

This security guide is intended to assist organizations in hardening Software as a Service (SaaS) or customer-deployed Systems. Ocient Management Services include Ocient support personnel configuring these settings based on organizational requirements and the applicable service agreement. Implement these security features and measures to protect an Ocient System and ensure data privacy. This guide is not exhaustive; it represents a security baseline for an Ocient System. Depending on your environment architecture and services, not all security features and measures might apply.

Authentication and Access Control

This section applies to the database application of the Ocient System. You can install the database application on a standard operating system (OS) distribution and apply authentication and access controls to the application host.

Identity Provider or Single Sign-On (SSO)

You can configure the Ocient System to use any OpenID Connect (OIDC) identity provider (such as ) for SSO. For details, see Authentication Methods. Because access to the Ocient System can expose sensitive data, use multi-factor authentication (MFA) for all accounts that access the Ocient System. Ocient recommends implementing an OIDC identity provider on the Ocient System and requiring MFA for authentication. Limit any local accounts to emergency (break-glass) access for recovering from SSO failures.

Role-Based Access Control (RBAC) Groups

The Ocient System includes default System and Database Roles. The system also allows database administrators to create access groups with specific tables or views. You can assign these access groups to database users to restrict access to data based on the data type or classification. Ocient recommends assigning System and Database Roles based on the principles of least privilege, separation of duties, and need-to-know. Access groups with specific tables, rows, or views can further restrict access based on data security requirements. For details, see Manage Users, Groups, and Roles.

Network Security

This section applies to the network segment that hosts the Ocient System.

Secure Bucket Access and Data Streaming

The Ocient System supports data loading using the stream, cloud bucket (e.g., S3), or local file source. For details, see SOURCE Options.

Secure Bucket Access

If loading data from a cloud bucket like AWS S3, GCP storage bucket, and so on, use network access controls, IP whitelisting, or data-in-transit encryption between the Loader Nodes in the Ocient System and the cloud bucket. Only Loader Nodes need access to a data source.

Secure Data Streaming

The Ocient System supports Kafka Source data streaming to Loader Nodes. Ocient recommends utilizing data-in-transit encryption between the Kafka data source and the Loader Nodes.

Network Exposure and Firewall

The Ocient System hosts should remain in the same network segment, but you must still apply host-based and network-based firewalls. Ocient recommends deny-all, allow-by-exception firewall policies on hosts and network infrastructure to secure Ocient System environments.
The hosts in the Ocient System should not be publicly accessible; keep them within organizational network boundaries and security controls (or within the communication service provider (CSP) network boundaries and security controls).
The Ocient System uses these ports, protocols, and services externally and internally.

Communications External to the Ocient System

Port | Protocol | Service | Source | Destination
---- | -------- | ------- | ------ | -----------
4050 | TCP | JDBC | JDBC Connectors | Ocient SQL Hosts
8080 | TCP | LAT | LAT Client | Ocient Loader Hosts
8090 | TCP | Extractor Engine | Metrics Platform | Ocient Loader Hosts
9090 | TCP | rolehostd | Metrics Platform | Ocient Loader Hosts

Communications Internal to the Ocient System

Port | Protocol | Service | Source | Destination
---- | -------- | ------- | ------ | -----------
5050 | TCP | rolehostd | Ocient LAT Hosts | Ocient Loader Hosts
17600 | TCP | rolehostd | Ocient SQL and Metadata Hosts | Ocient SQL and Metadata Hosts
17700 | TCP | rolehostd | Ocient SQL, Loader, and Foundation Hosts | Ocient SQL, Loader, and Foundation Hosts
17800 | TCP | rolehostd | Ocient Loader and Foundation Hosts | Ocient Loader and Foundation Hosts
17900 | TCP | rolehostd | Ocient SQL, Metadata, Loader, and Foundation Hosts | Ocient SQL, Metadata, Loader, and Foundation Hosts
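The two tables above are enough to write the deny-all, allow-by-exception host firewall the guide recommends. The following POSIX shell script is an added example, not Ocient's own tooling: it turns the port rows into an nftables input ruleset for one host role, with a default drop policy and one accept rule per table row. The subnet values (CLUSTER_NET, JDBC_CLIENTS, LAT_CLIENTS, METRICS_HOST) and the role names (sql, metadata, loader, foundation) are assumptions to adapt to your environment; management access such as SSH is not in the tables and must be added per your organization's policy.

```shell
#!/bin/sh
# Added example, not Ocient's code: build a deny-all, allow-by-exception nftables
# input ruleset for one Ocient host role from the port tables in this guide.
# The four network values below are placeholders; set them for your environment.

CLUSTER_NET="${CLUSTER_NET:-10.10.0.0/24}"     # placeholder: segment holding the Ocient hosts
JDBC_CLIENTS="${JDBC_CLIENTS:-10.20.0.0/24}"   # placeholder: where JDBC connectors run
LAT_CLIENTS="${LAT_CLIENTS:-10.20.0.0/24}"     # placeholder: where LAT clients run
METRICS_HOST="${METRICS_HOST:-10.30.0.5}"      # placeholder: the metrics platform

# Inbound "port:source" pairs per host role, taken from the guide's two tables.
# Internal rolehostd ports are reachable only from the cluster segment.
ports_for_role() {
  case "$1" in
    sql)        echo "4050:$JDBC_CLIENTS 17600:$CLUSTER_NET 17700:$CLUSTER_NET 17900:$CLUSTER_NET" ;;
    metadata)   echo "17600:$CLUSTER_NET 17900:$CLUSTER_NET" ;;
    loader)     echo "8080:$LAT_CLIENTS 8090:$METRICS_HOST 9090:$METRICS_HOST 5050:$CLUSTER_NET 17700:$CLUSTER_NET 17800:$CLUSTER_NET 17900:$CLUSTER_NET" ;;
    foundation) echo "17700:$CLUSTER_NET 17800:$CLUSTER_NET 17900:$CLUSTER_NET" ;;
    *)          echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Print an nftables ruleset: default policy drop, then one accept per table row.
build_ruleset() {
  pairs=$(ports_for_role "$1") || return 1
  printf 'table inet ocient_%s {\n' "$1"
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif "lo" accept\n'
  printf '    ct state invalid drop\n'
  printf '    ct state established,related accept\n'
  for pair in $pairs; do
    port=${pair%%:*}
    src=${pair#*:}
    printf '    ip saddr %s tcp dport %s accept\n' "$src" "$port"
  done
  printf '    # management access (for example SSH from an admin network) is an organizational choice; add it here\n'
  printf '  }\n'
  printf '}\n'
}

# Usage: sh ocient-nft.sh loader > /etc/nftables.d/ocient.nft && nft -f /etc/nftables.d/ocient.nft
if [ -n "${1:-}" ]; then
  build_ruleset "$1"
fi
```

Run it once per role, review the output, and load it with nft -f. Because the chain policy is drop, anything not in the guide's tables (including the external 4050, 8080, 8090 and 9090 services on hosts that do not serve them) is rejected by default, which is exactly the allow-by-exception posture the text asks for.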

Data Security and Encryption

This section covers the data security and encryption of the database application. Apply the data security and encryption controls to the Linux OS host.

Data-at-Rest Encryption

The Ocient System supports self-encrypting drives (SEDs) that meet the Trusted Computing Group (TCG) Opal standard or better. Ocient recommends utilizing NVMe drives that support Opal or SED and implementing data-at-rest encryption. Base the encryption strength on the sensitivity of the data and the system. For details, see Server Hardware Requirements and Data Drive Requirements.

Data-in-Transit Encryption

You can encrypt external connections using JDBC through transport layer security (TLS) or secure sockets layer (SSL). For details, see Secure Connections Using TLS. Ocient recommends using at least TLS 1.2 for external connections to the Ocient System.

System and Application Security

This section applies to both the Linux OS host and the database application.

Operating System Hardening

For operating systems supported by the Ocient System, see Ocient System Requirements. Ocient recommends the use of an industry-standard OS hardening baseline like the or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).

Operating System Patching

You must frequently and consistently update hosts running the Ocient System to remediate any existing vulnerabilities within the OS. Ocient recommends performing periodic vulnerability assessments or scans and updating OS packages based on severity and timeframe.

Application Patching

Ocient tracks, monitors, and remediates vulnerabilities within the Ocient System application and publishes updated software releases periodically. Ocient recommends keeping your Ocient System application updated to the most current version. For details, see Ocient Software Upgrade.

Application and System Maintenance

Ocient recommends performing regular and periodic application and system maintenance to preserve system performance. For details about the Ocient System maintenance activities, see Maintenance Overview.

Secrets and Key Management

This section applies to secrets and keys within the Ocient System and database application. It does not cover Linux OS host secrets and keys, which should nonetheless have appropriate authentication and access controls applied. For details, see Set Up Data Encryption.

SED Key

Ocient recommends using a Key Management Interoperability Protocol (KMIP) compliant key management platform to handle SED lock and unlock operations. By default, during system installation, if the install detects Opal-compliant hardware, the install enables full disk encryption with the encryption key stored on the OS drive. For details, see Data Drive Requirements.

Auditing and Log Management

This section applies to auditing within the database application. It does not cover Linux OS host and infrastructure logs, which should nonetheless have appropriate auditing controls applied.

Audit Management

The Ocient System stores security audit logs for the database application in the /var/log/ directory on the Linux OS host. You can see these files in that directory.
File | Description
---- | -----------
rolehostd.log | Contains all of the error, informational, and debug logs from the running database system.
query.json | Contains information on all queries and statements executed on the system. This file includes information such as the user who ran the query (or command), the time and duration, and many other details.
security.json | Contains information on both successful and unsuccessful connections to the system.
For details, see Log Monitoring.

SIEM or System Log Forwarding

Ocient recommends using a security information and event manager (SIEM) or system log (syslog) forwarder to ingest the rolehostd.log, query.json, and security.json audit log files located on the Linux OS host.
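The audit file table and the forwarding recommendation above translate into two host-level tasks: keep the three files readable only by the accounts that need them, and ship them off-host over an encrypted channel. The POSIX shell script below is an added example, not Ocient's code. It emits an rsyslog drop-in that tails rolehostd.log, query.json, and security.json with imfile and forwards them to a SIEM over TLS (syslog on port 6514) with a disk-assisted queue so events survive a SIEM outage, and it checks that none of the files is world-readable. SIEM_HOST, the CA file path, the drop-in file name, and the ruleset name are assumptions; LOG_DIR defaults to /var/log as the guide states.

```shell
#!/bin/sh
# Added example, not Ocient's code: forward the Ocient audit files to a SIEM
# over TLS with rsyslog, and check their on-host permissions.
# SIEM_HOST and CA_FILE are placeholders for your environment.

LOG_DIR="${LOG_DIR:-/var/log}"                       # location stated in the guide
SIEM_HOST="${SIEM_HOST:-siem.example.internal}"      # placeholder
SIEM_PORT="${SIEM_PORT:-6514}"                        # syslog over TLS
CA_FILE="${CA_FILE:-/etc/rsyslog.d/certs/ca.pem}"    # placeholder CA that signed the SIEM cert
AUDIT_FILES="rolehostd.log query.json security.json"

# Print an rsyslog drop-in (for example /etc/rsyslog.d/50-ocient-audit.conf).
rsyslog_conf() {
  cat <<EOF
# Ocient audit log forwarding (generated; adjust placeholders before use)
module(load="imfile")
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="$CA_FILE")
EOF
  for f in $AUDIT_FILES; do
    tag=${f%%.*}   # rolehostd, query, security
    cat <<EOF
input(type="imfile" File="$LOG_DIR/$f" Tag="ocient-$tag"
      Facility="local0" Severity="info" Ruleset="ocient_audit")
EOF
  done
  cat <<EOF
ruleset(name="ocient_audit") {
  # Verify the SIEM certificate name; keep a disk-backed queue so nothing is lost if it is down.
  action(type="omfwd" Target="$SIEM_HOST" Port="$SIEM_PORT" Protocol="tcp"
         StreamDriver="gtls" StreamDriverMode="1"
         StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$SIEM_HOST"
         queue.type="LinkedList" queue.filename="ocient_audit_fwd"
         queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}
EOF
}

# Return 0 if none of the audit files in the given directory is world-readable,
# 1 otherwise (each offending file is named on stderr). Missing files are skipped.
check_audit_perms() {
  dir="$1"
  bad=0
  for f in $AUDIT_FILES; do
    [ -e "$dir/$f" ] || continue
    if [ -n "$(find "$dir/$f" -perm -004 2>/dev/null)" ]; then
      echo "world-readable: $dir/$f" >&2
      bad=1
    fi
  done
  return $bad
}

# Usage: sh ocient-audit.sh conf > /etc/rsyslog.d/50-ocient-audit.conf
#        sh ocient-audit.sh check [/var/log]
case "${1:-}" in
  conf)  rsyslog_conf ;;
  check) check_audit_perms "${2:-$LOG_DIR}" ;;
esac
```

The permission check is deliberately conservative: query.json records who ran which statement and security.json records connection attempts, so a world-readable copy on the host hands that information to any local account. Restart rsyslog after installing the drop-in, and confirm on the SIEM side that all three tags arrive, since a silent tailing failure is easy to miss.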

Privacy

This section covers privacy controls of the database application.

Database View Restrictions

Ocient recommends implementing database table views based on the sensitivity of the data loaded into the database application, organizational policies, and legal requirements. You can grant access to specific columns or rows to specific users and groups by using database table views. For details, see Views.

Redacted Queries

The Ocient System supports redacted SQL statements in the database. Redacted text appears as ***. For details about the privileges that control redaction, see Data Control Language (DCL) Statement Reference.

Data Subject Requests

Ocient recommends using these guides to respond to data subject requests related to the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA).

Delete

To remove records from an Ocient System, see Remove Records from an Ocient System.

Update

To update or rectify records in the Ocient System, see INSERT INTO TABLE.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Last modified on May 27, 2026