Overview
SnapLogic’s Standard Encryption protects Account credentials. It uses an organization level asymmetric key pair managed by SnapLogic for account data encryption. When you create an Account, the IIP encrypts sensitive properties, such as passwords, in the browser using your organization's public key as the encryption key. When you save the Account, the IIP passes the encrypted data over a HTTPS connection to the control plane. The control plane stores the encrypted Account information in a secure S3 bucket that utilizes server-side encryption for data at rest. When an executing Pipeline needs the Account information, the Snaplex node retrieves it from the SnapLogic control plane. The Snaplex node decrypts the data using the Org’s private key but does not persist the credentials locally. Account data is not stored or transported over the wire in an unencrypted form
Organizations using self-managed Snaplexes (Groundplexes) can subscribe to Enhanced Encryption or Secrets Management if additional security is required:
With Enhanced Encryption, the Organization does not share the private key with SnapLogic. The private key stays on the Groundplex nodes, so the control plane cannot decrypt the account credentials.
With Secrets Management, the Organization stores credentials in a third-party secrets manager. SnapLogic Accounts contain only the information necessary to access the secrets manager.
Note that Enhanced Encryption and Secrets Management do not protect against misuse by people within your organization. Each organization should make sure that only authorized persons have access to credentials.
| Panel | ||||
|---|---|---|---|---|
| ||||
In this Section
|
Secure Connections
A client (JCC, REST client, or Java code) that
triggers Pipeline execution (with Triggered or Ultra Tasks) or the SnapLogic public API must
support TLS 1.2.
If the HTTP client does not support TLS 1.2, users will not be able to
access the endpoints.
SnapLogic uses the default settings defined in lib/security/java
.
y for security within the JRE for all outbound requests
from a pipeline. Learn more from the Java documentation. For Windows users, the security file will be
defined in the
JAVA_HOME environment variable.
| bgColor | #ebf7e1 |
|---|---|
| borderStyle | solid |
In this Section
| Child pages (Children Display) | ||
|---|---|---|
|
| Info | ||
|---|---|---|
| ||
Starting from the 4.21 release, SnapLogic Cloudplex instances are on Java 11. If you use a combination of Java 8 and Java 11 across your Snaplex nodes, then we recommend you to have an unlimited JCE key size. |
|
|
|
Disable External Process Creation
To further enhance
SnapLogic platform security,
these additional security measures are in place:
On Cloudplexes managed by SnapLogic, the creation of external processes is disabled from untrusted Snaps. Some snaps like database bulk loaders which require external process creation are trusted. Script snaps for example cannot use a Popen call to create a child process. On self-managed Snaplexes (Groundplexes), external process creation from Snaps is enabled by default. It can be disabled if required by contacting support@snaplogic.com.
Disable read/write access to files in the Snaplex installation folder from Snaps while executing
Pipelines. Impacted folders are in the
$SL_ROOTdirectory and includebin,cloudops,dropbox,lib,run, andbroker. Theprocdirectory (on Linux nodes) is not readable or writable
through Snaps. If your existing Pipelines need to access log files, then we recommend that you create a sibling log file that is stored outside of the associated Snaplex installation folder.
OWASP Compliance
SnapLogic security is enhanced with the recommended OWASP security headers:
Strict-Transport-Security
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
Content-Security-Policy
Referrer-Policy