Security controls to protect your data

Daniel Filakovsky
The security of your data is our number one concern. We strictly adhere to responsible AI principles, shield our infrastructure from DDoS, malware, and other threats with multiple layers of defense, back up your data regularly, and enforce robust authorization to safeguard against leaks and breaches.
Our commitment to transparency and trust: Visit the Kontent.ai Trust Center to access comprehensive information on security, privacy, governance, and compliance.

Responsible AI

Kontent.ai is committed to aligning with Responsible AI best practices, ensuring AI governance, and complying with relevant laws and regulations. We follow the best practices and standards for AI to guarantee your data security and prevent the misuse of AI for malicious or illegal purposes.

Configuration management

Kontent.ai infrastructure is managed as code, which helps us find misconfigurations that could lead to an insecure state before they cause harm. The Kontent.ai setup is automated and continuously monitored for unexpected changes; if an issue occurs, the setup can be quickly and automatically reverted to a known-good previous state. This approach also allows for static analysis and regular manual reviews to ensure configurations are secure and adhere to best practices. Moreover, dynamic configuration scanners are in place to validate the infrastructure configuration against standards such as CIS Benchmarks, Azure baselines, or NIST.

DDoS protection

Distributed Denial of Service (DDoS) attacks are mitigated by the DDoS protection placed at the edge of our CDN services – Fastly. Microsoft Azure represents a second layer of protection. It’s auto-scaled, filters out communication that tries to bypass Azure’s DDoS protection, and throttles the requests.

Backups

Regular backups are maintained to protect data against ransomware and other corruption. These backups ensure that data can be restored in the event of an attack and minimize the potential data loss. Recovery drills are run regularly to train staff and test the recovery processes for every scenario in which they may be needed, not only ransomware.

Third-party management

We automatically review third-party packages. All findings are reported daily to the internal security team or to development to secure the supply chain.

Strong authorization

Single sign-on (SSO) and multi-factor authentication (MFA) represent the core of security in cloud services, as they provide strong resistance against attacks on customers' identities. To protect users in other situations, for example those who cannot use SSO, multiple controls are in place:
  • Password policy: On top of regular password policies, such as minimum length and different character groups, our policy prevents users from using their public information in passwords, such as their name or surname. We also prevent using weak passwords with a sequence of characters, such as 123aaa, or reusing known leaked passwords.
  • Leaked credentials: It’s a common bad practice to reuse the same password for multiple services. To mitigate the impact of data leaks on Kontent.ai and other services, Kontent.ai monitors the use of leaked passwords and helps customers protect their accounts on Kontent.ai and other platforms.
  • Brute-force attacks: To combat brute-force attacks, user accounts or IP addresses that exhibit suspicious behavior are blocked by Auth0, our identity provider, even before accessing data.
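The password rules listed above (length, character groups, no personal information, no character sequences such as 123aaa, no known leaked passwords) as a worked checker. This is an added illustration, not Kontent.ai's or Auth0's code; the leaked-password set and the personal-data list are constructed sample inputs.

```python
import re

# Constructed sample of known-leaked passwords (stands in for a breach-corpus lookup).
LEAKED_PASSWORDS = {"password123", "qwerty2023", "letmein!!"}

def has_sequence(pw: str, n: int = 3) -> bool:
    """True if any n consecutive characters are identical (aaa) or form an
    ascending/descending run (123, cba), the pattern behind passwords like 123aaa."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n].lower()]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw: str, personal: list[str], min_len: int = 12,
                   leaked: set[str] = LEAKED_PASSWORDS) -> list[str]:
    """Return the list of policy violations (an empty list means the password is acceptable)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    groups = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(g, pw)) for g in groups) < 3:
        problems.append("uses fewer than 3 character groups")
    low = pw.lower()
    # Personal data (name, surname, ...) must not appear anywhere in the password.
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information: {item}")
    if has_sequence(pw):
        problems.append("contains a character sequence (e.g. 123 or aaa)")
    if low in leaked:
        problems.append("matches a known leaked password")
    return problems

if __name__ == "__main__":
    for pw in ("123aaa", "Jane.Doe#2024", "qwerty2023", "Tr0pical-Mango!Harbor"):
        print(pw, "->", check_password(pw, ["Jane", "Doe"]) or ["ok"])
```

In production the leaked-password check should query a breach corpus (for example via a k-anonymity API) rather than an in-memory set.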

Monitoring

Awareness is key to mitigating any ongoing attack, outage, or inconsistency in the system in time. The web application firewall proactively protects Kontent.ai interfaces by blocking attackers early in their malicious activity and warns the internal security team about such security events. On top of that, an internal monitoring and alerting solution helps our support team react to various unexpected availability incidents and quickly solve them.

Anti-malware scans

Azure real-time anti-malware detection scans assets uploaded to Kontent.ai. This scanning protects Kontent.ai infrastructure and also helps us to proactively notify customers about suspicious activity.

Vulnerability reviews

Regular manual and automatic (SAST and DAST) security reviews are integrated into the development process to identify and address vulnerabilities early on, even before putting vulnerable code into production. And since nobody is perfect and we also make mistakes, our Vulnerability Disclosure Program (private bug bounty program) provides a safe way for security researchers worldwide to participate in finding and helping fix security vulnerabilities.

Security awareness

Kontent.ai staff are regularly trained to be aware of security threats, common security holes, and the methods and insecure practices that attackers exploit.

Logging capabilities of Kontent.ai

Logging is essential for keeping your content management system secure, tracking changes, and ensuring compliance. Kontent.ai provides various logs to help you monitor and analyze activities within your projects. 

Audit logs

Audit logs track changes made to content types, content type snippets, and the asset type within project environments. Users who have audit log access to the environment can access these logs for 90 days.

Content change logs

Each content item has its own change log with versioning. It’s easy to roll back content to any previous version. This log remains available while the content exists, but disappears with the content item's deletion. It’s possible to find information such as:
  • Added or removed content or changes in its format
  • Timestamp and workflow step
  • Who made the changes

Identity logs

Identity logs capture information related to user authentication and management. These logs are crucial for investigating security incidents and are available for 365 days. Identity logs include but are not limited to:
  • Authentication events: Successful and failed login attempts, as well as multi-factor authentication events.
  • User changes: Password changes, and security configurations like MFA enrollment or email verification.
  • Administrative actions: Account blocks due to brute-force attacks or logins from prohibited countries.
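A worked detection over identity-style events, tying the brute-force blocking described under Strong authorization to the authentication events listed here: one source IP failing across many accounts within a window, and an account that succeeds right after a burst of failures. This is an added example, not Kontent.ai's or Auth0's code; the JSON-lines layout and field names are assumptions and the events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed JSON-lines shape; not Kontent.ai's real identity log schema.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","event":"login_failed","user":"alice@example.com","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:07Z","event":"login_failed","user":"bob@example.com","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:12Z","event":"login_failed","user":"carol@example.com","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:20Z","event":"login_failed","user":"dave@example.com","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:31Z","event":"login_failed","user":"erin@example.com","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:44Z","event":"login_success","user":"alice@example.com","ip":"198.51.100.7"}
{"ts":"2024-05-01T10:02:00Z","event":"login_failed","user":"frank@example.com","ip":"198.51.100.9"}
{"ts":"2024-05-01T10:02:10Z","event":"login_failed","user":"frank@example.com","ip":"198.51.100.9"}
{"ts":"2024-05-01T10:02:20Z","event":"login_failed","user":"frank@example.com","ip":"198.51.100.9"}
{"ts":"2024-05-01T10:02:30Z","event":"login_success","user":"frank@example.com","ip":"198.51.100.9"}
"""

def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=5), ip_threshold=5, user_threshold=3):
    """block_ip: one IP with >= ip_threshold failures (any accounts) inside the window;
    review_account: an account that logs in right after >= user_threshold failures."""
    alerts, flagged = [], set()
    fails_by_ip, fails_by_user = defaultdict(deque), defaultdict(deque)
    def trim(q, now):  # drop failure timestamps that fell out of the sliding window
        while q and now - q[0] > window:
            q.popleft()
    for e in events:
        ip_q, user_q = fails_by_ip[e["ip"]], fails_by_user[e["user"]]
        trim(ip_q, e["ts"]); trim(user_q, e["ts"])
        if e["event"] == "login_failed":
            ip_q.append(e["ts"]); user_q.append(e["ts"])
            if len(ip_q) >= ip_threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("block_ip", e["ip"], len(ip_q)))
        elif e["event"] == "login_success":
            if len(user_q) >= user_threshold:
                alerts.append(("review_account", e["user"], len(user_q)))
            user_q.clear()  # a success ends the failure streak for this account
    return alerts
```

With the sample, the first detection fires on the fifth failure from 203.0.113.5 and the second on frank's successful login after three failures; alice's single failure followed by a success stays below threshold.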

HTTP request logs

All HTTP requests and responses to any Kontent.ai interface, such as the Kontent.ai app, Management API, and Delivery API (including all its variants), are logged for 90 days. Support can provide these logs upon request. HTTP request logs include:
  • Request details: URL, HTTP method, status code.
  • Response details: Cache status (HIT, MISS), response time.
  • Metrics: usage of APIs, request/response size.
Thanks to HTTP request logs, it’s possible to identify undetected changes that are not shown in the environment-scoped audit log, for example, when the environment is deleted.

How to access logs

  • Audit logs and content change logs are available in the application.
  • Identity logs and HTTP request logs are available upon support request to prevent exposure to sensitive events.
If you need to track user interactions, review access patterns, monitor content changes, or investigate suspicious activity, Kontent.ai’s support team is available 24/7 to assist you.