> ## Documentation Index
> Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Security architecture and best practices for Runlayer

# Security

Runlayer implements enterprise-grade security controls with a zero-trust architecture, comprehensive encryption, and advanced threat protection.

## Security Architecture

### Zero-Trust Model

```mermaid theme={null}
graph TB
    subgraph "External"
        User[Users]
        API[API Clients]
    end

    subgraph "Security Perimeter"
        WAF[Web Application Firewall]
        ALB[Load Balancer + SSL]
        Auth[Authentication Service]
    end

    subgraph "Application Layer"
        Gateway[Gateway Service]
        RBAC[Role-Based Access Control]
        Audit[Audit Logging]
    end

    subgraph "Data Layer"
        DB[(Encrypted Database)]
        Cache[(Encrypted Cache)]
        Secrets[Secrets Manager]
    end

    User --> WAF
    API --> WAF
    WAF --> ALB
    ALB --> Auth
    Auth --> Gateway
    Gateway --> RBAC
    Gateway --> Audit
    RBAC --> DB
    Gateway --> Cache
    Gateway --> Secrets
```

## Authentication & Authorization

### Multi-Factor Authentication

* **SAML 2.0**: Enterprise SSO integration
* **OIDC**: OpenID Connect support
* **LDAP/AD**: Active Directory integration
* **Local Auth**: Built-in user management
* **MFA**: Time-based OTP and hardware tokens

### Role-Based Access Control (RBAC)

* **Granular Permissions**: Fine-grained access controls
* **Resource-Level Security**: Per-resource access policies
* **Attribute-Based Access**: Dynamic access based on attributes
* **Audit Trail**: Comprehensive access logging

## Data Protection

### Encryption

* **At Rest**: AES-256 encryption for all stored data
* **In Transit**: TLS 1.3 for all network communication (see [SSL Certificate Management](/ssl-certificate-management))
* **Key Management**: AWS KMS with automatic key rotation
* **Database**: Transparent data encryption (TDE)

For how specific credentials (OAuth client IDs/secrets, tokens, connector env vars) are stored, see [How Runlayer Stores Credentials](/mcp-security-best-practices#how-runlayer-stores-credentials).

### Data Classification

* **Sensitive Data**: PII and confidential information protection
* **Data Loss Prevention**: Automated data classification and protection
* **Retention Policies**: Automated data lifecycle management
* **Geographic Restrictions**: Data residency compliance

## Network Security

### Perimeter Defense

* **Web Application Firewall (WAF)**: OWASP Top 10 protection with AWS Managed Rules
* **WAF IP Allowlisting**: Application-level IPv4/IPv6 CIDR allowlisting with CloudWatch metrics and audit trails
* **DDoS Protection**: AWS Shield Advanced integration
* **Security Groups**: Network-level IP restrictions at the load balancer
* **Rate Limiting**: API rate limiting and throttling

#### WAF IP Allowlisting (ECS Deployments)

For ECS Terraform deployments, you can enable WAF-based IP allowlisting for both IPv4 and IPv6:

```hcl theme={null}
# Enable WAF IP allowlisting
waf_enable_ip_allowlisting = true
waf_allowlist_ipv4_cidrs = [
  "203.0.113.0/24",      # Office network
  "198.51.100.42/32",    # VPN gateway
]
waf_allowlist_ipv6_cidrs = [
  "2001:db8::/48",       # Office IPv6 range
]
```

**Benefits:**

* **Audit Trail**: All blocked requests logged to CloudWatch
* **Metrics**: Real-time metrics for security monitoring (`alb-{project}-{environment}-allowlist`)
* **Compliance**: Detailed request sampling for compliance requirements
* **Priority Enforcement**: Blocks non-allowlisted traffic before other WAF rules execute

**Note**: WAF IP allowlisting is currently available for ECS deployments. EKS deployments use security group-based restrictions.

### Network Segmentation

* **VPC Isolation**: Private network with controlled access
* **Security Groups**: Stateful firewall rules
* **NACLs**: Network-level access controls
* **Private Subnets**: Database and application isolation

For security group rules by tier and VPC peering to private networks, see [Networking](/infrastructure/networking).

## Compliance & Governance

### Regulatory Compliance

* **SOC 2 Type II**: Security and availability controls
* **GDPR**: Data privacy and protection compliance
* **HIPAA**: Healthcare data protection (available)
* **PCI DSS**: Payment card industry compliance (available)

Public docs summarize security controls but do not host downloadable SOC 2, ISO, HIPAA, GDPR, trust-portal, BAA, or customer-reference evidence. Request those materials through your Runlayer account or security-review contact.

### Security Monitoring

* **SIEM Integration**: Security information and event management
* **Threat Detection**: Automated threat detection and response
* **Vulnerability Scanning**: Regular security assessments
* **Penetration Testing**: Periodic security testing

## Enterprise Security Services

For advanced security requirements, including:

* **Security Architecture Review** - Comprehensive security assessment
* **Penetration Testing** - Professional security testing
* **Compliance Consulting** - Regulatory compliance guidance
* **Security Training** - Team security awareness training
* **Incident Response** - 24/7 security incident response
* **Custom Security Controls** - Tailored security implementations

<Card title="Enterprise Security Services" icon="shield-alt" href="mailto:support@runlayer.com">
  Contact our security experts for comprehensive security consulting and
  implementation
</Card>

## Security Best Practices

### Access Management

* **Principle of Least Privilege**: Minimal required access
* **Regular Access Reviews**: Periodic access audits
* **Automated Provisioning**: Just-in-time access provisioning
* **Session Management**: Secure session handling

### Operational Security

* **Security Patching**: Automated security updates
* **Configuration Management**: Secure configuration baselines
* **Change Management**: Controlled change processes
* **Backup Security**: Encrypted and tested backups

### Monitoring & Response

* **Real-Time Monitoring**: 24/7 security monitoring
* **Automated Alerting**: Immediate threat notifications
* **Incident Response**: Documented response procedures
* **Forensic Capabilities**: Security event investigation

## Security Certifications

* **ISO 27001**: Information security management
* **SOC 2**: Security and availability controls
* **Cloud Security Alliance**: Cloud security best practices
* **NIST Framework**: Cybersecurity framework compliance

## Threat Intelligence

* **Threat Feeds**: Real-time threat intelligence integration
* **Behavioral Analytics**: Anomaly detection and analysis
* **Risk Assessment**: Continuous risk evaluation
* **Security Metrics**: Comprehensive security reporting

Contact our security team for detailed security assessments, compliance guidance, and custom security implementations.
