Security architecture

Flexter reference architecture and security best practices

Flexter sample implementation (Azure single node)


Overview

Flexter is installed on premise. It is not SaaS.

Flexter is a command line utility. It can be accessed after logging in over SSH.

Flexter also ships with a RESTful API. The API is disabled by default but can be optionally enabled.

Flexter can also be accessed via a web browser to display information such as the ER diagram and source to target maps. The UI is optional and can be installed on request.

Flexter users

The users you set up for Flexter are not end users who use the application on a daily basis. A Flexter user is used to run Flexter jobs on a schedule. Flexter users reflect a specific function, e.g. a user for operations (error logs), a user for development, or a user for production.

Binaries

Binaries can be downloaded by security credentials and installed by a server administrator. Only a server administration should have the rights to replace them. The download packages also should be verified with their checksum to see if any modification was done before installing them.

SSH

SSH access can be restricted by internal network or VPN.

Each user will have their own credentials to access SSH.

Standard best practices for working with SSH should be applied

  • Do not expose common user names such as root, admin, sysadmin etc.
  • Change port 22
  • Use strong key/pairs
  • Disable plain password option

API / Browser

Some recommended best practices to secure API / Browser access:

  • Restrict access by networks
  • Restrict access by client IP address
  • Enable an HTTPS proxy to encrypt messages

PostgreSQL database

Some recommended best practices to secure PostgreSQL access:

  • Restrict access by networks
  • Restrict access by client IP address
  • Encrypted all connections (PostgreSQL has TLS/SSL options)

The PostgreSQL database only stores metadata such as the mappings between XML elements and target table columns. It does not store the data itself.

Connection details

If you are using a relational database such as Oracle or Snowflake as the target you will need to provide Flexter with connection details and logins.

We recommend using a third party tool such as Hashicorp Vault to store credentials, which can then be sent by parameter to Flexter.

Restrict access to data sources and data targets based on the principle of least privilege.

  • For relational databases as sources only grant read permissions to tables that hold your XML.
  • For relational databases as targets only grant write permissions to the target schema.

Internet connectivity

Binaries can be downloaded from the Sonra repository. If no internet connection is available on the Flexter server we can make the binaries available offline.

PII

You can obfuscate personal data with Paranoid, our open source tool for overwriting personal data. https://pypi.org/project/PARANOID/