The CloudSoda Data Intelligence module provides a unified view of all on-premises and cloud storage environments through its Controller and Agent components. This whitepaper covers the architecture and security aspects of the CloudSoda Data Intelligence module, with an overview of how it collects information about your infrastructure, software security, and firewall settings.
Data Integrity
CloudSoda's Data Intelligence module is designed to provide actionable insights and analytics on storage environments, both in the cloud and on-premises. To achieve this, we maintain a strict focus on data integrity and access controls.
Our solution requires minimal permissions to access your storage:
- For on-premises storage via SMB or NFS, we only need read-only access over local connections.
- For S3 buckets, we use an access token and secret token with read-only permission to ensure secure access.
- For Azure Blob Storage, we require read and list permissions. Please refer to our related documentation for more details.
It's essential to note that the CloudSoda Data Intelligence module does not have the capability to delete, rename, or move files. Any operations requiring these actions are handled by the CloudSoda Data Orchestration module, ensuring a clear separation of responsibilities and minimizing potential security risks.
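As an added example (not CloudSoda code), the following Python check audits an IAM policy document for the S3 credential described above and reports any Allow statement that grants more than read or list actions. The sample policies, the bucket name and the rule that only `s3:Get*` and `s3:List*` actions count as read-only are assumptions made for this illustration.

```python
import json

# Assumption for this example: only S3 Get*/List* actions count as read-only.
READ_ONLY_PREFIXES = ("s3:get", "s3:list")

def _as_list(value):
    """IAM allows a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_read_only(action):
    # IAM action names are case-insensitive. Requiring a full read prefix
    # means broad wildcards such as "s3:*" or "*" are reported.
    return action.lower().startswith(READ_ONLY_PREFIXES)

def audit_policy(policy_json):
    """Return (statement index, action) pairs that exceed read/list access."""
    findings = []
    policy = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((index, "NotAction"))
            continue
        for action in _as_list(stmt.get("Action")):
            if not _is_read_only(action):
                findings.append((index, action))
    return findings

# Constructed sample policies; "example-bucket" is a placeholder name.
RESOURCES = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": RESOURCES}})
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": RESOURCES,
     "Action": ["s3:GetObject", "s3:DeleteObject", "s3:Put*"]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_policy(doc) or "OK")
```

An empty result means the policy grants nothing beyond read and list actions; any finding is a permission to remove before handing the credential to the scanner.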
Software Access and Firewall
The CloudSoda Data Intelligence Controller can be deployed on-premises or in a cloud environment, providing customers with flexibility and choice.
To ensure seamless communication between the Data Intelligence Controller and external services, CloudSoda uses the ports and software packages depicted in Figure 1 (see Appendix A for detailed information).
The Data Intelligence Controller utilizes specific ports and network connections to perform three primary tasks:
- Administration: This involves deploying, upgrading, and monitoring CloudSoda.
- Management: This involves monitoring the status of the Agents and sending them operation requests.
- Web UI and API: The Controller offers both a graphical user interface and an application programming interface for utilizing the platform.
Administering CloudSoda offers many benefits to customers, such as easy installation, software patching and updates, and simplified troubleshooting. Additionally, the system gathers vital information about the health of CloudSoda software and hardware to help maintain optimal performance. No customer data is collected during this process.
Scanning files and objects
If you use a CloudSoda Agent for NFS/SMB, then the Agent needs access to all the ports indicated in Figure 2 to perform file operations successfully.
In contrast, when accessing cloud storage, CloudSoda does not require any firewall exceptions. Ports 80/443 are used by the CloudSoda Data Intelligence module to establish a connection with cloud storage targets.
Web UI
To use the CloudSoda Data Intelligence web UI, port 80 must be open. The web UI can also be accessed via port 443, but this requires us to deploy a reverse proxy with a certificate provided by the customer.
REST API
To use the CloudSoda Data Intelligence module API, port 8085 must be open. The API can also be accessed via port 443, but this requires us to deploy a reverse proxy with a certificate provided by the customer.
CloudSoda Data Intelligence Agent