Security

Owned by Ruth Stento
Last updated: Mar 31, 2023 by John Brinckwirth
2 min read

Overview

SnapLogic’s Standard Encryption protects Account credentials. It uses an organization level asymmetric key pair managed by SnapLogic for account data encryption. When you create an Account, the IIP encrypts sensitive properties, such as passwords, in the browser using your organization's public key as the encryption key. When you save the Account, the IIP passes the encrypted data over a HTTPS connection to the control plane. The control plane stores the encrypted Account information in a secure S3 bucket that utilizes server-side encryption for data at rest. When an executing Pipeline needs the Account information, the Snaplex node retrieves it from the SnapLogic control plane. The Snaplex node decrypts the data using the Org’s private key but does not persist the credentials locally. Account data is not stored or transported over the wire in an unencrypted form

Organizations using self-managed Snaplexes (Groundplexes) can subscribe to Enhanced Encryption or Secrets Management if additional security is required:

  • With Enhanced Encryption, the Organization does not share the private key with SnapLogic. The private key stays on the Groundplex nodes, so the control plane cannot decrypt the account credentials.

  • With Secrets Management, the Organization stores credentials in a third-party secrets manager. SnapLogic Accounts contain only the information necessary to access the secrets manager. 

Note that Enhanced Encryption and Secrets Management do not protect against misuse by people within your organization. Each organization should make sure that only authorized persons have access to credentials.



In this Section



Secure Connections

A client (JCC, REST client, or Java code) that triggers Pipeline execution (with Triggered or Ultra Tasks) or the SnapLogic public API must support TLS 1.2. If the HTTP client does not support TLS 1.2, users will not be able to access the endpoints.

SnapLogic uses the default settings defined in lib/security/java.security within the JRE for all outbound requests from a pipeline. Learn more from the Java documentation. For Windows users, the security file will be defined in the JAVA_HOME environment variable.

  • TLS 1.2 is supported. TLS 1.0 and TLS 1.1 are no longer industry-standard security protocols and are no longer supported.

  • SSLv3 and MD2/RSA ciphers having a key size less than 1024 are disabled by default.

Disable External Process Creation

To further enhance SnapLogic platform security, these additional security measures are in place:

  • On Cloudplexes managed by SnapLogic, the creation of external processes is disabled from untrusted Snaps. Some snaps like database bulk loaders which require external process creation are trusted. Script snaps for example cannot use a Popen call to create a child process. On self-managed Snaplexes (Groundplexes), external process creation from Snaps is enabled by default. It can be disabled if required by contacting support@snaplogic.com.

  • Disable read/write access to files in the Snaplex installation folder from Snaps while executing Pipelines. Impacted folders are in the $SL_ROOT directory and include bin, cloudops, dropbox, lib, run, and broker. The proc directory (on Linux nodes) is not readable or writable through Snaps. If your existing Pipelines need to access log files, then we recommend that you create a sibling log file that is stored outside of the associated Snaplex installation folder.

OWASP Compliance

SnapLogic security is enhanced with the recommended OWASP security headers:

  • Strict-Transport-Security

  • X-XSS-Protection

  • X-Frame-Options

  • X-Content-Type-Options

  • Content-Security-Policy

  • Referrer-Policy

 

Have feedback? Email documentation@snaplogic.com | Ask a question in the SnapLogic Community
© 2017-2024 SnapLogic, Inc.