Security Architecture

User Management

Robust user management is supported, as is management of all business-configurable data; the scope is determined by client needs. Nominated client resources add, edit and delete users in the system. A document describing how this is done is provided with the system.

Platform Architecture

The CST platform consists of a set of separately deployable containers working together to provide robust infrastructure and intelligent functionality. The application is clustered and deployed for high availability in an active/active configuration, so that the loss of one instance is absorbed by the others.

The system provides several input mechanisms that allow clients to pass data into the system. In addition, the platform includes tools that allow it to interact with and pull data from a wide range of data sources.

All software components are self-contained applications deployed in containers. The containers are managed by a cluster management tool which provides deployment, scaling, and maintenance mechanisms.

The application is environment-agnostic and can be deployed on-premise (bare-metal) as well as on IaaS (cloud) providers.

On the server, Intel Xeon processors are preferred as they offer the client the best price/performance and are more than capable of running the workloads involved with the application. However, any server capable of running Linux, virtualised or otherwise, is acceptable.

On the client, access is predominantly web-based so processor type is largely irrelevant. CST works with its clients to define the architecture that best suits an implementation.

The web-based approach means that clients can deploy once and users can be located in diverse locations. Clients can leverage their WAN

Platform clustering strategy

Data Collection & Connectivity

The CST platform supports adapters for a wide range of data sources, including JDBC, ODBC, MS SQL Server, MySQL, Oracle, MongoDB, PostgreSQL, Amazon RDS, Google Analytics, Heroku, Cassandra, and Neo.

Note that the system can collect data from sensors, remote drones, and biometric devices, in both structured and unstructured form. The data collection approach used will depend on the industry and the specific needs of the client.

All CST adapters are standards-based, industrial-strength components with rich design-time introspection capabilities. Custom adapters can be included where required.

OLAP/MOLAP connectivity is supported provided the connecting tool supports HDFS; such tools include Kyvos and Kylin. The CST platform uses cutting-edge technology in this area. CST also deploys a relational dimensional model to provide multi-dimensional reporting at the user's fingertips. The difference lies in how the reporting data is indexed: rather than pre-calculating all permutations of the data as a typical OLAP cube does, the relational dimensional model stores the data in a relationship-based structure, which makes it easier to search and returns results at runtime much faster than a typical OLAP implementation.

The CST platform uses a set of "pipes and adapters" to ingest both semi-structured and unstructured data. The platform's adapters apply NLP (natural language processing) and OCR as required to convert unstructured data into a baseline reportable format, in context. The platform stores its data in JSON format and uses streaming technologies to analyse the data at the point of ingestion. This is more accurate and efficient than analysing data at rest, because it gives the system the opportunity to compare what it already knows (data already in the system) with what it does not (the data being ingested).

The CST platform deploys Hadoop as its core distributed processing component and supports both Hive for SQL-like querying of data and Pig for data-flow processing. The platform exposes APIs that give developers Hive and Pig access to the data at rest and in transit.

Platform Security

Granular user management is supported, from access authentication through to data-level authorisation at both user and group level. In addition, the platform's security API can integrate with client authentication systems.

Single sign-on is supported using a CST platform adapter. Clients will need to provide the details of their existing single sign-on provider for integration.

LDAP is supported, including the OpenLDAP and ApacheDS implementations. JumpCloud is supported for cloud deployments in a SaaS model, and the platform can also be integrated with SecureAuth using JWTs in all tiers.

The access controls at the data layer include:

  • Flexible REST-layer access control (user/role-based; on aliases, indices, and types).
  • Flexible transport-layer access control (user/role-based; on aliases, indices, and types).
  • Document-level security (DLS): retrieve only documents matching defined criteria.
  • Field-level security (FLS): filter fields or source parts out of a response.
  • HTTP authentication (Basic, proxy header, SPNEGO/Kerberos, mutual TLS/client certificate).
  • Flexible authentication backends (LDAP(S)/Active Directory, file-based, proxy header, native Windows through WAFFLE).
  • Flexible authorisation backends (LDAP(S)/Active Directory, file-based, native Windows through WAFFLE).
  • Node-to-node encryption through SSL/TLS (transport layer).
  • Secure REST layer through HTTPS (SSL/TLS).
  • X-Forwarded-For (XFF) support.
  • Authorisation audit logging.
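
As an added illustration of the DLS and FLS controls listed above (example code written for this page, not CST's or any product's implementation): a small in-memory authoriser that applies per-role document filters and field allow-lists to JSON documents and emits an authorisation audit line. The documents, the role model, the rule for combining several roles, and the audit-line format are constructed assumptions.

```python
"""Added example, not CST's or any product's code: document-level (DLS) and
field-level (FLS) security applied to JSON documents by role, with an
authorisation audit line. Documents, role model and log format are constructed."""

# Constructed sample documents, as a JSON-style store would hold them.
DOCUMENTS = [
    {"id": 1, "region": "uk", "dept": "finance", "amount": 1200, "ssn": "AB123456C", "notes": "q1 close"},
    {"id": 2, "region": "uk", "dept": "hr", "amount": 300, "ssn": "CD234567D", "notes": "onboarding"},
    {"id": 3, "region": "uae", "dept": "finance", "amount": 9800, "ssn": "EF345678E", "notes": "audit"},
]

# Hypothetical role model: "dls" lists the values each field must take for a
# document to be visible; "fls" is the allow-list of fields that may leave the
# data layer. Anything not allow-listed is dropped (deny by default).
ROLES = {
    "uk_analyst": {"dls": {"region": ["uk"]}, "fls": ["id", "region", "dept", "amount"]},
    "hr_uk": {"dls": {"region": ["uk"], "dept": ["hr"]}, "fls": ["id", "dept", "notes", "ssn"]},
    "auditor": {"dls": {}, "fls": ["id", "region", "dept", "amount"]},
}


def dls_match(doc: dict, dls_filter: dict) -> bool:
    """Every clause must match (AND). A missing field never matches."""
    return all(doc.get(field) in allowed for field, allowed in dls_filter.items())


def fls_project(doc: dict, allowed_fields: set) -> dict:
    """Keep only allow-listed fields; source order is preserved."""
    return {k: v for k, v in doc.items() if k in allowed_fields}


def authorize_search(user_roles: list, documents=DOCUMENTS, roles=ROLES) -> list:
    """Combine roles as follows (a design choice for this example): a document
    is returned if ANY of the user's roles grants it, and the visible fields
    are the union of the FLS lists of the roles that granted that document.
    Unknown role names grant nothing."""
    results = []
    for doc in documents:
        granting = [roles[r] for r in user_roles
                    if r in roles and dls_match(doc, roles[r]["dls"])]
        if not granting:
            continue                      # DLS: invisible to this user
        visible = set()
        for role in granting:
            visible.update(role["fls"])
        results.append(fls_project(doc, visible))
    return results


def audit_line(user: str, user_roles: list, results: list) -> str:
    """Constructed authorisation audit-log format: who asked, with which
    roles, and which document ids were actually returned."""
    ids = ",".join(str(d["id"]) for d in results)
    return f"authz user={user} roles={'|'.join(user_roles)} returned=[{ids}]"


if __name__ == "__main__":
    for user, rs in [("alice", ["uk_analyst"]), ("bob", ["hr_uk"]),
                     ("carol", ["auditor"]), ("dave", ["uk_analyst", "hr_uk"])]:
        out = authorize_search(rs)
        print(audit_line(user, rs, out))
        for d in out:
            print("   ", d)
```

The point to check in any real deployment is the one the `hr_uk` role shows: DLS decides which documents a user can see at all, FLS decides which fields of those documents leave the data layer, and the two are enforced independently, so a role that can see a document still never receives a field it was not allow-listed for.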

Note that credentials are passed to the data layer in encrypted form for authorisation of service and data access. Security controls apply at the individual data item level.

Security tokens can be embedded into offline reports. Note, however, that any document-security approach is only as strong as its users' behaviour: a secured report can still be shared with third parties by a user who is authorised to open it. All CST platform security components are built in line with ISO/IEC 27001.
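
Both the JWT-based SecureAuth integration mentioned under authentication above and the security tokens embedded in offline reports depend on the receiving tier verifying a signed token correctly. As an added example (written for this page; not CST's or SecureAuth's code), the following mints and verifies an HS256 JWT with only the Python standard library, and then embeds one in an offline report to show the caveat from the text: the token proves who it was issued to, not who is now presenting the file. The signing key, issuer, audience, the `roles` claim, and the report bundle format are constructed assumptions.

```python
"""Added example, not CST's or SecureAuth's code: mint and verify an HS256 JWT
with the Python standard library, then embed one in an offline report.
Key, issuer, audience, the "roles" claim and the report format are
constructed assumptions for this page."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-replace-with-a-real-secret"  # assumption: shared HMAC key
ISSUER = "https://idp.example.test"   # assumption: stands in for the client's SSO provider
AUDIENCE = "cst-reporting"            # assumption: the tier that must accept the token


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(subject: str, roles: list, ttl: int = 300, now=None) -> str:
    """Issue a short-lived token for `subject`. `now` is injectable for tests."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def verify(token: str, now=None) -> dict:
    """Return the claims or raise ValueError. Order matters: pin the algorithm
    before trusting anything in the token, check the signature before reading
    claims, then enforce issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(unb64url(h64))
    if header.get("alg") != "HS256":          # rejects alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(unb64url(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def verify_result(token: str, now=None) -> str:
    """Status string instead of an exception, for callers that log outcomes."""
    try:
        verify(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def embed_in_report(report: dict, token: str) -> dict:
    """Offline report bundle carrying its security token (constructed format)."""
    return {"report": report, "security_token": token}


def open_report(bundle: dict, now=None) -> dict:
    """Whoever holds the bundle before expiry gets the same claims back: the
    token binds the report to the user it was issued to, not to the person
    now presenting the file. That is the sharing caveat in the text."""
    return verify(bundle["security_token"], now=now)


if __name__ == "__main__":
    tok = mint("alice", ["uk_analyst"])
    bundle = embed_in_report({"title": "Q1 finance summary"}, tok)
    print("opened by the original user:", open_report(bundle)["sub"])
    print("opened by anyone who copied the file:", open_report(bundle)["sub"])
```

Two things the verifier does that a naive implementation often skips: the algorithm is pinned to HS256 rather than read from the token's own header, and the signature is checked before any claim is parsed or trusted. The short `exp` is the only thing that limits the damage from a shared or leaked report token.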

The platform supports encryption of data both at rest and in transit. All access to data is secured and audited. Web users access the platform through its authentication layer, and data-level authorisation restricts each user to the data their configured permissions allow. In addition, all CST-deployed components are tested for the following web application vulnerabilities:

  • Cross-site scripting
  • SQL injection
  • Path disclosure
  • Denial of service
  • Code execution
  • Memory corruption
  • Data breach
  • File inclusion (remote and local)
  • Buffer overflow

Note: web application security is also checked at the code level, using OWASP-based analysis tooling to scan the code for vulnerabilities before deployment to the CST test and E-UAT servers.

Client firewalls do not affect the architecture of the CST platform. As long as secure access is configured behind the client's DMZ, and only authorised users and clients are admitted through it, the application's own security infrastructure handles access to the application itself. The DMZ is a perimeter control; it complements, rather than replaces, the application-level authentication and authorisation described above.

The platform provides security with a multi-tiered approach. Web application security safeguards the application, while document-level security safeguards the data. Authorisation checks at runtime ensure that users can access only the specific data their permissions allow. Application security is enforced for each component of the architecture.

CST aims to catch any security vulnerability before shipping software to clients. However, new vulnerabilities are disclosed in the industry frequently, so CST provides security updates and additional monitoring tools where appropriate. Security patches are mandatory and are delivered outside the normal software upgrade path.

Technical Support

Technical support can be provided remotely, given CST access to the specified environment for update and maintenance purposes. This process has been tried and tested with several clients. CST records all interactions with clients in issue-tracking software that can be shared with clients for issue tracking.

While on-site support can be provided, CST's goal is for its software to be easy enough to use that continued on-site support is unnecessary. However, where applicable, CST can provide what we call "forward deployed engineers" on site to help with all aspects of the platform, including updates. Training is also provided so that clients can self-support the application.

CST is here to help its clients. We do not limit the number of phone calls or email requests we accept from clients. We believe that client interaction supports innovation, so we welcome client criticism and suggestions. This has already proven true in our past interactions with clients.

Training

CST provides 2 levels of training for this platform:

  • High-level on-site training
  • Detailed off-site technical and business training.

High-level training is delivered as soon as the platform is installed in the client environment, while detailed business and technical training is delivered just before the project goes live. This gives clients self-sufficiency in the configuration, monitoring and use of the platform in its entirety.

In addition, CST provides continuous interaction with clients to improve knowledge and awareness of current technologies. The idea is to add value to the clients while using input from clients to feed into the CST R&D effort.

Note: CST has established training centers in the UK and Dubai (UAE).