
Secure Deployment Guidelines

This page gives an overview of security best practices for self-managed deployment of Ataccama products. We strongly recommend following these guidelines in order to minimize the risk of data loss.

Deployment preparation

This section covers infrastructure preparation; the items described here are therefore the responsibility of the customer.

Network segmentation
  • Make sure your network is properly segmented to improve resistance against data breaches and other attacks.

    If ONE is installed using Ansible, this is implemented as one of the installation prerequisites. For more details, refer to automated-deployment-preconditions.adoc, section Networking.

System hardening
Close unused ports

Review all open ports in accordance with Ataccama requirements. Make sure to restrict access to any port that is not used by your deployment.

If ONE is installed using Ansible with firewall management enabled, this is implemented as one of the installation prerequisites.

For more details, refer to automated-deployment-preconditions.adoc, section Networking. For a list of all ports used, see Ports.
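As an added example that is not part of Ataccama's documentation or tooling, the following script performs the port review described above on a Linux host: it compares the sockets reported by `ss` with an allowlist of the ports the deployment is expected to expose, flags everything else, and notes whether each unexpected listener is bound to loopback only or reachable from the network. The allowlist values and the sample `ss` output are constructed placeholders; take the real port numbers from the Ports reference.

```shell
#!/bin/sh
# Added example (not Ataccama's code): report listening sockets whose port is
# not on the allowlist of ports the deployment is expected to expose.

# Ports the deployment is expected to expose (constructed placeholder values;
# replace them with the list from the Ports reference).
ALLOWED_PORTS="22 443 8443"

# Reads `ss -Hltnu`-style lines (Netid State Recv-Q Send-Q Local:Port Peer:Port)
# on stdin and prints one line per listener whose port is NOT in ALLOWED_PORTS:
#   <proto> <local-address:port> <exposed|loopback-only>
# Exit status is 1 if any unexpected listener was found, 0 otherwise.
audit_listeners() {
  awk -v allow=" $ALLOWED_PORTS " '
    NF >= 5 {
      port = $5; sub(/.*:/, "", port)        # drop the address, keep the port
      if (index(allow, " " port " ") == 0) {
        # A loopback-bound service is not reachable from the network, but it
        # still deserves review; anything else is directly exposed.
        scope = ($5 ~ /^(127\.|\[::1\])/) ? "loopback-only" : "exposed"
        print $1, $5, scope
        found = 1
      }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample of `ss -Hltnu` output, used to exercise the check offline.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.1:5432  0.0.0.0:*
tcp   LISTEN 0 4096 [::]:8443       [::]:*
udp   UNCONN 0 0    0.0.0.0:161     0.0.0.0:*'

# Run against the sample; on a real host use:  ss -Hltnu | audit_listeners
if printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners; then
  echo "no unexpected listeners"
else
  echo "review the listeners above: close the service or restrict access to it"
fi
```

The sample reports the PostgreSQL-style listener on 127.0.0.1:5432 as loopback-only and the SNMP-style listener on 0.0.0.0:161 as exposed; the expected ports 22, 443 and 8443 are not listed.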

User access
  • Prevent anonymous access to shared drives, FTP servers, and similar resources.

  • Do not use universal user accounts with broad access permissions when deploying Ataccama products.

  • Do not run Ataccama products on accounts with root access or admin privileges. Use low-privilege user accounts instead.

    If ONE is installed using Ansible, access to all applications is by default behind Keycloak authentication. ONE modules run in the context of unprivileged users, which is also managed by Ansible.

Installation procedure and configuration

Database encryption

Make sure your data at rest is encrypted, especially the databases used for storing sensitive data.

Ataccama is not responsible for implementing this recommendation.

Remove default users

Replace all default application users, such as test users, with accounts tailored to the customer’s deployment.

Store credentials in encrypted form
  • Do not store credentials in unencrypted text files. Do not write them down anywhere.

  • Change the default encryption passphrases after installation.

    If ONE is installed using Ansible, this is not covered by the installation process and needs to be additionally configured. For more information, see encrypting-passwords.adoc.

Secure all communication channels

Make sure all communication, regardless of the protocol used, is protected by TLS.

If ONE is installed using Ansible, this is not covered by the installation process and needs to be additionally configured. For more information, see TLS Configuration.

Enable authentication on all interfaces

All interfaces and endpoints should require some form of authentication.

If ONE is installed using Ansible, this is implemented during the installation process.

Remove sample projects

Sample projects included with Ataccama modules are intended for demonstration purposes and should not be used in production environments.

System access logging and auditing

Use auditing features to monitor user actions in applications.

Error logging

Monitor error logs for exceptions.

If ONE is installed using Ansible, this is covered by the default observability stack: OpenSearch, OpenSearch Dashboards, and Grafana. For more information about error monitoring in RDM, see rdm:tracking-data-and-system-errors-in-rdm.adoc.

Avoid using custom SQL

Features allowing the use of custom SQL queries are disabled by default and should be used with caution.

Specifically, this concerns row filters on RDM permissions. Editable row filters should be enabled only when absolutely necessary. See rdm:setting-permissions-in-rdm.adoc.

User access

We recommend enabling multi-factor authentication for high-privilege accounts.

The exception is multi-factor authentication for SSH access during installation: for ease of use, we recommend disabling it until the installation is finished.
