Skip to main content

Security

Runlayer implements enterprise-grade security controls with a zero-trust architecture, comprehensive encryption, and advanced threat protection.

Security Architecture

Zero-Trust Model

Authentication & Authorization

Multi-Factor Authentication

  • SAML 2.0: Enterprise SSO integration
  • OIDC: OpenID Connect support
  • LDAP/AD: Active Directory integration
  • Local Auth: Built-in user management
  • MFA: Time-based OTP and hardware tokens

Role-Based Access Control (RBAC)

  • Granular Permissions: Fine-grained access controls
  • Resource-Level Security: Per-resource access policies
  • Attribute-Based Access: Dynamic access based on attributes
  • Audit Trail: Comprehensive access logging

Data Protection

Encryption

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all network communication (see SSL Certificate Management)
  • Key Management: AWS KMS with automatic key rotation
  • Database: Transparent data encryption (TDE)
For how specific credentials (OAuth client IDs/secrets, tokens, connector env vars) are stored, see How Runlayer Stores Credentials.

Data Classification

  • Sensitive Data: PII and confidential information protection
  • Data Loss Prevention: Automated data classification and protection
  • Retention Policies: Automated data lifecycle management
  • Geographic Restrictions: Data residency compliance

Network Security

Perimeter Defense

  • Web Application Firewall (WAF): OWASP Top 10 protection with AWS Managed Rules
  • WAF IP Allowlisting: Application-level IPv4/IPv6 CIDR allowlisting with CloudWatch metrics and audit trails
  • DDoS Protection: AWS Shield Advanced integration
  • Security Groups: Network-level IP restrictions at the load balancer
  • Rate Limiting: API rate limiting and throttling

WAF IP Allowlisting (ECS Deployments)

For ECS Terraform deployments, you can enable WAF-based IP allowlisting for both IPv4 and IPv6:
Benefits:
  • Audit Trail: All blocked requests logged to CloudWatch
  • Metrics: Real-time metrics for security monitoring (alb-{project}-{environment}-allowlist)
  • Compliance: Detailed request sampling for compliance requirements
  • Priority Enforcement: Blocks non-allowlisted traffic before other WAF rules execute
Note: WAF IP allowlisting is currently available for ECS deployments. EKS deployments use security group-based restrictions.

Network Segmentation

  • VPC Isolation: Private network with controlled access
  • Security Groups: Stateful firewall rules
  • NACLs: Network-level access controls
  • Private Subnets: Database and application isolation
For security group rules by tier and VPC peering to private networks, see Networking.

Compliance & Governance

Regulatory Compliance

  • SOC 2 Type II: Security and availability controls
  • GDPR: Data privacy and protection compliance
  • HIPAA: Healthcare data protection (available)
  • PCI DSS: Payment card industry compliance (available)
Public docs summarize security controls but do not host downloadable SOC 2, ISO, HIPAA, GDPR, trust-portal, BAA, or customer-reference evidence. Request those materials through your Runlayer account or security-review contact.

Security Monitoring

  • SIEM Integration: Security information and event management
  • Threat Detection: Automated threat detection and response
  • Vulnerability Scanning: Regular security assessments
  • Penetration Testing: Periodic security testing

Enterprise Security Services

For advanced security requirements, including:
  • Security Architecture Review - Comprehensive security assessment
  • Penetration Testing - Professional security testing
  • Compliance Consulting - Regulatory compliance guidance
  • Security Training - Team security awareness training
  • Incident Response - 24/7 security incident response
  • Custom Security Controls - Tailored security implementations

Enterprise Security Services

Contact our security experts for comprehensive security consulting and implementation

Security Best Practices

Access Management

  • Principle of Least Privilege: Minimal required access
  • Regular Access Reviews: Periodic access audits
  • Automated Provisioning: Just-in-time access provisioning
  • Session Management: Secure session handling

Operational Security

  • Security Patching: Automated security updates
  • Configuration Management: Secure configuration baselines
  • Change Management: Controlled change processes
  • Backup Security: Encrypted and tested backups

Monitoring & Response

  • Real-Time Monitoring: 24/7 security monitoring
  • Automated Alerting: Immediate threat notifications
  • Incident Response: Documented response procedures
  • Forensic Capabilities: Security event investigation

Security Certifications

  • ISO 27001: Information security management
  • SOC 2: Security and availability controls
  • Cloud Security Alliance: Cloud security best practices
  • NIST Framework: Cybersecurity framework compliance

Threat Intelligence

  • Threat Feeds: Real-time threat intelligence integration
  • Behavioral Analytics: Anomaly detection and analysis
  • Risk Assessment: Continuous risk evaluation
  • Security Metrics: Comprehensive security reporting
Contact our security team for detailed security assessments, compliance guidance, and custom security implementations.