Protecting your self-hosted Foundry installation
Palantir Foundry is designed to provide secure collaboration in almost any environment, from the cloud to the edge. If you are running Foundry outside of Palantir’s managed SaaS platform, such as in your own datacenter or on your own cloud, observe the following guidance for protecting your installation.
Physical access
If your Foundry installation is deployed on bare-metal hardware, such as in a datacenter, it is crucial you implement strong physical security controls. Access to servers running Foundry should be restricted to authorized personnel, have time-bound and documented access, and follow industry best practices.
As physical security is foundational to information security, unauthorized access to the hardware running Foundry could allow an adversary the opportunity to perform various attacks and subvert security controls.
Data encryption
To maintain information security, your data must be encrypted both at rest and in transit.
Data at rest
While all data in Foundry is encrypted at rest using application-level encryption, you should also encrypt all underlying servers and storage devices used in your Foundry installation.
- You should use an industry-standard encryption solution for full-disk encryption. This could include open source projects (such as LUKS), commercially available software, hardware implementations like self-encrypting drives, or solutions offered by cloud service providers.
- You should store cryptographic key material in hardware, such as a hardware security module (HSM).
- You should use strong cryptographic standards for disk encryption, such as AES-256 or AES-128.
Data in transit
All data transmitted between your clients and Foundry should be protected using strong encryption protocols and ciphers.
- You should use a valid certificate issued by a trusted certificate authority with a lifespan of 90 days, and never longer than one year.
- You should only support connections using transport layer security (TLS) versions 1.2 or higher.
- You should only support strong TLS cipher suites. You should adjust this based upon compatibility and security needs.
- We recommend using elliptic curve Diffie-Hellman ephemeral (ECDHE) key exchange with ChaCha20-Poly1305 or AES-128/AES-256 in GCM mode. CBC-mode cipher suites should be avoided where possible.
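As an added example (not code from the Palantir documentation), the following script audits what a server actually negotiates against the three data-in-transit rules above: protocol version 1.2 or higher, an ECDHE suite with AES-GCM or ChaCha20-Poly1305, and a certificate lifetime of at most one year. The client context it builds refuses weaker settings itself, so the probe also serves as a smoke test of a hardened client configuration; the host and port are whatever you point it at.

```python
"""Audit a TLS endpoint against the data-in-transit guidance: TLS 1.2+,
ECDHE + AEAD cipher suites, leaf certificate valid for at most one year."""
import socket
import ssl

MAX_CERT_DAYS = 365  # 90-day certificates are the target; one year is the ceiling
# AEAD tokens as they appear once hyphens/underscores are stripped from
# OpenSSL (TLS 1.2) or IANA (TLS 1.3) cipher suite names.
STRONG_AEADS = ("AES128GCM", "AES256GCM", "CHACHA20POLY1305")


def tls_version_ok(version):
    """True only for the protocol strings ssl reports for TLS 1.2 and 1.3."""
    return version in ("TLSv1.2", "TLSv1.3")


def cipher_suite_is_strong(name):
    """Accept e.g. ECDHE-RSA-AES256-GCM-SHA384 or TLS_CHACHA20_POLY1305_SHA256.
    CBC suites such as ECDHE-RSA-AES256-SHA384 fail: they carry no AEAD token.
    Static-RSA suites such as AES128-GCM-SHA256 fail: no ECDHE."""
    compact = name.upper().replace("-", "").replace("_", "")
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral (EC)DH.
    ephemeral = compact.startswith("TLS") or "ECDHE" in compact
    return ephemeral and any(aead in compact for aead in STRONG_AEADS)


def cert_lifetime_ok(not_before, not_after, max_days=MAX_CERT_DAYS):
    """Dates in the format getpeercert() returns, e.g. 'Mar 10 00:00:00 2024 GMT'."""
    seconds = ssl.cert_time_to_seconds(not_after) - ssl.cert_time_to_seconds(not_before)
    return 0 < seconds <= max_days * 86400


def audit_record(version, cipher, not_before, not_after):
    """Score one observed handshake; each finding maps to True (pass) or False."""
    return {
        "tls_version": tls_version_ok(version),
        "cipher_suite": cipher_suite_is_strong(cipher),
        "cert_lifetime": cert_lifetime_ok(not_before, not_after),
    }


def audit_endpoint(host, port=443, timeout=5.0):
    """Connect with a client that itself refuses anything below TLS 1.2 and any
    non-ECDHE or non-AEAD suite, then score what the server negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return audit_record(tls.version(), tls.cipher()[0],
                                cert["notBefore"], cert["notAfter"])
```

A handshake failure from `audit_endpoint` is itself a finding: the server offers nothing the hardened client will accept.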
Identity security
Single sign-on
You should centrally manage identities in your single sign-on provider.
- All users should be required to use named accounts. Accounts should not be shared.
- You should require strong multi-factor authentication for all users. Where possible, modern technologies like FIDO2 should be used. SMS- or email-based multi-factor authentication should not be used.
Credential hygiene
You should require your users to have strong credential hygiene. Passwordless authentication is strongly recommended.
- You should require your users to have a sufficiently strong, long, and unique password for access.
- You should not let your users reuse their password with other services outside your environment.
- You should require your users to rotate passwords if they are accidentally entered on an unauthorized domain.
Zero trust
You should use modern zero trust technologies to protect your Foundry installation.
- You should use zero trust technologies to only allow access to authorized users on the basis of identity and device health and verification.
- You should deny access to your Foundry installation from untrusted, unhealthy, or unknown devices.
Network security
Network segmentation
Your Foundry installation should be highly segmented from the rest of your environment.
- Network isolation should be implemented using firewalls or other technology. An allowlist of approved protocols, ports, and subnets should be used to gate access to services.
- You should deny all inbound traffic by default to your Foundry installation.
- You should only expose your Foundry installation to the minimum set of networks where possible. It is not recommended to expose your Foundry installation to the public Internet without additional controls in place, such as intrusion detection systems and web application firewalls.
- You should silo off your Foundry installation in a dedicated private network (VLAN/subnet).
Egress controls
Network traffic originating from your Foundry installation should be strictly controlled.
- You should require all network connections from Foundry to be gated by a proxy or other network security device.
- You should maintain an allowlist of permitted destinations by IP or domain to which your Foundry installation can connect.
- You should deny all other network access by your Foundry installation.
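The egress rules above amount to a default-deny allowlist keyed by IP or domain. The following is an added example of that decision logic (not Palantir code); the networks and domains in it are constructed for illustration, and the domain match is deliberately exact-or-subdomain so that a look-alike such as evil-example.net does not slip past an entry for example.net.

```python
"""Default-deny egress allowlist check of the kind a forward proxy or
egress gateway applies to each outbound connection from Foundry hosts."""
import ipaddress

# Constructed policy for illustration; a real list comes from your change control.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),   # e.g. internal data sources
    ipaddress.ip_network("192.0.2.10/32"),  # e.g. a single partner endpoint
]
ALLOWED_DOMAINS = ["updates.example.com", "example.net"]


def _domain_allowed(host, allowed=ALLOWED_DOMAINS):
    host = host.rstrip(".").lower()  # normalise trailing dot and case
    for dom in allowed:
        dom = dom.rstrip(".").lower()
        # Exact match or a proper subdomain; a bare suffix test would also
        # accept "evil-example.net" for the entry "example.net".
        if host == dom or host.endswith("." + dom):
            return True
    return False


def _ip_allowed(addr, allowed=ALLOWED_NETWORKS):
    return any(addr in net for net in allowed)


def egress_allowed(destination):
    """destination is the IP literal or hostname the proxy sees (no scheme or port).
    Anything not matched by either list is denied."""
    try:
        return _ip_allowed(ipaddress.ip_address(destination))
    except ValueError:  # not an IP literal, so treat it as a hostname
        return _domain_allowed(destination)


def denied_destinations(log_lines):
    """Review constructed proxy log lines of the form '<timestamp> <destination>'
    and return the destinations that the policy would have refused."""
    denied = []
    for line in log_lines:
        dest = line.split()[-1]
        if not egress_allowed(dest):
            denied.append(dest)
    return denied
```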
Network security
You should use network security controls to protect your Palantir Foundry installation.
- You should use network security controls, such as intrusion detection systems, to identify anomalous activity.
- You should use firewalls to identify and block network exploitation or attack attempts.
- You should use data-loss prevention (DLP) technologies to look for unauthorized data transfers.
- You should collect network security logs from your networks to identify anomalous activity.
Infrastructure security
Server hardening
The servers used for your Foundry installation should be hardened using industry-standard configuration guidance such as CIS or NIST controls.
- You should only use a modern, supported operating system.
- You should perform aggressive vulnerability management and patching on the hosts used for your Foundry installation. Critical security vulnerabilities should be patched in 30 days or less.
Host security
You should use host security controls to protect your Foundry installation.
- You should collect audit and security logs from your hosts to identify anomalous activity.
- You should use host-based security controls, such as intrusion detection systems, to identify anomalous activity.
- You should use data-loss prevention (DLP) technologies to look for unauthorized data transfers.
Privileged access
You should strictly control privileged access to your Foundry installation.
- The backend infrastructure hosting your Foundry installation should be reachable only through dedicated bastion servers or jump hosts.
- Multi-factor authentication should be required for all infrastructure or cloud-level access to your Foundry installation.
Backups
You should take periodic full-disk backups of your Foundry installation for organizational continuity purposes.
- Foundry has a service (“Rescue”) that is designed to perform application backups and restoration.
- You should minimally perform full-disk backups of Rescue service data. It is highly recommended to perform full-disk backups of all Foundry hosts.
- You should encrypt your backups and ensure they are stored in a durable and/or offline location. Ransomware operators and other malicious actors typically try to destroy backups before performing other malicious actions.
- You should test your backup and restoration process at least annually.
Application patching
You should apply security patches to your Foundry installation as soon as possible.
- If your Foundry installation is Apollo-connected, your Foundry installation will automatically receive security updates. These updates generally do not require action from you.
- If you do not use Apollo, you should apply security updates as soon as they are made available. Critical security vulnerabilities should be patched in 30 days or less.