Security Reference
Comprehensive security architecture and configuration guide
Security Architecture
Data Protection
Encryption in Transit
External Communication:
| Feature | Configuration |
|---|---|
| Protocol | TLS 1.3 |
| Forward Secrecy | Perfect Forward Secrecy (PFS) |
| Cipher Suites | Strong ciphers only |
| HSTS | Enabled |
Internal Communication:
- Istio service mesh with mutual TLS (mTLS)
- Encrypted service-to-service communication
- Certificate-based service authentication
- Automatic certificate rotation
Encryption at Rest
Managed Cloud:
- Azure-managed encryption for all storage
- PostgreSQL database encryption (TDE)
- Azure Storage encryption
- Redis persistence encryption
Self-Hosted:
- Leverage cloud provider encryption (AWS, Azure, GCP)
- Kubernetes encrypted secrets
- Encrypted persistent volumes
- Customer-managed encryption keys (BYOK) supported
Data Privacy
Data Residency:
| Deployment | Location |
|---|---|
| Managed Cloud | EU (Azure Germany) |
| Private Azure | Customer-selected region |
| Self-Hosted | Customer infrastructure |
Data Isolation:
- GraphPolaris connects to your graph database
- Your graph data remains in your infrastructure
- Only metadata stored in GraphPolaris infrastructure
- Multi-tenant isolation (organization-level)
Network Security
Perimeter Security
Managed & Private Azure Deployments:
- Azure Web Application Firewall (WAF)
- DDoS protection (Azure DDoS Protection)
- Rate limiting
- IP allowlisting (enterprise feature)
Self-Hosted:
- Kubernetes Network Policies
- Ingress controller with WAF capabilities
- Customer-managed firewall rules
Network Policies
```yaml
# Default deny: no ingress or egress for any pod in the namespace unless another policy allows it
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: graphpolaris-default-deny
  namespace: graphpolaris
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow only the Istio ingress gateway namespace to reach the client gateway on port 3000
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-gateway
  namespace: graphpolaris
spec:
  podSelector:
    matchLabels:
      app: client-gateway
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: istio-system
      ports:
        - protocol: TCP
          port: 3000
```
Service Mesh Security
Istio Configuration:
```yaml
# Require mTLS for every workload in the namespace (plaintext connections are rejected)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: graphpolaris
spec:
  mtls:
    mode: STRICT
---
# Only the client-gateway service account identity may call services in the namespace
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: graphpolaris-authz
  namespace: graphpolaris
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/graphpolaris/sa/client-gateway"
```
Application Security
Secure Development Practices
Code Quality:
- TypeScript for type safety
- Static code analysis (ESLint, SonarQube)
- Dependency vulnerability scanning
- Regular security audits
Input Validation:
- Server-side validation for all inputs
- XSS (Cross-Site Scripting) prevention
- CSRF (Cross-Site Request Forgery) protection
- SQL/Cypher injection prevention
Session Management
Secure Sessions:
| Feature | Configuration |
|---|---|
| Storage | Redis (encrypted) |
| Timeout | 8 hours (configurable) |
| Idle Timeout | 30 minutes |
| Cookie Flags | HttpOnly, Secure, SameSite |
Token Security:
- JWT tokens for API authentication
- Short-lived access tokens (15 minutes)
- Refresh token rotation
- Token revocation support
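As an added illustration of the token lifecycle listed above (example code, not the GraphPolaris project's own implementation), the following Python sketch issues HS256 access tokens with the page's 15-minute lifetime, rotates opaque refresh tokens on every use, and revokes the whole token family when a previously rotated refresh token is replayed. The signing key, the 8-hour refresh lifetime, the in-memory store and the claim names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed key for this example only; a deployment would load it from the
# jwt-secret entry of the graphpolaris-secrets Secret (assumption).
SIGNING_KEY = b"example-only-signing-key-do-not-reuse"
ACCESS_TTL = 15 * 60          # 15-minute access tokens, as stated on the page
REFRESH_TTL = 8 * 60 * 60     # assumption: refresh lifetime tied to the 8-hour session


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, org_id: str, now: float) -> str:
    """Build an HS256 JWT whose exp claim is 15 minutes after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "org": org_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Return the claims when the signature is valid and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # no algorithm substitution
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RefreshTokenStore:
    """Opaque refresh tokens kept only as SHA-256 hashes. Each refresh rotates the
    token; replay of an already-rotated token revokes its entire family."""

    def __init__(self):
        self._tokens = {}            # sha256(raw token) -> record
        self._revoked_families = set()

    def _new_record(self, user_id, org_id, family, now):
        raw = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(raw.encode()).hexdigest()] = {
            "user": user_id, "org": org_id, "family": family,
            "exp": now + REFRESH_TTL, "used": False,
        }
        return raw

    def login(self, user_id, org_id, now):
        family = secrets.token_hex(8)   # one family per login session
        return issue_access_token(user_id, org_id, now), self._new_record(user_id, org_id, family, now)

    def refresh(self, raw_refresh, now):
        rec = self._tokens.get(hashlib.sha256(raw_refresh.encode()).hexdigest())
        if rec is None or rec["exp"] <= now or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # A rotated token was presented again: someone holds a stale copy, so
            # invalidate every token descended from this login.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        new_refresh = self._new_record(rec["user"], rec["org"], rec["family"], now)
        return issue_access_token(rec["user"], rec["org"], now), new_refresh

    def revoke(self, raw_refresh):
        """Explicit revocation (logout): kill the family the token belongs to."""
        rec = self._tokens.get(hashlib.sha256(raw_refresh.encode()).hexdigest())
        if rec is not None:
            self._revoked_families.add(rec["family"])
```

Storing only the hash of each refresh token means a leaked copy of the store cannot be replayed, and tracking tokens by family is what makes rotation detect reuse rather than merely shorten exposure.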
API Security
```yaml
# Rate limiting configuration (ingress-nginx annotations: requests per second and concurrent connections per client IP)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: graphpolaris   # placeholder name
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-connections: "50"
spec:
  defaultBackend:      # minimal backend so the manifest is valid; routes to the client gateway
    service:
      name: client-gateway
      port:
        number: 3000
```
Secrets Management
Kubernetes Secrets
```bash
# Create encrypted secrets
kubectl create secret generic graphpolaris-secrets \
  --namespace graphpolaris \
  --from-literal=jwt-secret=$(openssl rand -base64 32) \
  --from-literal=encryption-key=$(openssl rand -base64 32) \
  --from-literal=db-password=<secure-password>
```
RBAC for Secrets:
```yaml
# Grants read access to the single named Secret only (no list or watch, no other secrets)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: graphpolaris
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["graphpolaris-secrets"]
    verbs: ["get"]
```
Azure Key Vault (Private Azure)
```bash
# Store secrets in Key Vault
az keyvault secret set \
  --vault-name kv-graphpolaris \
  --name jwt-secret \
  --value $(openssl rand -base64 32)

# Enable managed identity access
az keyvault set-policy \
  --name kv-graphpolaris \
  --object-id <managed-identity-id> \
  --secret-permissions get list
```
Secret Rotation
```yaml
# Kubernetes secret rotation with External Secrets: the Secret is re-synced from Key Vault every hour
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: graphpolaris-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: azure-key-vault
    kind: ClusterSecretStore
  target:
    name: graphpolaris-secrets
  data:
    - secretKey: jwt-secret
      remoteRef:
        key: jwt-secret
```
Audit Logging
Events Logged
| Category | Events |
|---|---|
| Authentication | Login, logout, failed attempts |
| Authorization | Access denied, role changes |
| Data Access | Graph connections, queries |
| Admin Actions | User management, config changes |
Log Format
```json
{
  "timestamp": "2024-01-15T10:30:00Z",
  "level": "info",
  "event": "user.login",
  "userId": "user-123",
  "organizationId": "org-456",
  "ip": "192.168.1.1",
  "userAgent": "Mozilla/5.0...",
  "success": true
}
```
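As an added example (not GraphPolaris code), the following Python detector reads audit lines in the format shown above and raises an alert when one source IP accumulates five failed logins within five minutes, and a second alert if a login from that IP then succeeds while the burst is still in the window. The sample log lines, the thresholds and the alert shape are constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the page's audit log format (not real GraphPolaris output).
SAMPLE_LOG = """\
{"timestamp": "2024-01-15T10:30:00Z", "level": "info", "event": "user.login", "userId": "user-123", "organizationId": "org-456", "ip": "192.168.1.1", "userAgent": "Mozilla/5.0...", "success": true}
{"timestamp": "2024-01-15T10:31:00Z", "level": "warn", "event": "user.login", "userId": "user-777", "organizationId": "org-456", "ip": "203.0.113.9", "userAgent": "curl/8.0", "success": false}
{"timestamp": "2024-01-15T10:31:10Z", "level": "warn", "event": "user.login", "userId": "user-778", "organizationId": "org-456", "ip": "203.0.113.9", "userAgent": "curl/8.0", "success": false}
{"timestamp": "2024-01-15T10:31:20Z", "level": "warn", "event": "user.login", "userId": "user-779", "organizationId": "org-456", "ip": "203.0.113.9", "userAgent": "curl/8.0", "success": false}
{"timestamp": "2024-01-15T10:31:30Z", "level": "warn", "event": "user.login", "userId": "user-780", "organizationId": "org-456", "ip": "203.0.113.9", "userAgent": "curl/8.0", "success": false}
{"timestamp": "2024-01-15T10:31:40Z", "level": "warn", "event": "user.login", "userId": "user-781", "organizationId": "org-456", "ip": "203.0.113.9", "userAgent": "curl/8.0", "success": false}
{"timestamp": "2024-01-15T10:32:00Z", "level": "info", "event": "user.login", "userId": "user-781", "organizationId": "org-456", "ip": "203.0.113.9", "userAgent": "curl/8.0", "success": true}
{"timestamp": "2024-01-15T10:40:00Z", "level": "warn", "event": "user.login", "userId": "user-2", "organizationId": "org-456", "ip": "198.51.100.4", "userAgent": "Mozilla/5.0...", "success": false}
this line is not JSON and must not crash the detector
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed logins per source IP.

    Emits a 'failed_login_burst' alert the moment an IP reaches `threshold`
    failures inside `window`, and a 'success_after_burst' alert when a login
    from that IP succeeds while the burst is still inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "user.login":
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures that fell out of the window
        if ev.get("success") is False:
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"type": "failed_login_burst", "ip": ev["ip"],
                               "count": len(q), "last": ev["timestamp"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_burst", "ip": ev["ip"],
                           "userId": ev.get("userId"), "last": ev["timestamp"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The burst alert fires once, when the threshold is first crossed, so a long-running spray does not flood the SIEM; the success-after-burst alert is the one worth paging on, because it means a password was eventually accepted from a source that had just been failing repeatedly.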
Log Retention
| Deployment | Retention |
|---|---|
| Managed Cloud | 90 days |
| Self-Hosted | Customer-configured |
SIEM Integration
```yaml
# Fluentd configuration for SIEM: tail the application logs and forward them to the SIEM collector
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
data:
  fluent.conf: |
    <source>
      @type tail
      path /var/log/graphpolaris/*.log
      tag graphpolaris.*
    </source>
    <match graphpolaris.**>
      @type forward
      <server>
        host siem.company.com
        port 24224
      </server>
    </match>
```
Vulnerability Management
Dependency Scanning
Automated Scanning:
- Daily dependency vulnerability scans
- Automated security updates for critical vulnerabilities
- Container image scanning
- SBOM (Software Bill of Materials) available
Tools Used:
- Dependabot (dependencies)
- Trivy (container scanning)
- Snyk (vulnerability detection)
Update Cadence
| Severity | Response Time |
|---|---|
| Critical | < 24 hours |
| High | < 72 hours |
| Medium | Next release |
| Low | Quarterly |
Compliance
GDPR Compliance
Data Subject Rights:
- Right to access
- Right to rectification
- Right to erasure
- Right to data portability
Technical Measures:
- EU data residency (Managed Cloud)
- Data Processing Agreement available
- Privacy by design principles
Security Controls Mapping
| Control | Implementation |
|---|---|
| Access Control | RBAC, OAuth, SSO |
| Encryption | TLS 1.3, mTLS, AES-256 |
| Audit Logging | Centralized logging |
| Incident Response | Documented procedures |
| Backup | Automated, encrypted |
Incident Response
Security Contact
| Type | Contact | SLA |
|---|---|---|
| General Inquiries | Contact us | 48 hours |
| Security Incidents | Contact us | 24 hours |
| Enterprise | Direct channel | 4 hours |
Response Process
- Detection - Automated monitoring and alerting
- Triage - Severity assessment
- Containment - Isolate affected systems
- Investigation - Root cause analysis
- Remediation - Fix and patch
- Recovery - Restore services
- Post-Incident - Review and improve
Penetration Testing
Scope
- External network testing
- Web application testing
- API security testing
- Authentication testing
Reports
Penetration test reports available under NDA for enterprise customers. Contact your account representative.
Security Checklist
Pre-Deployment
- Network policies configured
- Secrets stored securely
- TLS certificates valid
- RBAC policies defined
- Logging enabled
- Backup configured
Post-Deployment
- Security scan completed
- Access tested and verified
- Monitoring alerts configured
- Incident response tested
- Documentation updated