Encryption
Data Encryption at Rest and in Transit
Mago adheres to NIST standards for encryption, protecting data both at rest and in transit. With AES-256 encryption for data at rest and TLS 1.2 or higher for data in transmission, you can be assured that your data is secured to industry standards, globally.
Key Management
The Mago key management infrastructure is designed with operational, technical, and procedural security controls, with very limited direct access to keys. Encryption key generation, exchange, and storage are distributed for decentralised processing.
File Encryption Keys
File encryption keys are created, stored, and protected by production system infrastructure security controls and security policies.
Internal SSH keys
Access to production systems is restricted with unique SSH key pairs. Security policies and procedures require protection of SSH keys. An internal system manages the secure public key exchange process, and private keys are stored securely.
Key Distribution
Mago automates the management and distribution of sensitive keys to only the systems that are required for operations. The key distribution system is based on Microsoft Azure Key Vault.
Managing Secrets
All secrets, such as API keys, passwords, database credentials, or certificates, are stored in a centralised system for securely accessing secrets. We never store secrets on local servers or in code repositories. Access to the secrets management system is authorised only for a small number of IT Operations engineers.
Network Security
Mago diligently maintains the security of our backend network. Our network security and monitoring techniques are designed to provide multiple layers of protection and defence. We employ industry-standard protection techniques, including firewalls, network vulnerability scanning, network security monitoring, and intrusion detection systems to ensure only eligible and non-malicious traffic is able to reach our infrastructure.
Our internal private network is segmented according to use and risk level. The primary networks are:
Internet-facing DMZ
VPN front-end DMZ
Production network
Corporate network
Access to the production environment is restricted to only authorised IP addresses and requires key authentication on all endpoints. IP addresses with access are associated with the corporate network or approved Re Mago personnel. Authorised IP addresses are reviewed on a quarterly basis to ensure a secure production environment. Access to modify the IP address list is restricted to authorised individuals.
Traffic from the internet destined for our production network is protected using multiple layers of firewalls and proxies. Mago identifies and mitigates risks via regular network security testing and auditing by both dedicated internal security teams and third-party security specialists.