
BYOC Security Model

The Ververica Cloud: Bring Your Own Cloud deployment option uses zero-trust-first design principles to ensure you control security policies and have full observability. The key security features include:

  • Least-Privilege Access Model: Grants only the minimum necessary permissions to each component or user. This reduces the risk of unauthorized access or misuse. For example, only specific processes can read or write to certain data locations.
  • Identity-Based Authentication: Access to resources and services is controlled based on verified identities, ensuring that only authenticated users or systems can interact with the platform.
  • Isolation: Isolates different components of the system (user infrastructure and Ververica's services) from one another, reducing the impact of potential issues or security breaches.
  • Fine-Grained Authorization Policies: Users can define detailed rules specifying who or what has access to specific resources or actions. For example, one service might only have access to read a database, while another can modify it.
  • Short-Lived Credentials: Credentials are temporary and expire after a short duration, limiting the window for potential misuse if they are compromised.
  • User-Controlled Security Policies: Users can define and enforce their own security policies, such as encryption standards, access controls, and compliance measures.
  • Full Observability: Users have complete visibility into the system's performance, activities, and security status, enabling them to monitor and troubleshoot effectively.

How Can BYOC Help You Comply with Zero Trust?

The Zero Trust model is reshaping how organizations approach security, emphasizing the idea that breaches should always be considered possible, trust should never be implicit, and verification is always required. Ververica's BYOC deployment option is designed to meet these Zero Trust specifications, ensuring security at every level of your cloud infrastructure.

Before deploying BYOC, Ververica recommends reviewing the following principles and considerations to guide your Zero Trust design.

Policy Control, Observability, and Sovereignty Principles

In a zero-trust architecture, you retain full control over policy administration, observability, and security policies. The vendor is treated as a third party to ensure compliance with NIST 800-207.

Key Questions to Consider:

  • Who controls the vendor-customer connectivity policies?
  • Who owns and controls data access policies?
  • How can all parties gain full observability at all levels?

Ververica provides an agent that operates within your cloud, establishing a one-way connection to the control plane. This setup ensures you maintain full control over connectivity with Ververica’s control plane. The agent integrates seamlessly with your existing security and observability tools, such as AWS VPC Flow Logs. All data processing and movement occur locally within your cloud, fully decoupled from third-party control planes, ensuring complete data sovereignty.
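One way to verify the one-way connection claim from your own VPC Flow Logs, as an added example rather than Ververica's tooling: it parses default-format records and flags any connection opened towards the agent, and any outbound connection to an endpoint outside the allow list. The agent IP, the control-plane endpoint and the log records are constructed for the example.

```python
"""Added example: audit VPC Flow Log records for an in-cloud agent that should
only open outbound connections to an allow-listed control plane."""
from collections import namedtuple

# Field order of the AWS VPC Flow Logs default (version 2) record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
# Constructed values: the agent's private IP and the control-plane endpoint.
AGENT_IP = "10.0.1.25"
ALLOWED = {("203.0.113.10", 443)}
# kind is "inbound-to-agent" or "unexpected-outbound"; action is ACCEPT/REJECT.
Finding = namedtuple("Finding", "kind client cport server sport action")

def parse(line):
    rec = dict(zip(FIELDS, line.split()))
    if len(rec) != len(FIELDS) or rec["log-status"] != "OK":
        return None  # NODATA/SKIPDATA rows carry '-' instead of addresses/ports
    rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
    return rec

def audit(lines, agent_ip=AGENT_IP, allowed=ALLOWED):
    """The default format has no tcp-flags field, so the initiator is inferred:
    the side on the lower (service) port is the listener. The reply leg of an
    agent-opened flow thus normalises to the same client/server pair and is
    not flagged, while a connection opened towards the agent is."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s, d = (rec["srcaddr"], rec["srcport"]), (rec["dstaddr"], rec["dstport"])
        client, server = (s, d) if d[1] < s[1] else (d, s)   # who opened it
        f = None
        if server[0] == agent_ip:
            f = Finding("inbound-to-agent", *client, *server, rec["action"])
        elif client[0] == agent_ip and server not in allowed:
            f = Finding("unexpected-outbound", *client, *server, rec["action"])
        if f and f not in findings:   # forward and reply legs yield one finding
            findings.append(f)
    return findings

# Constructed sample records (not real traffic): an expected flow and its reply
# leg, an inbound SSH attempt at the agent, an outbound flow to an unknown host,
# and a NODATA row.
SAMPLE = """\
2 123456789012 eni-0abc12345def67890 10.0.1.25 203.0.113.10 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345def67890 203.0.113.10 10.0.1.25 443 49152 6 10 8800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345def67890 198.51.100.7 10.0.1.25 51234 22 6 3 180 1700000005 1700000065 REJECT OK
2 123456789012 eni-0abc12345def67890 10.0.1.25 192.0.2.99 40000 443 6 5 900 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0abc12345def67890 - - - - - - - 1700000010 1700000070 - NODATA
""".splitlines()
```

Running `audit(SAMPLE)` yields two findings: the rejected inbound SSH attempt and the outbound flow to the unlisted host; the expected control-plane flow and its reply leg produce none.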

Least-Privilege Access

The principle of least privilege (PoLP) dictates that users, applications, systems, or processes should only have the minimum access needed to perform their specific tasks or functions. This reduces the potential damage from accidental errors, security breaches, or malicious activity.

Key Questions to Consider:

  • How much control does the vendor need to have in your technology stack?
  • How does the vendor ensure a least-privilege access design?
  • Who owns observability and other auxiliary systems?

When considering which services vendors like Ververica should have access to, the answer should always be the bare minimum required for the vendor's services to function. You must scrutinize designs closely by repeatedly asking: "Does the vendor truly need this access to deliver its core business function?"

When considering the access rights of external vendors like Ververica, ensure they have the bare minimum permissions required to deliver core services. Avoid granting overly broad permissions to prevent expanding the trust surface unnecessarily. For instance, avoid giving vendors control over networking, compute, or storage services unless absolutely necessary, as this expands the potential attack surface.

In shared IaaS or CaaS environments, granular access control is more challenging, but it’s critical to limit vendor access to the minimum necessary.

Kubernetes Workloads

Kubernetes is the industry standard for orchestrating containerized workloads. Ververica’s data plane software is designed to integrate with existing Kubernetes infrastructure without requiring elevated privileges. By creating non-privileged Kubernetes namespaces for each tenant, Ververica ensures that integration with your monitoring tools is seamless and portable.

You can collect logs and metrics from the containers within these Kubernetes clusters while maintaining tenant-specific isolation. Communication with the control plane occurs through agents for each tenant, ensuring a secure, isolated environment for each workload.
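The least-privilege questions above and the per-tenant namespace design both come down to one check you can run yourself: does the vendor's ServiceAccount hold anything beyond explicit, namespace-scoped grants? The following added example (not Ververica's code) audits RBAC objects for cluster-wide bindings, built-in broad ClusterRoles and wildcard rules; the account name `vvp-agent`, the namespace `tenant-a` and the manifests are constructed.

```python
"""Added example: check that a vendor ServiceAccount is confined to its tenant
namespace, with no cluster-wide, built-in-admin or wildcard RBAC grants."""
BROAD_CLUSTER_ROLES = {"cluster-admin", "admin"}

def audit_rbac(objects, sa_name, tenant_ns):
    """objects: RBAC manifests as dicts (shape of `kubectl get -o json` items).
    Returns findings; an empty list means only explicit, namespace-scoped grants."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == tenant_ns for s in o.get("subjects", [])):
            continue  # binding does not concern the vendor account
        ref, name, ns = o["roleRef"], o["metadata"]["name"], o["metadata"].get("namespace")
        if o["kind"] == "ClusterRoleBinding":
            findings.append(f"{name}: cluster-wide binding to {ref['kind']}/{ref['name']}")
        elif ns != tenant_ns:
            findings.append(f"{name}: binding lives outside tenant namespace ({ns})")
        if ref["kind"] == "ClusterRole" and ref["name"] in BROAD_CLUSTER_ROLES:
            findings.append(f"{name}: references built-in broad ClusterRole {ref['name']}")
        role_ns = None if ref["kind"] == "ClusterRole" else ns  # ClusterRoles are unscoped
        for rule in roles.get((ref["kind"], role_ns, ref["name"]), {}).get("rules", []):
            for key in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(key, []):
                    findings.append(f"{name}: {ref['name']} grants wildcard {key}")
    return findings

# Constructed sample: a namespace-scoped read-only Role and binding (no finding),
# a binding of the same account to cluster-admin, and a wildcard Role.
SA, NS = "vvp-agent", "tenant-a"
SUBJECT = [{"kind": "ServiceAccount", "name": SA, "namespace": NS}]
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "agent-ro", "namespace": NS},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "agent-ro-rb", "namespace": NS},
     "subjects": SUBJECT, "roleRef": {"kind": "Role", "name": "agent-ro"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "agent-crb"},
     "subjects": SUBJECT, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "Role", "metadata": {"name": "agent-all", "namespace": NS},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "agent-all-rb", "namespace": NS},
     "subjects": SUBJECT, "roleRef": {"kind": "Role", "name": "agent-all"}},
]
```

`audit_rbac(SAMPLE, SA, NS)` reports the cluster-admin binding twice (cluster-wide scope and broad built-in role) and the wildcard Role three times, one per wildcarded field; the read-only Role produces nothing.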

Breach Isolation

Planning for a breach is essential to meeting zero-trust requirements. Breach isolation involves detecting and containing unauthorized access or data exfiltration without affecting other components of the system.

Key Questions to Consider:

  • How can you ensure breach isolation, identity-based authentication, and dynamic authorization?
  • Who owns authentication and authorization services?
  • How can you enforce granular access control?

Ververica ensures breach isolation by maintaining complete separation of service chains between tenants. Each Ververica tenant (workspace) is assigned its own dedicated access, managed through Role-Based Access Control (RBAC). This includes a dedicated agent, a specific set of services, and exclusive data storage. A single service chain is designed to serve only one tenant, ensuring complete isolation. This design guarantees that a breach in one tenant does not impact others.

Key measures for breach isolation include:

  • Authentication and authorization services are fully owned and managed by you, not Ververica, giving you full security control.
  • Dynamic authorization with ephemeral or rotating access tokens mitigates the risks associated with credential breaches.
  • Granular access control policies are under your control, allowing you to define specific third-party access URLs and API calls for tenant storage.

Ververica integrates with cloud-native services for authentication and authorization, such as OpenID Connect (OIDC) and security token services. This approach avoids Ververica having to manage these services itself, while ensuring that you retain full control over your data and security policies.

Ververica’s BYOC deployment option provides the flexibility and security needed to meet Zero Trust principles. By maintaining full control over policies, observability, access rights, and breach isolation, Ververica enables you to ensure that your cloud infrastructure meets the highest security standards, while keeping your data and services isolated from third-party vendors.