Securing Private Clouds

Private Clouds inherently provide better security than their public counterparts. Nevertheless, many dimensions must be taken into account in order to make them as secure as possible. Intalio|Cloud brings many innovations to address them.

By Ismael Chang Ghalimi, CEO, Intalio — June 2010


On-Premises Deployment

First and foremost, Intalio|Cloud can be deployed on-premises (Cf. Deployment Options), in the customer's own datacenter or in a co-location facility. This deployment model allows existing security systems and applications to be leveraged, including authentication tools, virtual private networks, intrusion detection applications, data encryption systems, etc.

Hardware Virtualization

Another critical element of Intalio|Cloud's secure computing architecture is the use of hardware virtualization for the purpose of multi-tenancy (Cf. On Multi-Tenancy). This level of virtualization, unlike any other, relies on a "share-nothing" model that dramatically reduces the risk of cross-tenant contamination should the virtual machine of one tenant be compromised.

Database Segregation

When using hypervisor multi-tenancy (Cf. Intalio Multi-Tenancy Architecture), each tenant is assigned its own database server. This architecture reduces the risk of unauthorized database access in the event that an improperly secured application makes the database vulnerable to SQL code injection or similar forms of attack.

Code Injection Prevention

When using application server multi-tenancy (Cf. Intalio Multi-Tenancy Architecture), the risk of external attack can be reduced by preventing code injection at the database middleware layer. For this purpose, the Intalio|XRM proprietary object-relational middleware layer implements advanced mechanisms for code injection prevention, detection, and remediation.

Single Sign-On

Intalio|Cloud provides an open Single Sign-On (SSO) infrastructure that can be integrated with virtually any directory service such as LDAP or Microsoft Active Directory. All components of Intalio|PaaS and Intalio|SaaS support Single Sign-On, and login credentials stored in the User Database are systematically encrypted. This infrastructure is based on Jasig CAS.

Multi-Factor Authentication

Intalio|Cloud's Single Sign-On infrastructure can be integrated with third-party authentication mechanisms in order to support multi-factor authentication, using a combination of passwords, tokens, biometrics, or certificates. Specific authentication mechanisms can be implemented at the application level or at the tenant level.

Password Lifecycle Management

Intalio|Cloud automates the lifecycle management of passwords by allowing custom rules to be specified in order to enforce password strength for user-created passwords, requiring users to change their passwords on a regular basis, and automating the re-generation of forgotten login credentials.

Active User Session Management

Intalio|Cloud provides an integrated user session management interface allowing systems administrators to monitor all active sessions, link sessions to IP addresses, and remotely terminate sessions. Any end user can also check how many active sessions use his/her login credentials, and the last time he/she logged onto the platform.

Role-Based Access Control

All user interactions enabled by Intalio|Cloud are subject to Role-Based Access Control (RBAC). Individual users can have multiple roles, and entitlements on objects managed by Intalio|Cloud can be scoped to object instances owned by the user, by the user's team, by the user's team and its sub-teams, or to all object instances.

Rule-Based Access Control

Additionally, entitlements can be defined through Rule-Based Access Control, using a Business Rules Engine. This mechanism allows the creation of Chinese walls between organizations, and the implementation of Separation of Duty (SoD) policies. Business rules are defined using easy-to-use wizards and can be applied to the content of objects.
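As an added illustration (constructed here, not Intalio's code) of the two preceding sections, a toy model of the four entitlement scopes with a rule layer on top that enforces a Chinese wall between organizations and a Separation of Duty check; the role table, rules, team names and object kinds are all assumptions:

```python
"""Constructed model of scoped RBAC plus rule-based entitlements (not Intalio code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Scope(Enum):
    OWN = 1                # object instances the user owns
    TEAM = 2               # instances owned by anyone on the user's team
    TEAM_AND_SUBTEAMS = 3  # ... or on any team below the user's team
    ALL = 4                # every object instance

@dataclass(eq=False)
class Team:
    name: str
    parent: Optional["Team"] = None

@dataclass(eq=False)
class User:
    name: str
    team: Team
    org: str
    roles: set = field(default_factory=set)

@dataclass(eq=False)
class Obj:
    kind: str
    owner: User
    org: str

# Constructed role table: role -> (action, object kind) -> scope.
ENTITLEMENTS = {
    "clerk":   {("read", "invoice"): Scope.TEAM},
    "manager": {("read", "invoice"): Scope.TEAM_AND_SUBTEAMS,
                ("approve", "invoice"): Scope.TEAM_AND_SUBTEAMS},
    "auditor": {("read", "invoice"): Scope.ALL},
}
# Constructed rules evaluated on object content after the role scope passes:
# a Chinese wall between organizations and a Separation of Duty rule for approval.
RULES = {
    ("read", "invoice"):    [lambda u, o: u.org == o.org],
    ("approve", "invoice"): [lambda u, o: u.org == o.org, lambda u, o: u is not o.owner],
}

def in_scope(scope: Scope, user: User, obj: Obj) -> bool:
    if scope is Scope.ALL:
        return True
    if scope is Scope.OWN:
        return obj.owner is user
    if scope is Scope.TEAM:
        return obj.owner.team is user.team
    team = obj.owner.team  # TEAM_AND_SUBTEAMS: walk up from the owner's team
    while team is not None:
        if team is user.team:
            return True
        team = team.parent
    return False

def authorize(user: User, action: str, obj: Obj) -> bool:
    """True only if some role grants the action in scope AND every rule passes."""
    key = (action, obj.kind)
    scopes = [ENTITLEMENTS.get(r, {}).get(key) for r in user.roles]
    if not any(s is not None and in_scope(s, user, obj) for s in scopes):
        return False
    return all(rule(user, obj) for rule in RULES.get(key, []))
```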

Universal Entitlement Management

Intalio|Cloud enables the definition and enforcement of entitlements for new applications developed with Intalio|PaaS, as well as for existing applications deployed on top of Intalio|IaaS. A single administration interface can be used to manage all access control policies and rules, across all applications.

Process-Driven Service Entitlement

Intalio|Cloud automates the creation of security policies for Web Services endpoints based on process definitions. As a result, Web Services bound to business processes can only be invoked by the processes they relate to, and only in the contexts that have been defined by explicit process models. This feature requires the deployment of ObjectSecurity OpenPMF.

Secure Application Server

Intalio|Cloud is built on a hardened version of the Intalio|Jetty application server. It includes an improved Security Manager, a Webapp Verifier, Webapp Barriers that isolate applications from the server and from each other, Secure Logging, and a Watchdog that monitors application and container resource usage in real-time.

Embedded Firewall

Applications deployed with hypervisor multi-tenancy (Cf. Intalio Multi-Tenancy Architecture) can embed a software firewall configured per application instance. The embedded firewall is based on Linux iptables. Additionally, applications deployed with application server multi-tenancy can restrict service from or to specific IP addresses.

SSL Encryption

Intalio|Cloud supports the SSL/TLS cryptographic protocols for a variety of applications, including support for the HTTPS and SFTP communication protocols. For this purpose, Intalio|Cloud embeds the OpenSSL toolkit, which offers support for SSL v2/v3 and TLS v1.

VPN Access

Applications deployed with hypervisor multi-tenancy (Cf. Intalio Multi-Tenancy Architecture) can support remote VPN access.

WS-Security Support

The Service Oriented Architecture that is part of Intalio|PaaS provides support for the WS-Security extension to SOAP. It also provides support for WS-I Basic Profile, WS-Policy, WS-Trust, and WS-SecureConversation. This infrastructure is based on Apache Rampart.