Features & Responsibilities Matrix
All security features that are available on e6data are listed below, along with the responsibility for configuring and managing each.
Network Access Controls
| Feature | Cloud | Responsibility |
|---|---|---|
Deploy into an EKS Cluster that you manage and secure. By default is no ingress allowed to the data plane. | AWS | Deployed by the user, using Terraform & Helm templates provided by e6data. |
Authenticated access from users or clients to the e6data control plane UI and APIs | AWS | Credentials to access UI & Personal Access Tokens for APIs to be generated by users. |
Private access (or private link) from the data plane to the e6data control plane | AWS | Deployed by the user, using Terraform & Helm templates provided by e6data. |
IP access lists to control access to e6data control plane UI and APIs over the internet | AWS | Only Kubernetes management access between the e6data control plane and data plane. Any other access should be provided by users. |
Ingress for 3rd party querying tools to access the engine. | AWS | User should enable Kubernetes Ingress for external connectors. |
User and Group Management
| Feature | Cloud | Responsibility |
|---|---|---|
Use the cloud service provider identity management for seamless integration with cloud resources | AWS | e6data |
Single Sign-On with identity provider integration (you can enable MFA via the identity provider) | AWS | Can be configured in the e6data console. |
Service principals or service accounts to manage application identities for automation | AWS | e6data |
User account locking to temporarily disable a user’s access to e6data | AWS | e6data |
Role-based access controls to provide least required privileges for users/groups. | AWS | Configured by user. |
Access Management
| Feature | Cloud | Responsibility |
|---|---|---|
Fine-grained permission-based access control to all e6data objects including workspaces, catalog, clusters and queries | AWS | Users should configure access to their team members. |
Secure API access with personal access tokens with permission management | AWS | e6data provides unique tokens in the Console for secure access. |
Segment users, workloads and data with different security profiles in multiple workspaces | AWS | Use separate workspaces where possible to segment users who need access to different data sources. |
Data Security
| Feature | Cloud | Responsibility |
|---|---|---|
Encryption of control plane data at rest | AWS | e6data (enabled by default) |
Encryption in transit of all communications between the e6data control plane and customer data plane | AWS | e6data (enabled by default) |
Workload Security
| Feature | Cloud | Responsibility |
|---|---|---|
Manage code versions effectively with repos | AWS | e6data |
Built-in secret management to avoid hardcoding credentials in code | AWS | e6data |
Managed data plane docker image regularly updated with patches, security scans and basic hardening | AWS | e6data |
Contain costs, enforce security and validation needs with cluster policies | AWS | e6data |
Immutable short-lived infrastructure to avoid configuration drift | AWS | e6data |
Enhanced hardening with security monitoring and vulnerability reports of managed data plane images | AWS | e6data |
Auditing & Logging
| Feature | Cloud | Responsibility |
|---|---|---|
Comprehensive and configurable audit logging of activities of e6data users | AWS | Logged by e6data. Can be consumed by users through Console or API. |
Logging of run queries | AWS | Logged by e6data. Can be consumed by users through Console or API. |
e6data infrastructure logging | AWS | Logged by e6data. Can be consumed by users through Console or API. |
Security Certifications
| Certification | Cloud |
|---|---|
ISO 27001 | AWS |
ISO 27017 | AWS |
ISO 27018 | AWS |
ISO 27701 | AWS |
SOC 2 Type 1 | AWS |
Last updated