Ocient Security Guide
This security guide is intended to assist organizations in hardening Software as a Service (SaaS) or customer-deployed Systems. and Ocient Management Services include Ocient support personnel configuring these settings based on organizational requirements and the applicable service agreement. Implement these security features and measures to protect an Ocient System and ensure data privacy.
This guide is not exhaustive and represents a security baseline for an Ocient System. Depending on your environment architecture and services, not all security features and measures might apply.
This section applies to the database application of the Ocient System. You can install the database application on a standard operating system (OS) distribution and apply authentication and access controls to the application host.
You can configure the (OHDW) to use any OpenID Connect (OIDC) identity provider (such as ) for SSO. For details, see Authentication Methods.
Due to the potential sensitive data access provided through the OHDW, use multi-factor authentication (MFA) for all accounts that access the OHDW.
Ocient recommends implementing an OIDC identity provider on the OHDW and utilizing MFA for authentication access. Any local accounts should be limited to emergency access to recover SSO issues.
The OHDW includes default System and Database Roles. The system also allows database administrators to create access groups with specific tables or views. You can assign these access groups to database users to restrict access to data based on the data type or classification.
Ocient recommends assigning System and Database Roles based on the principles of least privilege, separation of duties, and need-to-know. Access groups with specific tables, rows, or views can further restrict access based on data security requirements.
For details, see Manage Users, Groups, and Roles.
This section applies to the network segment that hosts the Ocient System.
The OHDW supports data loading using the stream, cloud bucket (e.g., S3), or local file source. For details, see SOURCE Options.
If loading data from a cloud bucket like AWS S3, GCP storage bucket, and so on, use network access controls, IP whitelisting, or data-in-transit encryption between the OHDW Loader Nodes and the cloud bucket. Only Loader Nodes need access to a data source.
The OHDW supports Kafka Source data streaming to Loader Nodes: source-configuration
Ocient recommends utilizing data-in-transit encryption between the Kafka data source and Loader Nodes.
OHDW hosts should remain in the same network segment. However, you must apply host and network-based firewalls.
Ocient recommends using deny-all allow-by-exception firewall policies on hosts and network infrastructure to secure OHDW environments.
OHDW hosts should not be publicly accessible but within organizational network boundaries and security (or communication service provider (CSP) network boundaries and security).
The OHDW uses these ports, protocols, and services externally and internally.
Port | Protocol | Service | Source | Destination |
|---|---|---|---|---|
4050 | TCP | JDBC | Ocient SQL Hosts | JDBC Connectors |
8090 | TCP | telegraf | Ocient Loader Hosts | Data Source |
9090 | TCP | REST | Ocient Loader Hosts | Metrics Platform |
Port | Protocol | Service | Source | Destination |
|---|---|---|---|---|
5050 | TCP | rolehostd | Ocient LAT Hosts | Ocient Loader Hosts |
8443 | TCP | nginx | Ocient Loader Hosts | Ocient LAT Hosts |
17600 | TCP | rolehostd | Ocient SQL and Metadata Hosts | Ocient SQL and Metadata Hosts |
17700 | TCP | rolehostd | Ocient SQL, Loader, and Foundation Hosts | Ocient SQL, Loader, and Foundation Hosts |
17800 | TCP | rolehostd | Ocient Loader and Foundation Hosts | Ocient Loader and Foundation Hosts |
17900 | TCP | rolehostd | Ocient SQL, Metadata, Loader, and Foundation Hosts | Ocient SQL, Metadata, Loader, and Foundation Hosts |
This section covers the data security and encrytion of the database application. Apply the data security and encryption controls to the Linux OS host.
The OHDW supports self-encryption drives (SED) that meet the Trusted Computing Group (TCG) Opal standard or better.
Ocient recommends utilizing NVMe drives that support Opal or SED and implementing data-at-rest encryption. Encryption strength should be based on data and system sensitivity. For details, see Server Hardware Requirements and Data Drive Requirements.
You can encrypt external connections using JDBC through transport layer security (TLS) or secure sockets layer (SSL). For details, see Secure Connections Using TLS.
Ocient recommends using at least TLS 1.2 for external connections to the OHDW.
This section applies to both the Linux OS host and the database application.
For operating systems supported by the OHDW, see Ocient System Requirements.
Ocient recommends the use of an industry-standard OS hardening baseline like the or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
You must frequently and consistently update hosts running the OHDW to remediate any existing vulnerabilities within the OS.
Ocient recommends performing periodic vulnerability assessments or scans and updating OS packages based on severity and timeframe.
Ocient tracks, monitors, and remediates vulnerabilities within the OHDW application and publishes updated software releases periodically.
Ocient recommends keeping your OHDW application updated to the most current version.
For details, see Ocient Software Upgrade.
Ocient recommends performing regular and periodic application and system maintenance to preserve system performance. For details about the OHDW maintenance activities, see Maintenance Overview.
This section applies to secrets and keys within the Ocient System and database application. The section does not include Linux OS host secrets and keys but should have appropriate authentication and access controls applied. For details, see Set Up Data Encryption.
Ocient recommends using a Key Management Interoperability Protocol (KMIP) compliant key management platform to handle SED lock and unlock operations.
By default, during system installation, if the install detects Opal-compliant hardware, the install enables full disk encryption with the encryption key stored on the OS drive. For details, see Data Drive Requirements.
This section applies to auditing within the database application. The section does not include Linux OS host and infrastructure logs but should have appropriate auditing controls applied.
The Ocient System stores security audit logs for the database application in the /var/log/ directory on the Linux OS host. You can see these files in that directory.
File | Description |
|---|---|
rolehostd.log | Contains all of the error, informational, and debug logs from the running database system. |
query.json | Contains information on all queries and statements executed on the system. This file includes information such as the user who ran the query (or command), the time and duration, and many other details. |
security.json | Contains information on both successful and unsuccessful connections to the system. |
For details, see Log Monitoring.
Ocient recommends using a security information and event manager (SIEM) or system log (syslog) forwarder to ingest the rolehostd.log, query.json, and security.json audit log files located on the Linux OS host.
This section covers privacy controls of the database application.
Ocient recommends implementing database table views based on the sensitivity of the data loaded into the database application, organizational policies, and legal requirements. You can grant access to specific columns or rows to specific users and groups by using database table views. For details, see VIEW.
Ocient recommends using these guides to respond to data subject requests related to the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA).
To remove records from an Ocient System, see Remove Records from an Ocient System.
To update or rectify records in the Ocient System, see INSERT INTO TABLE.