Skip to Content

Changes for page eMagiz Security Guide

Last modified by Erik Bakker on 2024/08/20 08:53
From version 7.1
edited by eMagiz
on 2022/06/13 09:33
Change comment: There is no comment for this version
To version 25.1
edited by Erik Bakker
on 2022/06/13 14:11
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,0 +1,1 @@
1 +eMagiz Security Guide
Parent
... ... @@ -1,0 +1,1 @@
1 +WebHome
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.marijn
1 +XWiki.ebakker
Content
... ... @@ -1,19 +1,8 @@
1 -{{html wiki="true"}}
2 -<div class="ez-academy">
3 - <div class="ez-academy_body">
4 -<div class="doc">
5 -
6 -
7 -
8 -= eMagiz Security Guide =
9 -
1 +{{container}}{{container layoutStyle="columns"}}(((
10 10  In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims to clarify the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
11 11  
12 12  Should you have any questions, please get in touch with academy@emagiz.com.
13 13  
14 -* Last update: February 17th, 2022
15 -* Required reading time: 15 minutes
16 -
17 17  == 1. Prerequisites ==
18 18  
19 19  * Some context on cloud functionality will be helpful.
... ... @@ -25,8 +25,6 @@
25 25  * Data in the Cloud is kept within your VPC
26 26  * Production data in the portal is behind an MFA check
27 27  
28 -
29 -
30 30  == 3. eMagiz Security Guide ==
31 31  
32 32  In this fundamental, we will zoom in on how the various parts of the eMagiz landscape can be viewed from a Security perspective. We will look at the Cloud, on-premises, data within eMagiz, external communication, and the portal during our journey. After this journey, you should have a solid understanding of what role security plays in each of the parts of the eMagiz architecture. Note that protecting your data is a joint responsibility between eMagiz and you. This fundamental aims to clarify the security measures eMagiz has taken in the eMagiz platform. This way, you can assess the eventual additional steps you need to take to ensure that the eMagiz service cooperates securely with the rest of your application and integration landscape.
... ... @@ -48,7 +48,7 @@
48 48  * A bitbucket pipeline will be created soon to enable automatic updates. This data pipeline will also need a unique username/password combination along with the fact that the connection itself is a one-way SSL connection (encrypted)
49 49  * The repository is read-only for clients. This means that even if someone gets their hands on a username/password combination, they do not have sufficient rights to alter anything in the repository. They can only read the data that is kept in the repository.
50 50  
51 -<p align="center">[[image:fundamental-emagiz-security-guide--definition-emagiz-model.png||]]</p>
38 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--definition-emagiz-model.png]]
52 52  
53 53  === 3.2 Security Guidelines * Cloud ===
54 54  
... ... @@ -59,7 +59,7 @@
59 59  The picture below shows a standard double-lane setup of an eMagiz instance within the eMagiz Cloud. A single-lane design looks similar but only consists of one core machine.
60 60  This gives insight into how messages flow through the Cloud, which measures are taken for monitoring and auto-healing, and where data is temporarily stored 'in transit.'
61 61  
62 -<p align="center">[[image:fundamental-emagiz-cloud-inner-workings--customer-level-overview-double-lane.png||]]</p>
49 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-cloud-inner-workings--customer-level-overview-double-lane.png]]
63 63  
64 64  We want to use this picture to explain specific components within the Cloud from a security perspective. We will start at the outside and work our way inwards.
65 65  
... ... @@ -86,7 +86,7 @@
86 86  * Monitoring
87 87  * Notification options
88 88  
89 -Making sure you are on the latest cloud template version guards yourself against vulnerabilities in older versions of Java and OS, for example. In addition, it gives the user more options for monitoring the health of the cloud environment reducing the risk of a loss of availability of data (promptly) without compromising the integrity of the data. For more information on what cloud templates are and how to control and update them, please check out this [microlearning](../microlearning/novice-emagiz-cloud-management-cloud-templates-explained.md).
76 +Making sure you are on the latest cloud template version guards yourself against vulnerabilities in older versions of Java and OS, for example. In addition, it gives the user more options for monitoring the health of the cloud environment reducing the risk of a loss of availability of data (promptly) without compromising the integrity of the data. For more information on what cloud templates are and how to control and update them, please check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.novice-emagiz-cloud-management-cloud-templates-explained.WebHome||target="blank"]].
90 90  
91 91  ==== 3.2.5 Carwash ====
92 92  
... ... @@ -130,7 +130,7 @@
130 130  
131 131  Support engineers can see more to analyze problems on a lower level.
132 132  
133 -All other users don't have access to the cloud setup as there is no need for access because they can perform the relevant actions on the Cloud via the eMagiz portal. For more information on how please see the [eMagiz Cloud Management](../microlearning/novice-emagiz-cloud-management-index) course.
120 +All other users don't have access to the cloud setup as there is no need for access because they can perform the relevant actions on the Cloud via the eMagiz portal. For more information on how please see the [[eMagiz Cloud Management>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.WebHome||target="blank"]] course.
134 134  
135 135  ===== 3.3.2.1 Rights for installing =====
136 136  
... ... @@ -148,7 +148,7 @@
148 148  
149 149  Let us first look at the data "in transit." This is the process phase where data is interchanged between flows within the eMagiz platform. This data interchange goes (i.e., from entry to onramp or offramp to exit) via the orchestration of the JMS server on the messaging layer. This is nicely shown in the picture below.
150 150  
151 -<p align="center">[[image:fundamental-emagiz-security-guide--data-orchestration.png||]]</p>
138 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--data-orchestration.png]]
152 152  
153 153  Data "in transit" is temporarily stored on an encrypted filesystem with the help of encryption algorithms.
154 154  For the Cloud, eMagiz uses the AES-256 encryption algorithm.
... ... @@ -193,7 +193,7 @@
193 193  
194 194  As you can see in the picture shown below, the roles are defined so that the Read role can only access two integrations available for this specific API Gateway. If a client has insufficient rights, they will receive a 401 Unauthorized
195 195  
196 -<p align="center">[[image:fundamental-emagiz-security-guide--api-gateway-portal-feedback.png||]]</p>
183 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--api-gateway-portal-feedback.png]]
197 197  
198 198  ===== 3.5.2.2 External IDP =====
199 199  
... ... @@ -207,8 +207,7 @@
207 207  
208 208  To prevent the error message if it occurs is sent straight back to the client, you can configure the front end of the API Gateway, so that correct HTTP Status codes are given back to the client, including a descriptive message.
209 209  
210 -For more information on how this precisely can be configured via the eMagiz platform, please check the following [microlearning](../microlearning/crashcourse-api-gateway-configure-roles-and-users.md)
211 -
197 +For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-configure-roles-and-users.WebHome||target="blank"]].
212 212  ==== 3.5.3 Event Streaming ====
213 213  
214 214  Within the Event Streaming solution, eMagiz provides Event Streaming users, and topics can be created.
... ... @@ -220,7 +220,7 @@
220 220  
221 221  These are all security measures to prevent third parties from getting unauthorized access to the data stored on the topics.
222 222  
223 -For more information on how this precisely can be configured via the eMagiz platform, please check the following [microlearning](../microlearning/crashcourse-eventstreaming-user-management.md)
209 +For more information on how this precisely can be configured via the eMagiz platform, please check the following [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Event Streaming.crashcourse-eventstreaming-user-management.WebHome||target="blank"]].
224 224  
225 225  === 3.6 eMagiz iPaaS Portal ===
226 226  
... ... @@ -247,7 +247,7 @@
247 247  * Model owners are assigned to integration projects by eMagiz Administrators
248 248  * An audit trail is kept of the changes made in the project permission structure
249 249  
250 -<p align="center">[[image:fundamental-emagiz-security-guide--access-rights.png||]]</p>
236 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--access-rights.png]]
251 251  
252 252  ===== 3.6.1.4 Partner user access to Client environments =====
253 253  
... ... @@ -268,9 +268,9 @@
268 268  
269 269  * In all the relevant parts of the integration project, developers can version the changes made. The type (major, minor, or patch) can be indicated and commented on to describe the change. Once the version is created, that particular version will be available for Deployment and is then kept in the history of changes on a low level. Both are illustrated in the pictures below.
270 270  
271 -<p align="center">[[image:fundamental-emagiz-security-guide--create-new-version.png||]]</p>
257 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--create-new-version.png]]
272 272  
273 -<p align="center">[[image:fundamental-emagiz-security-guide--history-pages.png||]]</p>
259 +[[image:Main.Images.Fundamental.WebHome@fundamental-emagiz-security-guide--history-pages.png]]
274 274  
275 275  * On a CDM level, the same functionality exists to indicate the version type incl. comments. All changes to the CDM model are logged in an audit trail that can help understand what changes are made by who in case of error resolution. The CDM is also protected by the permission structure of the Integration project.
276 276  
... ... @@ -312,7 +312,7 @@
312 312  
313 313  ==== 3.8.4 Data management ====
314 314  
315 -For more information on the conceptual ideas behind data management within the eMagiz platform, you can look at this [fundamental](fundamental-traceability-in-emagiz.md). For more concrete information on how to implement it within an eMagiz flow you could check out this [microlearning](../microlearning/advanced-data-management-data-sink.md) and this [microlearning](../microlearning/advanced-data-management-long-term-archiving.md). All the information within the data sink and the long-term archiving solution is kept within the same VPC in the Cloud and can only be accessed by authorized parties.
301 +For more information on the conceptual ideas behind data management within the eMagiz platform, you can look at this [fundamental](fundamental-traceability-in-emagiz.md). For more concrete information on how to implement it within an eMagiz flow you could check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-data-sink.WebHome||target="blank"]] and this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Data Management.advanced-data-management-long-term-archiving.WebHome||target="blank"]]. All the information within the data sink and the long-term archiving solution is kept within the same VPC in the Cloud and can only be accessed by authorized parties.
316 316  
317 317  === 3.9 Compliancy ===
318 318  
... ... @@ -326,8 +326,6 @@
326 326  
327 327  During these tests, the pentester will try to achieve goals (penetration of the target system on various levels) by undertaking various means. Such a test can help determine whether a system is vulnerable to attack if the defenses were sufficient and which defenses (if any) the test defeated. In addition, eventual findings from those tests are dealt with conforming to the corrective action processes in our ISMS.
328 328  
329 -===== Practice =====
330 -
331 331  == 4. Key takeaways ==
332 332  
333 333  * Protecting your data is a joint responsibility between eMagiz and you
... ... @@ -334,9 +334,4 @@
334 334  * The repository is read-only for clients
335 335  * Data in the Cloud is kept within your VPC
336 336  * Production data in the portal is behind an MFA check
337 -
338 -</div>
339 -</div>
340 -</div>
341 -
342 -{{/html}}
321 +)))((({{toc/}}))){{/container}}{{/container}}
fundamental-emagiz-security-guide--data-orchestration.png
Author
... ... @@ -1,1 +1,0 @@
1 -XWiki.marijn
Size
... ... @@ -1,1 +1,0 @@
1 -160.8 KB
Content