Security recommendations
Before jumping into installation and deployment, let’s align on something critical: security.
At Lerian, we operate under a Security Shared Responsibility Model—we secure the application layer (Midaz and all Lerian plugins), and you are responsible for securing the infrastructure where they run. This guide is designed to help your team establish and maintain a solid security posture across the entire Lerian ecosystem, from Midaz to every integrated plugin.
The following recommendations are not exhaustive. Instead, they’re meant to complement your existing security practices—whether you’re running in the cloud or on-prem.
Infrastructure & network security
Midaz and all Lerian plugins are cloud-native solutions designed to run securely in containerized, distributed environments. To enhance your infrastructure and network security:
- Establish a patch management process to ensure OS and services are regularly updated with security patches.
- Apply hardening procedures to your operating system images before deployment.
- Leverage Midaz and plugin Docker images, which follow the least privilege principle—and reinforce this at the cluster level using appropriate controls.
- If you're using Kubernetes, enforce security baselines using policy-as-code tools such as Kyverno, OPA Gatekeeper, or similar.
- Run routine vulnerability scans across all layers of your infrastructure, including those hosting plugins.
- Use network segmentation to restrict plugin and Midaz component access to only the systems that need it.
- Configure firewalls to manage traffic flow and prevent unauthorized access.
- Where possible, implement Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to analyze network behavior and block anomalies.
- Adopt a Zero Trust Architecture when handling sensitive systems or data flows.
- Enforce TLS 1.2 or higher for all communications across Midaz and plugin services.
General security configurations
Protecting secrets, storage, and data is vital across all Lerian components, including Midaz and its plugins. That said, consider:
- Use trusted solutions such as AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or HashiCorp Vault to securely store secrets and configuration data.
- Rotate credentials and secrets regularly, and follow the principle of least privilege when granting access.
- Enable audit logging and ensure automated backups are in place for all databases used by Midaz and plugins.
- Apply encryption at rest to all persistent data—including that handled by plugins like CRM or Access Manager.
- Enforce access restrictions to sensitive data, and use tokenization, encryption, or anonymization when appropriate.
- Keep Midaz and all Lerian plugins updated with the latest releases, including patches and security improvements.
Identity & Access Management (IAM)
A unified and secure IAM approach should encompass not only the environment where Midaz and plugins are deployed, but also the services themselves. Therefore:
- Implement a centralized IAM process to manage access to the infrastructure hosting Lerian products.
- Enforce multi-factor authentication (MFA) across all user and admin accounts.
- Monitor and periodically audit access granted to service accounts—especially those used by plugins.
- Define access control models that adhere to the least privilege principle, using RBAC, ABAC, or custom strategies.
- Utilize temporary credentials and time-limited access for high-sensitivity operations.
- Conduct regular reviews of all access privileges, including for Midaz, CRM, Access Manager, Smart Templates, and other plugins.
Monitoring & incident response
To build observability and incident readiness into your Midaz and plugin deployment strategy:
- Deploy security monitoring tools to track behavior across all Lerian services, including plugin activity.
- Enable logs and traces across your infrastructure and each component of Midaz and its plugins.
- Integrate logs from Midaz and plugin services with fraud detection or anomaly monitoring tools to enhance protection.
- Consider centralizing logs through a SIEM platform to enable more efficient threat detection.
- Maintain an updated incident response plan, including specific playbooks for services like Access Manager or Fee Engine.
Additional protection layers
For production-critical or high-compliance environments, we strongly recommend implementing additional protective layers:
- Apply OS and service hardening procedures across your entire stack.
- Maintain regular patch cycles for all runtime environments, including third-party services and dependencies.
- Conduct manual penetration tests to validate the effectiveness of your defenses, including those around plugins and integrations.
- Deploy Web Application Firewalls (WAFs) to protect plugin APIs and Midaz endpoints from Layer 7 attacks.
- Use Anti-DDoS services and bot mitigation tools to block automated or mass-scale attacks on exposed components.
Tip: Combine infrastructure-level protections with the built-in security validations of Midaz and its plugins to create a cohesive, scalable, and compliant financial environment. At Lerian, security is not an afterthought—it’s part of the design.
Midaz security configurations
Security starts with configuration. Whether you're running Midaz locally or deploying in a managed cluster, it’s critical to review and adjust all credentials and certificates before going live.
Credentials and secrets
Each Midaz component comes with its own .env file, allowing custom configuration per module. This gives you flexibility, but also a shared responsibility.
Important: Never deploy Midaz using default credentials. Always update secret values in your environment before launching.
The following files must be reviewed and updated to ensure sensitive information is protected:
| Midaz Repo | Midaz Helm |
|---|---|
| /components/infra/.env | /charts/midaz/values.yaml |
| /components/mdz/.env | /charts/midaz/templates/onboarding/secrets.yaml |
| /components/onboarding/.env | /charts/midaz/templates/transactions/secrets.yaml |
| /components/transaction/.env | /charts/midaz/templates/console/secrets.yaml |
Make sure secrets like database credentials, encryption keys, and API tokens are securely stored and rotated regularly.
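As an added example (not Lerian's code), the following POSIX shell check fails a deployment while any of the repository .env files listed above still carries an empty or placeholder secret value. The key-name pattern, the placeholder list and the 12-character minimum are assumptions to adapt to the keys actually present in your files.

```shell
#!/bin/sh
# Added example, not Lerian's code: refuse to deploy while a Midaz component
# .env file still carries empty or placeholder secret values.
# Assumptions: secret-bearing keys end in PASSWORD, SECRET, TOKEN or KEY,
# and anything shorter than 12 characters is too weak to be a real secret.
set -u

# check_env_file FILE -> returns 0 when clean, 1 when any secret value is
# empty, a well-known placeholder, or too short; offending keys are listed.
check_env_file() {
    file=$1
    [ -r "$file" ] || { echo "MISSING: $file"; return 1; }
    bad=$(awk '
        # skip comments and lines that are not KEY=VALUE
        /^[ \t]*#/ || !/^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            sub(/^"/, "", value); sub(/"$/, "", value)   # drop surrounding quotes
            if (toupper(key) !~ /(PASSWORD|SECRET|TOKEN|KEY)$/) next
            v = tolower(value)
            if (v == "" ||
                v ~ /^(changeme|change-me|password|secret|admin|root|test|example|default|123456)$/ ||
                length(value) < 12)
                print key
        }' "$file")
    if [ -n "$bad" ]; then
        echo "$file: weak or placeholder values for:"
        echo "$bad" | sed 's/^/  - /'
        return 1
    fi
    echo "$file: ok"
}

# check_midaz_env_files REPO_ROOT -> checks the four files from the table above
check_midaz_env_files() {
    root=$1
    rc=0
    for rel in components/infra/.env components/mdz/.env \
               components/onboarding/.env components/transaction/.env; do
        check_env_file "$root/$rel" || rc=1
    done
    return "$rc"
}

# Pass the Midaz repository root as the first argument to run the check directly.
if [ $# -gt 0 ]; then
    check_midaz_env_files "$1"
fi
```

Run it from CI with the repository root as the argument; it exits non-zero and names the offending keys whenever a default survives. The placeholder list and minimum length are starting points: extend them with the specific defaults you know ship in your images, and pair the check with the secret-manager rotation described above rather than relying on it alone.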
TLS Certificate configuration
When exposing Midaz services via ingress controllers, it's essential to use valid TLS certificates to secure communication between services and external clients.
Midaz allows ingress to be enabled for the following components:
- Transaction
- Onboarding
- Console
To configure a custom TLS certificate:
- Generate a valid certificate using a trusted provider (e.g., Let’s Encrypt, GoDaddy).
- Store the full certificate chain as a Kubernetes secret or in an external vault (e.g., AWS Secrets Manager).
- Reference the secret in your values.yaml file:

```yaml
ingress:
  # class, host, annotations, etc.
  tls:
    - secretName: certificate-tls
      hosts:
        - midaz.example.com
```
Tip: Always enforce TLS 1.2 or higher. For internal clusters, consider issuing short-lived certificates automatically via a service mesh or cert manager.
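As an added example (not Lerian's code), a shell check to run on the PEM bundle before it is stored in the secret referenced by ingress.tls.secretName: it confirms the bundle holds the full chain, that the leaf covers the ingress host, and that the leaf is not close to expiry. It assumes openssl is installed; the host name and the minimum validity window are caller-supplied inputs.

```shell
#!/bin/sh
# Added example, not Lerian's code: sanity-check the PEM bundle that will be
# stored in the Kubernetes secret referenced by ingress.tls.secretName.
# Assumes openssl is installed; HOST and MIN_DAYS are caller-supplied inputs.

# check_tls_chain PEM_FILE HOST [MIN_DAYS] -> 0 when every check passes, 1 otherwise
check_tls_chain() {
    pem=$1
    host=$2
    min_days=${3:-30}
    status=0

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # 1. The bundle must carry the full chain (leaf plus at least one
    #    intermediate); clients that lack the intermediate fail validation.
    n=$(grep -c 'BEGIN CERTIFICATE' "$pem")
    if [ "$n" -lt 2 ]; then
        echo "FAIL: $pem holds $n certificate(s); expected leaf plus intermediate(s)"
        status=1
    fi

    # 2. The leaf (first certificate in the file) must cover the ingress host.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "FAIL: leaf certificate does not cover $host"
        status=1
    fi

    # 3. The leaf must stay valid for at least MIN_DAYS (checkend takes seconds).
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: leaf certificate expires within $min_days days"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $pem covers $host with a full chain valid for more than $min_days days"
    return "$status"
}

# Usage: check_tls_chain chain.pem midaz.example.com 30
if [ $# -ge 2 ]; then
    check_tls_chain "$@"
fi
```

To run it against the secret from the values.yaml snippet above once it is in the cluster: `kubectl get secret certificate-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > chain.pem && check_tls_chain chain.pem midaz.example.com`. The expiry window is the point at which your renewal automation (cert-manager or the service mesh) should already have replaced the certificate, so set it comfortably above the renewal lead time.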