As part of our ongoing commitment to ensure the highest availability and optimal security of our services we are making some updates to the way our services are made available. For any new integration, Zuora will no longer support static IP addresses for customers to whitelist. For existing integrations, this change will take effect on below listed dates.  This change is being made after thorough assessment of evolving security risks and will allow us to take full advantage of latest cloud technologies to provide greater availability and resiliency for you as our customer.   Sandbox and PT1: 19 December, 2018 (Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com)    Production:   19 January, 2019 (Impacted endpoints:  www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)     Actions you need to take: If you use IP whitelisting to connect Zuora services, please remove IP whitelists to lift any restriction on IP addresses to connect to Zuora services.   Other actions you can take for secure integration: If egress traffic filtering is a key security control for you, one or multiple of the below traffic filtering approaches can be used as alternative. Domain name based filtering: You may use domain name based filtering to whitelist *.zuora.com Access Control List using Proxy: You may use forward proxy and restrict proxy to allow only *.zuora.com domain. Tenant IP Access Control List: Use IP Whitelisting within your tenant configuration to restrict access from origin IP addresses authorized by you. How Zuora ensures security of your integration: Encryption in transit: Zuora ensures latest and secure TLS protocols are used to encrypt all traffic to Zuora in transit. Authentication: Zuora enforces strong authentication for all APIs used during integration. Threat Detection: Zuora uses multiple state-of-the-art security tools to detect and mitigate any threat to Zuora services and customer data round the clock. ... View more

With an ever-growing footprint on the public cloud, including production environments, security is at the forefront of Zuora’s business priorities. Having selected AWS as our public cloud vendor of choice, security for our AWS Infrastructure services is built on the Shared Responsibility Model. This essentially means that AWS is responsible for the security of underlying cloud infrastructure, but AWS customers are responsible for the security of cloud resources provisioned using the infrastructure.   AWS provides its customers with several security tools and features, and as a customer, our responsibility is take full advantage of these features to secure our cloud infrastructure. What follows is a description of some of the features and best practices that, from our experience, can help bootstrap your own AWS Cloud Infrastructure.   Root Account Security The root account provides extremely powerful privileged access. Do not use the root account for day-to-day use. One of the best ways to protect your account is to avoid generating an access key for your root account. Also, don’t forget to enable MFA for your root account.   IAM Best Practices AWS Identity and Access Management (IAM) allows for the creation of users, groups and roles - each of which is a more streamlined and standardized way of providing access permissions. A few must-have IAM features and best practices include:   Enabling MFA for IAM Users IAM password policies aligned to your company’s information security policy Least Privileged Access with managed IAM policy Regular audits of unused IAM Access Keys Using IAM Roles for EC2 Instances Segment Your Network Leverage AWS Virtual Private Cloud (VPC) features, including subnets, routes, Internet and NAT Gateways to create a segmented network per your business need. Most web architectures should fit within the following basic 3-Tier architectures:   Perimeter Tier: Hosts ELB and NAT Gateway Application Tier: EC2 instances that host frontend and backend applications Persistent Tier: Hosts database servers & services: RDS, MySQL, Redshift etc. Whether you follow a multi-VPC or Single-VPC architecture (usually driven by your organization policy or VPC limits), you should keep Command & Control (CNC) in a separate VPC outside your service VPC. CNC VPC should host DNS, SMTP, Jumphosts (a.k.a bastion hosts for single point of entry to other hosts) and monitoring services, to name a few. This way you will be able to build simple IAM policies to limit access to CNC Services.   Security Groups & Network Access Control Lists (NACLs)   The stateless firewall of AWS, combined with VPC subnets and routes make Security Groups a convenient way to support your desired network segmentation. Some general best practices for Security Groups include:   Create function or tier specific security groups and define standard set of policies for each category Setup continuous monitoring around those security groups to review changes All inbound connections from public network restricted via Elastic Load Balancer (ELB) All egress traffic to the internet are routed via NAT Gateway Enforce a standard tagging policy for Security Groups to distinguish them by tier, environment or application. Once you have so, you will be able to monitor easily right security group(s) are applied to right resources Some of the key best practices to follow while creating policies for Security Groups:   Do not allow wide open (unfettered) access to instances from world (0.0.0.0/0 to all-ports). Allow management services (SSH, RDP etc) only from authorized sources, such as Jumphosts Allow database (MySQL/3389, Redshift/5439 etc) ports only from application subnet Do not allow database ports from public network Access to world (0.0.0.0/0) is restricted for customer facing application protocols (e.g. HTTP/HTTPS) via ELB Internal service/application ports (8080, 8443 etc) are restricted from ELB (Security Group) only Audit them regularly to identify unused and wide open security groups   Encryption at Rest This is a cool feature we really like using in AWS. In the good old days, whenever we wanted to enable encryption, we always had to be cognisant of performance implications. In AWS, IOPS are guaranteed with or without encryption, which makes “enable encryption wherever you can” practical and realizable. Some of the key places to consider encrypting at rest include S3 SSE, RDS, Redshift, and EBS Volumes. Simple Storage Service (S3) Security If your organization uses S3 storage to store critical data, here are some best practices you should consider:   Ensure that S3 buckets that do not need public access are set as private Access to private buckets are restricted via VPC Endpoint Enable Server-Side-Encryption (SSE) S3 access policies can be managed at multiple places, so auditing might sometimes become tricky if they are not managed properly. Use IAM policies as much as possible to control access. S3 lets you create two types of access policies: Resource Policies: Bucket Policy, Access Control List User Policies:  IAM Policy   Leveraging Resource Tagging While tagging is mostly considered an operational and cost traceability tool, a consistent tagging policy across resources becomes handy for security. You can implement:   Access policies based on tags (e.g. department or service) Governance and audit of controls based on tags (e.g. environment) Vulnerability Management (e.g. intelligent threat modeling based on tier, service or environment) Logging and Auditing   Finally, a key to success for all Security controls is quality monitoring and auditability. We recommend enabling all of the following logging options, then ingesting the logs into whichever 3rd party analysis tools that your organization uses.   CloudTrail: Monitor changes in your infrastructure near real time and set notification/thresholds to be alerted on for critical changes: IAM Policy changes, new user creation, wide-open security group, and so on. ELB Access Log: Monitor who is accessing your web application S3 Access Log: Monitor who is accessing data VPC Flow Log: Monitor traffic reaching deep into your network; do you see SSH, RDP or database access from external origins? What’s next   Now that we’ve provided a bit of a whirlwind tour of some of the security features we leverage and best practices we recommend, we’ll dive deeper into some of the specific controls in future blog posts. Stay tuned!   ... View more