Architecture
Dasera is deployed as a SaaS application and leverages the power of Amazon Web Services (AWS) to provide the best possible scale & security for our customers. The application utilizes the following specific technologies:
- AWS Elastic Kubernetes Service (EKS) and Docker allow us to securely deploy & manage containerized applications using Kubernetes. This lets each customer have their own dedicated tenant whose resources are 100% segmented from other customers.
- Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service that allows us to quickly and easily manage our DNS records.
- AWS RDS PostgreSQL provides us with a highly available and secure database solution, and allows us to easily scale our databases up or down as needed. Each customer tenant has its own dedicated PostgreSQL database, and your data is never accessible by other customers. We use database encryption to ensure that all of your data is stored securely.
- AWS Key Management Service (KMS) allows us to securely encrypt sensitive customer data such as database credentials, and store the keys to your tenant’s RDS PostgreSQL database.
- TLS 1.3 ensures that all traffic to and from the application is encrypted while in transit.
- AWS CloudTrail stores all critical application alerts and security events published by Dasera.
Networking & Sampling
Clients connect to the Dasera console via web browser using a tenant-specific hostname. We use an Application Load Balancer (ALB) for TLS (SSL) offloading and to route requests to the application servers. This ALB is the only public ingress to our SaaS environment.
Your Dasera tenant may initiate outbound connections to the internet for the following needs:
- As part of regular scanning activities, by connecting to the data stores that you have configured within the Dasera application. These connections originate from a list of static IP addresses which can be used as a whitelist.
- As the result of Dasera policies enforcing workflows that deliver notifications to destinations such as AWS SNS, Google Pub/Sub, a generic webhook, and/or your email server of choice.
- Importing employee-specific data of your choosing from an external Employee Directory such as Okta Universal Directory.
We also take additional steps to ensure the security of our customers' data by never storing the data samples used by our analysis. This allows us to ensure that your data remains secure and private at all times.
Summary
The above architecture design ensures that Dasera:
- Can analyze all interactions within your data store, whether the interaction comes from BI tools, SQL clients, or SQL command-line tools. All BI tools and SQL clients ultimately issue SQL queries within the data store, and all of those queries get logged.
- Will not block any query from executing.
- Will not slow down the execution of any query.
- Does not write to your data store.
- Stores only metadata, and does not retain copies of any sensitive data samples.