Customer Roles and Responsibilities for Security

The following table summarizes the security responsibilities based on the deployment architecture chosen.  The exact responsibilities differ based on the environment that the customer (you) has chosen for the deployment environment. For more information about deployment architectures, see Security Architecture for Solace Cloud.

In particular, the responsibilities are different between:

  • Solace-controlled environments. This includes Public Clusters (shared infrastructure) and Dedicated Clusters (not shared; reserved for a single customer).
  • Customer-Controlled Clusters. This includes customer-owned cloud regions and on-premises customer-owned networks, such as Kubernetes clusters.

The following tables summarize the responsibilities of the customer and Solace for security-related tasks.

Infrastructure and Networking Security Responsibilities

The following table describes the security responsibilities of various aspects of a deployment and components in the security architecture.

Task Description Ownership Responsibility Notes
Solace Customer

Security updates for the Solace Home Cloud and Solace Cloud Console.

Public Clusters and Dedicated Clusters

Solace

 

The Solace Home Cloud and Solace Cloud Console are in Solace-controlled infrastructure and therefore security updates and upgrades are managed by Solace.

 

Customer-Controlled Clusters

Solace

 

Coordination with Datadog (third-party service) to maintain and update the central monitoring service.

Public Clusters and Dedicated Clusters

Solace

 

The central monitoring service (Datadog) collects logs, metrics, and statistics from Event Broker Service. Solace handles all interactions with Datadog that are related to Solace Cloud .

 

Customer-Controlled Clusters

Solace

 

Deploying and upgrading the Mission Control Agents

Public Clusters and Dedicated Clusters

Solace

 

Solace manages upgrades to the Mission Control Agent for event broker services in Public Clusters and Dedicated Clusters.

Customer-Controlled Clusters

Solace

Customer

Deploying the Mission Control Agent in a Customer-Controlled Cluster is the customer's responsibility. Solace automatically updates the Mission Control Agent periodically.

Security updates to Event broker services

Public Clusters and Dedicated Clusters

Solace

 
  • For the Solace Event Broker Service software version, Solace and customer coordinate to determine when the best time to perform the upgrade with the customer update it. The lead time required is usually two weeks.
  • In customer-controlled environments, the customer is responsible for monitoring for product notices and request upgrades when they are available; this includes taking appropriate actions as required.

Customer-Controlled Clusters

Solace

 

Security for networking and network access of the event broker service (e.g., maintenance of NAT, load balancers)

Public Clusters and Dedicated Clusters

Solace

Customer

Solace manages the network access for dedicated-customer regions and manages security updates for the Solace-controlled parts of the network.

Customer-Controlled Clusters

 

Customer

If the client applications can connect from within a customer's private network, the customer is responsible for managing access to those applications, managing security updates, and configuring their network so that the client applications can access event broker services.

Configuring VPC/VNet routes as required between the event broker services and client applications

Public Clusters and Dedicated Clusters

Solace

Customer

In Public Clusters, Solace is responsible for configuring, monitoring and resolving issues with VPC peering.

Peering between Dedicated Clusters or Public Clusters and customer VPCs requires that the customer assist with configuration and provide Solace with the required access to the customer network. In this scenario, Solace is responsible for maintaining only the Public Cluster and Dedicated Cluster parts of the network.

For Dedicated Clusters, Solace exchanges custom routes between the Dedicated Clusters using one of the Networking Options for Dedicated Cluster Deployments supported by Solace.

VPN connectivity is not supported for Dedicated Clusters.

Customer-Controlled Clusters

 

Customer

In Customer-Controlled Clusters, the customer is responsible for configuring, monitoring, and resolving issues with VPC peering and VPN connectivity.

Peering between Public Clusters or Dedicated Clusters, and customer VPCs requires that the customer assist with configuration and provide Solace with the required access to the customer network. In this scenario, Solace is responsible for maintaining only the Public Cluster or Dedicated Clusters.

The customer is responsible for coordinating with their infrastructure teams to configure secure connectivity (VPC/VNet peering , VPN, Transit Gateway, etc.) between where the client applications reside and event broker services in the Kubernetes cluster. This may also include configuring load balancers, gateways, and NAT access.

Network infrastructure security of the client messaging applications

Public Clusters and Dedicated Clusters

 

Customer

The security infrastructure that the client application runs on is managed by the customers.

 

Customer-Controlled Clusters

 

Customer

Security of the infrastructure where the event broker services are deployed (including Kubernetes clusters and the supporting infrastructure). This includes security maintenance updates.

Public Clusters and Dedicated Clusters

Solace

 

Solace ensures that the most recent security measures and best practices are implemented to address on-going security threats for the infrastructure where the event broker services run.

For a summary of the various processes in place and best practices, see Operational Procedures and Policies and Additional Steps and Best Practices for Security.

Customer-Controlled Clusters

Solace

Customer

The customer is responsible for setting up, managing, securing, and maintaining their private region (VPC/VNET) for the Kubernetes cluster.

Solace pushes updated Docker images where event broker services are deployed. In Customer-Controlled Clusters, the customer is responsible for monitoring for product notices and requesting upgrades when they are available; this includes taking appropriate actions as required.

User Control Responsibilities

The users (customers) are responsible for establishing their own system of internal control and enforcing those controls. It is not feasible for all trust services criteria to be solely achieved by Solace. User control encompasses access from users, which includes both people and client application access.

Task Description Ownership Responsibility Notes
Solace Customer

The security and integrity of data stored and processed in facilities, infrastructure, and environments

Public Clusters and Dedicated Clusters

 

Customer

The event broker services run on Solace-controlled infrastructure. The data in on the messaging plane portion of the event broker services is not accessible to Solace. Any data stored or captured by the client applications are under the customer's control.

Customer-Controlled Clusters

 

Customer

The event broker services run on customer-controlled infrastructure. Any data stored or captured by the client applications are under the customer's control.

Managing access to the customer's Solace Cloud account (configuring access such as adding/deleting users, review, implementation of logical access security measures, and single sign-on access)

 

Public Clusters and Dedicated Clusters

 

Customer

  • The customers is responsible for managing the appropriate access (credentials, roles) for their users in their Solace Cloud account.
  • The customer is responsible for adding or removing users for their Solace Cloud account.
  • The customer is responsible for performing periodic review of their access and configuration in their Solace Cloud account.
  • The customer is responsible for enabling OpenID and integrating with their Identity Provider for Single Sign-On (SSO) and/or Multi-factor Authentication (MFA).
  • Customers who use OpenID Connect (OIDC) can deploy appropriate auditing controls for logging of their users when accessing the OpenID Identity Provider.
  • Customers using Dedicated Clusters are responsible for reviewing and approving the security configuration of the VPC/VNet as well as access to the event broker services.

The customer can contact Solace as required for assistance for access issues. For more information about integrating with OpenID Connect , see Configuring Single Sign-On with OpenID Connect

Customer-Controlled Clusters

 

Customer