Wiki source code of Runtime security
Last modified by Eva Torken on 2023/08/24 11:17
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{container}}{{container layoutStyle="columns"}}((( | ||
| 2 | A key part of the eMagiz architecture is the runtime. The runtime holds all flows related to a particular process or system. Without runtimes to run your flows on there would be no processing of data. In this microlearning, we will zoom in on the runtime level to discern how the security is governed. While doing this we will make a distinction between on-premise and cloud deployments. | ||
| 3 | |||
| 4 | Should you have any questions, please contact [[academy@emagiz.com>>mailto:academy@emagiz.com]]. | ||
| 5 | |||
| 6 | == 1. Prerequisites == | ||
| 7 | |||
| 8 | * Intermediate knowledge of the eMagiz platform | ||
| 9 | |||
| 10 | == 2. Key concepts == | ||
| 11 | |||
| 12 | This microlearning centers on runtime security. | ||
| 13 | |||
| 14 | With runtime security, we mean: The measures that are taken to secure the information and related data on runtime level | ||
| 15 | |||
| 16 | * The key aspects are: | ||
| 17 | ** The security measures differ when comparing an on-premise deployment with a cloud deployment | ||
| 18 | ** Having appropriate rights is key | ||
| 19 | ** When running on-premise the security becomes a joint-effort | ||
| 20 | ** Normal users cannot access the install base in the eMagiz Cloud but execute actions on the eMagiz Cloud via the portal | ||
| 21 | |||
| 22 | == 3. Runtime security == | ||
| 23 | |||
| 24 | A key part of the eMagiz architecture is the runtime. The runtime holds all flows related to a particular process or system. Without runtimes to run your flows on there would be no processing of data. In this microlearning, we will zoom in on the runtime level to discern how the security is governed. While doing this we will make a distinction between on-premise and cloud deployments. | ||
| 25 | |||
| 26 | * The key aspects are: | ||
| 27 | ** The security measures differ when comparing an on-premise deployment with a cloud deployment | ||
| 28 | ** Having appropriate rights is key | ||
| 29 | ** When running on-premise the security becomes a joint-effort | ||
| 30 | ** Normal users cannot access the install base in the eMagiz Cloud but execute actions on the eMagiz Cloud via the portal | ||
| 31 | |||
| 32 | As one can imagine anyone with access to the machines where runtimes are running on can compromise the availability, integrity, and confidentiality of data. eMagiz offers two locations where eMagiz runtimes can be installed. Per location, specific security measures are discussed that should be taken to ensure the availability, integrity, and confidentiality of the data. | ||
| 33 | |||
| 34 | === 3.1 On-premise === | ||
| 35 | |||
| 36 | On-premise means that the runtimes are running on a machine outside the direct control of eMagiz. This means that the machine is running under the control of the customer that implements eMagiz within their IT landscape. | ||
| 37 | |||
| 38 | Because the machine is outside the direct scope of control of eMagiz it becomes a joint effort between eMagiz and you as a customer to make sure that not everyone can access this machine. This becomes even more important when working with file-based actions as part of your integration. | ||
| 39 | Advice would be to govern this via an IDP (i.e. Azure AD) so you can set up roles that have access to the machine or parts of the machine (i.e. some files). | ||
| 40 | |||
| 41 | ==== Rights for installing ==== | ||
| 42 | |||
| 43 | To install a runtime on an on-premise you need sufficient rights to execute (batch) programs. This means that the user needs administrator rights on that specific machine to correctly install the runtime. | ||
| 44 | |||
| 45 | ==== Rights for running ==== | ||
| 46 | |||
| 47 | In Windows, a service account is needed to be able to run a Windows Service (in this case the runtime you have installed). This service account is different compared to the user that does the installing of the runtime. | ||
| 48 | There are two options on this level: | ||
| 49 | |||
| 50 | * Use the local system account. This account has sufficient rights to run the service and can therefore be used for everything. Less work to configure, more impact on the integrity of data when the account gets compromised. | ||
| 51 | * Use a specific service account per runtime. This way you limit the power of users to a specific runtime making you less vulnerable if this account gets compromised. | ||
| 52 | |||
| 53 | In Linux, the service will be running under the local system account as per default. | ||
| 54 | |||
| 55 | === 3.2 Cloud === | ||
| 56 | |||
| 57 | In the eMagiz cloud, the access is restricted to those who have a legitimate reason to access it based on the SLA level agreements between customers and eMagiz. This means support engineers, consignment employees, and your bus owner have access to your specific cloud setup. | ||
| 58 | This access is per role furthermore limited. This means that consignment employees and bus owners can only see the logging of the runtimes on the machine and the ability to start/stop machines. | ||
| 59 | |||
| 60 | Support engineers can see more to analyze problems on a lower level. | ||
| 61 | |||
| 62 | All other users don't have access to the cloud setup as there is no need for access because they can perform the relevant actions on the cloud via the eMagiz portal. For more information on how please see [[eMagiz Cloud Management>>doc:Main.eMagiz Academy.Microlearnings.Novice.eMagiz Cloud Management.WebHome||target="blank"]]. | ||
| 63 | |||
| 64 | ==== Rights for installing ==== | ||
| 65 | |||
| 66 | To install a runtime in the cloud you need sufficient rights within the Deploy phase of eMagiz. | ||
| 67 | |||
| 68 | ==== Rights for running ==== | ||
| 69 | |||
| 70 | The VPC in the cloud runs on a Linux environment. Therefore the same logic applies as specified above for Linux systems. In Linux, the service will be running under the local system account as per default. | ||
| 71 | |||
| 72 | == 4. Key takeaways == | ||
| 73 | |||
| 74 | * The key aspects are: | ||
| 75 | ** The security measures differ when comparing an on-premise deployment with a cloud deployment | ||
| 76 | ** Having appropriate rights is key | ||
| 77 | ** When running on-premise the security becomes a joint-effort | ||
| 78 | ** Normal users cannot access the install base in the eMagiz Cloud but execute actions on the eMagiz Cloud via the portal | ||
| 79 | |||
| 80 | == 5. Suggested Additional Readings == | ||
| 81 | |||
| 82 | If you are interested in this topic and want more information please check out the [[Security Guide>>doc:Main.eMagiz Academy.Fundamentals.fundamental-emagiz-security-guide||target="blank"]]. | ||
| 83 | |||
| 84 | )))((({{toc/}}))){{/container}}{{/container}} |