Smart DIH - Security

The Smart DIH security controls for applications and data can be illustrated by the following seven layers:


  1. Vulnerability Scans

    • The platform components are continuously checked against the CVE database.

    • The Docker images in use are also scanned for CVEs.

  2. Encryption, Authorization and Authentication

  3. Node Access Control

    • Processes on the nodes run inside Docker containers; access is limited to the Docker entities by enforcing a specific user:group ownership.

  4. Security Groups & ACLs - Cloud Private Network Security

    • All nodes run within the private network.

    • Security groups are opened only to specific ports and specific entities (gateways, load balancers).

  5. Gateway, Routers, Firewalls

  6. SSL/TLS Termination

    • Communication to and from the platform is performed over TLS (TLS 1.2).

  7. WAF API-Gateway

    • For services exposed to external users (intranet or internet), an API Gateway is added. The API Gateway authorizes each service request before it reaches the servicing part of the platform.

    • A WAF is optional and is added mainly in zero-trust deployments where additional rules are applied.
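Layer 1 states that the platform components and Docker images are checked against the CVE database, but an overview cannot show what is done with the result. The following is an added example, not GigaSpaces code, of the build gate a practitioner would put behind such a scan: it flattens a scan report, applies a policy (severity threshold, a reviewed allowlist, and whether an unfixable finding should block), and returns a pass/fail decision. The report layout, image name, package names and CVE identifiers are constructed placeholders for the example; a real scanner has its own schema, so only parse_report() would change.

```python
"""Build gate over a container-image CVE scan report.

Added example, not GigaSpaces code. It assumes a simplified report layout
(image name plus per-target vulnerability lists with id, package, severity,
installed and fixed version); real scanners each have their own schema, so
parse_report() is the only part that would change.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Ordering used to compare severities against the policy threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    image: str
    target: str            # layer or artifact the package was found in
    package: str
    cve: str
    severity: str
    installed: str
    fixed: Optional[str]   # None when the scanner knows no patched version


def parse_report(report: dict) -> List[Finding]:
    """Flatten the (assumed) report layout into Finding records."""
    findings = []
    for result in report.get("results", []):
        for v in result.get("vulnerabilities", []):
            findings.append(Finding(
                image=report["image"],
                target=result["target"],
                package=v["package"],
                cve=v["id"],
                severity=str(v.get("severity", "UNKNOWN")).upper(),
                installed=v["installed_version"],
                fixed=v.get("fixed_version") or None,
            ))
    return findings


def blocking_findings(findings: Iterable[Finding], min_severity: str = "HIGH",
                      allowlist: Iterable[str] = (), require_fix: bool = True) -> List[Finding]:
    """Select the findings that should fail the build.

    A finding blocks when its severity is at or above min_severity, its CVE id
    is not on the reviewed-and-accepted allowlist, and (if require_fix is set)
    a fixed version exists, i.e. the image can actually be rebuilt to clear it.
    Unfixable findings are still worth reporting, just not worth failing on.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    accepted = set(allowlist)
    blocked = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        if f.cve in accepted:
            continue
        if require_fix and f.fixed is None:
            continue
        blocked.append(f)
    return blocked


def gate(report: dict, **policy) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking findings) for one scan report."""
    blocked = blocking_findings(parse_report(report), **policy)
    return (not blocked, blocked)


# Constructed sample report. The CVE ids, package names and versions are
# placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "image": "registry.example.internal/dih/data-service:1.0",
    "results": [
        {"target": "os-packages", "vulnerabilities": [
            {"id": "CVE-2099-0001", "package": "libexample", "severity": "CRITICAL",
             "installed_version": "1.2.0", "fixed_version": "1.2.1"},
            {"id": "CVE-2099-0002", "package": "libexample", "severity": "HIGH",
             "installed_version": "1.2.0", "fixed_version": None},
            {"id": "CVE-2099-0003", "package": "tool-example", "severity": "MEDIUM",
             "installed_version": "3.0", "fixed_version": "3.1"},
        ]},
        {"target": "app/libs", "vulnerabilities": [
            {"id": "CVE-2099-0004", "package": "example-client.jar", "severity": "HIGH",
             "installed_version": "2.4", "fixed_version": "2.5"},
        ]},
    ],
}

if __name__ == "__main__":
    passed, blocked = gate(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL")
    for f in blocked:
        print(f"  {f.cve} {f.severity} {f.package} {f.installed} -> {f.fixed} ({f.target})")
```

With the default policy the sample fails on the two fixable HIGH/CRITICAL findings; the HIGH finding without a fixed version is reported but does not block, which is the usual compromise between "constantly tested" and a build that can never go green. Allowlisted CVE ids should be tied to a written risk acceptance and re-reviewed when the image is rebuilt.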

IDP Integration

GigaSpaces supports integration with identity providers (IDPs) that support the OpenID Connect protocol, such as Okta and Azure AD. Users of SpaceDeck (platform control and monitoring) are managed via the IDP, and user groups in the IDP are mapped to roles.

For IDP setup details refer to our SpaceDeck - SSO IDP Setup page, found in our User Guide.

Service Accounts

Service accounts represent components that integrate with the data-grid. An advanced user can write additional components and plug them into the system; these components must be enrolled in the Service Accounts section of SpaceDeck.

For details about Service Accounts refer to our Service Account Privilege Management page, found in our Architectural Overview section.

Roles & Privileges

User and service accounts can be assigned to roles that limit their access to the data-grid and to platform control. A role is a collection of privileges, each of which defines an allowed operation on a resource. Some privileges are system level, and some are associated with specific resources at the data-grid level, a Space, or a table.

For details about Roles & Privileges refer to our Security Overview page, found in our Architectural Overview section.

Auditing

Each operation performed through SpaceDeck (pipelines, services, data-grid/Spaces) is audited and written to a log that records both the user ID and the operation performed. The IDP logs user logins and logouts.
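The IDP Integration, Roles & Privileges and Auditing sections above describe one chain: IDP groups carried in the OpenID Connect token map to roles, a role is a set of privileges that are either system level or scoped to a data-grid, Space or table, and every operation is recorded with the user ID. The following is an added example, not GigaSpaces code, that implements that chain end to end so the scoping rule is concrete: a privilege granted on a Space covers the tables beneath it, a system-level privilege never covers a resource operation, and both allowed and denied decisions are audited. The role names, privilege names, resource path layout (grid, grid/space, grid/space/table), the "groups" claim name and the token claims are assumptions made for the example.

```python
"""IDP group -> role -> privilege model with scoped resources and an audit trail.

Added example, not GigaSpaces code. The role names, privilege names, the
resource path layout (grid / grid/space / grid/space/table) and the "groups"
claim name are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Privilege:
    """One allowed operation. resource=None marks a system-level privilege;
    otherwise resource is a path such as "grid1", "grid1/orders" or
    "grid1/orders/invoices", and the grant covers everything beneath it."""
    operation: str
    resource: Optional[str] = None

    def covers(self, operation: str, resource: Optional[str]) -> bool:
        if self.operation != operation:
            return False
        if self.resource is None:          # system-level privilege...
            return resource is None        # ...only matches system-level operations
        if resource is None:
            return False
        # Compare path components, not string prefixes, so a grant on
        # "grid1/orders" does not accidentally cover "grid1/orders2".
        granted = self.resource.split("/")
        requested = resource.split("/")
        return requested[:len(granted)] == granted


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str            # subject from the IDP token
    operation: str
    resource: Optional[str]
    allowed: bool


class Authorizer:
    def __init__(self, role_privileges: Dict[str, Set[Privilege]],
                 group_to_role: Dict[str, str], groups_claim: str = "groups"):
        self.role_privileges = role_privileges
        self.group_to_role = group_to_role
        self.groups_claim = groups_claim   # assumed claim name; IDPs differ
        self.audit_log: List[AuditEntry] = []

    def roles_for(self, claims: dict) -> Set[str]:
        """Map IDP groups in the token to platform roles; unmapped groups confer nothing."""
        return {self.group_to_role[g] for g in claims.get(self.groups_claim, [])
                if g in self.group_to_role}

    def authorize(self, claims: dict, operation: str, resource: Optional[str] = None) -> bool:
        roles = self.roles_for(claims)
        allowed = any(p.covers(operation, resource)
                      for role in roles for p in self.role_privileges.get(role, ()))
        # Every decision, allowed or denied, is recorded with the user ID and operation.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), claims["sub"], operation, resource, allowed))
        return allowed


# Assumed role definitions (illustrative).
ROLE_PRIVILEGES = {
    "platform-admin": {Privilege("manage-services"), Privilege("manage-pipelines"),
                       Privilege("read", "grid1"), Privilege("write", "grid1")},
    "orders-reader": {Privilege("read", "grid1/orders")},   # read every table of the orders Space
}
# Assumed IDP group names mapped to those roles.
GROUP_TO_ROLE = {"dih-admins": "platform-admin", "orders-readers": "orders-reader"}

# Constructed ID-token claims, as a relying party sees them after signature validation.
ADMIN_CLAIMS = {"sub": "alice@example.com", "groups": ["dih-admins"]}
READER_CLAIMS = {"sub": "bob@example.com", "groups": ["orders-readers", "unmapped-group"]}


def demo() -> Authorizer:
    """Run a few decisions and return the authorizer so the audit log can be inspected."""
    authz = Authorizer(ROLE_PRIVILEGES, GROUP_TO_ROLE)
    authz.authorize(READER_CLAIMS, "read", "grid1/orders/invoices")   # allowed: inherited from Space grant
    authz.authorize(READER_CLAIMS, "write", "grid1/orders/invoices")  # denied: no write privilege
    authz.authorize(READER_CLAIMS, "read", "grid1/customers")         # denied: different Space
    authz.authorize(READER_CLAIMS, "manage-services")                 # denied: system-level operation
    authz.authorize(ADMIN_CLAIMS, "manage-services")                  # allowed: system-level privilege
    authz.authorize(ADMIN_CLAIMS, "write", "grid1/orders/invoices")   # allowed: grid-wide grant
    return authz


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Two details matter in practice: the group claim must come from a token whose signature and issuer have been validated before it reaches this code, and a group that is not in the mapping grants nothing rather than falling back to a default role. Denied operations are logged alongside allowed ones; the denials are usually the more useful half of the audit trail.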

