Security Management
What inbound and outbound ports are required to be opened? What protocols, overall, does Conduit use?
The Conduit management console uses port 80 or 443. If SSL was requested during install, port 443 should be specified.
The JDBC/ODBC/Thrift endpoint uses port 10002. This is the "data" endpoint used by PowerBI or other consumers. The data endpoint is also secured if SSL is selected during install, so that communication is encrypted.
The network protocol for all endpoints is “http(s)”, including OData and REST API endpoints.
Concerning Conduit's caching feature, how is data stored? Is it encrypted? Can a client provide their own key for encryption?
Cached data is stored in Parquet files on a disk located on the respective virtual machine (VM) and is currently not encrypted. If a compute cluster, like a Spark or GPU engine, is attached to Conduit, the Parquet files are stored on the disks of those VMs, in an HDFS file system deployed there. Encryption support with a client-provided key during deployment is currently on our roadmap.
Outside of Conduit's caching feature, is any client data stored within Conduit? How are those credentials for connectors stored? Are they encrypted?
The only other client artifacts stored in Conduit are service account credentials/secrets for data sources where Pass-through is not available or not selected as the Authentication mode. These secrets are encrypted and stored in Conduit’s internal database, with a key that is generated at deployment time and stored in a flat file on the VM (protected by an SSH key). Allowing the deployer to specify a key during install, used both to protect these secrets and to encrypt the Parquet files, is currently on our roadmap. Client certificates, KeyVault or other managed services for secret storage are also on our roadmap and will be prioritized based upon customer demand. BPTech’s Product team has ample experience with all kinds of “Vault” type products.
Does Conduit allow for any communication over unsecured channels or is everything required to flow over encrypted channels (i.e.: https vs. http)?
At deployment time, SSL can be selected, in which case Conduit generates a Certbot SSL certificate and enforces all communication via “https” (SSL). If SSL is not selected, or if the Certbot install fails (which can happen on AWS installs that do not have a friendly DNS name for the URLs, or if for some reason port 80 is blocked during install), then deployment falls back to no SSL and plain “http” is used for all protocol communication. As a Professional Services exercise, a customer-provided SSL certificate can be deployed and configured for all data and management endpoints.
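Because a failed Certbot install silently falls back to plain http, a deployer should verify after install that both the management console (443) and the data endpoint (10002) actually present a trusted certificate. The following check is an added example written for this FAQ, not Conduit tooling; the host name is an assumption, the port numbers are the ones given above.

```python
"""Post-install check: are Conduit's endpoints really served over TLS?"""
from __future__ import annotations
import socket
import ssl
import sys
from dataclasses import dataclass

MANAGEMENT_PORT = 443   # management console when SSL was requested
DATA_PORT = 10002       # JDBC/ODBC/Thrift "data" endpoint
PLAINTEXT_PORT = 80     # used by Certbot during install / by the no-SSL fallback


@dataclass
class Probe:
    port: int
    tcp_open: bool
    tls_ok: bool        # handshake completed against the default trust store
    issuer: str = ""    # CA organizationName when a certificate was presented


def probe(host: str, port: int, timeout: float = 3.0) -> Probe:
    """Open a TCP connection, then attempt a verified TLS handshake on it."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return Probe(port, False, False)
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # issuer is a tuple of RDNs, each a tuple of pairs
            issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName", "")
            return Probe(port, True, True, issuer)
    except (ssl.SSLError, OSError):
        return Probe(port, True, False)


def findings(results: dict[int, Probe]) -> list[str]:
    """Turn probe results into a list of problems; an empty list means TLS is enforced."""
    out: list[str] = []
    mgmt, data, plain = (results.get(p) for p in (MANAGEMENT_PORT, DATA_PORT, PLAINTEXT_PORT))
    if mgmt is None or not mgmt.tcp_open:
        out.append("management console not listening on 443: install may have fallen back to http")
    elif not mgmt.tls_ok:
        out.append("port 443 open but TLS handshake failed (untrusted or missing certificate)")
    if data is None or not data.tls_ok:
        out.append("data endpoint 10002 not serving trusted TLS: JDBC/ODBC traffic would be cleartext")
    if plain is not None and plain.tcp_open and (mgmt is None or not mgmt.tls_ok):
        out.append("management reachable only on plain http port 80 (the no-SSL fallback)")
    return out


if __name__ == "__main__":  # usage: python check_conduit_tls.py conduit.example.internal
    host = sys.argv[1] if len(sys.argv) > 1 else "conduit.example.internal"  # assumed host name
    probes = {p: probe(host, p) for p in (MANAGEMENT_PORT, DATA_PORT, PLAINTEXT_PORT)}
    print("\n".join(findings(probes)) or "ok: https enforced on management and data endpoints")
```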