Ocient Security Guide

this security guide is intended to assist organizations in hardening software as a service (saas) or customer deployed {{ocient}} systems {{ocientcloud}} and ocient management services include ocient support personnel configuring these settings based on organizational requirements and the applicable service agreement implement these security features and measures to protect an ocient system and ensure data privacy this guide is not exhaustive and represents a security baseline for an ocient system depending on your environment architecture and services, not all security features and measures might apply authentication and access control this section applies to the database application of the ocient system you can install the database application on a standard {{linux}} operating system (os) distribution and apply authentication and access controls to the application host identity provider or single sign on (sso) you can configure the {{ocienthyperscaledatawarehouse}} (ohdw) to use any openid connect (oidc) identity provider (such as {{okta}} ) for sso for details, see docid\ rurudicbkdqxfu y99p1r due to the potential sensitive data access provided through the ohdw, use multi factor authentication (mfa) for all accounts that access the ohdw ocient recommends implementing an oidc identity provider on the ohdw and utilizing mfa for authentication access any local accounts should be limited to emergency access to recover sso issues role based access control (rbac) groups the ohdw includes default system and database roles the system also allows database administrators to create access groups with specific tables or views you can assign these access groups to database users to restrict access to data based on the data type or classification ocient recommends assigning system and database roles based on the principles of least privilege, separation of duties, and need to know access groups with specific tables, rows, or views can further restrict access based on data security requirements for details, see docid\ k rpf30u 1c3jfq 7ahiu network security this section applies to the network segment that hosts the ocient system secure bucket access and data streaming the ohdw supports data loading using the {{kafka}} stream, cloud bucket (e g , {{aws}} s3), or local file source for details, see docid\ pbyszqvu5wonpgoso qto secure bucket access if loading data from a cloud bucket like aws s3, {{googlecloud}} gcp storage bucket, and so on, use network access controls, ip whitelisting, or data in transit encryption between the ohdw loader nodes and the cloud bucket only loader nodes need access to a data source secure data streaming the ohdw supports kafka source data streaming to loader nodes source configuration ocient recommends utilizing data in transit encryption between the kafka data source and loader nodes network exposure and firewall ohdw hosts should remain in the same network segment however, you must apply host and network based firewalls ocient recommends using deny all allow by exception firewall policies on hosts and network infrastructure to secure ohdw environments ohdw hosts should not be publicly accessible but within organizational network boundaries and security (or communication service provider (csp) network boundaries and security) the ohdw uses these ports, protocols, and services externally and internally communications external to the ohdw port protocol service source destination 4050 tcp jdbc jdbc connectors ocient sql hosts 8080 tcp lat lat client ocient loader hosts 8090 tcp e xtractor engine metrics platform ocient loader hosts 9090 tcp rolehostd metrics platform ocient loader hosts communications internal to the ohdw port protocol service source destination 5050 tcp rolehostd ocient lat hosts ocient loader hosts 17600 tcp rolehostd ocient sql and metadata hosts ocient sql and metadata hosts 17700 tcp rolehostd ocient sql, loader, and foundation hosts ocient sql, loader, and foundation hosts 17800 tcp rolehostd ocient loader and foundation hosts ocient loader and foundation hosts 17900 tcp rolehostd ocient sql, metadata, loader, and foundation hosts ocient sql, metadata, loader, and foundation hosts data security and encryption this section covers the data security and encryption of the database application apply the data security and encryption controls to the linux os host data at rest encryption the ohdw supports self encryption drives (sed) that meet the trusted computing group (tcg) opal standard or better ocient recommends utilizing nvme drives that support opal or sed and implementing data at rest encryption encryption strength should be based on data and system sensitivity for details, see docid\ yn3ugtv0bcrttcgalkltr and docid\ yn3ugtv0bcrttcgalkltr data in transit encryption you can encrypt external connections using jdbc through transport layer security (tls) or secure sockets layer (ssl) for details, see docid\ ffbnx0kvadbdpj bfjsse ocient recommends using at least tls 1 2 for external connections to the ohdw system and application security this section applies to both the linux os host and the database application operating system hardening for operating systems supported by the ohdw, see docid\ yn3ugtv0bcrttcgalkltr ocient recommends the use of an industry standard os hardening baseline like the {{cisbenchmarks}} or the defense information systems agency (disa) security technical implementation guides (stigs) operating system patching you must frequently and consistently update hosts running the ohdw to remediate any existing vulnerabilities within the os ocient recommends performing periodic vulnerability assessments or scans and updating os packages based on severity and timeframe application patching ocient tracks, monitors, and remediates vulnerabilities within the ohdw application and publishes updated software releases periodically ocient recommends keeping your ohdw application updated to the most current version for details, see docid\ p8zjor81tdsrmyndqlisn application and system maintenance ocient recommends performing regular and periodic application and system maintenance to preserve system performance for details about the ohdw maintenance activities, see docid\ uoulfwcwdjvjfauzi08tq secrets and key management this section applies to secrets and keys within the ocient system and database application the section does not include linux os host secrets and keys but should have appropriate authentication and access controls applied for details, see docid 8vnnuy5udinjo50iik21a sed key ocient recommends using a key management interoperability protocol (kmip) compliant key management platform to handle sed lock and unlock operations by default, during system installation, if the install detects opal compliant hardware, the install enables full disk encryption with the encryption key stored on the os drive for details, see docid\ yn3ugtv0bcrttcgalkltr auditing and log management this section applies to auditing within the database application the section does not include linux os host and infrastructure logs, but should have appropriate auditing controls applied audit management the ocient system stores security audit logs for the database application in the /var/log/ directory on the linux os host you can see these files in that directory file description rolehostd log contains all of the error, informational, and debug logs from the running database system query json contains information on all queries and statements executed on the system this file includes information such as the user who ran the query (or command), the time and duration, and many other details security json contains information on both successful and unsuccessful connections to the system for details, see docid\ maw7vxdbdy83cg5xw6nbv siem or system log forwarding ocient recommends using a security information and event manager (siem) or system log (syslog) forwarder to ingest the rolehostd log , query json , and security json audit log files located on the linux os host privacy this section covers privacy controls of the database application database view restrictions ocient recommends implementing database table views based on the sensitivity of the data loaded into the database application, organizational policies, and legal requirements you can grant access to specific columns or rows to specific users and groups by using database table views for details, see docid\ g tzn2zxb4zp8w7za8a1k redacted queries the ocient system supports redacted sql statements in the database redacted text appears as for details about the privileges that control redaction, see docid\ f55ngxtki0f7kkmyatvug data subject requests ocient recommends using these guides to respond to data subject requests related to the general data protection regulation (gdpr) or california consumer privacy act (ccpa) delete to remove records from an ocient system, see docid\ ubdqnmju5stv aqfavviz update to update or rectify records in the ocient system, see docid\ yhp4b1irv haf8f3df ww related links docid\ rurudicbkdqxfu y99p1r docid\ g68ytqw2qdudqpjld0tko docid\ zncvnrhsf6fg1yvqk6mxt {{linux}} is the registered trademark of linus torvalds in the u s and other countries