Data Protection in PubSub+ Cloud
Management, monitoring, and messaging data are the types of data that flow through PubSub+ Cloud. It's important to know that the management, monitoring, and messaging data take separate and well-defined paths. Logically, PubSub+ Cloud is split into two data planes called the control plane (for management and monitoring data) and a messaging plane (for messaging data). For more information, see Control Plane Data and Messaging Plane Data.
All data (whether it is management or messaging data) is secure and encrypted while stationary or in transit. For more information about data encryption, see Encryption.
The following diagram shows how the planes logically look in a typical deployment:
As you can see in the previous diagram, there is a clear separation between the control plane data [management and monitoring (metadata and logs) data] and the messaging plane [messaging data (events, messages, files, any artifacts that are part of event payload)]. The diagram shows the event broker services in a customer-controlled region as an example, but the separation of control plane and messaging plane data is the same in any type of deployment.
The diagram also shows a Kubernetes cluster and depicts how the Mission Control Agent handles management data between the event broker services and Solace Home Cloud. This architecture keeps the management/monitoring data separate from the messaging data. For information about the various data flows, see Data Flows within a Customer Environment.
One important aspect to consider regarding messaging data is the sovereignty of the data. This comes down to the geographical location where the data resides. Since the PubSub+ Cloud platform can be geographically diverse, it's a good idea to consider this as part of your overall security and data strategy. To address this, you can deploy to a dedicated region based on geography. For more information, see Data Sovereignty.
There are different categories of data involved in a deployment of event broker services. The data can be categorized as management, monitoring, and messaging data.
- Management Data
- Management data is sent between the Mission Control Agent, Solace Home Cloud, and event broker services. Management data includes configuration information for event broker services and metadata that is sent back to Solace through secure ports. For more information, see Control Plane Data.
- Monitoring Data
- Monitoring data (statistics and event broker logs) is sent to a central monitoring service (Datadog) through secure ports. Transmission of monitoring data is via secure HTTP. Datadog agents use SEMP-based calls to collect statistics and logs from the event broker services. In most cases, monitoring data is one-way, but for users that use dashboards in Datadog, the monitoring data is configurable via a connection – hence it is shown as a two-way data flow. For more information, see Control Plane Data.
- Messaging Data
- Messaging data (which includes events, payloads of messages) refers to the information between the event broker services and the publishing and subscribing client applications. No customer data leaves the customer environment if the client applications connect from within the same VPC/VNet. Messaging data is resident within the customer's perimeter (in their VPC/VNet). For more information, see Messaging Plane Data.
- Any messages transmitted between client applications and the event broker services are secured using encryption, by default. Data stored in the VPC/VNet is encrypted. For more information about data encryption, see Encryption.
The control plane consists of both management and monitoring data. Management data uses secure SEMP calls to perform tasks such as configuring event broker services, configuring certificates for PubSub+ Cloud, and communicating with the Mission Control Agent. Monitoring data encompasses gathering monitoring statistics and logs, which is done using Datadog agents on each event broker (this means there are three Datadog agents in a High-Availability service). The statistics and logs that Datadog agents collect use SEMPv2-based interfaces.
The Control Plane uses secure HTTPS calls to make API calls to cloud vendors to configure DNS records and manage compute instances (EC2 Instances, Virtual Machines, etc.).
The management data from the control plane flows over a secured communication channel with the Solace Home Cloud and the central monitoring service. Solace uses this data to manage and monitor the health of the event broker services. Management data comes from various functions that include the following:
- User interactions with the PubSub+ Cloud Console to create and manage event broker services. The creation of an event broker service is handled ultimately by the Mission Control Agent deployed in the same VPC/VNet.
- User interactions from the PubSub+ Broker Manager, which directly connects to an event broker service.
- Collection of metadata and logs that are sent to the centralized monitoring service. The monitoring information is sent between Solace Home Cloud and the user.
Information from event broker services is collected to monitor the health of the event broker services. For information on the logs collected, see Event Broker Service Logs.
The messaging plane contains the events, data, and payload of the messages that are transported between the event broker services and client applications. It's important to note that since messaging data exists in its own plane, the data is not accessible from the control plane.
- For more information, see Event Broker Services.
- For more information about the protocols and APIs used for messaging, see Open APIs & Protocols.
All data on the PubSub+ Cloud is encrypted, including management, monitoring, and messaging data. Encryption applies to data that is in transit (transmitted via events and messages) and at rest (stored in persistent storage for Queues). Any logs, management data, or statistics collected are also encrypted.
Encryption is a consideration for data in transit and when it's stored. Sensitive data is treated with additional care on PubSub+ Cloud. For more information about encryption in the security architecture, see the following sections:
Data that is transmitted between the client applications (both publishers and subscribers) and the event broker services is secure. This is the default setting whenever event broker services are created in PubSub+ Cloud.
By default, the messaging data that is brokered by the event broker services between publishers (producers) and subscribers (consumers) is secured in the following manner:
- event broker services use messaging protocols and ports that are secured with TLS 1.2 (default)
- non-encrypted protocols (plain-text ports) are available for configuration to support legacy applications, but are disabled by default; plain-text, non-encrypted protocols are not recommended for production environments
- certificates are regularly updated and whenever Security Advisory concerns require resolution
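The following helper is an added illustration of the client-side half of this default posture; it is not code from Solace or the PubSub+ Cloud documentation. It builds a TLS 1.2-minimum, certificate-verifying context and refuses plaintext endpoint URLs unless a legacy opt-in is given; the URL schemes, hostnames, and ports it uses are constructed samples.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample of client URL schemes for an event broker service: the
# TLS variants stand for the secured ports enabled by default, the plaintext
# variants for the legacy ports that are disabled by default.
ENCRYPTED_SCHEMES = {"tcps", "mqtts", "amqps", "https", "wss"}
PLAINTEXT_SCHEMES = {"tcp", "mqtt", "amqp", "http", "ws"}


def build_client_tls_context(ca_file=None):
    """Client-side TLS context matching the default posture described above:
    TLS 1.2 or newer, certificate and hostname verification required."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CAs unless given
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse TLS 1.0 / 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def classify_endpoint(url, allow_plaintext=False):
    """Return (kind, host, port) for a broker endpoint URL.

    Plaintext schemes raise unless the caller opts in explicitly, mirroring
    the 'disabled by default, legacy only' stance for non-encrypted ports."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if parsed.hostname is None or parsed.port is None:
        raise ValueError(f"{url!r}: host and port are both required")
    if scheme in ENCRYPTED_SCHEMES:
        return "encrypted", parsed.hostname, parsed.port
    if scheme in PLAINTEXT_SCHEMES:
        if not allow_plaintext:
            raise ValueError(f"{url!r}: plaintext endpoint refused "
                             "(allow_plaintext=True is for legacy use only)")
        return "plaintext", parsed.hostname, parsed.port
    raise ValueError(f"{url!r}: unknown scheme {scheme!r}")


def audit_endpoints(urls, allow_plaintext=False):
    """Audit a client's configured endpoints; returns {url: verdict} where the
    verdict is 'encrypted', 'plaintext' or the refusal/parse error text."""
    report = {}
    for url in urls:
        try:
            report[url] = classify_endpoint(url, allow_plaintext)[0]
        except ValueError as exc:
            report[url] = str(exc)
    return report
```

Run `audit_endpoints` over the endpoint list a client is about to use; any verdict other than `encrypted` is a plaintext or malformed endpoint that should not reach production.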
Data at rest is any data that is stored on Message Spools (virtual storage, persistent storage, external persistent storage). Encryption applies both to online disks and to disks used as backups, providing a layered approach to encryption that ensures the data remains protected at all times. All disks are encrypted by default, and this is not optional. Any storage services (S3, databases, etc.) use server-side encryption.
On Solace-controlled regions, all data at rest is encrypted using AES 256 and is provided by the cloud vendor's Key Management Service (KMS). Data that is stored follows these principles:
- Use cloud vendor Key Management Service (KMS) to achieve disk encryption using AES 256
- At-rest encryption is always enabled and not optional
- Sensitive data is always encrypted before storage using AES-256
- Messaging data is only stored on encrypted spool disks in the same cloud region as the event broker service
For customer-controlled regions, Solace recommends that encrypted storage be used.
Sensitive data, like passwords, is hashed using BCrypt, and credentials are encrypted using AES 256.
Data sovereignty refers to the laws and governance that the collection and storage of data adheres to, which is based on the nation where the data resides or is collected. Since the data is separated into two planes, the sovereignty of the data is as follows:
- Since messaging data remains with the event broker services, it adheres to the laws of the geographical region where the event broker services are deployed. This can be decided by the customer - not Solace.
- Management data comprises logs, statistics, and metadata. The metadata is utilized by the PubSub+ Cloud Console (including Event Portal, Insights, and Cluster Manager). A centralized monitoring service (Datadog - third-party) collects and stores logs and statistics. Both are stored in the United States of America and adhere to the laws in the United States of America.
To address data sovereignty requirements, Solace recommends the event broker services be installed in a private network (e.g., Kubernetes cluster in a VPC/VNet) in the region where the data must be. For example, if the data must stay within a particular geographical region, deploy the event broker services in that geographical region using a private network. For more information about VPC/VNet isolation, see VPC/VNet Isolation.