May 19, 2022
How Imply Polaris takes a security-first approach
A primer for developers on security tools and controls available in Imply Polaris
Data security is a top priority for us. At Imply, we go to great lengths to ensure the confidentiality, integrity, and availability of your data.
With the release of Imply Polaris, a fully managed Database-as-a-Service built from Apache Druid, we took a security-first approach in all aspects of the product development and management.
In this blog, I’ll unpack our comprehensive approach to our security best practices which are focused on five core principles.
Number One: Authentication
When it comes to security, ensuring the identity of the users who are accessing your data is the first step. Imply Polaris requires authentication at the API gateway across all Imply APIs and services using OAuth2 to ensure no access goes unauthenticated. As for users logging into the Polaris web app, Polaris easily integrates with any identity provider (IdP) leveraging either SAML 2.0 or OIDC to provide single sign-on (SSO). Users can enjoy transparent and secure access to Polaris leveraging their central IdP for seamless SSO integration, improving end user experience, and facilitating quick and secure management of user access for administrators.
Through its built-in authentication service, Polaris can also provide secure authentication making it easy to enable one or more of the available built-in password policies, configuring multi-factor authentication (MFA), and more.
Security is built on top of ensuring the identity of users interacting with Imply Polaris. We store all secrets/keys within AWS Managed Services. and we periodically rotate these secrets/keys to align with industry best practices for Key Management.
Number Two: Authorization
Once users are authenticated, you want to control who can access what. Imply Polaris’s centralized role-based access control allows administrators to manage authenticated users through groups and roles. Whether you are manually assigning group membership, or mapping users to a centralized IdP, Imply Polaris simplifies the process of enabling granular role-based access control (RBAC) for all users.
With centralized authorization management, administrators can quickly understand who can access what and implement coherent access policies across all functions provided by Polaris.
When it comes to authorization, the bottomline is Polaris makes it easy to manage who and what can access data, manage data cubes, query data directly with SQL, or see visualizations.
Number Three: Backup
Backing up your data is fundamental in protecting against threat actors, human error, natural disasters and more. Properly backing up data ensures that when disaster strikes, you know that your data remains safely archived and available.
With Imply Polaris, you don’t have to worry about remembering to take (and restore) backups. That’s because Imply Polaris/Druid implements automatic backups with shared data in S3/object storage. As a result, Imply Polaris/Druid automatically protects and restores the latest state of the database even if you lose your entire cluster
Operationally, this makes things easier for developers by providing a “hands-free” data recovery approach.
Number Four: Encryption
With Imply Polaris, we’ve extended this “hands-free approach” by abstracting away the underlying infrastructure as well as taking on the difficult and time-consuming facets of database management.
For example, data encryption comes standard out of the box.
Encryption in Transit/Transport (TLS)
Imply Polaris automatically encrypts all data in motion using Transport Layer Security (TLS) 1.2, the industry standard for strong transport encryption.
Encryption at Rest
Imply Polaris also automatically encrypts all stored data using fips 140 series compliant algorithms (AES-256 encryption). In a nutshell, encryption at rest is a protection layer to guarantee that the written files or storage is only visible once decrypted by an authorized process/application.
Number Five: Monitoring / Alerting
The Imply Polaris infrastructure includes a robust security stack for 24/7 monitoring and alerting. This provides continuous vulnerability, secure configuration, and application behavior monitoring, all of which raise alerts if an anomaly is detected.
A core component of this security stack involves Cloud Security Posture Management (CSPM). This suite of security tools is designed to identify misconfiguration issues and compliance risks in the cloud. With these tools, Polaris is able to monitor and receive rapid notification of misconfigurations impacting security. Within Imply Polaris, we have implemented standardized security hardening and maintain compliance with CIS Amazon Web Services Foundations Benchmarks in the hosted environment and cloud infrastructure.
Our commitment to industry best security practices
As we’re rapidly developing and expanding Imply Polaris’s functionality, we’ll equally be ramping up our security efforts. We’ll be expanding our security capabilities and building out additional compliance frameworks that already include:
- American Institute of Certified Public Accountants (AICPA) SOC 2® – SOC for Service Organizations: Type 1 report. Our SOC 2® audit encompassed validation of the design of Imply’s controls relating to security, availability, and confidentiality. Compliance in each of these Trust Service Criteria requires adherence to common control criteria defined in the AICPA TSP Section 100.
- HIPAA – Imply Polaris was independently evaluated for HIPAA compliance based on AICPA AT-C 105 and AT-C 205 examination standards attesting that Imply’s controls are designed in conformance with HIPAA/HITECH requirements and the issuance of a Type 1 Attestation.
Next, we will be pursuing internationally recognized security compliance certifications (ISO 27001).
The bottomline is that we’re focusing on making sure that every new capability we add to Imply Polaris is backed by the level of security protection you expect of a service provider with whom you entrust your data.