跳转至

Security Overview

Security and governance(安全与治理)

Palantir helps organizations solve real-world problems using powerful, secure software platforms. For more than a decade, we’ve worked with customers in the most secure and highly-regulated industries to build software for their most sensitive data. Today, security and privacy remain the cornerstone of our product development, company culture, and internal operations.

The Palantir platform is used by healthcare providers, financial institutions, utility providers, manufacturers, telecoms, airlines, and pharmaceutical companies around the globe to handle their most sensitive workflows. The Palantir platform was built for security-conscious customers who need the capability to handle financial data, Personally Identifiable Information (PII), Protected Health Information (PHI), Controlled Unclassified Information (CUI), and even classified government data in a secure and compliant manner. Palantir's security infrastructure meets regulatory requirements across industries and continents by aligning with frameworks like HIPAA, GDPR, and ITAR.

As our software powers mission-critical operations across major corporations and governments alike, our threat model focuses on defeating attacks by highly resourced, technical, and persistent adversaries. To defeat these adversaries, we take a highly opinionated stance and enforce a high minimum bar of security for all our customers. For example, multi-factor authentication has been mandatory for all our managed Software as a Service (SaaS) platform customers for years.

:::callout{theme="success" title="Palantir Learning portal"} Understand data protection with a learn.palantir.com course ↗. :::

Platform security

The Palantir platform has security as a core development philosophy. The Palantir security model enables strict enforcement of granular access controls with transparency and usability to build a collaborative and trusted ecosystem:

  • Strict enforcement: Ensures users only have access to data that they have been authorized to interact with.
  • Granular controls: Powerful enough to achieve flexible levels of access control granularity.
  • Transparency: Enables users to reason about who has access to what resource and why.
  • Usability: Empowers users to reason about and manage access controls with confidence.

The Palantir security model encompasses both authentication and authorization. Authentication verifies the identity of a user, while authorization grants access based on a user’s attributes and permissions.

Data security in the Palantir platform is guaranteed through a combination of mandatory and discretionary controls. Mandatory controls propagate along with each unit of data or resource type, via Palantir's sophisticated provenance and lineage capabilities. Discretionary permissions are granted to users on individual resources, in the form of roles with different operations (for example, view or edit). In addition, granular row or column-level controls based on a user’s attributes can be put in place on resources too.

Data and resources in the Palantir platform are organized in Projects. Users belong to Organizations, and are organized in groups managed within the platform or through external identity providers. Organizations are one form of mandatory controls applied to Projects that enforce strict silos between groups of users and resources. Therefore, users of one Organization cannot access the resources of another Organization unless sharing protocols have explicitly been configured.

For highly sensitive data, markings are another form of mandatory controls that can be applied to data or resources that require special protection (for example, PII or financially sensitive data). Users must have special permission to discover or access such data, in addition to Organization membership.

Enterprise security

We reject the notion of gating, pay-walling, or upselling core security controls like audit logging, single sign-on, and multi-factor authentication. Whether you are a small business or a federal agency, you get access to every core enterprise security feature in the standard Palantir offering:

  • Mandatory encryption of all data, both in transit and at rest, that uses robust, modern cryptography standards.
  • Strong authentication and identity protection controls, including single sign-on and multi-factor authentication.
  • Strong authorization controls, including mandatory and discretionary access controls.
  • Robust security audit logging for detecting and investigating potential abuse.
  • Highly extensible information governance, management, and privacy controls to meet the needs of any use case.

Infrastructure security

If you are using our managed SaaS platform, Palantir’s hosted infrastructure has additional layers of security controls to help protect your data:

  • Robust security architecture built around principles of zero trust, least privilege, and defense-in-depth.
  • Enforced security baseline configurations with rigorous change management and security monitoring processes.
  • Strong network security hardening and segmentation.
  • Host-based and network-based intrusion detection systems to detect and defeat anomalous activity.
  • Aggressive infrastructure and application vulnerability management and patching, with industry-leading SLAs.
  • Web application firewall (WAF) inspection of incoming web requests to detect and block attacks.
  • Security monitoring at every layer of the environment, including users, hosts, networks, and applications.

Additional security resources

Palantir has a SafeBase Trust Center page ↗ to house all security documentation and information. You can use SafeBase to help answer questions related to our security standards and procedures. SafeBase includes security whitepapers, policies, pen test reports, compliance information, certifications (such as SOC and ISO), and more.

Existing and prospective customers under NDA can request access to additional non-public materials.

Conclusion

Palantir cares deeply about the security outcomes of our customers, and we are committed to transparency about our security practices and program. We stand resolute in continuously improving our security, data protection, and privacy controls to give you the most effective means of protecting your data possible.


中文翻译


安全概览

安全与治理

Palantir 帮助各类组织借助强大且安全的软件平台解决现实世界中的问题。十多年来,我们与最安全、监管最严格的行业客户合作,为其最敏感的数据构建软件。如今,安全与隐私仍然是我们产品开发、公司文化和内部运营的基石。

Palantir 平台被全球范围内的医疗保健提供商、金融机构、公用事业供应商、制造商、电信公司、航空公司和制药公司用于处理其最敏感的工作流程。该平台专为注重安全的客户设计,这些客户需要以安全合规的方式处理财务数据、个人身份信息(PII)、受保护健康信息(PHI)、受控非机密信息(CUI)甚至政府机密数据。Palantir 的安全基础设施通过遵循 HIPAA、GDPR 和 ITAR 等框架,满足跨行业和跨地区的监管要求。

由于我们的软件为大型企业和政府的任务关键型运营提供支持,我们的威胁模型专注于抵御来自资源丰富、技术高超且坚持不懈的对手的攻击。为击败这些对手,我们采取高度明确的立场,并为所有客户强制执行高标准的最低安全要求。例如,多年来,我们所有托管软件即服务(SaaS)平台客户都必须使用多因素认证。

:::callout{theme="success" title="Palantir 学习门户"} 通过 learn.palantir.com 课程 ↗ 了解数据保护。 :::

平台安全

Palantir 平台将安全作为核心开发理念。Palantir 安全模型通过透明性和易用性,严格实施细粒度的访问控制,从而构建协作且可信的生态系统:

  • 严格实施: 确保用户仅能访问其被授权交互的数据。
  • 细粒度控制: 足够强大,可实现灵活级别的访问控制粒度。
  • 透明性: 使用户能够了解可以访问什么资源以及为什么
  • 易用性: 使用户能够自信地理解和管理访问控制。

Palantir 安全模型涵盖身份验证和授权。身份验证用于确认用户身份,而授权则根据用户的属性和权限授予访问权限。

Palantir 平台中的数据安全通过强制性控制和自主性控制的结合来保证。强制性控制通过 Palantir 复杂的溯源和沿袭能力,随每个数据单元或资源类型传播。自主性权限以不同操作(例如查看或编辑)的角色形式授予用户对单个资源的访问权。此外,还可以基于用户属性对资源实施细粒度的行级或列级控制。

Palantir 平台中的数据和资源按项目(Project)组织。用户属于组织(Organization),并通过平台内部或外部身份提供商管理的组进行组织。组织是应用于项目的一种强制性控制形式,用于在用户组和资源之间实施严格隔离。因此,除非明确配置了共享协议,否则一个组织的用户无法访问另一个组织的资源。

对于高度敏感的数据,标记(Markings)是另一种强制性控制形式,可应用于需要特殊保护的数据或资源(例如 PII 或财务敏感数据)。用户除了拥有组织成员身份外,还必须获得特殊权限才能发现或访问此类数据。

企业安全

我们拒绝将审计日志记录、单点登录和多因素认证等核心安全控制功能设置为门槛、付费墙或追加销售。无论您是小型企业还是联邦机构,都可以在标准 Palantir 产品中访问所有核心企业安全功能:

  • 对所有数据(传输中和静态时)强制加密,使用稳健的现代加密标准。
  • 强大的身份验证和身份保护控制,包括单点登录和多因素认证。
  • 强大的授权控制,包括强制性和自主性访问控制。
  • 稳健的安全审计日志记录,用于检测和调查潜在滥用行为。
  • 高度可扩展的信息治理、管理和隐私控制,满足任何用例的需求。

基础设施安全

如果您使用我们的托管 SaaS 平台,Palantir 的托管基础设施还提供额外的安全控制层,以帮助保护您的数据:

  • 围绕零信任、最小权限和纵深防御原则构建的稳健安全架构
  • 强制执行的安全基线配置,配合严格的变更管理和安全监控流程。
  • 强大的网络安全加固和分段。
  • 基于主机和网络的入侵检测系统,用于检测并阻止异常活动。
  • 积极的基础设施和应用程序漏洞管理与修补,具备行业领先的服务水平协议(SLA)。
  • 对传入 Web 请求进行Web 应用防火墙(WAF) 检查,以检测和阻止攻击。
  • 在环境的每一层(包括用户、主机、网络和应用程序)进行安全监控

其他安全资源

Palantir 设有 SafeBase 信任中心页面 ↗,用于存放所有安全文档和信息。您可以使用 SafeBase 来解答与我们的安全标准和流程相关的问题。SafeBase 包含安全白皮书、政策、渗透测试报告、合规信息、认证(例如 SOC 和 ISO)等。

已签署保密协议(NDA)的现有客户和潜在客户可以申请访问其他非公开材料。

结论

Palantir 深切关注客户的安全成果,并致力于透明地公开我们的安全实践和计划。我们坚定不移地持续改进安全、数据保护和隐私控制,为您提供最有效的数据保护手段。