Security and Patching
Overview
The AppsAnywhere Appliance was created to be secure by design.
This includes a number of out-of-the-box security measures:
Customer access to configure the appliance is only available via the hypervisor console.
Networking is disabled by default and must be enabled once the appliance is deployed.
SSH access for AppsAnywhere support is disabled by default. This can be enabled for a specific IP address or range.
Operating system and component security updates are applied automatically, every 30-days following your deployment.
Further details regarding initial setup can be found under the First-time Configuration section.
If you would prefer to patch servers more frequently, or on your organizations preferred schedule; updates can be configured by following Configure System Updates.
Secure Access
The Appliance Configuration Console (ACC) is only available via your hypervisor console.
All accounts used to access the appliance are secure:
The default customer setup account password is randomly generated upon first use, and is unique for your appliance.
The setup account cannot be used via a SSH connection to the appliance.
All SSH accounts used by AppsAnywhere are secured with individual SSL certificate key pairs.
The appliance is locked down with no direct customer access to the operating system.
Security Patching
System Updates
By default, the AppsAnywhere Appliance will install CentOS and 3rd party component updates automatically.
Updates are performed every 30-days from the date the appliance was installed.
The update schedule is therefore randomly staggered, so each of your AppsAnywhere servers will perform updates at different times.
When updates to key 3rd party components such as PHP and Apache are applied, there may be a brief service interruption as the modules are reloaded/restarted.
To ensure service continuity, we recommend that you configure a load balancer with health checks to route all user traffic to the AppsAnywhere servers. This will ensure that there are no service interruptions during automatic patching.
Compatibility Checks
AppsAnywhere actively monitor and test all security updates to guard against any compatibility issues.
Your appliance will perform a daily check with our central API to ensure that there are no known issues with forthcoming updates.
As a fail safe, in the case that we discover a compatibility issue, updates can be temporarily suspended via our API for the affected appliance version(s).
All affected customers will then be notified, and steps to ensure and apply compatible security updates will be provided.
Manual Updates
A manual update option is available within the Appliance Configuration Console (ACC), and can be used at any time.
Manual updates are applied at the customer’s own risk and are not subject to the above compatibility checks.
A server snapshot should always be taken via your hypervisor before manual updates are triggered.
If you prefer to manage your own patching schedule, automatic updates can also be disabled. This action must be performed by AppsAnywhere support team.
Additional Configuration
On occasion it may be necessary to install additional monitoring or security tools on an AppsAnywhere appliance. In order to maintain the support agreement, please be aware that:
Access can only be provided on a temporary basis.
Unapproved changes to an AppsAnywhere appliance will invalidate the AppsAnywhere Support agreement and SLA
Customers must maintain a change log of all modifications to the AppsAnywhere Appliance
AppsAnywhere cannot support custom changes, so these will need to be re-applied after an upgrade, if necessary
Additionally, AppsAnywhere cannot be held responsible or confirm if third party tools will affect an AppsAnywhere appliance
Customers are advised to test and confirm themselves, before making changes to Production servers
If an issue is experienced as a result of a modification to the AppsAnywhere Appliance, it must be reverted before escalating to AppsAnywhere Support