Skip to Content

Changes for page eMagiz Security Guide

Last modified by Waria on 2026/06/04 13:44
From version 47.1
edited by Waria
on 2026/06/04 12:22
Change comment: There is no comment for this version
To version 28.1
edited by Erik Bakker
on 2023/01/02 10:10
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.waria
1 +XWiki.ebakker
Content
... ... @@ -1,5 +1,5 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -In this fundamental, we will delve into the security perspective of the eMagiz landscape. We'll explore the cloud setup, data protection, and more to understand the role security plays in each part of the eMagiz architecture. Let's dive in!
2 +In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims to clarify the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
3 3  
4 4  Should you have any questions, please get in touch with academy@emagiz.com.
5 5  
... ... @@ -10,41 +10,34 @@
10 10  == 2. Key concepts ==
11 11  
12 12  * Protecting your data is a joint responsibility between eMagiz and you
13 -* The registry containing deployable flows is read-only for clients
13 +* The repository is read-only for clients
14 14  * Data in the Cloud is kept within your VPC
15 -* The portal is behind an MFA check
15 +* Production data in the portal is behind an MFA check
16 16  
17 17  == 3. eMagiz Security Guide ==
18 18  
19 -In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims at clarifying the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
19 +In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims to clarify the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
20 20  
21 21  === 3.1 Architectural setup eMagiz ===
22 22  
23 23  eMagiz consists of various components communicating to develop the process layer and subsequently run the message layer as secure and stable as possible for our customers.
24 24  
25 -
26 -
27 -1. In the eMagiz integration project, various flows are created that work together to realize the integration. The different types are shown on the top of the picture below.
28 -2. Your customized flows are combined with a base image (which contains framework components to make the flows work) and are deployed into a runtime (java-based application container).
25 +1. In the eMagiz integration project, various flows are created that work together to realize the integration. The different types are shown on the top of the picture below: Entry, Exits, Offramps, onramps, and routing flows.
26 +2. These flows are then deployed together with a specific build number (contains framework components to make these flows work) into a runtime (java based application container).
29 29  3. These runtimes run on Cloud machines that contain Cloud templates (all required components to make the Cloud machine operational such as OS, Java runtime version, and more).
30 30  
29 +The top part of the picture depicts the eMagiz repository. All relevant (open-source) libraries needed to run flows on a connector are stored within this repository.
31 31  
31 +To prevent unauthorized access to this repository, the following measures have been taken
32 32  
33 -Your flows are stored within a registry so deployments can be managed efficiently. To prevent unauthorized access to this repository, the following measures have been taken:
33 +* Client runtimes can access the repository via a username/password combination through a one-way SSL connection (encrypted) and read the contents of the repository
34 +* eMagiz developers that need to upload bundles can access the repository through a one-way SSL connection (encrypted)
35 +* A bitbucket pipeline will be created soon to enable automatic updates. This data pipeline will also need a unique username/password combination along with the fact that the connection itself is a one-way SSL connection (encrypted)
36 +* The repository is read-only for clients. This means that even if someone gets their hands on a username/password combination, they do not have sufficient rights to alter anything in the repository. They can only read the data that is kept in the repository.
34 34  
35 -
36 -* Deploy agents can access the registry and can read the contents belonging to your eMagiz integration project only.
37 -* Client runtimes can read specific flows within the registry as provided by the deploy agent to deploy the flows
38 -* When running your eMagiz integration project in the cloud, security during communication between eMagiz and the registry is taken care of by the eMagiz cloud.
39 -* When running your eMagiz integration project on-premises, you will have to make sure that your server is running Docker and the eMagiz deploy agent so the server can access the registry successfully and securely.
40 -* A bitbucket pipeline can access the registry to update the provided base image that is needed to run all your flows. This pipeline cannot access your flows, only the libraries used to build your flows.
41 -* Connections to the registry are always one-way SSL (encrypted) and all access is secured with a unique username/password combination.
42 -* As mentioned above, the registry is read-only for agents and client runtimes. This means that even if someone gets their hands on a username/password combination, they do not have sufficient rights to alter anything in the registry. They can only read the data that is kept in the registry.
43 -
44 -
45 45  [[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--definition-emagiz-model.png]]
46 46  
47 -=== 3.2 Security Guidelines - Cloud ===
40 +=== 3.2 Security Guidelines * Cloud ===
48 48  
49 49  In this section, we take a closer look at the cloud setup in general. Here we will focus on high-level security measurements because we already specified security measurements at the data level.
50 50  
... ... @@ -199,7 +199,7 @@
199 199  
200 200  To prevent the error message if it occurs is sent straight back to the client, you can configure the front end of the API Gateway, so that correct HTTP Status codes are given back to the client, including a descriptive message.
201 201  
202 -For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-configure-roles-and-users||target="blank"]].
195 +For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-configure-roles-and-users.WebHome||target="blank"]].
203 203  ==== 3.5.3 Event Streaming ====
204 204  
205 205  Within the Event Streaming solution, eMagiz provides Event Streaming users, and topics can be created.
... ... @@ -211,9 +211,8 @@
211 211  
212 212  These are all security measures to prevent third parties from getting unauthorized access to the data stored on the topics.
213 213  
214 -For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.crashcourse-eventstreaming-user-management||target="blank"]].
207 +For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.crashcourse-eventstreaming-user-management.WebHome||target="blank"]].
215 215  
216 -
217 217  === 3.6 eMagiz iPaaS Portal ===
218 218  
219 219  The eMagiz portal provides access to users to manage their eMagiz integration configurations. It provides access to all the features to develop, deploy and manage integrations across Test, Acceptance, and Production environments.
... ... @@ -222,8 +222,8 @@
222 222  
223 223  ===== 3.6.1.1 User access to https://my.emagiz.com =====
224 224  
225 -Users can be added with their email address by the eMagiz Partner Manager or by their company contact, upon which the user gets an email to sign in. A temporary password is created and emailed, which has to be changed at the first login to the iPaaS portal. In addition, users are connected to organizations in eMagiz.
226 -In the administration section of the user, upon first login an MFA configuration needs to be executed by the user so they can access models to which they have been granted rights. Typical authenticators on a smartphone can be used, such as Google Authenticator. For more information, check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-security-add-mfa.WebHome||target="blank"]]. An MFA response is required for model owners to manage the permissions on a model level. See the following sections for more details on these functions.
217 +Users can be added with their email address by the eMagiz Partner Manager, upon which the user gets an email to sign in. A temporary password is created and emailed, which has to be changed at the first login to the iPaaS portal. In addition, users are connected to organizations in eMagiz.
218 +In the administration section of the user, an MFA token can be used to enable the Multifactor Authentication on a user level. Typical authenticators on a smartphone can be used, such as Google Authenticator. An MFA response is required for model owners to manage the permissions on a project level and any Edit activity in Production environments. See the following sections for more details on these functions.
227 227  
228 228  ===== 3.6.1.2 Users access to Integration Projects =====
229 229  
... ... @@ -231,7 +231,7 @@
231 231  
232 232  ===== 3.6.1.3 User authorizations to Integration projects. =====
233 233  
234 -Every integration project has a model owner who can distribute rights across functionalities and environments. The picture below shows the various options available across the Integration Life Cycle (ILM) Phases Capture through Manage. In addition, the model owner manages the user permissions and needs to have the MFA authentication level passed before making any changes (which is asked of the model owner upon login).
226 +Every integration project has a model owner who can distribute rights across functionalities and environments. The picture below shows the various options available across the Integration Life Cycle (ILM) Phases Capture through Manage. In addition, the model owner manages the user permissions and needs to have the MFA authentication level passed before making any changes.
235 235  
236 236  * When Edit permission is granted on an ILM phase, all the sub-options are configurable
237 237  * View rights mean that all options can be viewed only
... ... @@ -304,12 +304,11 @@
304 304  
305 305  ==== 3.8.4 Data management ====
306 306  
307 -For more information on the conceptual ideas behind data management within the eMagiz platform, you can look at this [[fundamental>>doc:Main.eMagiz Academy.Fundamentals.fundamental-traceability-in-emagiz||target="blank"]]. For more concrete information on how to implement it within an eMagiz flow you could check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-data-sink||target="blank"]] and this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-long-term-archiving||target="blank"]]. All the information within the data sink and the long-term archiving solution is kept within the same VPC in the Cloud and can only be accessed by authorized parties.
308 -
299 +For more information on the conceptual ideas behind data management within the eMagiz platform, you can look at this [fundamental](fundamental-traceability-in-emagiz.md). For more concrete information on how to implement it within an eMagiz flow you could check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-data-sink.WebHome||target="blank"]] and this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-long-term-archiving.WebHome||target="blank"]]. All the information within the data sink and the long-term archiving solution is kept within the same VPC in the Cloud and can only be accessed by authorized parties.
300 +
309 309  === 3.9 Compliancy ===
310 310  
311 -* eMagiz is currentlty ISO-27001 certified.
312 -* eMagiz is currently SOC2 Type 2 certified.
303 +* eMagiz has the ISO-27001 certification at this moment.
313 313  
314 314  === 3.10 Other ===
315 315  
... ... @@ -324,26 +324,5 @@
324 324  * Protecting your data is a joint responsibility between eMagiz and you
325 325  * The repository is read-only for clients
326 326  * Data in the Cloud is kept within your VPC
327 -* The portal is behind an MFA check
328 -
329 -== 5. Suggested additional readings ==
330 -
331 -* [[Fundamental (Navigation)>>doc:Main.eMagiz Academy.Fundamentals.WebHome||target="blank"]]
332 -** [[eMagiz Cloud (Explanation)>>doc:Main.eMagiz Academy.Fundamentals.fundamental-emagiz-cloud-inner-workings||target="blank"]]
333 -** [[Traceability (Explanation)>>doc:Main.eMagiz Academy.Fundamentals.fundamental-traceability-in-emagiz||target="blank"]]
334 -* [[Crash Courses (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.WebHome||target="blank"]]
335 -** [[Crash Course Platform (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.WebHome||target="blank"]]
336 -*** [[Security - Add MFA (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-security-add-mfa.WebHome||target="blank"]]
337 -*** [[Portal Security - Basic (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-manage-portal-security-basic||target="blank"]]
338 -** [[Crash Course API Gateway (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.WebHome||target="blank"]]
339 -** [[Configure Roles and Users (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-configure-roles-and-users||target="blank"]]
340 -** [[Crash Course Event Streaming (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.WebHome||target="blank"]]
341 -** [[User Management (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.crashcourse-eventstreaming-user-management||target="blank"]]
342 -* [[Novice Level (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Novice.WebHome||target="blank"]]
343 -** [[eMagiz Cloud Management (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.WebHome||target="blank"]]
344 -*** [[Cloud Templates Explained (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.novice-emagiz-cloud-management-cloud-templates-explained||target="blank"]]
345 -* [[Advanced Level (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.WebHome||target="blank"]]
346 -** [[Data Management (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.WebHome||target="blank"]]
347 -*** [[Data Sink (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-data-sink||target="blank"]]
348 -*** [[Long Term Archiving (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-long-term-archiving||target="blank"]]
318 +* Production data in the portal is behind an MFA check
349 349  )))((({{toc/}}))){{/container}}{{/container}}