Protecting your on-premise data connector
Palantir Foundry is designed to provide secure collaboration in almost any environment, from the cloud to the edge. If you are running a Foundry data connector agent outside of Palantir’s managed SaaS platform, such as in your own data center or on your own cloud, follow the guidance on this page to protect your installation.
Physical access
If your Foundry data connector agent is deployed on bare-metal hardware, such as in a data center, it is crucial to implement strong physical security controls. Access to servers running a Foundry data connector agent should be restricted to authorized personnel only.
Any access to Foundry servers should be time-bound, documented, and follow industry best practices. Unauthorized access to the hardware running Foundry could allow an adversary the opportunity to perform various attacks and subvert security controls.
Data encryption
The Foundry data connector agent implements object-level encryption as part of the data ingestion process. The data connector receives cryptographic key material from the Foundry platform, encrypts the object, and submits it to the Foundry API for ingestion and storage.
Data in transit
All data transmitted between the data connector and the Foundry API is encrypted using strong encryption protocols and ciphers.
Network security
Network segmentation
It is important to segment and separate your Foundry data connector installation from the rest of your environment. Below is a list of best practices for accomplishing this.
- Implement network isolation using firewalls or other technology.
- Use an allowlist of approved protocols, ports, and subnets to gate access to services.
- Deny all inbound traffic by default to your data connector installation.
- Expose your Foundry data connector installation only to the minimum set of networks possible.
- Silo off your Foundry data connector installation in a dedicated private network (VLAN/subnet).
- Maintain an accurate inventory of the network requirements of the Foundry data connector, covering every source data system from which your organization will ingest data. This inventory will vary considerably with your needs.
Egress controls
It is important to strictly control network traffic originating from your Foundry data connector installation with egress (outbound) controls.
- Maintain an allowlist of permitted destinations by IP or domain to which your Foundry data connector installation can connect.
- Deny all other network access by your Foundry data connector installation.
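The segmentation and egress guidance above amounts to a default-deny policy with explicit allowlists in both directions. The following added example (not Palantir's code; the connector subnet, bastion subnet, destination hostname and flow-record format are all constructed for illustration) encodes such a policy and audits a handful of constructed flow records against it, which is the same check a reviewer would run over exported firewall or flow logs to find connections the policy should have blocked.

```python
"""Audit constructed flow records against an allowlist-only network policy
for a data connector host (added example, not Palantir code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Allowlist policy for the connector host; anything not listed is denied."""
    inbound_allow: list = field(default_factory=list)    # (proto, port, source network)
    egress_networks: list = field(default_factory=list)  # destination networks
    egress_domains: set = field(default_factory=set)     # destination domain names


# Constructed policy: SSH only from the bastion subnet; egress only to the
# Foundry API hostname and the subnet of the source database.
POLICY = Policy(
    inbound_allow=[("tcp", 22, "10.20.40.0/24")],
    egress_networks=["10.50.0.0/16"],
    egress_domains={"foundry.example.com"},
)

# Constructed flow records: "<ts> <IN|OUT> <proto> <src:port> <dst:port> [sni=<name>]".
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z IN tcp 10.20.40.7:51234 10.20.30.5:22",
    "2024-05-01T10:00:02Z IN tcp 192.168.1.9:44000 10.20.30.5:22",
    "2024-05-01T10:00:03Z OUT tcp 10.20.30.5:50000 203.0.113.10:443 sni=foundry.example.com",
    "2024-05-01T10:00:04Z OUT tcp 10.20.30.5:50001 198.51.100.77:443 sni=updates.example.net",
    "2024-05-01T10:00:05Z OUT tcp 10.20.30.5:50002 10.50.0.12:5432",
]


def inbound_allowed(policy, proto, port, src):
    """True only if an explicit inbound rule matches; otherwise default deny."""
    src_ip = ipaddress.ip_address(src)
    for rule_proto, rule_port, rule_net in policy.inbound_allow:
        if rule_proto == proto and rule_port == port and src_ip in ipaddress.ip_network(rule_net):
            return True
    return False


def egress_allowed(policy, dst, domain=None):
    """True if the destination name or address is on the egress allowlist."""
    if domain is not None and domain.lower() in policy.egress_domains:
        return True
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in ipaddress.ip_network(net) for net in policy.egress_networks)


def parse_flow(line):
    """Parse one constructed flow record (IPv4 host:port fields) into a dict."""
    parts = line.split()
    ts, direction, proto, src, dst = parts[:5]
    extras = dict(kv.split("=", 1) for kv in parts[5:])
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "dir": direction, "proto": proto,
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "sni": extras.get("sni")}


def audit_flows(policy, lines):
    """Return (timestamp, reason) for every flow the policy would deny."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if f["dir"] == "IN" and not inbound_allowed(policy, f["proto"], f["dport"], f["src"]):
            violations.append((f["ts"], f"inbound {f['proto']}/{f['dport']} from {f['src']} not allowlisted"))
        elif f["dir"] == "OUT" and not egress_allowed(policy, f["dst"], f["sni"]):
            violations.append((f["ts"], f"egress to {f['sni'] or f['dst']} not allowlisted"))
    return violations


if __name__ == "__main__":
    for ts, reason in audit_flows(POLICY, SAMPLE_FLOWS):
        print(ts, reason)
```

Run as written, the audit reports the SSH connection from outside the bastion subnet and the outbound connection to the non-allowlisted update host; the Foundry API call and the database connection pass. A domain allowlist is only as good as the point that enforces it, so in practice the name-based rules belong on an egress proxy that terminates or inspects the connection, while the address-based rules belong on the firewall.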
Network security controls
Use network security controls to protect your Palantir Foundry data connector installation.
- Use intrusion detection systems to identify anomalous activity.
- Use firewalls to identify and block network exploitation or attack attempts.
- Collect network security logs from your networks to identify anomalous activity.
Infrastructure security
Server hardening
Harden the servers used for your Foundry data connector installation using industry-standard configuration guidance such as CIS or NIST controls.
- Only use a modern, supported operating system.
- Perform aggressive vulnerability management and patching on the hosts used for your Foundry installation.
- Critical security vulnerabilities should be patched in 30 days or less.
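The 30-day requirement is easiest to enforce when it is measured continuously rather than at audit time. The following added example (not Palantir's code; the hosts, advisory identifiers and dates are constructed placeholders) checks a small vulnerability inventory against that SLA and reports both findings that were patched late and findings that are still open past their due date.

```python
"""Check a constructed vulnerability inventory against a 30-day patch SLA
(added example, not Palantir code)."""
from datetime import date, timedelta

PATCH_SLA_DAYS = 30  # critical vulnerabilities patched in 30 days or less

# Constructed inventory rows: (host, advisory placeholder, severity, disclosed, patched or None).
INVENTORY = [
    ("dc-agent-01", "ADV-EXAMPLE-1", "critical", date(2024, 4, 1), date(2024, 4, 20)),
    ("dc-agent-01", "ADV-EXAMPLE-2", "critical", date(2024, 4, 5), None),
    ("dc-agent-02", "ADV-EXAMPLE-3", "high", date(2024, 3, 1), None),
    ("dc-agent-02", "ADV-EXAMPLE-4", "critical", date(2024, 4, 25), None),
]


def due_date(disclosed, sla_days=PATCH_SLA_DAYS):
    """Last day on which a fix still meets the SLA."""
    return disclosed + timedelta(days=sla_days)


def days_open(disclosed, patched, as_of):
    """Days from disclosure to the fix, or to the reporting date if still open."""
    end = patched if patched is not None else as_of
    return (end - disclosed).days


def sla_breaches(inventory, as_of, sla_days=PATCH_SLA_DAYS, severities=("critical",)):
    """Return (host, advisory, days_open, status) for every in-scope finding
    whose fix took, or has so far taken, longer than the SLA."""
    breaches = []
    for host, advisory, severity, disclosed, patched in inventory:
        if severity not in severities:
            continue  # only the severities the SLA applies to
        age = days_open(disclosed, patched, as_of)
        if age > sla_days:
            status = "unpatched" if patched is None else "patched late"
            breaches.append((host, advisory, age, status))
    return breaches


def open_within_sla(inventory, as_of, sla_days=PATCH_SLA_DAYS, severities=("critical",)):
    """Return (host, advisory, days_remaining) for open findings not yet in breach,
    so they can be scheduled before the due date passes."""
    upcoming = []
    for host, advisory, severity, disclosed, patched in inventory:
        if severity not in severities or patched is not None:
            continue
        remaining = (due_date(disclosed, sla_days) - as_of).days
        if remaining >= 0:
            upcoming.append((host, advisory, remaining))
    return upcoming


if __name__ == "__main__":
    today = date(2024, 5, 10)  # constructed reporting date
    for row in sla_breaches(INVENTORY, today):
        print("BREACH", *row)
    for row in open_within_sla(INVENTORY, today):
        print("DUE", *row)
```

With the constructed reporting date of 2024-05-10, only ADV-EXAMPLE-2 is in breach (open for 35 days); ADV-EXAMPLE-1 was fixed within 19 days, ADV-EXAMPLE-4 still has 15 days of SLA left, and the high-severity finding is outside the scope of the 30-day rule as the page states it. Feeding the real inventory from your scanner into the same check turns the requirement into a daily report rather than a yearly surprise.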
Host security
Use host security controls to protect your Foundry data connector installation.
- Collect audit and security logs from your hosts to identify anomalous activity.
- Use host-based security controls, such as intrusion detection systems, to identify anomalous activity.
- Use data-loss prevention (DLP) technologies to look for unauthorized data transfers.
Privileged access
It is important to strictly control privileged access to your Foundry data connector installation.
- The backend infrastructure hosting your Foundry data connector installation should be reachable only through dedicated bastion servers or jump hosts.
- Multi-factor authentication should be required for all infrastructure or cloud-level access to your Foundry data connector installation.
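The bastion-only rule above is one that host audit logs (the Host security section) can verify after the fact: any accepted SSH login whose source is not a bastion is, by definition, a control failure. The following added example (not Palantir's code; the bastion subnet, host names and sshd log lines are constructed) parses sshd authentication records and flags logins from outside the bastion networks, password-based authentication where key-based is expected, and failed attempts from unexpected sources. It does not prove that multi-factor authentication was enforced; that has to be confirmed on the bastion or identity provider, not on the connector host.

```python
"""Flag privileged-access events on a data connector host that bypass the
bastion-only rule (added example, not Palantir code)."""
import ipaddress
import re

# Assumed subnet of the dedicated bastion / jump hosts (constructed for this example).
BASTION_NETWORKS = [ipaddress.ip_network("10.20.40.0/24")]

# Constructed sshd lines from a connector host, in the usual syslog shape.
SAMPLE_AUTH_LOG = [
    "May  1 10:00:01 dc-agent-01 sshd[1201]: Accepted publickey for svc-ops from 10.20.40.7 port 51234 ssh2",
    "May  1 10:03:12 dc-agent-01 sshd[1240]: Accepted password for root from 192.168.1.9 port 44000 ssh2",
    "May  1 10:04:40 dc-agent-01 sshd[1255]: Failed password for admin from 203.0.113.5 port 40001 ssh2",
    "May  1 10:05:02 dc-agent-01 sshd[1260]: Accepted publickey for svc-ops from 10.20.40.8 port 51300 ssh2",
    "May  1 10:05:03 dc-agent-01 systemd[1]: Started Session 12 of user svc-ops.",
]

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def from_bastion(src, bastion_networks=BASTION_NETWORKS):
    """True if the source address lies inside one of the bastion networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(ip in net for net in bastion_networks)


def audit_auth_log(lines, bastion_networks=BASTION_NETWORKS):
    """Return (user, source, reason) findings for sshd events that violate the
    bastion-only rule or use weaker-than-expected authentication."""
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an sshd authentication event
        user, src, method, result = m["user"], m["src"], m["method"], m["result"]
        outside = not from_bastion(src, bastion_networks)
        if result == "Accepted":
            if outside:
                findings.append((user, src, "accepted login from outside bastion networks"))
            if method != "publickey":
                findings.append((user, src, f"{method} authentication used instead of key-based"))
        elif outside:
            findings.append((user, src, "failed login attempt from outside bastion networks"))
    return findings


if __name__ == "__main__":
    for user, src, reason in audit_auth_log(SAMPLE_AUTH_LOG):
        print(f"{user}@{src}: {reason}")
```

On the constructed log this yields three findings: the root login from 192.168.1.9 is flagged twice (wrong source and password authentication), and the failed attempt from 203.0.113.5 is flagged once; both bastion-sourced key logins pass. A finding of the first kind means either the firewall allowlist or the sshd configuration has drifted from the bastion-only design, and both should be checked.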
Application patching
The Foundry data connector includes the ability to self-update to the latest supported version, minimizing the maintenance requirements for your operational staff.