Cloud Provider Accounts
The regular Managed Service for TimescaleDB (MST) services are hosted under cloud provider accounts controlled by MST. These accounts are managed only by MST (eg Timescale and Aiven) operations personnel and customers cannot directly access the cloud provider account resources.
Each Managed Service for TimescaleDB service consists of one or more virtual machines, which are automatically launched to the target cloud region chosen by the customer. In cloud regions that have multiple Availability Zones (or a similar mechanism), the virtual machines are distributed evenly across the zones in order to provide best possible service in cases when an entire Availability Zone (may include one or more data centers) goes unavailable.
Service-providing virtual machines are dedicated for a single customer, i.e. there is no multi-tenancy on a VM basis, and the customer data never leaves the machine, except when uploaded to the offsite backup location.
Virtual machines are not reused and will be terminated and wiped upon service upgrade or termination.
Managed Service for TimescaleDB at-rest data encryption covers both active service instances as well as service backups in cloud object storage.
Service instances and the underlying VMs use full volume encryption using LUKS with a randomly generated ephemeral key per each instance and each volume. The key is never re-used and will be trashed at the destruction of the instance, so there's a natural key rotation with roll-forward upgrades. We use the LUKS default mode aes-xts-plain64:sha256 with a 512-bit key.
Backups are encrypted with a randomly generated key per file. These keys are in turn encrypted with RSA key-encryption key-pair and stored in the header section of each backup segment. The file encryption is performed with AES-256 in CTR mode with HMAC-SHA256 for integrity protection. The RSA key-pair is randomly generated for each service. The key lengths are 256-bit for block encryption, 512-bit for the integrity protection and 3072-bits for the RSA key.
MST-encrypted backup files are stored in the object storage in the same region where the service virtual machines are located.
Customer access to provided services is only provided over TLS encrypted connections. There is no option for using unencrypted plaintext connections.
Communication between virtual machines within Managed Service for TimescaleDB is secured with either TLS or IPsec. There are no unencrypted plaintext connections.
Virtual machines network interfaces are protected by a dynamically configured iptables-based firewall that only allows connections from specific addresses both from the internal network (other VMs in the same service) or external public network (customer client connections). The allowed source IP addresses for establishing connections is user controlled on per-service basis.
Networking with VPC Peering
When using VPC peering, no public internet based access is provided to the services. Service addresses are published in public DNS, but they can only be connected to from the customer's peered VPC using private network addresses.
The service providing virtual machines are still contained under MST provider accounts.
Normally all the resources required for providing a Managed Service for TimescaleDB service are automatically created, maintained and terminated by the MST infrastructure and there is no manual MST operator intervention required.
However, the MST Operations Team has the capability to securely login to the service Virtual Machines for troubleshooting purposes. These accesses are audit logged.
No customer access to the virtual machine level is provided.
Customer Data Privacy
Customer data privacy is of utmost importance at MST and is covered by internal Security and Customer Privacy policies as well as the strict EU regulations.
MST operators will never access the customer data, unless explicitly requested by the customer in order to troubleshoot a technical issue.
MST operations team has mandatory recurring training regarding the applicable policies.
Periodic Security Evaluation
Managed Service for TimescaleDB services are periodically assessed and penetration tested for any security issues by an independent professional cyber security vendor.