Architecture and Security

Architecture

  • Single Tenant - Private Cloud Instance ( GC, Azure, AWS )

    24/7/365 availability, EU/US/ASIA region deployment options

  • Private Database & private Cloud Storage Bucket Automated Daily Backups

  • Secure

    SSL on all clients, Data Encryption, Private Encryption key possible

  • Default Authentication

    Token based with SHA256 HMAC signature

  • Enterprise Authentication Options – Single Sign On (SSO)

    Microsoft On Premise AD, Azure AD, OAuth 2.0, Google Identity

  • On Premise Deployment Possible

    Kubernetes is used as the container based orchestrator

  • Deployment

    Kubernetes cluster setup with 4 nodes required

  • Hardware Configuration Master Node reference sample

    1 master: Ryzen 3, 8 GB DDR4 RAM, 128 GB SSD

  • Hardware Configuration Worker Node reference sample

    3 workers: Ryzen 7, 16 GB RAM, 512 GB SSD

  • Storage

    rook and ceph by default, but can be any bucket/object storage supported by K8S

Continuous Delivery

Alt text

Continuous Integration Workflow

Alt text

Technology Stack

Alt text

Private Enterprise Container Architecture Diagram

Alt text

Security & Federation

Single Sign On - Requirements

  • Identity infrastructure that supports

  • WS-Federation (Passive Requestor Profile)

  • SAML 2.0

  • Fully encrypted communication (HTTPS)

  • Most used supported systems

  • Microsoft Active Directory Federation Services

  • Microsoft Azure Active Directory

  • Email to be setup as a claim in the trust

  • The user’s company email address or other suitable contact email address

  • Claim type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • Requires FieldAP Private Enterprise Space option

Simplified SSO diagram

Alt text

Typical SSO onboarding process

  1. Customer provides XML metadata for federation

  2. The FieldAP Private Enterprise Space is configured

  3. FutureOn enables SSO with metadata from customer

  4. FutureOn gives the URL for the federation XML metadata to use in the trust configuration

  5. The organization sets up the trust based on the XML metadata

  6. The SSO is verified and tested

  7. Solution is ready to use

Google Cloud Security

  • Google Data Centers Certification

  • SSAE16 / ISAE 3402 Type II

  • SOC 1
  • SOC 2
  • SOC 3
  • ISO 27001
  • ISO 27017
  • ISO 27018

  • PCI DSS v3.1

  • Data Encryption

  • Cloud Platform services automatically encrypt data before it is written to disk. For example, the data for each Cloud Storage object is encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.

  • Customer Key Management is possible

  • More Information : www.cloud.google.com/security/compliance

MS Azure Cloud Security

  • MS Azure Data Centers Certification

  • SOC 1

  • SOC 2
  • SOC 3
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • ISO 9001
  • WCAG 2.0

  • and more

  • Data Encryption

  • Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware.

  • More Information : www.microsoft.com/en-us/trustcenter/compliance/complianceofferings