AWS security model
AWS built-in security
Amazon offers extensive security documentation on its website. Highlights include information on DDoS prevention and Database Security. Here™ leverages these managed services at all layers of its application stack, including Amazon’s VPCs, storage solutions and Docker Container Orchestration (ECS).
AWS security practices
The Here™ deployment environment follows AWS security best practices. Critical computing resources run in a private subnet, with controlled SSH access and limited inbound firewall scope. All AWS access is restricted to users with MFA enabled and least-privilege policies applied.
Here™ has real-time alerting and monitors in place to ensure staff are aware of changes to the infrastructure or resource issues. Duplicate sandbox environments are available to enable testing. All backing static assets for the Here™ CDN are geo-replicated to a west-coast datacenter and can be available via a direct HTTPS URL without edge termination. Additionally, all databases are backed up daily, available across multiple datacenters and encrypted at rest.
Asset security
Every time a Here™ product is built, the CI (continuous integration) process ensures that the executables are digitally signed and have a valid certificate from Comodo. The Here™ CDN uses an SSL connection to protect against man-in-the-middle attacks. Additionally, the Here Core RVM (Runtime Version Manager) verifies that the files are signed and valid. If the files are not valid, the RVM prevents them from starting up on the desktop.
To ensure Here™ files are compatible with various cybersecurity software, the CI process runs a VirusTotal scan, and alerts are generated if there are any false-positive detections.
Both the VirusTotal scan results and a SHA-256 checksum of Here™ assets can be found on our versions page.
Have questions? Get in touch with us at support@here.io.