Ocient Security Guide
This security guide is intended to assist organizations in hardening software-as-a-service (SaaS) or customer-deployed Ocient systems. For OcientCloud and Ocient management services, Ocient support personnel configure these settings based on organizational requirements and the applicable service agreement.

Implement these security features and measures to protect an Ocient system and ensure data privacy. This guide is not exhaustive; it represents a security baseline for an Ocient system. Depending on your environment, architecture, and services, not all security features and measures might apply.

Authentication and Access Control

This section applies to the database application of the Ocient system. You can install the database application on a standard Linux operating system (OS) distribution and apply authentication and access controls to the application host.

Identity Provider or Single Sign-On (SSO)

You can configure the Ocient Hyperscale Data Warehouse (OHDW) to use any OpenID Connect (OIDC) identity provider (such as Okta) for SSO. For details, see Authentication Methods.

Because of the potentially sensitive data accessible through the OHDW, use multi-factor authentication (MFA) for all accounts that access the OHDW. Ocient recommends implementing an OIDC identity provider on the OHDW and using MFA for authentication. Limit any local accounts to emergency (break-glass) access for recovering from SSO outages.

Role-Based Access Control (RBAC) Groups

The OHDW includes default system and database roles. The system also allows database administrators to create access groups with specific tables or views. You can assign these access groups to database users to restrict access to data based on the data type or classification.

Ocient recommends assigning system and database roles based on the principles of least privilege, separation of duties, and need to know. Access groups with specific tables, rows, or views can further restrict access based on data security requirements. For details, see Manage Users, Groups, and Roles.

Network Security

This section applies to the network segment that hosts the Ocient system.

Secure Bucket Access and Data Streaming

The OHDW supports data loading from a Kafka stream, a cloud bucket (for example, AWS S3), or a local file source. For details, see Data Pipelines.

Secure bucket access: If loading data from a cloud bucket such as AWS S3 or a Google Cloud (GCP) storage bucket, use network access controls, IP allow-listing (whitelisting), or data-in-transit encryption between the OHDW loader nodes and the cloud bucket. Only loader nodes need access to a data source; do not grant the bucket to other host roles.

Secure data streaming: The OHDW supports streaming data from a Kafka source to loader nodes. Ocient recommends using data-in-transit encryption between the Kafka data source and the loader nodes.

Network Exposure and Firewall

OHDW hosts should remain in the same network segment; however, you must still apply host-based and network-based firewalls. Ocient recommends deny-all, allow-by-exception firewall policies on hosts and on network infrastructure to secure OHDW environments. OHDW hosts should not be publicly accessible; keep them within organizational network boundaries and security controls (or the communication service provider (CSP) network boundaries and security controls).

The OHDW uses the following ports, protocols, and services externally and internally.

Communications external to the OHDW:

Port   Protocol  Service    Source               Destination
4050   TCP       JDBC       Ocient SQL hosts     JDBC connectors
8090   TCP       Telegraf   Ocient loader hosts  Data source
9090   TCP       REST       Ocient loader hosts  Metrics platform

Communications internal to the OHDW:

Port   Protocol  Service    Source                                              Destination
5050   TCP       rolehostd  Ocient LAT hosts                                    Ocient loader hosts
8443   TCP       nginx      Ocient loader hosts                                 Ocient LAT hosts
17600  TCP       rolehostd  Ocient SQL and metadata hosts                       Ocient SQL and metadata hosts
17700  TCP       rolehostd  Ocient SQL, loader, and foundation hosts            Ocient SQL, loader, and foundation hosts
17800  TCP       rolehostd  Ocient loader and foundation hosts                  Ocient loader and foundation hosts
17900  TCP       rolehostd  Ocient SQL, metadata, loader, and foundation hosts  Ocient SQL, metadata, loader, and foundation hosts

Data Security and Encryption

This section covers the data security and encryption of the database application. Apply the data security and encryption controls to the Linux OS host.

Data-at-Rest Encryption

The OHDW supports self-encrypting drives (SED) that meet the Trusted Computing Group (TCG) Opal standard or better. Ocient recommends using NVMe drives that support Opal or SED and implementing data-at-rest encryption. Base the encryption strength on data and system sensitivity. For details, see Ocient System Requirements.

Data-in-Transit Encryption

You can encrypt external JDBC connections using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). For details, see Secure Connections Using TLS. Ocient recommends using at least TLS 1.2 for external connections to the OHDW; SSL 3.0, TLS 1.0, and TLS 1.1 are deprecated and should be disabled on both the clients and the server.

System and Application Security

This section applies to both the Linux OS host and the database application.

Operating System Hardening

For the operating systems supported by the OHDW, see Ocient System Requirements. Ocient recommends using an industry-standard OS hardening baseline such as the CIS Benchmarks or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).

Operating System Patching

You must update hosts running the OHDW frequently and consistently to remediate vulnerabilities in the OS. Ocient recommends performing periodic vulnerability assessments or scans and updating OS packages according to severity within a defined timeframe.

Application Patching

Ocient tracks, monitors, and remediates vulnerabilities in the OHDW application and publishes updated software releases periodically. Ocient recommends keeping your OHDW application updated to the most current version. For details, see Ocient Software Upgrade.

Application and System Maintenance

Ocient recommends performing regular, periodic application and system maintenance to preserve system performance. For details about OHDW maintenance activities, see Maintenance Overview.

Secrets and Key Management

This section applies to secrets and keys within the Ocient system and database application. It does not cover Linux OS host secrets and keys, which should nevertheless have appropriate authentication and access controls applied. For details, see Set Up Data Encryption.

SED Key

Ocient recommends using a Key Management Interoperability Protocol (KMIP)-compliant key management platform to handle SED lock and unlock operations. By default, during system installation, if the installer detects Opal-compliant hardware, it enables full-disk encryption with the encryption key stored on the OS drive. A key stored on the OS drive of the same host protects against loss or removal of the data drives alone; it does not protect against an attacker who obtains the OS drive together with them, which is why an external KMIP key manager is recommended. For details, see Ocient System Requirements.

Auditing and Log Management

This section applies to auditing within the database application. It does not cover Linux OS host and infrastructure logs, which should have appropriate auditing controls applied.

Audit Management

The Ocient system stores security audit logs for the database application in the /var/log/ directory on the Linux OS host. For details about the individual log files in that directory, see Log Monitoring.

SIEM or System Log Forwarding

Ocient recommends using a security information and event management (SIEM) system or a system log (syslog) forwarder to ingest the rolehostd log, query JSON, and security JSON audit log files located on the Linux OS host.

Privacy

This section covers privacy controls of the database application.

Database View Restrictions

Ocient recommends implementing database table views based on the sensitivity of the data loaded into the database application, organizational policies, and legal requirements. You can grant access to specific columns or rows to specific users and groups by using database table views. For details, see Databases, Tables, Views, and Indexes.

Data Subject Requests

Ocient recommends using these guides to respond to data subject requests related to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA):

Delete: To remove records from an Ocient system, see Remove Records from an Ocient System.
Update: To update or rectify records in the Ocient system, see Databases, Tables, Views, and Indexes.

Related Links

Authentication Methods
Install an Ocient System
Load Data

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
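Worked example for the Secure Bucket Access guidance above. This is an added example, not Ocient's or AWS's own code: it builds an S3 bucket policy that combines the two controls the text names, IP allow-listing of the loader nodes and mandatory data-in-transit encryption, and grants the loader identity read-only access in keeping with "only loader nodes need access to a data source". The bucket name, IAM role ARN, and loader node CIDRs are constructed placeholders. The IP restriction is scoped to the loader role with the aws:PrincipalArn condition key so that an allow-list mistake does not lock administrators out of the bucket; note that aws:SourceIp evaluates public or NAT addresses and does not match requests arriving through a VPC endpoint (those expose aws:VpcSourceIp instead).

```python
"""S3 bucket policy for an OHDW load bucket: TLS only, loader nodes only,
read-only. Added example, not Ocient tooling; all identifiers are constructed."""

import ipaddress
import json

BUCKET = "example-ohdw-load"                                    # constructed
LOADER_ROLE_ARN = "arn:aws:iam::123456789012:role/ohdw-loader"  # constructed
LOADER_NODE_CIDRS = ["203.0.113.10/32", "203.0.113.11/32"]      # constructed (TEST-NET-3)


def cidrs_are_valid(cidrs):
    """True only if every entry is a well-formed network with no host bits set.
    A typo such as 203.0.113.10/24 would silently widen the allow-list."""
    try:
        for cidr in cidrs:
            ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return True


def loader_bucket_policy(bucket, loader_cidrs, loader_role_arn):
    """Return the policy document as a dict.

    The two explicit Deny statements carry the controls (an explicit Deny wins
    over any Allow in IAM evaluation); the Allow grants least-privilege reads."""
    if not cidrs_are_valid(loader_cidrs):
        raise ValueError("loader CIDR list contains an invalid network")
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # data-in-transit: refuse any request that did not arrive over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # IP allow-list, scoped to the loader role so admins are unaffected
                "Sid": "DenyLoaderOutsideAllowList",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {
                    "ArnLike": {"aws:PrincipalArn": loader_role_arn},
                    "NotIpAddress": {"aws:SourceIp": list(loader_cidrs)},
                },
            },
            {   # least privilege: loaders list and read, never write or delete
                "Sid": "AllowLoaderReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": loader_role_arn},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": resources,
            },
        ],
    }


def policy_json(bucket, loader_cidrs, loader_role_arn):
    """Serialized form ready for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(loader_bucket_policy(bucket, loader_cidrs, loader_role_arn), indent=2)


if __name__ == "__main__":
    print(policy_json(BUCKET, LOADER_NODE_CIDRS, LOADER_ROLE_ARN))
```

Apply the output with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`, and keep the loader role's own IAM policy equally narrow; the bucket policy is one side of the control, the identity policy is the other.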
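Worked example for the Network Exposure and Firewall section above. This is an added example, not Ocient tooling: it turns the port table into a deny-all, allow-by-exception nftables input chain for one host role, and then checks a host's real listening sockets (from `ss -ltn`) against the same table so that a service outside the documented set is caught rather than quietly allowed. It assumes that the table's Source column names the Ocient hosts that expose the service and its Destination column the peers that connect to it, which is the reading under which the JDBC row (SQL hosts serving JDBC connectors on 4050) makes sense. The role names, IP addresses, and `ss` output are constructed.

```python
"""Deny-all host firewall for an OHDW host, generated from the port table,
plus an audit of actual listeners. Added example; addresses are constructed."""

# Rows from the port table: (port, service, hosts that listen, peers allowed in).
PORT_TABLE = [
    (4050,  "jdbc",      {"sql"},                                     {"jdbc"}),
    (8090,  "telegraf",  {"loader"},                                  {"datasource"}),
    (9090,  "rest",      {"loader"},                                  {"metrics"}),
    (5050,  "rolehostd", {"lat"},                                     {"loader"}),
    (8443,  "nginx",     {"loader"},                                  {"lat"}),
    (17600, "rolehostd", {"sql", "metadata"},                         {"sql", "metadata"}),
    (17700, "rolehostd", {"sql", "loader", "foundation"},             {"sql", "loader", "foundation"}),
    (17800, "rolehostd", {"loader", "foundation"},                    {"loader", "foundation"}),
    (17900, "rolehostd", {"sql", "metadata", "loader", "foundation"}, {"sql", "metadata", "loader", "foundation"}),
]

# Constructed IPv4 addresses per role; a real deployment substitutes its own
# (IPv6 peers would need matching `ip6 saddr` rules).
PEERS = {
    "sql": ["10.0.1.10", "10.0.1.11"],
    "metadata": ["10.0.1.20"],
    "loader": ["10.0.2.10", "10.0.2.11"],
    "foundation": ["10.0.3.0/24"],
    "lat": ["10.0.4.10"],
    "jdbc": ["10.10.0.0/16"],        # analyst subnet running JDBC clients
    "datasource": ["10.20.5.7"],
    "metrics": ["10.30.0.5"],
}


def expected_ports(role):
    """Map each port a host of `role` must accept to the peer roles allowed in."""
    allowed = {}
    for port, _service, listeners, peers in PORT_TABLE:
        if role in listeners:
            allowed.setdefault(port, set()).update(peers)
    return allowed


def nft_ruleset(role, peers=PEERS):
    """Render an nftables input chain: drop by default, accept only table rows.
    Management access (SSH and similar) is deliberately absent; add it as a
    reviewed exception from a bastion subnet rather than widening the policy."""
    lines = [
        "table inet ohdw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for port, peer_roles in sorted(expected_ports(role).items()):
        addrs = sorted({a for r in peer_roles for a in peers[r]})
        lines.append(f"    ip saddr {{ {', '.join(addrs)} }} tcp dport {port} accept")
    lines += ['    log prefix "ohdw-drop " drop', "  }", "}"]
    return "\n".join(lines) + "\n"


def check_listeners(role, ss_output):
    """Compare `ss -ltn` output with the table; return (unexpected, missing) ports.
    Unexpected means an unreviewed service (or a stale table); missing means the
    role is not fully running."""
    listening = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            # Local Address:Port may look like 0.0.0.0:22, [::]:17700 or *:8080
            listening.add(int(fields[3].rsplit(":", 1)[1]))
    expected = set(expected_ports(role))
    return sorted(listening - expected), sorted(expected - listening)


# Constructed `ss -ltn` capture from a loader host (not real output).
SAMPLE_SS_LOADER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8090       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9090       0.0.0.0:*
LISTEN 0      4096   [::]:17700         [::]:*
LISTEN 0      4096   0.0.0.0:17800      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:17900      0.0.0.0:*
LISTEN 0      4096   *:8080             *:*
"""

if __name__ == "__main__":
    print(nft_ruleset("sql"))
    print(check_listeners("loader", SAMPLE_SS_LOADER))   # ([22, 8080], [8443])
```

Load the rendered chain with `nft -f` after review. In the sample audit, port 22 is reported as unexpected precisely because the page's table does not list it: under an allow-by-exception policy, management access has to be added as an explicit, reviewed exception, and the unknown listener on 8080 is the kind of finding the check exists to surface.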