Runtime security
In this microlearning, we will explore the crucial role of the runtime in the eMagiz architecture, focusing on how security is managed at this level. We will examine the differences between on-premise and cloud deployments, highlighting key aspects such as access rights and security measures. By the end, you will have a clear understanding of how to safeguard your data and be able to distinguish between on-premise and cloud deployments.
Should you have any questions, please contact academy@emagiz.com.
1. Prerequisites
- Intermediate knowledge of the eMagiz platform
2. Key concepts
This microlearning centers on runtime security.
- By runtime security, we mean the measures taken to secure the information and related data at the runtime level.
3. Runtime security
A key part of the eMagiz architecture is the runtime. The runtime holds all flows related to a particular process or system. Without runtimes to run your flows on, there would be no processing of data. In this microlearning, we will zoom in on the runtime level to discern how security is governed. While doing this, we will make a distinction between on-premise and cloud deployments.
The key aspects are:
- The security measures differ when comparing an on-premise deployment with a cloud deployment
- Having appropriate rights is key
- When running on-premise, security becomes a joint effort
- Normal users cannot access the install base in the eMagiz Cloud but execute actions on the eMagiz Cloud via the portal
As one can imagine, anyone with access to the machines on which runtimes are running can compromise the availability, integrity, and confidentiality of data. eMagiz offers two locations where eMagiz runtimes can be installed. Per location, we discuss the specific security measures that should be taken to ensure the availability, integrity, and confidentiality of the data.
3.1 On-premise
On-premise means that the runtimes are running on a machine outside the direct control of eMagiz. This means that the machine is running under the control of the customer that implements eMagiz within their IT landscape.
Because the machine is outside the direct scope of control of eMagiz, it becomes a joint effort between eMagiz and you as a customer to make sure that not everyone can access this machine. This becomes even more important when working with file-based actions as part of your integration.
The advice is to govern this via an IdP (e.g. Azure AD) so you can set up roles that have access to the machine or to parts of the machine (e.g. some files).
3.1.1 Rights for installing
To install a runtime on an on-premise machine, you need sufficient rights to execute (batch) programs. This means that the user needs administrator rights on that specific machine to correctly install the runtime.
3.1.2 Rights for running
In Windows, a service account is needed to run a Windows Service (in this case, the runtime you have installed). This service account is different from the user that installs the runtime.
There are two options on this level:
- Use the local system account. This account has sufficient rights to run the service and can therefore be used for everything. Less work to configure, more impact on the integrity of data when the account gets compromised.
- Use a specific service account per runtime. This way you limit the power of users to a specific runtime making you less vulnerable if this account gets compromised.
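The check below is an added example, not part of eMagiz or its documentation: a PowerShell audit that lists which account each runtime service logs on as and flags the two situations the options above warn about, a built-in account or one service account shared by several runtimes. The `$NamePattern` filter is a hypothetical placeholder; replace it with the names your runtime services actually carry.

```powershell
# Added example, not eMagiz code. $NamePattern is an assumed placeholder.
param(
    [string]$NamePattern = '*runtime*'   # hypothetical service-name filter
)

# Built-in identities that are not dedicated per-runtime service accounts.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# Win32_Service.StartName holds the account the service logs on as.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern }

# Group by logon account so accounts used by more than one service stand out.
$perAccount = $services | Group-Object -Property StartName

$report = foreach ($svc in $services) {
    $usedBy = ($perAccount | Where-Object Name -eq $svc.StartName).Count
    $finding = if ($svc.StartName -in $builtIn) {
        'Runs as built-in account'
    } elseif ($usedBy -gt 1) {
        'Service account shared between runtimes'
    } else {
        'Dedicated service account'
    }
    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName
        State   = $svc.State
        Finding = $finding
    }
}

# Findings that need attention sort together for review.
$report | Sort-Object Finding, Service | Format-Table -AutoSize
```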
In Linux, the service runs under the local system account by default.
3.2 Cloud
In the eMagiz cloud, access is restricted to those who have a legitimate reason to access it, based on the SLAs between customers and eMagiz. This means support engineers, consignment employees, and your bus owner have access to your specific cloud setup.
This access is further limited per role. Consignment employees and bus owners can only see the logging of the runtimes on the machine and start/stop machines.
Support engineers can see more to analyze problems on a lower level.
All other users don't have access to the cloud setup, as there is no need for it: they can perform the relevant actions on the cloud via the eMagiz portal. For more information on how, please see eMagiz Cloud Management.
3.2.1 Rights for installing
To install a runtime in the cloud, you need sufficient rights within the Deploy phase of eMagiz.
3.2.2 Rights for running
The VPC in the cloud runs on a Linux environment. Therefore, the same logic applies as specified above for Linux systems: the service runs under the local system account by default.
4. Key takeaways
- The approach to security differs between on-premise and cloud deployments. Each environment requires tailored measures to ensure data protection.
- Proper rights and permissions are essential for both installing and running eMagiz runtimes. Managing these rights effectively helps maintain security and operational integrity.
- On-Premise Security is a Joint Effort: When using on-premise deployments, securing the runtime is a collaborative task between eMagiz and the customer, especially in controlling machine access and file-based actions.
- Cloud Access is Restricted and Controlled: In the eMagiz cloud, access is limited to only authorized roles based on specific agreements. Normal users cannot access the install base in the eMagiz Cloud, but can execute actions on the eMagiz Cloud via the portal.
5. Suggested Additional Readings
If you are interested in this topic and want more information please check out these links: