I am working at Earnin as a frontend developer (our Netlify site is app.earnin.com). We are starting to evolve the web version of the Earnin App (a mobile app available for Android and iOS), which is currently hosted at Netlify along with two websites (the current one and the legacy one too). They have been using Netlify before I started working with them, which was earlier this year.
Since Earnin’s web presence will increase as we evolve and release new features in the web app, the Security team raised a few concerns regarding Netlify usage, since it is not really part of their main infrastructure stack (they run everything on AWS, except for these 3 frontend apps/websites). Due to that, we have been having a few discussions to present them with the Netlify features and how these features help us move fast on our daily work.
Even so, to be safe on the Security end, they prefer to run the production site in AWS while keeping development in Netlify (so that we can still make use of features like deploy preview).
With this being said, there are two questions they have asked us to check:
1 - Is it possible to integrate Netlify with AWS so that after it finishes the build steps it actually deploys the code to AWS? As mentioned earlier, they want to have at least the production site running on AWS to have more control over things. (I know, this probably sounds like an odd question)
2 - One of their security questions is related to the fact that Netlify is (probably) multi-tenant and that other tenants could break isolation and end up having access to our static files and change them with malicious scripts or links. Are there details that can be shared about how Netlify isolates and protects tenants from co-tenant attacks?
PS: our plan is currently PRO and I understand that detailed security reports are available to the ENTERPRISE plan. Still, if there is any information you can share with us about the questions above, that would be very helpful for us.
Hi Bruno and thanks for the thoughtful questions!
Certainly you could choose to send the built files to another service during deploy; one of your (last) build steps could be “create a zipfile of my site and send it somewhere”. Depends on what your stack is as to whether that would be usable as-is; for instance if you use functions, clearly, you’ll have to deploy them separately rather than just copying static files over the cloudfront or whatever. It’s not a weird requirement, but it kinda reduces the value of Netlify. Our Sales team can answer in-depth compliance questions about how our standards likely match your team’s, in case that will help you make the case to keep it here - let me know and I can connect you with them so that they can hear what you need (“ok, we’d need SOC2 and HIPAA compliance to run on Netlify; and we’d need proof of your compliance and penetration tests monthly”). We do have many of those things (not HIPAA compliant yet, but yes to SOC2 and available 3rd-party penetration testing results), so perhaps we could address their concerns instead of routing around our platform, if that appeals to you.
Yes, Netlify is multi-tenant - the same CDN node serves millions of sites. However, there is essentially no client code run on our servers, so there is no way for other clients to “mess with” your files. If we had a breach and someone compromised our database, there could be a problem, but we have never had such a breach thus far in our business history. I can talk a little more about it, but if we can’t satisfy them, I wouldn’t want to spend the time. Perhaps you could share that description with them and see what specific follow-up questions they have, and I could try to answer them for you?
We do have transparency as a company value and these are questions that all of our customers might have and we’ll do our best to answer publicly. We do require NDAs for some specific things like the SOC2 results and the penetration test results, so we can’t publish them here, but talking with our sales team can often get you them even at the Pro level - however talking about our security is something that we’re willing and able to do for any account level, and we appreciate your Pro business too (and all the free folks who might someday upgrade ;)) so we’ll be able to answer many questions about general practices (for instance, indicating that we do have a SOC2 compliance) here.
Let me know if you get any feedback from the team that I could try to address!
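The “last build step that packages the site and sends it somewhere” suggested above, as an added example that is not Netlify’s or Earnin’s code: the script tars the publish directory, writes a SHA-256 manifest so the AWS side can confirm the files it serves are the ones Netlify built, and only talks to AWS when DEPLOY_TO_AWS=1. The variable names PUBLISH_DIR, AWS_SITE_BUCKET and AWS_CF_DIST_ID and the netlify.toml wiring are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not Netlify's or Earnin's code). Assumed wiring in netlify.toml:
#   [build]  command = "npm run build && sh deploy-aws.sh run"
# PUBLISH_DIR, AWS_SITE_BUCKET and AWS_CF_DIST_ID are placeholder names.
set -eu

# package_site SRC OUT -> prints the tarball path.
# Writes OUT/site.tar.gz plus OUT/site.sha256 (one digest per file) so the
# deployed copy can be checked against what the Netlify build produced.
package_site() {
    src="$1"; out="$2"
    mkdir -p "$out"
    # Sorted in the C locale so the manifest is diff-able between builds.
    ( cd "$src" && find . -type f | LC_ALL=C sort | while read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
        else shasum -a 256 "$f"; fi
      done ) > "$out/site.sha256"
    tar -czf "$out/site.tar.gz" -C "$src" .
    printf '%s\n' "$out/site.tar.gz"
}

# verify_manifest DIR MANIFEST -> 0 only if every file in DIR matches its digest.
# A modified or injected script in the served copy makes this fail.
verify_manifest() {
    ( cd "$1" && if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c --quiet "$2"
      else shasum -a 256 -c "$2" >/dev/null; fi )
}

# ship_to_aws DIR -> syncs DIR to the bucket and invalidates the CDN cache.
# Does nothing unless DEPLOY_TO_AWS=1, so preview builds never touch production.
ship_to_aws() {
    [ "${DEPLOY_TO_AWS:-0}" = "1" ] || { echo "DEPLOY_TO_AWS not set; skipping upload"; return 0; }
    aws s3 sync "$1" "s3://${AWS_SITE_BUCKET}" --delete
    aws cloudfront create-invalidation --distribution-id "${AWS_CF_DIST_ID}" --paths "/*"
}

if [ "${1:-}" = "run" ]; then
    site="${PUBLISH_DIR:-dist}"
    tarball=$(package_site "$site" build-artifacts)
    verify_manifest "$site" "$PWD/build-artifacts/site.sha256"
    ship_to_aws "$site"
    echo "packaged $tarball"
fi
```

Keep the manifest with the artifact; re-running verify_manifest against the bucket contents (or a local download of them) is the check the Security team can run independently of Netlify.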
Chris, thank you very much for the quick and detailed response.
I just got back with them to continue the discussion, will let you know about the outcome.