# Security recommendations

> Apply Lerian's shared responsibility security model — infrastructure hardening, network segmentation, TLS, and Zero Trust patterns.

Before jumping into installation and deployment, let’s align on something critical: security.

At Lerian, we operate under a **Security Shared Responsibility Model**—**we secure the application layer (Midaz and all Lerian plugins)**, and **you are responsible for securing the infrastructure where they run**. This guide is designed to help your team establish and maintain a solid security posture across the entire Lerian ecosystem, from Midaz to every integrated plugin.

The following recommendations are not exhaustive. Instead, they’re meant to complement your existing security practices—whether you’re running in the cloud or on-prem.

## Infrastructure & network security

***

Midaz and all Lerian plugins are cloud-native solutions designed to run securely in containerized, distributed environments. To enhance your infrastructure and network security:

* Establish a **patch management process** to ensure OS and services are regularly updated with security patches.
* Apply **hardening** procedures to your operating system images before deployment.
* Leverage **Midaz and plugin Docker images**, which follow the **least privilege principle**—and reinforce this at the cluster level using appropriate controls.
* If you're using **Kubernetes**, enforce security baselines using **policy-as-code** tools such as **Kyverno**, **OPA Gatekeeper**, or similar.
* Run **routine vulnerability scans** across all layers of your infrastructure, including those hosting plugins.
* Use **network segmentation** to restrict plugin and Midaz component access to only the systems that need it.
* Configure **firewalls** to manage traffic flow and prevent unauthorized access.
* Where possible, implement **Intrusion Detection Systems (IDS)** and **Intrusion Prevention Systems (IPS)** to analyze network behavior and block anomalies.
* Adopt a **Zero Trust Architecture** when handling sensitive systems or data flows.
* Enforce **TLS 1.2 or higher** for all communications across Midaz and plugin services.

## General security configurations

***

Protecting secrets, storage, and data is vital across all Lerian components, including Midaz and its plugins. With that in mind, consider the following:

* Use trusted solutions such as **AWS Secrets Manager**, **Azure Key Vault**, **Google Secret Manager**, or **HashiCorp Vault** to securely store secrets and configuration data.
* **Rotate credentials and secrets** regularly, and follow the principle of least privilege when granting access.
* Enable **audit logging** and ensure **automated backups** are in place for all databases used by Midaz and plugins.
* Apply **encryption at rest** to all persistent data—including that handled by plugins like CRM or Access Manager.
* Enforce **access restrictions** to sensitive data, and use **tokenization**, **encryption**, or **anonymization** when appropriate.
* Keep Midaz and all Lerian plugins updated with the **latest releases**, including patches and security improvements.

## Identity & Access Management (IAM)

***

A unified and secure IAM approach should encompass not only the environment where Midaz and plugins are deployed, but also the services themselves. Therefore:

* Implement a centralized IAM process to manage access to the infrastructure hosting Lerian products.
* Enforce **multi-factor authentication (MFA)** across all user and admin accounts.
* Monitor and periodically audit access granted to **service accounts**—especially those used by plugins.
* Define access control models that adhere to the **least privilege principle**, using **RBAC**, **ABAC**, or custom strategies.
* Utilize **temporary credentials** and time-limited access for high-sensitivity operations.
* Conduct **regular reviews** of all access privileges, including for Midaz, CRM, Access Manager, Reporter, and other products/plugins.

## Monitoring & incident response

***

To build observability and incident readiness into your Midaz and plugin deployment strategy:

* Deploy security monitoring tools to track behavior across all Lerian services, including plugin activity.
* Enable logs and traces across your infrastructure and each component of Midaz and its plugins.
* **Integrate logs** from Midaz and plugin services with fraud detection or anomaly monitoring tools to enhance protection.
* Consider centralizing logs through a **SIEM platform** to enable more efficient threat detection.
* Maintain an updated **incident response plan**, including specific playbooks for services like Access Manager or Fee Engine.

## Additional protection layers

***

For production-critical or high-compliance environments, we strongly recommend implementing additional protective layers:

* Apply OS and service **hardening procedures** across your entire stack.
* Maintain **regular patch cycles** for all runtime environments, including third-party services and dependencies.
* Conduct **manual penetration tests** to validate the effectiveness of your defenses, including those around plugins and integrations.
* Deploy **Web Application Firewalls (WAFs)** to protect plugin APIs and Midaz endpoints from Layer 7 attacks.
* Use **Anti-DDoS services** and **bot mitigation tools** to block automated or mass-scale attacks on exposed components.

<Tip>
  Combine infrastructure-level protections with the built-in security validations of **Midaz and its plugins** to create a cohesive, scalable, and compliant financial environment. At Lerian, security is not an afterthought—it’s part of the design.
</Tip>

## Midaz security configurations

***

Security starts with configuration. Whether you're running Midaz locally or deploying in a managed cluster, it’s critical to review and adjust all credentials and certificates before going live.

### Credentials and secrets

Each Midaz component comes with its own `.env` file, allowing custom configuration per module. This gives you flexibility, but also a shared responsibility.

<Danger>
  Never deploy Midaz using default credentials. Always update secret values in your environment before launching.
</Danger>

The following files must be reviewed and updated to ensure sensitive information is protected:

| **Midaz Repo**                 | **Midaz Helm**                                      |
| :----------------------------- | :-------------------------------------------------- |
| `/components/infra/.env`       | `/charts/midaz/values.yaml`                         |
| `/components/mdz/.env`         | `/charts/midaz/templates/onboarding/secrets.yaml`   |
| `/components/onboarding/.env`  | `/charts/midaz/templates/transactions/secrets.yaml` |
| `/components/transaction/.env` | `/charts/midaz/templates/console/secrets.yaml`      |

Make sure secrets like database credentials, encryption keys, and API tokens are securely stored and rotated regularly.
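A pre-deployment check you can run over the `.env` files listed above, added here as an example rather than code from Midaz or Lerian: it fails when a secret-like variable still carries a placeholder value, is shorter than a chosen minimum, or is reused by another secret variable. The variable-name pattern, the placeholder list and the minimum length are assumptions, not Midaz's actual defaults.

```python
"""Pre-deployment check for Midaz component .env files: fail when a secret-like
variable still holds a placeholder, is too short, or is reused elsewhere.
Added example, not Midaz code; names and placeholder list are constructed."""
import re
import sys
from collections import Counter
from pathlib import Path

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|CREDENTIAL|_KEY$", re.I)  # assumption
# Constructed list of values commonly left behind in sample .env files.
PLACEHOLDERS = {"", "changeme", "password", "secret", "admin", "123456", "example", "default"}
MIN_LENGTH = 16  # assumption: anything shorter is treated as weak


def parse_env(text):
    """Parse KEY=VALUE lines; skips blanks and comments, strips surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def weak_secrets(env):
    """Return (name, reason) pairs for every secret-like variable that looks unsafe."""
    secrets = {n: v for n, v in env.items() if SECRET_NAME.search(n)}
    reuse = Counter(secrets.values())  # same value used for several secrets
    findings = []
    for name, value in secrets.items():
        if value.lower() in PLACEHOLDERS:
            findings.append((name, "placeholder/default value"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, "shorter than %d chars" % MIN_LENGTH))
        elif reuse[value] > 1:
            findings.append((name, "reused by another secret variable"))
    return findings


def check_files(paths):
    """Map each .env path to its findings; an empty list means the file passed."""
    return {str(p): weak_secrets(parse_env(Path(p).read_text())) for p in paths}


if __name__ == "__main__":  # usage: python check_env.py components/*/.env
    report = check_files(sys.argv[1:])
    for path, findings in report.items():
        for name, reason in findings:
            print("%s: %s: %s" % (path, name, reason))
    sys.exit(1 if any(report.values()) else 0)
```

Wire it into the deployment pipeline so a non-zero exit blocks the rollout; the same logic applies to the secret values rendered from the Helm `secrets.yaml` templates.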

### TLS Certificate configuration

When exposing Midaz services via ingress controllers, it's essential to use valid TLS certificates to secure communication between services and external clients.

Midaz allows ingress to be enabled for the following components:

* **Transaction**
* **Onboarding**
* **Console**

To configure a custom TLS certificate:

<Steps>
  <Step>
    **Generate** a valid certificate using a trusted provider (e.g., Let’s Encrypt, GoDaddy).
  </Step>

  <Step>
    **Store** the full certificate chain as a Kubernetes secret or in an external vault (e.g., AWS Secrets Manager).
  </Step>

  <Step>
    **Reference** the secret in your `values.yaml` file:

    <CodeGroup>
      ```yaml YAML theme={null}
      ingress:
        # class, host, annotations, etc.
        tls:
          - secretName: certificate-tls
            hosts:
              - midaz.example.com
      ```
    </CodeGroup>
  </Step>
</Steps>

<Tip>
  Always enforce TLS 1.2 or higher. For internal clusters, consider issuing short-lived certificates automatically via a service mesh or cert-manager.
</Tip>
