Skip to Content

Changes for page eMagiz Security Guide

Last modified by Erik Bakker on 2024/08/20 08:53
From version 40.1
edited by Erik Bakker
on 2024/08/08 11:54
Change comment: There is no comment for this version
To version 13.1
edited by eMagiz
on 2022/06/13 09:34
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,0 @@
1 -eMagiz Security Guide
Parent
... ... @@ -1,1 +1,0 @@
1 -WebHome
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ebakker
1 +XWiki.marijn
Content
... ... @@ -1,8 +1,19 @@
1 -{{container}}{{container layoutStyle="columns"}}(((
2 -in this fundamental, we will delve into the security perspective of the eMagiz landscape. We'll explore the cloud setup, data protection, and more to understand the role security plays in each part of the eMagiz architecture. Let's dive in!
1 +{{html wiki="true"}}
2 +<div class="ez-academy">
3 + <div class="ez-academy_body">
4 +<div class="doc">
5 +
3 3  
7 +
8 += eMagiz Security Guide =
9 +
10 +In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims to clarify the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
11 +
4 4  Should you have any questions, please get in touch with academy@emagiz.com.
5 5  
14 +* Last update: February 17th, 2022
15 +* Required reading time: 15 minutes
16 +
6 6  == 1. Prerequisites ==
7 7  
8 8  * Some context on cloud functionality will be helpful.
... ... @@ -12,8 +12,10 @@
12 12  * Protecting your data is a joint responsibility between eMagiz and you
13 13  * The repository is read-only for clients
14 14  * Data in the Cloud is kept within your VPC
15 -* The portal is behind an MFA check
26 +* Production data in the portal is behind an MFA check
16 16  
28 +
29 +
17 17  == 3. eMagiz Security Guide ==
18 18  
19 19  In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims to clarify the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
... ... @@ -35,9 +35,9 @@
35 35  * A bitbucket pipeline will be created soon to enable automatic updates. This data pipeline will also need a unique username/password combination along with the fact that the connection itself is a one-way SSL connection (encrypted)
36 36  * The repository is read-only for clients. This means that even if someone gets their hands on a username/password combination, they do not have sufficient rights to alter anything in the repository. They can only read the data that is kept in the repository.
37 37  
38 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--definition-emagiz-model.png]]
51 +<p align="center">[[image:fundamental-emagiz-security-guide--definition-emagiz-model.png||]]</p>
39 39  
40 -=== 3.2 Security Guidelines - Cloud ===
53 +=== 3.2 Security Guidelines * Cloud ===
41 41  
42 42  In this section, we take a closer look at the cloud setup in general. Here we will focus on high-level security measurements because we already specified security measurements at the data level.
43 43  
... ... @@ -46,7 +46,7 @@
46 46  The picture below shows a standard double-lane setup of an eMagiz instance within the eMagiz Cloud. A single-lane design looks similar but only consists of one core machine.
47 47  This gives insight into how messages flow through the Cloud, which measures are taken for monitoring and auto-healing, and where data is temporarily stored 'in transit.'
48 48  
49 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-cloud-inner-workings--customer-level-overview-double-lane.png]]
62 +<p align="center">[[image:fundamental-emagiz-cloud-inner-workings--customer-level-overview-double-lane.png||]]</p>
50 50  
51 51  We want to use this picture to explain specific components within the Cloud from a security perspective. We will start at the outside and work our way inwards.
52 52  
... ... @@ -73,7 +73,7 @@
73 73  * Monitoring
74 74  * Notification options
75 75  
76 -Making sure you are on the latest cloud template version guards yourself against vulnerabilities in older versions of Java and OS, for example. In addition, it gives the user more options for monitoring the health of the cloud environment reducing the risk of a loss of availability of data (promptly) without compromising the integrity of the data. For more information on what cloud templates are and how to control and update them, please check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.novice-emagiz-cloud-management-cloud-templates-explained||target="blank"]].
89 +Making sure you are on the latest cloud template version guards yourself against vulnerabilities in older versions of Java and OS, for example. In addition, it gives the user more options for monitoring the health of the cloud environment reducing the risk of a loss of availability of data (promptly) without compromising the integrity of the data. For more information on what cloud templates are and how to control and update them, please check out this [microlearning](../microlearning/novice-emagiz-cloud-management-cloud-templates-explained.md).
77 77  
78 78  ==== 3.2.5 Carwash ====
79 79  
... ... @@ -117,7 +117,7 @@
117 117  
118 118  Support engineers can see more to analyze problems on a lower level.
119 119  
120 -All other users don't have access to the cloud setup as there is no need for access because they can perform the relevant actions on the Cloud via the eMagiz portal. For more information on how please see the [[eMagiz Cloud Management>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.WebHome||target="blank"]] course.
133 +All other users don't have access to the cloud setup as there is no need for access because they can perform the relevant actions on the Cloud via the eMagiz portal. For more information on how please see the [eMagiz Cloud Management](../microlearning/novice-emagiz-cloud-management-index) course.
121 121  
122 122  ===== 3.3.2.1 Rights for installing =====
123 123  
... ... @@ -135,7 +135,7 @@
135 135  
136 136  Let us first look at the data "in transit." This is the process phase where data is interchanged between flows within the eMagiz platform. This data interchange goes (i.e., from entry to onramp or offramp to exit) via the orchestration of the JMS server on the messaging layer. This is nicely shown in the picture below.
137 137  
138 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--data-orchestration.png]]
151 +<p align="center">[[image:fundamental-emagiz-security-guide--data-orchestration.png||]]</p>
139 139  
140 140  Data "in transit" is temporarily stored on an encrypted filesystem with the help of encryption algorithms.
141 141  For the Cloud, eMagiz uses the AES-256 encryption algorithm.
... ... @@ -174,25 +174,28 @@
174 174  
175 175  ==== 3.5.2 API Gateway ====
176 176  
177 -A structure with roles and rights per role can be specified within the portal or via an external IDP to secure the front end of the API Gateway in eMagiz. For the backend of the API Gateway, the same logic applies as stated above for messaging, which means that eMagiz supports the industry standard. Therefore, you as a user should confer with the external party about the correct method.
190 +A structure with roles and rights per role can be specified within the portal or via an external IDP to secure the front end of the API Gateway in eMagiz.
178 178  
179 179  ===== 3.5.2.1 Portal =====
180 180  
181 181  As you can see in the picture shown below, the roles are defined so that the Read role can only access two integrations available for this specific API Gateway. If a client has insufficient rights, they will receive a 401 Unauthorized
182 182  
183 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--api-gateway-portal-feedback.png]]
196 +<p align="center">[[image:fundamental-emagiz-security-guide--api-gateway-portal-feedback.png||]]</p>
184 184  
185 -===== 3.5.2.2 (External) IDP =====
198 +===== 3.5.2.2 External IDP =====
186 186  
187 -Apart from configuring the roles, users, and rights within the portal itself, it is also possible to hook the API Gateway up to an (external) IDP.
200 +Apart from configuring the roles, users, and rights within the portal itself, it is also possible to hook the API Gateway up to an external IDP.
188 188  By communicating with this IDP via the OAuth2.0 protocol, a check is done every time a client calls a specific operation to see whether that client has sufficient rights to access the operation.
189 189  If the client has sufficient rights, the process continues. For example, if the client has insufficient rights, the client receives a 401 Unauthorized.
190 190  
204 +For the backend of the API Gateway, the same logic applies as stated above for messaging, which means that eMagiz supports the industry standard. Therefore, you as a user should confer with the external party about the correct method.
205 +
191 191  ===== 3.5.2.3 Error handling =====
192 192  
193 193  To prevent the error message if it occurs is sent straight back to the client, you can configure the front end of the API Gateway, so that correct HTTP Status codes are given back to the client, including a descriptive message.
194 194  
195 -For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-configure-roles-and-users||target="blank"]].
210 +For more information on how this precisely can be configured via the eMagiz platform, please check the following [microlearning](../microlearning/crashcourse-api-gateway-configure-roles-and-users.md)
211 +
196 196  ==== 3.5.3 Event Streaming ====
197 197  
198 198  Within the Event Streaming solution, eMagiz provides Event Streaming users, and topics can be created.
... ... @@ -204,9 +204,8 @@
204 204  
205 205  These are all security measures to prevent third parties from getting unauthorized access to the data stored on the topics.
206 206  
207 -For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.crashcourse-eventstreaming-user-management||target="blank"]].
223 +For more information on how this precisely can be configured via the eMagiz platform, please check the following [microlearning](../microlearning/crashcourse-eventstreaming-user-management.md)
208 208  
209 -
210 210  === 3.6 eMagiz iPaaS Portal ===
211 211  
212 212  The eMagiz portal provides access to users to manage their eMagiz integration configurations. It provides access to all the features to develop, deploy and manage integrations across Test, Acceptance, and Production environments.
... ... @@ -215,8 +215,8 @@
215 215  
216 216  ===== 3.6.1.1 User access to https://my.emagiz.com =====
217 217  
218 -Users can be added with their email address by the eMagiz Partner Manager or by their company contact, upon which the user gets an email to sign in. A temporary password is created and emailed, which has to be changed at the first login to the iPaaS portal. In addition, users are connected to organizations in eMagiz.
219 -In the administration section of the user, upon first login an MFA configuration needs to be executed by the user so they can access models to which they have been granted rights. Typical authenticators on a smartphone can be used, such as Google Authenticator. For more information, check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-security-add-mfa.WebHome||target="blank"]]. An MFA response is required for model owners to manage the permissions on a model level. See the following sections for more details on these functions.
233 +Users can be added with their email address by the eMagiz Partner Manager, upon which the user gets an email to sign in. A temporary password is created and emailed, which has to be changed at the first login to the iPaaS portal. In addition, users are connected to organizations in eMagiz.
234 +In the administration section of the user, an MFA token can be used to enable the Multifactor Authentication on a user level. Typical authenticators on a smartphone can be used, such as Google Authenticator. An MFA response is required for model owners to manage the permissions on a project level and any Edit activity in Production environments. See the following sections for more details on these functions.
220 220  
221 221  ===== 3.6.1.2 Users access to Integration Projects =====
222 222  
... ... @@ -224,7 +224,7 @@
224 224  
225 225  ===== 3.6.1.3 User authorizations to Integration projects. =====
226 226  
227 -Every integration project has a model owner who can distribute rights across functionalities and environments. The picture below shows the various options available across the Integration Life Cycle (ILM) Phases Capture through Manage. In addition, the model owner manages the user permissions and needs to have the MFA authentication level passed before making any changes (which is asked of the model owner upon login).
242 +Every integration project has a model owner who can distribute rights across functionalities and environments. The picture below shows the various options available across the Integration Life Cycle (ILM) Phases Capture through Manage. In addition, the model owner manages the user permissions and needs to have the MFA authentication level passed before making any changes.
228 228  
229 229  * When Edit permission is granted on an ILM phase, all the sub-options are configurable
230 230  * View rights mean that all options can be viewed only
... ... @@ -232,7 +232,7 @@
232 232  * Model owners are assigned to integration projects by eMagiz Administrators
233 233  * An audit trail is kept of the changes made in the project permission structure
234 234  
235 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--access-rights.png]]
250 +<p align="center">[[image:fundamental-emagiz-security-guide--access-rights.png||]]</p>
236 236  
237 237  ===== 3.6.1.4 Partner user access to Client environments =====
238 238  
... ... @@ -253,9 +253,9 @@
253 253  
254 254  * In all the relevant parts of the integration project, developers can version the changes made. The type (major, minor, or patch) can be indicated and commented on to describe the change. Once the version is created, that particular version will be available for Deployment and is then kept in the history of changes on a low level. Both are illustrated in the pictures below.
255 255  
256 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--create-new-version.png]]
271 +<p align="center">[[image:fundamental-emagiz-security-guide--create-new-version.png||]]</p>
257 257  
258 -[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--history-pages.png]]
273 +<p align="center">[[image:fundamental-emagiz-security-guide--history-pages.png||]]</p>
259 259  
260 260  * On a CDM level, the same functionality exists to indicate the version type incl. comments. All changes to the CDM model are logged in an audit trail that can help understand what changes are made by who in case of error resolution. The CDM is also protected by the permission structure of the Integration project.
261 261  
... ... @@ -297,12 +297,11 @@
297 297  
298 298  ==== 3.8.4 Data management ====
299 299  
300 -For more information on the conceptual ideas behind data management within the eMagiz platform, you can look at this [[fundamental>>doc:Main.eMagiz Academy.Fundamentals.fundamental-traceability-in-emagiz||target="blank"]]. For more concrete information on how to implement it within an eMagiz flow you could check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-data-sink||target="blank"]] and this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-long-term-archiving||target="blank"]]. All the information within the data sink and the long-term archiving solution is kept within the same VPC in the Cloud and can only be accessed by authorized parties.
301 -
315 +For more information on the conceptual ideas behind data management within the eMagiz platform, you can look at this [fundamental](fundamental-traceability-in-emagiz.md). For more concrete information on how to implement it within an eMagiz flow you could check out this [microlearning](../microlearning/advanced-data-management-data-sink.md) and this [microlearning](../microlearning/advanced-data-management-long-term-archiving.md). All the information within the data sink and the long-term archiving solution is kept within the same VPC in the Cloud and can only be accessed by authorized parties.
316 +
302 302  === 3.9 Compliancy ===
303 303  
304 -* eMagiz is currentlty ISO-27001 certified.
305 -* eMagiz is currently SOC2 Type 2 certified.
319 +* eMagiz has the ISO-27001 certification at this moment.
306 306  
307 307  === 3.10 Other ===
308 308  
... ... @@ -312,30 +312,17 @@
312 312  
313 313  During these tests, the pentester will try to achieve goals (penetration of the target system on various levels) by undertaking various means. Such a test can help determine whether a system is vulnerable to attack if the defenses were sufficient and which defenses (if any) the test defeated. In addition, eventual findings from those tests are dealt with conforming to the corrective action processes in our ISMS.
314 314  
329 +===== Practice =====
330 +
315 315  == 4. Key takeaways ==
316 316  
317 317  * Protecting your data is a joint responsibility between eMagiz and you
318 318  * The repository is read-only for clients
319 319  * Data in the Cloud is kept within your VPC
320 -* The portal is behind an MFA check
321 -
322 -== 5. Suggested additional readings ==
336 +* Production data in the portal is behind an MFA check
323 323  
324 -* [[Fundamental (Navigation)>>doc:Main.eMagiz Academy.Fundamentals.WebHome||target="blank"]]
325 -** [[eMagiz Cloud (Explanation)>>doc:Main.eMagiz Academy.Fundamentals.fundamental-emagiz-cloud-inner-workings||target="blank"]]
326 -** [[Traceability (Explanation)>>doc:Main.eMagiz Academy.Fundamentals.fundamental-traceability-in-emagiz||target="blank"]]
327 -* [[Crash Courses (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.WebHome||target="blank"]]
328 -** [[Crash Course Platform (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.WebHome||target="blank"]]
329 -*** [[Security - Add MFA (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-security-add-mfa.WebHome||target="blank"]]
330 -** [[Crash Course API Gateway (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.WebHome||target="blank"]]
331 -** [[Configure Roles and Users (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-configure-roles-and-users||target="blank"]]
332 -** [[Crash Course Event Streaming (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.WebHome||target="blank"]]
333 -** [[User Management (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.crashcourse-eventstreaming-user-management||target="blank"]]
334 -* [[Novice Level (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Novice.WebHome||target="blank"]]
335 -** [[eMagiz Cloud Management (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.WebHome||target="blank"]]
336 -*** [[Cloud Templates Explained (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.novice-emagiz-cloud-management-cloud-templates-explained||target="blank"]]
337 -* [[Advanced Level (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.WebHome||target="blank"]]
338 -** [[Data Management (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.WebHome||target="blank"]]
339 -*** [[Data Sink (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-data-sink||target="blank"]]
340 -*** [[Long Term Archiving (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-long-term-archiving||target="blank"]]
341 -)))((({{toc/}}))){{/container}}{{/container}}
338 +</div>
339 +</div>
340 +</div>
341 +
342 +{{/html}}
fundamental-emagiz-cloud-inner-workings--customer-level-overview-double-lane.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +65.2 KB
Content
fundamental-emagiz-security-guide--access-rights.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +9.1 KB
Content
fundamental-emagiz-security-guide--api-gateway-portal-feedback.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +14.7 KB
Content
fundamental-emagiz-security-guide--create-new-version.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +23.6 KB
Content
fundamental-emagiz-security-guide--data-orchestration.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +160.8 KB
Content
fundamental-emagiz-security-guide--definition-emagiz-model.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +63.3 KB
Content
fundamental-emagiz-security-guide--history-pages.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.marijn
Size
... ... @@ -1,0 +1,1 @@
1 +22.5 KB
Content