Security For Cloud And On-Premises Deployment


Table of Contents

- Executive Summary, p. 3
- Introduction, p. 4
- The Mendix Platform, p. 4
- Mendix Security at a High Level, p. 4
- Mendix Cloud versus Private Cloud versus On-Premises Deployment, p. 4
- Security Measures for Mendix Runtime, p. 5
- Application Security defined in the Mendix Modeler, p. 6
- Application-Level Security & Application Model Consistency, p. 6
- Module-Level Security, p. 7
- Logging Throughout the Application Lifecycle, p. 8
- Identity and Access Management, p. 8
- User Management and Provisioning, p. 8
- 3rd Party Identity Management Solutions, p. 9
- Authentication, p. 9
- Multi-Tenancy, p. 9
- Security for Cloud Deployment Through Mendix Cloud, p. 10
- High-Level Deployment Architecture, p. 10
- Cloud Portal, p. 11
- Network Integration, p. 12
- Backup, p. 12
- Disaster Recovery, p. 13
- Upgrades & Patches, p. 13
- Data Ownership, p. 13
- Infrastructure-as-a-Service (IaaS) Providers, p. 13
- Compliance, p. 13
- Periodic Security Audits and Penetration Test, p. 13
- Recommended Mendix On-Premises Deployment Architecture, p. 14
- Training and Documentation, p. 15
- Further Information, p. 15

Executive Summary

Mendix offers an industry-leading high-productivity application Platform-as-a-Service for organizations to build web and mobile applications. Being a platform provider, it is of utmost importance to ensure that the platform itself, the applications built on the platform and the cloud operations to run the platform meet the highest security standards. The Mendix Platform contains a runtime environment including the Mendix Runtime, and a set of components to design, develop, deploy and manage apps. In addition, the platform offers governance services like Mendix ID for identity & access management and services to manage the environments on which the apps run.

Security ensured for cloud and on-premises deployment

Mendix offers the platform as a service in the cloud, but also supports on-premises deployments with the same product. Security measures in the Mendix Platform and for development of apps are equal. The difference is that for on-premises deployments, the customer is responsible for implementing the recommended deployment architecture and security-related platform and application administration activities.

Enterprise-ready security

The Mendix Platform meets enterprise-level requirements for security and addresses security measures on multiple levels of granularity, including multi-tenancy aspects:

- The Mendix Runtime handles known security threats.
- The Mendix Modeler supports application security settings to define roles and authorizations.
- Mendix ID supports identity & access management. Mendix can also integrate with third-party identity management solutions.
- The Mendix Cloud Portal supports app management, deployment and monitoring.
- Mendix complies with SAP security and compliance requirements, as Mendix is an SAP Solution Extension partner.

Mendix cloud deployment and containment of environments

The Mendix Platform deployment architecture is based on Cloud Foundry. Cloud Foundry is the industry-standard cloud application platform which is used by SAP, IBM, Pivotal, and GE, among others. Cloud Foundry logically separates Mendix applications using containers; each application has an (optional) Test, Acceptance and Production environment, each running in its own App Environment. This App Environment also includes firewall, web server and database services. The purpose of an App Environment is to contain the behavior and consumption of an environment, shielding other environments (and apps) from each other.

Backup and disaster recovery

All data (model, database and file storage) is automatically backed up, on a daily basis as a minimum. For enterprise applications, data replication and real-time backups are in place. Backups are stored in secure, geographically dispersed locations. Mendix offers disaster recovery services that include high availability across multiple availability zones, horizontal scaling of App Environments and auto recovery in the event of an unexpected outage. Additionally, a fallback environment can be made available which delivers data replication and real-time backups, allowing companies to resume operations from a different physical location.

Organization-level security measures

Mendix, as an organization, embeds security in company processes by adopting a representative subset of Annex A controls from the ISO/IEC 27001:2013 Information Security Management System standard. Mendix has achieved ISAE 3402 Type II and SOC 1 Type II assurance reports, and is ISO/IEC 27001:2013 certified with 113 Annex A controls in scope. In addition, a CSA STAR self-assessment is available for customers. An independent auditing firm periodically performs security audits. Furthermore, a leading IT security firm performs penetration tests on the Mendix Platform on a monthly basis. Penetration tests are based on OWASP, the ISSAF (Information Systems Security Assessment Framework) and the OSSTMM (Open Source Security Testing Methodology Manual).

Application lifecycle logging

The Mendix Platform logs relevant activities during the app delivery cycle, from requirements management to development, deployment and application monitoring, to ensure compliance with customers' requirements for auditability.

Introduction

This paper addresses the security aspects of Mendix Platform deployments for Mendix Cloud, private cloud and on-premises environments. The scope is restricted to security aspects of the deployment architecture rather than security aspects related to Service Organization Control and ISO certification audits. The Mendix Platform, as a whole, is audited for organizational and technical security periodically. In this whitepaper, we will specifically zoom into the following platform components: the Mendix Runtime, Mendix ID, the Desktop Modeler and the Cloud Portal, as these components are most relevant in the context of platform- and application-level security.

The Mendix Platform

Mendix Security at a High Level

The Mendix Platform is a completely integrated platform to manage the entire software development lifecycle of designing, building, deploying and managing apps. The Mendix Platform contains a runtime environment, the Mendix Business Server, and a set of components to design, develop, deploy and manage apps. In addition, the platform offers governance services like Mendix ID for identity & access management and services to manage the environments that the apps are running on. These components are integrated and connected through the Platform Portal:

- Projects – A collaborative environment to manage app development projects
- Desktop Modeler and Web Modeler – The modeling environments to build apps using visual models
- Team Server – The central repository to manage and version app models
- App Store – A marketplace for Apps, App Services, Widgets and Libraries
- Cloud Portal – A portal to deploy, manage and monitor Apps on the Mendix Cloud

The Projects module, the App Store and the Cloud Portal are built with the Mendix platform itself, so that the security measures of the core platform, implemented in the Mendix Runtime, automatically apply to these components as well. The Team Server is built on top of Subversion (SVN), a proven, secure and widely adopted solution for software versioning and revision control. The Team Server is automatically configured through the Projects module. The Mendix Runtime is developed in Java and is responsible for the interpretation and execution of models at runtime.

Mendix applications are implemented by a large variety of companies to support numerous and varied business processes. All these different Mendix users share the critical need for their applications to be secure and accessible. Mendix is used by large enterprises and public sector organizations that deal with highly confidential information. For example, justice departments, healthcare organizations, banks and insurance companies rely on Mendix to manage online transactions, store medical, insurance or legal data, enable international financial traffic and regulate other mission-critical processes and information flows.

Mendix Cloud versus Private Cloud versus On-Premises Deployment

Flexible Deployment Options, Depending on Your IT Strategy

Apps developed on the Mendix Platform can be deployed to users in various ways. Whether your company decides to run applications and store data in the Mendix Cloud, in a private cloud, or on your own infrastructure depends on your company's strategy, decisions and policies regarding cloud computing. Your choice may be influenced by the nature of the application(s) to be built. In some sectors and countries, it also depends on laws and regulations. Your choice for the Mendix Cloud, private cloud or on-premises deployment will define who is primarily responsible for the security measures to be put in place. To provide an overview of the security measures that Mendix offers – as an integral part of the platform as well as within the cloud infrastructure – the deployment options are described below.

Mendix Cloud

Mendix Cloud is the infrastructure provided and operated by Mendix to run the Mendix Platform and the applications deployed to the Mendix Cloud. The configuration is standardized, optimized and fully automated. Mendix Cloud facilitates administrators with fast one-click deployment of applications and tools to manage and monitor apps in a very user-friendly way. Besides the standard security measures applied, we offer the possibility to extend the security measures with additional predefined services to meet specific customer requirements.

Private Cloud

As Mendix uses Cloud Foundry as a deployment platform and is also compatible with Kubernetes, any private cloud like SAP Cloud Platform, IBM Cloud, Microsoft Azure or Pivotal Cloud Foundry can be used to deploy Mendix applications. The security of a private cloud deployment depends on the security measures that are in place within the selected private cloud and your organizational measures.

Mendix On-Premises

Mendix on-premises is a local installation of the Mendix Runtime within your own company's infrastructure. The security of an on-premises installation depends on the security measures and controls that are in place within your organization's private infrastructure. Mendix has achieved excellent results in realizing optimally secure infrastructure for Mendix applications in cooperation with in-house IT specialists.

Security Measures for Mendix Runtime

This section describes specific security measures that are implemented in the core Mendix Runtime. These measures apply to deployment in the Mendix Cloud, private cloud and on-premises alike, as the same runtime architecture is used. The architecture of the Mendix Runtime consists of three layers:

- UI layer
- Logic layer
- Data layer

The UI layer is implemented in the Mendix Client as JavaScript libraries running in the browser. For hybrid mobile applications, the UI layer runs in a native Cordova container. The Logic and Data layers are implemented in the Mendix Runtime (the Mendix Runtime itself is developed in Java and runs on a JVM). The Mendix Runtime can be deployed either in the Mendix Cloud or on-premises. Figure 1 depicts the Mendix Runtime architecture.

Figure 1. Mendix Runtime Architecture

Within the Mendix Client, measures against JavaScript-based security threats such as Cross-Site Scripting are implemented. This prevents other websites / web applications running in the same browser from obtaining sensitive information (e.g. cookies). The Mendix Runtime addresses server-side security threats, such as SQL Injection and Code Execution. By default, a request originating from any client (including the Mendix Client) is perceived as untrusted.

Mendix app developers do not need to take these technical security aspects into consideration when building Mendix apps, as the platform handles this as a service. Obviously, this does not mean that developers do not have to consider security at all. Application-level authorization and access rights need to be configured in the application model by the app developer.

Each operation within the Mendix Runtime is called an "action". The Mendix Runtime provides many pre-defined actions, such as triggering and executing workflows, evaluating business rules, etc. To prevent any bypasses of the technical security mechanisms, these actions are implemented on the lowest levels of the Mendix Runtime and cannot be changed by app developers. The core interface of the Runtime, responsible for the execution of any action, has a security matrix that contains all executable actions and data access rules per user role. The data access rules are applied at runtime when a query is sent to the database. This ensures that only data within the boundary of the access rule constraint will be retrieved.

Application Security defined in the Mendix Modeler

Out of the box, the Mendix Platform provides role-based user access to applications built with Mendix. Applications in Mendix consist of one or more modules. A module typically has a functional scope (e.g. items, customers, orders, etc.) and is self-contained so that modules can be re-used in multiple applications. Due to the distinction between applications and modules, security aspects are defined on both levels. Application-level security settings apply to all the modules within the application. Module-level settings are specific to each module.

Application-level security & application model consistency

The Mendix Platform supports configurable integrity checks for security on all relevant aspects of applications deployed on the platform. Mendix checks the consistency of the security settings as well. For example, a person who is allowed to see a certain UI element that lists data from a table must also be authorized to view the data associated with that UI element.

Depending on the stage of development, application and integrity checks can be applied more or less stringently. This is advantageous in development and prototype contexts to avoid unnecessary activities regarding consistency and security in the preproduction stage. Security levels 'Off' and 'Prototype / demo' are only allowed for apps deployed to a development and/or local test environment, not for deployments in production environments. Deployment to the Mendix Cloud (except for Sandboxes) requires the 'Production' security level and complete configuration of all security settings.

Figure 2. Application project security overview and consistency check

Figure 3. User roles

Anonymous users

Mendix supports log in to applications by anonymous users through configuration of a specific role for this purpose.

Password policy

Password policies can be defined flexibly, e.g. configuring password strength, character sets allowed / prescribed and password expiry policies. A password policy can also be defined by the organization when implementing SSO authentication using for example SAML or OpenID. Additionally, two-factor authentication can be enabled within the Mendix Cloud for sensitive activities. Two-factor authentication can also be added anywhere within a Mendix application to further secure access to the app or parts of the app.

File access

Access rights for file storage and use of images in Mendix applications are fully configurable.

User Roles

An end user of the application is assigned one or more user roles by an administrator or provisioned automatically from a (3rd party) identity & access management solution that can be integrated with an app. The user then gets all access rights that these user roles represent. Within the user role, it is possible to assign user management rights for this particular role as well, so that users assigned to this user role can then manage access rights for other users with selected role(s). This feature is relevant to support a delegated administration concept. Every user role has one or more module roles. Module roles define a role on a module level, e.g. "order entry" or "approver". This means that users with that user role have all the access rights that are defined for those module roles. End users of your application only see the user roles and not the module roles. So only user roles can be assigned to an end user, while module roles are assigned to user roles. A user role aggregates multiple access rights on data, pages and microflows (the graphical designer to model logic) from the module roles.

Module-level security

Because the application modules are self-contained, the security model for pages, microflows (that execute actions), entities and data sets is defined in the module itself.

Module roles

Mendix distinguishes module roles in addition to user roles so that the module, including its roles, can be reused in different applications and/or published to the App Store.

Module-level security settings

At the module level, the security logic is separated from the application logic, which allows for easy accessibility, maintenance and validation of security settings even for less technical users. All security settings are managed from the Mendix Modeler to define access rights for:

Pages/UI

Page access defines for each module role which application pages users with this module role can access. The navigation items (menu bars/buttons) are optimized so that they only show items directing to pages to which the user has access. Page access takes the shape of a matrix showing pages and module roles. For each combination, the developer can indicate whether or not the module role has access to the page. This information can also be edited within a page using the property 'Visible for'.

Figure 4. Modular security settings for UI

Microflows/Logic

Microflows are used to visually define business and process logic. Microflow access defines which microflows can be executed by users with a certain module role. The navigation items (menu bars/buttons) are optimized so that they only show microflows that the user has access to. Microflow access is managed within a matrix of microflows and module roles. For each combination, developers can indicate whether or not the module role has access to the microflow. This information can also be edited within a microflow using the property 'Allowed roles'.

Figure 5. Modular security settings for Microflows

Entity Access & Access Rules

Entity access defines for each module role whether users with this role are authorized to Create, Read, Update and/or Delete objects of the entity. Entity access is configured with access rules that apply to entities. Each access rule in turn applies to a (set of) module role(s). The access rules of an entity define what a user is allowed to do with objects of the entity. Users can be allowed to create and/or delete objects, and to view and/or edit member values. A member is an attribute or an association of an entity. Furthermore, the data sets of objects available for viewing, editing and removing can be limited by means of an XPath constraint. Every access rule is applicable to one or more module roles. An access rule grants certain access rights to those roles. Rules are additive, which means that if multiple access rules apply to the same module role, all access rights of those rules are combined for that module role. This feature is applied for example when applications are configured for multi-tenant usage.

Figure 6. Object security rule

Logging throughout the Application Lifecycle

Mendix applies extensive logging of the whole application lifecycle. Not only the actions performed by the Mendix Runtime are logged, but also the activities during design, development and deployment, so there's a full audit trail of all relevant activities, who has executed them and when these activities were executed.

Requirements management logging

The Projects module in the Mendix platform supports the definition of requirements in the form of user stories. Mendix logs actions related to the user stories so that it's traceable who defined which requirements.

Design time logging

The integrity of the application being developed is monitored by the Team Server, which allows you to link all change commits within Mendix apps to specific user stories and users. This enables you to trace who has developed which part of your application, and for what reason.

Deployment logging

The Cloud Portal is the component that, amongst other functions, handles the deployment of application packages (called deployment archives in Mendix). Activities pertaining to deployment in the Cloud Portal include deployment and staging of apps across environments. In addition, backup and restore actions are logged, so there's full traceability of the administrative tasks performed.

Runtime application logging

The Mendix Runtime offers the option to log user behavior and object manipulations, enabling audit trails to the lowest level. Aside from the standard log details (such as active users, etc.), the Mendix Modeler allows you to add custom logging, and even to add active alerts based on bespoke integrity triggers. Logs are persistently stored in log files. Mendix offers an API to subscribe to log events. Mendix also integrates with 3rd party tools like RSA for encrypted storage of log files in environments where secure logging and auditing is required.

Identity & Access Management

User Management and Provisioning

Mendix offers MxID, a user management and provisioning service as part of Mendix Cloud. MxID is built on the Mendix Platform and hence inherits all security measures from the platform. MxID provides an administration portal for the management of user access and authentication.

Companies

Companies are the tenants on the Mendix Cloud. Apart from the company profile and settings, Mendix supports the definition of Company Admins who can assign permissions to users following a delegated administration concept. One or more administrators can be identified per tenant who, in turn, can perform certain administrative tasks in the tenant according to the permissions granted.

App User Management

Based on policy rules, users are assigned a user role within an application. MxID automatically reads the user roles from the application.

3rd Party Identity Management Solutions

The built-in security role and authentication mechanisms in the Mendix Runtime, as described in the previous paragraph, support integration with other 3rd party identity managers such as Microsoft Active Directory and SAP IDM using protocols like LDAP (Lightweight Directory Access Protocol) or Kerberos.

Authentication

Authentication of users and services to access Mendix apps is handled through MxID by default. MxID applies the OpenID standard.

Note: For on-premises deployments, the MxID cloud service is not available. In this case, user names and passwords can be defined within the application. This option is typically used for "single app" deployment. For deployments of multiple apps, Mendix supports integration with local Active Directory (AD) and federation services or other Identity & Access Management solutions.

Single Sign-On

The Mendix Runtime also supports Single Sign-On (SSO) standards like SAML 2.0 and OpenID and provides APIs to other authentication mechanisms that might be implemented by customers, such as implementing two-factor authentication (e.g. via text message codes or tokens). Like user management and provisioning, authentication can also be integrated with 3rd party Identity & Access Management solutions.

User Name & Passwords

Passwords in Mendix can only be stored in a hashed format. Mendix supports multiple hashing algorithms. If a user fails to log in with the right password three times, the user account is blocked automatically for a minimum of 10 minutes. An administrator can manually override such a blockage by resetting the password.

Web Services, REST Services & APIs

Just like for users, system or service interfaces must be authenticated in the context of the attached role as well. The default option is through a username and password. Other options like tokens are also possible. Authorization for APIs is derived from authorizations defined in the application model. For authentication, Mendix supports the following technical implementations:

- HTTP authentication
- Web Service Security standards
- Custom defined authentication mechanism, including Java

These options make it possible to apply identity propagation.

Multi-Tenancy

Mendix offers out-of-the-box support for developing multi-tenant applications. Multi-tenant apps in Mendix share the same database, application logic and user interface. Application logic can be extended with tenant-specific logic. Also, the user interface can be styled per tenant. Tenants are defined by identifying companies in the Mendix Identity Management module MxID. The company / tenant ID is used to:

- Define a tenant-aware object model for the application. Tenant-level access to domain objects is configured using XPath definitions. This restricts access to those application object instances for the company that the user belongs to.
- Define tenant-specific Microflows and configure access rights to implement tenant-level application and process logic.
- Apply tenant-specific styling of the user interface by making the cascading style sheets (CSS) dependent on companies defined in MxID.

Tenants can be custom defined in the application as well by using identifiers like division, country, site, etc.
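As an added illustration (not Mendix code and not from this whitepaper), the following Python sketch models the user-role/module-role aggregation, the additive entity access rules with a row-level constraint standing in for the XPath constraint, and the page/entity consistency check described in the Module-level security and Multi-Tenancy sections above; the Orders entity, the roles, the two tenants and the orders are constructed sample data.

```python
"""Constructed model (not Mendix code) of the authorization scheme this page describes:
user roles aggregate module roles, entity access rules are additive per module role, each
rule may carry a row-level constraint standing in for an XPath constraint (here a Python
predicate over the current user and the object, e.g. a tenant/company match), and a
consistency check verifies that a page listing an entity is only visible to module roles
that can read it."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

Constraint = Callable[[dict, dict], bool]  # (current user, object) -> object retrievable?

@dataclass(frozen=True)
class AccessRule:
    module_roles: FrozenSet[str]             # module roles the rule grants rights to
    readable: FrozenSet[str]                 # members (attributes/associations) they may read
    writable: FrozenSet[str] = frozenset()   # members they may edit
    can_create: bool = False
    can_delete: bool = False
    constraint: Optional[Constraint] = None  # None: the rule covers every object

@dataclass
class Entity:
    name: str
    rules: List[AccessRule]

@dataclass
class Page:
    name: str
    lists_entity: str
    visible_for: FrozenSet[str]  # the page's "Visible for" module roles

def module_roles_for(user: dict, user_roles: Dict[str, Set[str]]) -> Set[str]:
    """End users only hold user roles; effective module roles are the union over them."""
    roles: Set[str] = set()
    for user_role in user["user_roles"]:
        roles |= user_roles[user_role]
    return roles

def applicable_rules(entity: Entity, mroles: Set[str]) -> List[AccessRule]:
    return [r for r in entity.rules if r.module_roles & mroles]

def readable_members(entity: Entity, mroles: Set[str]) -> Set[str]:
    """Rules are additive: the readable members are the union over all matching rules."""
    members: Set[str] = set()
    for rule in applicable_rules(entity, mroles):
        members |= rule.readable
    return members

def visible_objects(user: dict, entity: Entity, mroles: Set[str], objects: List[dict]) -> List[dict]:
    """Row-level filtering as applied when the query reaches the database: an object is
    returned if some applicable rule is unconstrained or its constraint admits the object."""
    rules = applicable_rules(entity, mroles)
    return [o for o in objects if any(r.constraint is None or r.constraint(user, o) for r in rules)]

def consistency_errors(pages: List[Page], entities: Dict[str, Entity]) -> List[str]:
    """Modeler-style check: a role that may open a page listing an entity must be able to
    read at least one member of that entity, otherwise the page is inconsistent."""
    errors = []
    for page in pages:
        entity = entities[page.lists_entity]
        for role in sorted(page.visible_for):
            if not readable_members(entity, {role}):
                errors.append(f"{page.name}: visible for '{role}', which cannot read {entity.name}")
    return errors

# Constructed sample: an Orders module shared by two tenants (companies ACME and GLOBEX).
def same_company(user: dict, obj: dict) -> bool:
    # Stands in for an XPath constraint tying the object's company to the current user's.
    return obj["company"] == user["company"]

ORDER = Entity("Order", [
    AccessRule(frozenset({"OrderEntry"}), frozenset({"id", "amount", "company"}),
               frozenset({"amount"}), can_create=True, constraint=same_company),
    AccessRule(frozenset({"Approver"}), frozenset({"id", "amount", "status"}),
               frozenset({"status"}), constraint=same_company),
    AccessRule(frozenset({"Auditor"}), frozenset({"id", "amount", "company", "status"})),
])
ENTITIES = {"Order": ORDER}
USER_ROLES = {"Clerk": {"OrderEntry"}, "Manager": {"OrderEntry", "Approver"}, "Audit": {"Auditor"}}
CLERK = {"name": "clerk@acme.example", "company": "ACME", "user_roles": ["Clerk"]}
MANAGER = {"name": "manager@acme.example", "company": "ACME", "user_roles": ["Manager"]}
AUDITOR = {"name": "auditor@example", "company": "AUDITCO", "user_roles": ["Audit"]}
ORDERS = [
    {"id": 1, "company": "ACME", "amount": 120, "status": "new"},
    {"id": 2, "company": "GLOBEX", "amount": 999, "status": "approved"},
    {"id": 3, "company": "ACME", "amount": 45, "status": "approved"},
]
# 'Guest' has no access rule on Order, so the consistency check must flag this page.
PAGES = [Page("OrderList", "Order", frozenset({"OrderEntry", "Approver", "Guest"}))]
```

The clerk and manager (tenant ACME) only retrieve ACME orders, the unconstrained auditor retrieves all of them, and the Guest role on the OrderList page is reported by the consistency check.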

Figure 7. Multi-tenancy

Security for cloud deployment through Mendix Cloud

Mendix Cloud is the infrastructure provided and operated by Mendix to run the Mendix platform and applications built on the platform. Mendix Cloud also offers MxID as well as a Cloud Portal to manage users and for deploying, monitoring and managing apps across environments.

High-Level Deployment Architecture

Deploying your application on the Mendix Cloud takes place on a Mendix Cloud Node that Mendix provisions for your company in a cloud datacenter from one of the Infrastructure-as-a-Service (IaaS) providers that Mendix works with (see the paragraph on IaaS Providers below).

Containment

A Cloud Node is a grouping of virtual and autonomous instances of the Mendix runtime, dedicated to your company, that includes an (optional) Test, Acceptance and Production environment, each running in its own App Environment. This App Environment also includes firewall, web server, and database services. Mendix Cloud Nodes run on Cloud Foundry containers. The purpose of an App container is to contain the behavior and consumption of an environment and shield other environments (and apps) from each other.

As each App Environment has its own dedicated web server and firewall services, Mendix supports customization on an App Environment level through the Cloud Portal without affecting other App Environments. For example, the customization of request handlers for a specific App Environment is not compromised by the demands and desires of other Mendix customers. The Mendix Runtime is connected to a dedicated database for the App Environment. The database is only accessible by this specific Mendix Runtime instance.

The App Environment setup allows test, acceptance and production instances of the same application to operate identically but independently. Because the App Environments are fully standardized, Mendix

