Building a secure infrastructure


A message from our Platform Architect

Music Glue takes its responsibilities in safeguarding user data extremely seriously, and applies the same techniques that it has learned and honed over a decade of safely protecting credit card information. Our platform is carefully architected to segregate sensitive information from commonly available information, and limits access to those that truly have the right to see it.

There are many buzzwords used in describing secure architectures, from redundant firewalls to DMZs and IDS. We tech guys can get a little over-excited when discussing the extent to which we have implemented these, but the important information is that we follow best practice when designing our infrastructure. Of course, no network, server or database is ever fully secure – but there is a lot we can do to try as hard as possible. All sensitive information is encrypted with "military grade" AES256 encryption, both when it is sitting on our servers and when it is in transit. We are PCI compliant and the data centres we use are certified to security standard ISO27001. On top of that, our platform is "immutable", meaning that all access to servers is prevented and changes are made by rebuilding whole segments from scratch to our strict specifications. We believe that guarding doors is a good step, but not as good as not building a doorway in the first place.

Security isn't something that gets designed once and then forgotten about, though; it only works if it is at the forefront of all minds throughout the process of building and running our platform. All our code is peer reviewed and security tested in accordance with our development life-cycle processes, and all changes require sign-off from multiple team members before being automatically applied to our platforms.

Many organisations' security falls down when it comes to team members trying to do their jobs – a laptop that has the wrong database on it gets left on a train, or a memory card gets borrowed and returned with the wrong document on it. We understand that it's easier just to "see what is in production", but we set a higher standard for ourselves – no access to data means no mistakes with data.

From planning through building and running, we put security front and centre. It matters to us as much as delivering industry-leading performance or features, because we understand that nothing is more valuable than trust.