Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.

DDoS Mitigation

Our infrastructure provides DDoS mitigation techniques, including TCP SYN cookies and connection rate limiting, in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth.

Spoofing and Sniffing Protections

Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface that it is not addressed to. MemCachier supports encrypted connections with mutual authentication to further mitigate risk at all levels.

Data Security

A MemCachier cache is hosted on a shared, multi-tenant database that keeps all data in memory, never writing it to disk or elsewhere. Each cache requires a unique username and password that is only valid for that specific cache and is unique to a customer. MemCachier supports using multiple unique username and password pairs to access a single cache to allow rotation of credentials in the event of them becoming known by an untrusted party.

MemCachier is designed to only be accessed by applications running in the same datacenter as their multi-tenant database. All infrastructures we work with provide highly secure networks that cannot be attacked through spoofing or man-in-the-middle. This removes the need for encryption or authentication of connections.

MemCachier also optionally supports using SSL for connections, with mutual authentication, if the customer desires the extra security, or to access their cache outside the datacenter.

Stored data can be encrypted by customer applications in order to meet data security requirements. Customers can implement data storage, key management, and data retention requirements when developing their application.

System Security

System Configuration

System configuration and consistency are maintained through standard, up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once the new systems are deployed, existing systems are decommissioned and replaced with the up-to-date systems.

System Authentication

Operating system access is limited to MemCachier staff and requires username and key authentication. Operating systems do not allow password authentication to prevent password brute force attacks, theft, and sharing. Only MemCachier staff with a need to access a system are given access.

Vulnerability Management

Our vulnerability management process is designed to remediate risks without customer interaction or impact. MemCachier is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to MemCachier’s environment, ranked based on risk, and assigned to the appropriate team for resolution.

New systems are deployed with the latest updates, security fixes, and MemCachier configurations, and existing systems are decommissioned as customers are migrated to the new instances. This process allows MemCachier to keep the environment up-to-date.

To further mitigate risk, each component type is assigned to a unique network security group. These security groups are designed to only allow access to the ports and protocols required for the specific component type.

Backups

We do not perform any backup of customer caches. All data stored by a customer in a cache is strictly kept in the cache and in-memory at all times. Our data model is that of a cache and a cache only: do not store data in MemCachier that cannot be lost. This greatly reduces the security risks of providing our service.

Your configuration and meta-information is backed up every minute to high-durability, redundant infrastructure.

Disaster Recovery

Customer Caches

The MemCachier service is designed for stability and scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our service maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple failure regions designed for resiliency. MemCachier reviews service issues to understand the root cause and the impact to customers, and to improve the platform and processes.

Customer Data Retention and Destruction

You have the freedom to define what data your cache stores and the ability to purge data from your cache to comply with your data retention requirements. If you deprovision a cache, we update the access control list to prevent any future access to the data, and remove the stored data from memory over the next several days, after which the data is unrecoverable.

Decommissioning hardware is managed by our infrastructure providers using processes designed to prevent customer data exposure.

Privacy

MemCachier has a published privacy policy that clearly defines what data is collected and how it is used. MemCachier is committed to customer privacy and transparency.

We take steps to protect the privacy of our customers and protect data stored within the platform. Some of the protections inherent to MemCachier’s service include authentication, access controls, data transport encryption, HTTPS and the ability for customers to encrypt stored data. For additional information see: MemCachier Privacy Policy.

Access to Customer Data

MemCachier staff does not access or interact with customer data or applications as part of normal operations. There may be cases where MemCachier is requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by MemCachier staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time.

Employee Screening and Policies

As a condition of employment all MemCachier employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.