A look at Platform Security
Intro
Since the platform is the centralizing tool for all information, it is critical to ensure the privacy and security of the data stored and/or managed within it.
In a shared resource environment, the safe sending and receiving of data must be guaranteed by authenticating both the elements that generate the data feeding the platform and the applications that will read from it.
Platform users will be either people or applications, so the type of access must be classified according to the role each plays within the system, limiting the information each user is shown, the reports and dashboards they can see, and the actions they can perform within the platform.
Security is a key part of the platform. The platform fully complies with current regulations on security and data protection, as well as with the National Security Scheme.
The platform can provide authentication, authorization (by roles) and encryption (encrypted information) mechanisms, both in the information transfer from systems and devices to the platform, and in the consumption of stored information. This guarantees the confidentiality and integrity of the stored information.
Functionalities
Security and privacy of the platform is guaranteed at various levels:
Access profiles: platform access supports role differentiation. Thus, you can easily manage which users have access to what information.
Authentication of the Platform clients: supporting various protocols.
Data privacy: this allows configuring privacy levels for the information. By default, the information (ontologies) can be either public or private, that is to say, visible to everyone or only to that ontology's "owner". The platform also allows each ontology's owner to grant certain users permission to read, write or both on their ontologies, or even to make their ontologies public so that they are visible to all users of the platform, thus promoting collaboration.
Secure, confidential communication: the platform can be configured to support only SSL communication. The platform will be configured to support communication with certificates at the identification and authentication level, and act. These certificates may be issued by any authorized certifying entity.
Extensibility: for scenarios requiring specific security configurations, and as an additional feature, the platform allows the development of plugins to adapt the platform security (for example, for SSO).
Identity Manager
All elements of the platform are secured by an Identity Manager which, by default, provides the platform's native security model based on OAuth2, and which is extensible by means of plugins to connect to the existing directory or authentication services required by the organization.
We offer two flavors of this Identity Manager:
Base: custom development on Spring Cloud Security: Base IM
Advanced: built on Keycloak. More on: Advanced IM
Roles
The platform supports different roles depending on the use that each user will make of it and their information.
The contemplated roles are:
Administrator: Corresponds to a platform administrator.
Analytics: DataScientist profile, enabling specific tools.
DataViewer: Data query profile and dashboard visualizations.
Developer: Project developer on the platform.
DevOps and Operations: Support profiles for development and project operations on the platform.
Partner: Platform partner, owner of a joint marketing product.
SysAdmin: System Administrator. Can make certain configuration changes.
User: User without privileges; can basically only view items that other users have authorised her to see.
Projects and Realms
The platform, as a support element for application development, provides the concepts of Project and Realm.
A Project provides a group of users involved in the same development project with a collaborative environment on the platform where they share the different elements associated with the project (data entities, device models, dashboards, ...). Associated with the project, they can create what is called a Realm. A Realm provides authentication and profiling infrastructure to the project, including:
Definition of the specific roles of the project (independent of those of the platform).
Import of users who can use the project (from platform or corporate directory).
Association of users to project roles.
OAuth login service to integrate with the application login.
In this way, projects developed on the platform are freed from integrating with the organization's authentication services.
Ontology attributes encryption
The Platform allows encrypting the data stored in the attributes of the ontologies.
To use this:
The ontology has to be marked as containing encryptable attributes, through the wizard.
Each attribute to be encrypted must be marked as such in the ontology creation wizard.
When data from an encrypted ontology arrive at the broker, the broker is in charge of encrypting the attributes marked as such.
The Platform offers a base implementation of the Encryptor part, which is the component responsible for encrypt/decrypt actions, and which uses the following:
128-bit AES encryption, more specifically AES/CBC/PKCS5Padding
The encryption key (KEY) and initialization vector (IV) are loaded from an internal platform configuration file, and the same values are used for all ontologies
The Encryptor part can be replaced with the plugin mechanism offered by the platform (see https://onesaitplatform.atlassian.net/wiki/spaces/OP/pages/448856078), so that a component can be developed that connects to an HSM such as Key Vault to obtain the encryption key and IV externally and securely.
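As an added example (not the platform's own Encryptor code), a hypothetical Java stand-in for the Encryptor part using AES/CBC/PKCS5Padding: the first method mirrors the base behaviour of one configured KEY and IV shared by all ontologies, and the other two show what a replacement plugin could do instead, generating a fresh IV per value and storing it ahead of the ciphertext. The class and method names and the key/IV bytes are constructed for this demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical stand-in for the platform's Encryptor part (not the project's code). */
public class AttributeEncryptorDemo {
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed 128-bit key and IV. On the platform these come from the internal
    // configuration file; a plugin would fetch the key from an HSM / Key Vault instead.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    private static final byte[] FIXED_IV = "fedcba9876543210".getBytes(StandardCharsets.UTF_8);

    /** Base behaviour: one key and one IV shared by every attribute of every ontology. */
    static String encryptFixedIv(String plaintext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(FIXED_IV));
        return Base64.getEncoder().encodeToString(c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }
    /** Replacement-plugin variant: fresh random IV per value, stored in front of the ciphertext. */
    static String encryptRandomIv(String plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // IV first, then ciphertext
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String decryptRandomIv(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(Arrays.copyOf(in, 16)));
        return new String(c.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String v = "john.doe@example.org"; // constructed sample attribute value
        // Same key + same IV: identical values yield identical ciphertexts, so they stay linkable in the store.
        System.out.println("fixed IV, equal ciphertexts: " + encryptFixedIv(v).equals(encryptFixedIv(v)));
        String c1 = encryptRandomIv(v);
        System.out.println("random IV, equal ciphertexts: " + c1.equals(encryptRandomIv(v)));
        System.out.println("round trip: " + decryptRandomIv(c1));
    }
}
```

Note that a per-value IV, as in the plugin variant, is what removes the linkability of equal attribute values; moving only the key to an HSM while keeping a single shared IV does not.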