Blockchain Infrastructure

Infrastructure KAIO components

Introduction

The KAIO blockchain infrastructure is the backbone of the KAIO platform. It supports the blockchain network that the smart contracts run on. Its security is essential to avoid disruption of service, loss of data, unauthorized access, and financial loss. Following best practices helps ensure the security of the KAIO infrastructure.

Architecture

An overview of the blockchain network architecture can be found here:

Blockchain Architecture

Security Considerations

Mitigating potential risks is essential to having a robust and secure infrastructure. To achieve this goal, specific security measures have been put in place.

Network Security

  • Dedicated VPC: By utilizing a dedicated VPC, the blockchain infrastructure is isolated from other AWS resources, reducing the attack surface and potential exposure to threats from other network traffic.

  • Network Segmentation: Subnets and security groups are being used to segment the network. Subnets are configured with appropriate access controls, and help organize resources. Security groups act as virtual firewalls, controlling inbound and outbound traffic to instances.

  • NACLs: Network Access Control Lists (NACLs) are used to add an additional layer of security, by controlling inbound and outbound traffic at the subnet level. They provide fine-grained control over traffic flow.

Access Control

  • Authentication: Multi-factor authentication (MFA) is used to ensure that only authorized individuals can access cloud resources. This strong authentication mechanism prevents unauthorized access to sensitive components.

  • IAM, Roles and Policies: AWS Identity and Access Management (IAM) enables granular control over who can access specific AWS resources. Roles and policies ensure that users and services only have the permissions they need.

  • Role-Based Access Control for Deployment: Deployment is done by individuals with the proper roles assigned. This enforces the principle of least privilege. Only authorized personnel can modify the infrastructure.

Node Security

  • Hardened Server Instances: The best security practices have been implemented, such as disabling root login, configuring strong passwords, and using SSH keys for authentication. This minimizes the chances of unauthorized access.

  • Regular OS and Software Updates: Operating systems and software packages are kept up to date to mitigate known vulnerabilities that could be exploited.

  • Unnecessary Services and Ports Disabled: Services and ports that are not required for the blockchain are disabled to reduce attack vectors.

Data Security

  • Encryption for Data at Rest: Data is encrypted at rest using AWS Elastic Block Store (EBS). Additionally AWS provides encryption by default for all S3 buckets. Encryption adds an extra layer of security to sensitive data stored on disk.

  • Encryption for Data in Transit: Data in transit is encrypted using certificates for all domains.

  • Backup and Disaster Recovery: There are detailed plans in place to regularly back up blockchain data and compose a well-defined disaster recovery strategy, to ensure data integrity in case of failures.

Monitoring

  • Centralized Logging: Logs from different components are consolidated, making it easier to monitor and detect abnormal activities.

  • Log Monitoring: Logs are monitored regularly for unusual patterns that might indicate security breaches or potential threats.

Patch Management

  • Patching: Software patches to address known vulnerabilities will be applied swiftly, to reduce the risk of exploitation.

  • Updated and Tested Scripts: Infrastructure as Code (IaC) running on AWS, and DevOps automation tool scripts, will be regularly updated and tested to ensure they are up to date and free of vulnerabilities.

Testing

To enhance the security of the platform, the KAIO infrastructure undergoes periodic penetration testing. These tests are essential to ensure that no new vulnerabilities are introduced during the development phase of the application. This ensures that the infrastructure remains secure throughout the development phase and the CI/CD pipeline.

Cybaverse carried out penetration testing for the infrastructure hosted on AWS. Their findings have been addressed and resolved. The latest certification is available below.

221KB
Libre AWS - Penetration Test Certification.pdf
PDF
Open
AWS penetration testing certification

Last updated