Data Protection in PubSub+ Cloud
Management, monitoring, and messaging data are the types of data that flow through PubSub+ Cloud. It's important to know that the management, monitoring, and messaging data take separate and well-defined paths. Logically, PubSub+ Cloud is split into two data planes called the control plane (for management and monitoring data) and a messaging plane (for messaging data). For more information, see Control Plane Data and Messaging Plane Data.
All data, whether management or messaging data, is encrypted at rest and in transit. For more information about data encryption, see Encryption.
The following diagram shows how the planes logically look in a typical deployment:
As the diagram shows, there is a clear separation between control plane data (management and monitoring data: metadata and logs) and messaging plane data (events, messages, files, and any other artifacts that are part of an event payload). The diagram shows event broker services in a Customer-Controlled Region as an example, but the separation of control plane and messaging plane data is the same in any type of deployment.
The diagram also shows a Kubernetes cluster and how the Mission Control Agent handles management data between the event broker services and Solace Home Cloud. This architecture keeps management and monitoring data separate from messaging data. For information about the various data flows, see Data Flows within a Customer Environment.
One important aspect to consider regarding messaging data is data sovereignty, which comes down to the geographical location where the data resides. Because the PubSub+ Cloud platform can be geographically diverse, consider this as part of your overall security and data strategy. To address it, you can deploy to a Dedicated Region chosen by geography. For more information, see Data Sovereignty.
Data Flows within a Customer Environment
There are different categories of data involved in a deployment of event broker services. The data can be categorized as management, monitoring, and messaging data.
- Management Data
- Management data is sent between the Mission Control Agent, Solace Home Cloud, and the event broker services. It includes configuration information for event broker services and metadata that is sent back to Solace through secure ports. For more information, see Control Plane Data.
- Monitoring Data
- Monitoring data (statistics and event broker logs) is sent to a central monitoring service (Datadog) over HTTPS on secured ports. Datadog agents use SEMP-based calls to collect statistics and logs from the event broker services. In most cases monitoring data flows one way, from the event broker services to Datadog; for users who work with dashboards in Datadog, monitoring can be configured through a connection from Datadog, which is why the diagram shows it as a two-way flow. For more information, see Control Plane Data.
- Messaging Data
- Messaging data (events and message payloads) is the information exchanged between the event broker services and the publishing and subscribing client applications. No customer data leaves the customer environment if the client applications connect from within the same VPC/VNet; messaging data stays within the customer's perimeter (their VPC/VNet). For more information, see Messaging Plane Data.
- Any messages transmitted between client applications and the event broker services are encrypted by default, and data stored in the VPC/VNet is encrypted. For more information about data encryption, see Encryption.
Control Plane Data
The control plane carries both management and monitoring data. Management data uses secure SEMP calls to perform tasks such as configuring event broker services, configuring certificates for PubSub+ Cloud, and communicating with the Mission Control Agent. Monitoring data consists of the statistics and logs gathered by the Datadog agents that run on each event broker (so a High-Availability service has three Datadog agents). The Datadog agents collect statistics and logs through SEMPv2-based interfaces.
The Control Plane uses secure HTTPS calls to make API calls to cloud vendors to configure DNS records and manage compute instances (EC2 Instances, Virtual Machines, etc.).
Management data from the control plane travels over a secured communication channel to the Solace Home Cloud and the central monitoring service. Solace uses this data to manage and monitor the health of the event broker services. Management data comes from various functions, including the following:
- User interactions with the PubSub+ Cloud Console to create and manage event broker services. The creation of an event broker service is handled ultimately by the Mission Control Agent deployed in the same VPC/VNet.
- User interactions from the Broker Manager, which directly connects to an event broker service.
- Collection of metadata and logs that are sent to the centralized monitoring service. The monitoring information is sent between Solace Home Cloud and the user.
Information from event broker services is collected to monitor the health of the event broker services. For information on the logs collected, see Event Broker Service Logs.
Messaging Plane Data
The messaging plane contains the events, data, and message payloads transported between the event broker services and client applications. Because messaging data exists in its own plane, it is not accessible from the control plane.
- For more information, see Event Broker Services.
- For more information about the protocols and APIs used for messaging, see Open APIs & Protocols.
Encryption
All data on PubSub+ Cloud, including management, monitoring, and messaging data, is encrypted. Encryption applies to data in transit (events and messages being transmitted) and at rest (persistent storage for queues). Any logs, management data, or statistics collected are also encrypted.
Encryption is a consideration both for data in transit and for data when it is stored. Sensitive data is treated with additional care on PubSub+ Cloud. For more information about encryption in the security architecture, see the following sections:
- Encryption of Data in Transit
- Data at Rest
- Encryption of Sensitive Data
Encryption of Data in Transit
Data transmitted between the client applications (both publishers and subscribers) and the event broker services is encrypted. This is the default setting whenever event broker services are created in PubSub+ Cloud.
By default, the messaging data that is brokered by the event broker services between publishers (producers) and subscribers (consumers) is secured in the following manner:
- event broker services use messaging protocols and ports that are secured with TLS 1.2 (default)
- non-encrypted protocols (plain-text ports) are available for configuration to support legacy applications, but are disabled by default; plain-text, non-encrypted protocols are not recommended for production environments
- server certificates are renewed on a regular schedule and whenever a security advisory requires it
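The TLS floor described in the list above, shown as an added example (this is not Solace code): a TLS 1.2-only listener modelled on a secured broker port, approached by a client that is willing to speak older protocol versions. The host name broker.example, the self-signed certificate and the in-memory pipe standing in for the TCP connection are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// brokerName is a hypothetical host name for the example certificate; a real
// event broker service has its own DNS name and a CA-issued certificate.
const brokerName = "broker.example"

// selfSignedCert builds a throwaway certificate so the example runs offline.
// It returns the server's certificate and a trust pool containing only it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: brokerName},
		DNSNames:     []string{brokerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake models one client connecting to a TLS-only broker port. The server
// refuses anything below TLS 1.2; the client is deliberately permissive (a
// legacy application) and offers every version from TLS 1.0 up to clientMax.
// It returns nil when the handshake succeeds and the client has verified the
// server certificate, or the handshake error otherwise.
func handshake(clientMax uint16) error {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return err
	}
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // the default floor described above
	}
	cliCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: brokerName,
		MinVersion: tls.VersionTLS10, // legacy client: still willing to speak old versions
		MaxVersion: clientMax,
	}

	// An in-memory pipe stands in for the TCP connection, so no ports are opened.
	srvRaw, cliRaw := net.Pipe()
	srvDone := make(chan error, 1)
	go func() {
		defer srvRaw.Close()
		srvDone <- tls.Server(srvRaw, srvCfg).Handshake()
	}()

	err = tls.Client(cliRaw, cliCfg).Handshake()
	cliRaw.Close() // drop the raw end so the server goroutine can never block on the pipe
	<-srvDone
	return err
}

func main() {
	for _, c := range []struct {
		name string
		max  uint16
	}{{"TLS 1.3", tls.VersionTLS13}, {"TLS 1.2", tls.VersionTLS12}, {"TLS 1.1", tls.VersionTLS11}} {
		if err := handshake(c.max); err != nil {
			fmt.Printf("client offering at most %s: rejected (%v)\n", c.name, err)
		} else {
			fmt.Printf("client offering at most %s: accepted\n", c.name)
		}
	}
}
```

The client capped at TLS 1.1 is turned away before any application data is exchanged, which is the property that disabled plain-text ports and a TLS 1.2 floor give you together. The client side matters as well: a client that disables certificate verification (InsecureSkipVerify here, or the equivalent in another API) still gets an encrypted channel but loses the guarantee that it is talking to the event broker service, so keep verification on and pin the trust pool to the CA that issues the service's certificates.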
Data at Rest
Data at rest is any data stored on message spools (virtual storage, persistent storage, external persistent storage). Both online disks and the disks used for backups are encrypted, a layered approach that keeps the data protected at all times. All disks are encrypted by default; this is not optional. Any storage services used (for example, S3 or databases) use server-side encryption.
In Public Regions and Dedicated Regions, all data at rest is encrypted with AES-256 using keys provided by the cloud vendor's Key Management Service (KMS). Stored data follows these principles:
- disk encryption uses AES-256 with keys from the cloud vendor's KMS
- at-rest encryption is always enabled and is not optional
- sensitive data is always encrypted with AES-256 before it is stored
- messaging data is stored only on encrypted spool disks in the same cloud region as the event broker service
For Customer-Controlled Regions, Solace recommends using encrypted storage.
Encryption of Sensitive Data
Sensitive data is protected in two ways: passwords are hashed with bcrypt, and credentials are encrypted with AES-256.
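How KMS-backed AES-256 encryption of spools (Data at Rest, above) and AES-256 encryption of credentials (this section) fit together, shown as an added example that is not Solace code and makes no claim about their internal implementation: an envelope-encryption routine written against Go's standard library. The fakeKMS type is a constructed stand-in for the cloud vendor's KMS, the queue name and payload are made up, and bcrypt password hashing is not shown because it is not in the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aesGCM returns an AES-256-GCM AEAD; the 32-byte key is what makes it AES-256.
func aesGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// fakeKMS is a constructed stand-in for a cloud vendor KMS. The key-encryption
// key (KEK) never leaves it; callers only ever hold wrapped data keys.
type fakeKMS struct{ kek []byte }

func newFakeKMS() (*fakeKMS, error) {
	kek, err := randomBytes(32)
	return &fakeKMS{kek: kek}, err
}

// GenerateDataKey mirrors the KMS call of that name: a fresh 256-bit data key
// (DEK) in the clear for immediate use, plus the same key wrapped under the
// KEK for storage beside the ciphertext.
func (k *fakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	if plain, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	aead, err := aesGCM(k.kek)
	if err != nil {
		return nil, nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, nil, err
	}
	// wrapped = nonce || GCM(KEK, DEK); the GCM tag makes the blob tamper-evident.
	return plain, aead.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt unwraps a data key. A blob wrapped by a different KMS (different KEK)
// fails authentication, so a spool copied out of its region cannot be read.
func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	aead, err := aesGCM(k.kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return aead.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// envelope is what is written to disk: the wrapped DEK travels with the data,
// so reading it back always goes through the KMS and the access policy on the KEK.
type envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// sealRecord encrypts plaintext (spool contents or a credential) under a fresh
// DEK. aad is authenticated but not encrypted; binding a record to its queue
// name stops a ciphertext from being replayed under another queue.
func sealRecord(k *fakeKMS, plaintext, aad []byte) (*envelope, error) {
	dek, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dek) // the clear DEK lives only as long as this call
	aead, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// openRecord reverses sealRecord. Any change to ciphertext, nonce, AAD or the
// wrapped key is caught by GCM authentication and surfaces as an error.
func openRecord(k *fakeKMS, env *envelope, aad []byte) ([]byte, error) {
	dek, err := k.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dek)
	aead, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, err := newFakeKMS()
	if err != nil {
		panic(err)
	}
	queue := []byte("orders") // constructed queue name, used as AAD
	env, err := sealRecord(kms, []byte(`{"orderId":42}`), queue) // constructed payload
	if err != nil {
		panic(err)
	}
	back, err := openRecord(kms, env, queue)
	fmt.Printf("round trip: %s (err=%v)\n", back, err)
	env.Ciphertext[0] ^= 0x01 // one flipped bit on disk
	_, err = openRecord(kms, env, queue)
	fmt.Printf("tampered spool: err=%v\n", err)
}
```

The point of the envelope is that the KEK, and with it the decision about who may read the spool, stays inside the KMS in the service's region; the disk only ever holds ciphertext plus a wrapped key that is useless anywhere else. Credentials the broker has to present in the clear later are sealed the same way, whereas passwords that only need to be checked are hashed with bcrypt instead, because nothing should ever need them back in the clear.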
Data Sovereignty
Data sovereignty refers to the laws and governance that apply to the collection and storage of data, determined by the nation where the data resides or is collected. Because the data is separated into two planes, sovereignty is considered separately for each:
Messaging data remains with the event broker services, so it is subject to the laws of the geographical region where those services are deployed. Sovereignty of messaging data is the common regulatory requirement, and the customer decides where the event broker services are deployed.
To address messaging data sovereignty requirements, Solace recommends installing the event broker services in a private network (for example, a Kubernetes cluster in a VPC/VNet) in the region where the data must stay. For example, if the data must remain within a particular geographical region, deploy the event broker services in that region using a private network. For more information about VPC/VNet isolation, see VPC/VNet Isolation.
Management data comprises logs, statistics, and metadata. The metadata is used and stored by the Solace Home Cloud and the PubSub+ Cloud Console (including Event Portal, Insights, and Cluster Manager), together referred to as the regional site. A third-party centralized monitoring service (Datadog) collects and stores the operational logs, metrics, and statistics that the Home Cloud uses for centralized monitoring.
Sovereignty requirements for management data are less common, but if you have one, Solace offers several regional sites from which you can choose.
Using different regional sites for the Home Clouds gives you these benefits or capabilities:
- allows you to store your data in a specific geographic location
- enables you to adhere to the laws of the country where the site resides [e.g., comply with regulatory requirements for personal identifiable information (PII) ] or address data sovereignty concerns
- potentially lower latency, depending on the geographic location and network topology from which your users connect
The following table shows the URL (where <custom_domain> is the string for your custom domain) to use to connect to the PubSub+ Cloud Console for each regional site, and the location where the Home Cloud resides.
Regional Site | Cloud Console URL | Cloud Console URL (SSO-enabled) | Location of Home Cloud
United States of America
The regional site in Australia (AUS) currently supports only Dedicated Regions and Customer-Controlled Regions. Public Regions are not supported.