Ocient Security Guide

this security guide is intended to assist organizations in hardening software as a service (saas) or customer deployed systems and ocient management services include ocient support personnel configuring these settings based on organizational requirements and the applicable service agreement implement these security features and measures to protect an ocient system and ensure data privacy this guide is not exhaustive and represents a security baseline for an ocient system depending on your environment architecture and services, not all security features and measures might apply authentication and access control this section applies to the database application of the ocient system you can install the database application on a standard operating system (os) distribution and apply authentication and access controls to the application host identity provider or single sign on (sso) you can configure the to use any openid connect (oidc) identity provider (such as ) for sso for details, see authentication methods docid\ fq5qmoebhw9ylcshl bt due to the potential sensitive data access provided through the ocient system, use multi factor authentication (mfa) for all accounts that access the ocient system ocient recommends implementing an oidc identity provider on the ocient system and utilizing mfa for authentication access any local accounts should be limited to emergency access to recover sso issues role based access control (rbac) groups the ocient system includes default system and database roles the system also allows database administrators to create access groups with specific tables or views you can assign these access groups to database users to restrict access to data based on the data type or classification ocient recommends assigning system and database roles based on the principles of least privilege, separation of duties, and need to know access groups with specific tables, rows, or views can further restrict access based on data security requirements for details, see manage users, groups, and roles docid\ kg5gprnodkng9eigkxp5i network security this section applies to the network segment that hosts the ocient system secure bucket access and data streaming the ocient system supports data loading using the stream, cloud bucket (e g , s3), or local file source for details, see source options docid 0qxabe6vs9pbygbrfmnah secure bucket access if loading data from a cloud bucket like aws s3, gcp storage bucket, and so on, use network access controls, ip whitelisting, or data in transit encryption between the loader nodes in the ocient system and the cloud bucket only loader nodes need access to a data source secure data streaming the ocient system supports kafka source data streaming to loader nodes source configuration ocient recommends utilizing data in transit encryption between the kafka data source and loader nodes network exposure and firewall the ocient system hosts should remain in the same network segment however, you must apply host and network based firewalls ocient recommends using deny all allow by exception firewall policies on hosts and network infrastructure to secure ocient system environments the hosts in the ocient system should not be publicly accessible but within organizational network boundaries and security (or communication service provider (csp) network boundaries and security) the ocient system uses these ports, protocols, and services externally and internally communications external to the ocient system port protocol service source destination 4050 tcp jdbc jdbc connectors ocient sql hosts 8080 tcp lat lat client ocient loader hosts 8090 tcp e xtractor engine metrics platform ocient loader hosts 9090 tcp rolehostd metrics platform ocient loader hosts communications internal to the ocient system port protocol service source destination 5050 tcp rolehostd ocient lat hosts ocient loader hosts 17600 tcp rolehostd ocient sql and metadata hosts ocient sql and metadata hosts 17700 tcp rolehostd ocient sql, loader, and foundation hosts ocient sql, loader, and foundation hosts 17800 tcp rolehostd ocient loader and foundation hosts ocient loader and foundation hosts 17900 tcp rolehostd ocient sql, metadata, loader, and foundation hosts ocient sql, metadata, loader, and foundation hosts data security and encryption this section covers the data security and encryption of the database application apply the data security and encryption controls to the linux os host data at rest encryption the ocient system supports self encryption drives (sed) that meet the trusted computing group (tcg) opal standard or better ocient recommends utilizing nvme drives that support opal or sed and implementing data at rest encryption encryption strength should be based on data and system sensitivity for details, see server hardware requirements docid\ reryjvwhk6gtll71df vw and data drive requirements docid\ reryjvwhk6gtll71df vw data in transit encryption you can encrypt external connections using jdbc through transport layer security (tls) or secure sockets layer (ssl) for details, see secure connections using tls docid\ h yhvexmpqytacgsuwmfh ocient recommends using at least tls 1 2 for external connections to the ocient system system and application security this section applies to both the linux os host and the database application operating system hardening for operating systems supported by the ocient system , see ocient system requirements docid\ reryjvwhk6gtll71df vw ocient recommends the use of an industry standard os hardening baseline like the or the defense information systems agency (disa) security technical implementation guides (stigs) operating system patching you must frequently and consistently update hosts running the ocient system to remediate any existing vulnerabilities within the os ocient recommends performing periodic vulnerability assessments or scans and updating os packages based on severity and timeframe application patching ocient tracks, monitors, and remediates vulnerabilities within the ocient system application and publishes updated software releases periodically ocient recommends keeping your ocient system application updated to the most current version for details, see ocient software upgrade docid\ b3d8esh2i1u jtgcrojt6 application and system maintenance ocient recommends performing regular and periodic application and system maintenance to preserve system performance for details about the ocient system maintenance activities, see maintenance overview docid 5dbvazylang5zrwa3acgo secrets and key management this section applies to secrets and keys within the ocient system and database application the section does not include linux os host secrets and keys but should have appropriate authentication and access controls applied for details, see set up data encryption docid\ j0vufzibkhw6rnlpqwmqp sed key ocient recommends using a key management interoperability protocol (kmip) compliant key management platform to handle sed lock and unlock operations by default, during system installation, if the install detects opal compliant hardware, the install enables full disk encryption with the encryption key stored on the os drive for details, see data drive requirements docid\ reryjvwhk6gtll71df vw auditing and log management this section applies to auditing within the database application the section does not include linux os host and infrastructure logs, but should have appropriate auditing controls applied audit management the ocient system stores security audit logs for the database application in the /var/log/ directory on the linux os host you can see these files in that directory file description rolehostd log contains all of the error, informational, and debug logs from the running database system query json contains information on all queries and statements executed on the system this file includes information such as the user who ran the query (or command), the time and duration, and many other details security json contains information on both successful and unsuccessful connections to the system for details, see log monitoring docid\ vqzqyazgostye1l9efuxr siem or system log forwarding ocient recommends using a security information and event manager (siem) or system log (syslog) forwarder to ingest the rolehostd log , query json , and security json audit log files located on the linux os host privacy this section covers privacy controls of the database application database view restrictions ocient recommends implementing database table views based on the sensitivity of the data loaded into the database application, organizational policies, and legal requirements you can grant access to specific columns or rows to specific users and groups by using database table views for details, see views docid 31awiak6ah4wluypz1tmi redacted queries the ocient system supports redacted sql statements in the database redacted text appears as for details about the privileges that control redaction, see data control language (dcl) statement reference docid\ otlj4xmmckz1yfviq9vxu data subject requests ocient recommends using these guides to respond to data subject requests related to the general data protection regulation (gdpr) or california consumer privacy act (ccpa) delete to remove records from an ocient system, see remove records from an ocient system docid\ s67tmglyp6nefqd3yxox7 update to update or rectify records in the ocient system, see insert into table docid tp6ahq7papbrxirtqxyn related links authentication methods docid\ fq5qmoebhw9ylcshl bt install an ocient system docid 9o0 zwocqxxw5w4rzsyda load data docid\ lk7xyhhwzkwj32rx8p v2 is the registered trademark of linus torvalds in the u s and other countries