New York, NY 10036
OneCloud Security Architecture
Accommodates virtually any integration pattern with native bi-directional integration.
100% code free functions that support today's EPM, BI and SoR applications.
Ease of use with a visual and intuitive point-and-click interface.
Control and actionable insight to enhance how critical business applications are managed.
Seamless connectivity that unifies on-premise and cloud applications.
Approval workflow so data can be approved before it is moved.
System transparency that eliminates shadow IT and unmanaged custom code.
It is trusted by leading companies in security, tech, healthcare, finance, transportation and manufacturing.
OneCloud Reference Architecture
"One of the first things we did as a company was to become SOC 1 and SOC 2 compliant. Not just because it matters to our clients, but because it matters to us. We want to do things right."
- Ryan Curtin, CTO
Figure 1 - OneCloud Reference Architecture
In a nutshell
OneCloud allows companies and their business users that leverage Enterprise Performance Management (EPM), Business Intelligence (BI), and System of Record (SoR) technologies to easily control, monitor, automate, and integrate their business-critical applications that coexist on-premise and in the cloud.
Product and Solution Focus Areas
Native and bi-directional integration, automation, and approval workflow with support for the most widely used technologies including Oracle [ARCS/EPBCS/PBCS/FCCS/PCMCS/EDMCS/HCM/OAC/OFC/HFM/Essbase], IBM PA, Host Analytics, Anaplan, Tableau, Workday, NetSuite, Salesforce, Workiva, Blackline, relational technologies, and more.
Leveraging the power of Amazon Web Services (AWS) and OneCloud's unique iPaaS architecture, OneCloud efficiently integrates and automates cloud and on-premise applications while conforming to comprehensive enterprise architecture standards and strict IT security policies.
Each layer of OneCloud's architecture is engineered to protect client data and provide access control to the sensitive systems that OneCloud interfaces with. Bottom line, OneCloud addresses the requirements of today's modern enterprise architecture, is SOC 1 and SOC 2 compliant, and in many cases exceeds the required cloud certifications.
Users securely interface with the OneCloud service over HTTPS (TLS 1.2) via web and mobile-enabled devices. Running within the OneCloud host are the primary application, an AES-encrypted database that houses the application metadata, and a queue that manages communication with, and task execution on, remote OneCloud service agents. While agents are external, they are controlled by the OneCloud host to execute the discrete tasks that make up a workflow chain.
In summary, the OneCloud architecture has the following key components (see diagram below):
The secure browser-based end-user interface to build, run and administer integrations.
The central OneCloud multi-tenant cloud service hosted in Amazon Web Services (AWS).
Remote execution agents for interfacing with cloud and on-premise applications.
What sets OneCloud apart?
The diagram on the left shows the landscape of an enterprise's systems that has morphed into a disjointed union of applications and processes. The diagram on the right shows how OneCloud streamlines and transforms the integration points of these applications and creates a manageable, controllable and scalable environment.
OneCloud execution agents, known as GroundRunners, are hosted on-premise and interface with applications that are both inside and outside a client network. GroundRunners have a light resource footprint and support Microsoft Windows, Linux, macOS, and Oracle Solaris operating systems on physical and virtual computing resources. GroundRunners perform all the required automation and integration tasks, which range from running a simple operating system command to native application operations such as loading or retrieving data. It should be noted that a OneCloud GroundRunner must be hosted on an operating environment that can reach the OneCloud service.
If there is no requirement to access on-premise systems, then a OneCloud GroundRunner is not required. In this case, integration tasks are executed by a OneCloud CloudRunner that is hosted by OneCloud.
Please see the following table, which provides deployment considerations when using OneCloud CloudRunners and GroundRunners.
OneCloud GroundRunners and CloudRunners
Deployment and responsibility
  GroundRunner: Requires installation on a computing environment inside the corporate firewall that can interface with the external OneCloud service via port 443. Hosting, management and installation of the GroundRunner is the responsibility of the client.
  CloudRunner: OneCloud CloudRunners are a part of the overall OneCloud service, and therefore OneCloud's responsibility.
Supported operating systems
  GroundRunner: Microsoft Windows, Linux, Oracle Solaris, macOS
Data transmission
  GroundRunner: With the use of a GroundRunner, no customer data will ever be transmitted through OneCloud's cloud service.
  CloudRunner: CloudRunners interface directly with supported cloud technologies. As such, data will be transmitted through OneCloud's service.
On-premise and cloud integration
  GroundRunner: Yes - Full and seamless integration with both on-premise and cloud applications.
  CloudRunner: No - Integration only between cloud providers.
Native use of published application APIs
  GroundRunner: Yes - Depending on the on-premise system, OneCloud BizApps will leverage different API interfaces; for cloud technologies, OneCloud will only use the published REST APIs that securely transmit data via HTTPS (TLS 1.2).
  CloudRunner: Yes - OneCloud BizApps only use the published REST APIs of the corresponding cloud provider, which securely transmit data via HTTPS (TLS 1.2).
OneCloud is hosted on Amazon Web Services (AWS) and OneCloud's network operates within a Virtual Private Cloud (VPC) on AWS. This virtual firewall allows OneCloud to control traffic into and out of the system. At a more granular level, OneCloud services are hosted within subnets* of the VPC that are both public and private. The VPC acts as a DMZ whereby the public subnet contains services that can be accessed from the outside network, and the private subnet contains services that can only be accessed from within the public subnet.
Figure 2 - OneCloud Host running on Amazon Web Services
* A subnet is an isolated block of IP addresses that can be either public or private. Public subnets contain servers that need to be accessed directly via the public Internet, while internal services are hosted on private subnets that do not accept public traffic. In the case of OneCloud, all services within the public subnet are only accessible via HTTPS requests on a single port (443).
Operating System Security
Amazon Web Services (AWS) data centers are located in regions across the world, with the highest standards in security and availability. Physical access to the data centers is restricted by multiple levels of authentication, with regular audits to restrict access only to those employees with legitimate business needs. Power systems are designed to be redundant, and both backup power supplies and generators are on standby in the event of an electrical failure. To learn more about AWS security, please visit: https://aws.amazon.com/security/
OneCloud GroundRunner access privileges to computing resources can be tightly managed and controlled. GroundRunners run inside the corporate firewall as a service directly on the operating system where they are hosted. Because the executables run as a service, they need to be started under a particular "service account" that has the appropriate privileges to the operating system or other shared resources.
Database Layer Security
Database servers are hosted within private subnets. These databases cannot be accessed directly from the public Internet, and only services within the OneCloud VPC are able to connect to the OneCloud databases. All connections to databases are password-protected, and only the necessary ports are accessible. OneCloud's databases are highly redundant and distributed across multiple data centers to prevent data loss in the event of a systemic failure.
OneCloud databases are backed up daily. These database snapshots are stored in Amazon's Simple Storage Service (S3), encrypted with AES-256, across multiple regions, ensuring an added layer of secure redundancy. The OneCloud backup restoration process is tested on a monthly basis on a replica of the production environment.
Regular releases and patches are made with zero downtime and no impact on user data. Scheduled maintenance tasks, on the other hand, such as database and server upgrades, happen outside of business hours. During these maintenance windows, users may not be able to log in to the system, but previously scheduled processes will be executed and reported normally. Users will be provided with at least one week's notice for scheduled maintenance tasks.
GroundRunners also periodically check for new upgrades. When an upgrade is detected, the new binaries are automatically downloaded over the secure transport layer described below. Alternatively, new binaries are also available through OneCloud's web interface and can be downloaded and deployed manually. To prevent man-in-the-middle attacks, new binaries are signed and encrypted.
Data Transmission Security
To ensure that data transmission between systems is secure, all traffic to and from OneCloud is encrypted with the TLS 1.2 protocol using 2048-bit certificates. In addition, communication between internal OneCloud applications is encrypted to ensure that all transmissions are sent from a legitimate source.
Both OneCloud's GroundRunners and CloudRunners support the direct exchange of data, whereby agents can download and exchange files over a communication channel that uses the same TLS 1.2 protocol together with a JSON Web Token (JWT). GroundRunners also support direct agent-to-agent data exchange; this option can be enabled or disabled, and the listening port (default 8821) is configurable.
GroundRunners also work with a corporate proxy to create a secure channel, directed by corporate IT, for communicating with the OneCloud host.
Remote Application Security
Another aspect of application security is the remote cloud and on-premise applications that OneCloud GroundRunners or CloudRunners interface with. To this end, all metadata associated with user credentials and other secrets is encrypted with AES-256 and stored in a separate secure storage system leveraging HashiCorp's Vault technology.
Depending on the remote application and its respective connection parameters, OneCloud supports the following authentication methods, which are stored as "secrets" in Vault: basic authentication (username/password), vendor-issued certificates, CA-signed certificates and OAuth 2.0.
Figure 3 - OneCloud's use and storage of secrets
OneCloud Application Security
Access to the OneCloud application layer is protected via native authentication (username/password). To tie into corporate identity management systems, OneCloud supports SAML (Security Assertion Markup Language), which enables third-party SAML providers such as Okta to manage external LDAP directories. Additionally, OneCloud password policies can be set to require strong passwords with an expiration date.
As an additional level of security, OneCloud also offers IP whitelisting to optionally restrict end-user access to the OneCloud application to designated IP address ranges.
Access to OneCloud requires a valid email address, which acts as the OneCloud user name. OneCloud is a multi-tenant cloud application where clients are granted exclusive access to a "Client Org". A OneCloud user can belong to one or more organizations ("Orgs"). Within an Org, there are two types of users:
Administrators - Designated for administrators of a OneCloud Org. These users have full access to all aspects of a OneCloud deployment within a particular Org.
User - A standard user whose access to a OneCloud Org depends on belonging to one or more groups tailored for that Org.
For non-admin OneCloud users, OneCloud provides the ability to establish granular access to the various OneCloud application components. Setting up a security profile starts with creating a security group that users are then assigned to. Fine-grained application access is then assigned to the group with the following controls:
Workspaces
  Workspaces allow a OneCloud client Org to be segmented for different use cases that address different business requirements such as finance, sales operations and consolidation.
  Access levels: None / Read / Write / Admin
Environments
  Environments are used to split Workspaces into separate areas such as Dev / Test / Production.
  Access levels: None / Read / Write / Admin
  Note: A user must be designated as a Workspace Admin in order to promote Chains between environments.
Chains
  Chains are a collection of Tasks and belong to an Environment in a Workspace.
  Access levels: None / Read / Write / Execute / Admin
Groups
  Users can belong to one or more groups within a OneCloud client Org. Groups are additive, with finer control defined by the order of the groups: access is granted by one group and then qualified by each subsequent group that the user belongs to.
Administrators
  Administrators have full access to an entire OneCloud client Org.
In the above table, Read access or greater provides the ability to see OneCloud audit history.
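The group model in the access table above, worked through as an added example (not OneCloud's code): groups are walked in order so a later group re-qualifies an earlier grant, Org Administrators bypass the group model, Read or greater unlocks audit history, and promotion between environments requires Workspace Admin. The object id scheme ("workspace:...", "env:...", "chain:..."), the assumption that levels are ordered as listed, and the sample groups are all constructed here.

```python
# Effective-permission resolution for the group model in the access table.
# Added example, not OneCloud's code. Assumptions: a user's groups form an
# ordered list; each group maps an object id ("workspace:finance",
# "chain:finance/prod/close") to a level; a later group re-qualifies what an
# earlier group granted; levels are ordered as listed; Org Admins bypass groups.
from dataclasses import dataclass, field

LEVELS = {  # ordered access levels per object type, from the access table
    "workspace": ["None", "Read", "Write", "Admin"],
    "env": ["None", "Read", "Write", "Admin"],
    "chain": ["None", "Read", "Write", "Execute", "Admin"],
}

@dataclass
class Group:
    name: str
    grants: dict            # object id -> level

@dataclass
class User:
    email: str              # the email address is the OneCloud user name
    is_org_admin: bool = False
    groups: list = field(default_factory=list)   # ordered: later qualifies earlier

def effective_level(user, obj_id):
    kind = obj_id.split(":", 1)[0]
    if user.is_org_admin:               # Administrators have full access to the Org
        return "Admin"
    level = "None"
    for g in user.groups:               # walk groups in order; the last grant wins
        level = g.grants.get(obj_id, level)
    if level not in LEVELS[kind]:
        raise ValueError(f"{level!r} is not a valid level for {kind}")
    return level

def has_at_least(user, obj_id, needed):
    ladder = LEVELS[obj_id.split(":", 1)[0]]
    return ladder.index(effective_level(user, obj_id)) >= ladder.index(needed)

def can_view_audit_history(user, obj_id):
    return has_at_least(user, obj_id, "Read")         # Read or greater sees audit history
def can_execute_chain(user, chain_id):
    return has_at_least(user, chain_id, "Execute")
def can_promote_chain(user, workspace_id):
    return has_at_least(user, workspace_id, "Admin")  # promotion needs Workspace Admin

def demo():
    # Constructed sample: a broad team group, then a later group that narrows
    # the production close chain back to read-only.
    team = Group("finance-team", {
        "workspace:finance": "Read",
        "chain:finance/prod/close": "Execute",
    })
    narrow = Group("prod-readonly", {"chain:finance/prod/close": "Read"})
    analyst = User("analyst@example.com", groups=[team, narrow])
    admin = User("admin@example.com", is_org_admin=True)
    return {
        "analyst_close": effective_level(analyst, "chain:finance/prod/close"),
        "analyst_exec": can_execute_chain(analyst, "chain:finance/prod/close"),
        "analyst_audit": can_view_audit_history(analyst, "chain:finance/prod/close"),
        "analyst_promote": can_promote_chain(analyst, "workspace:finance"),
        "admin_promote": can_promote_chain(admin, "workspace:finance"),
    }
```

Reversing the order of the analyst's two groups yields Execute instead of Read, which is the reason group ordering needs to be reviewed as part of the security profile.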
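The agent-to-agent file exchange described under Data Transmission Security pairs TLS 1.2 with a JSON Web Token. The following added example (not OneCloud's code) shows the checks a receiving agent should make before it serves a file: algorithm pinned to HS256, constant-time signature comparison, audience and expiry validated, the requested file matched against the token, and path traversal refused. The HS256 signing, the claim names "aud", "exp" and "file", the shared secret and the export directory are all assumptions; the page does not document the real token format, and TLS is out of scope here.

```python
# Receiving-agent token check for a JWT-protected file download.
# Added example, not OneCloud's code. Assumptions (constructed): HS256 tokens,
# a shared secret per agent pair, and "aud" / "exp" / "file" claims.
import base64, hashlib, hmac, json, time
from pathlib import PurePosixPath

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_token(claims, secret):
    """Issue a compact HS256 JWT (issuer side of the exchange)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, secret, expected_aud, now=None):
    """Return the claims if alg, signature, audience and expiry all pass, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:                      # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":        # refuse "none" and algorithm confusion
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    exp = claims.get("exp")
    if claims.get("aud") != expected_aud or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def authorize_download(token, secret, agent_id, requested,
                       export_root="/var/onecloud/outputs", now=None):
    """Return the path to serve, or None. Only the file named in the token,
    and only inside export_root (constructed directory), is ever served."""
    claims = verify_token(token, secret, agent_id, now)
    if claims is None or claims.get("file") != requested:
        return None
    if requested.startswith("/") or ".." in PurePosixPath(requested).parts:
        return None                         # traversal or absolute path
    return str(PurePosixPath(export_root) / requested)
```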
Managing Data and Metadata
Data masking can optionally be enabled at the organization level or on an individual command basis. Data masking provides an extra layer of security in the event that a command produces output that should not be logged or human-readable.
Any file resource, output or workflow attachment leverages Amazon EBS encryption controlled by the AWS Key Management Service (KMS). All resources are encrypted with AES-256, which uses a 256-bit key to encrypt and decrypt all data and files.
The OneCloud cloud service stores only metadata, encrypted with AES-256. For clarity, metadata is data that describes and gives information about other data. The metadata that the OneCloud cloud service stores is broken out as follows:
Design metadata such as configuration of Workspaces, Chains and Tasks.
Security metadata such as user access and roles.
Audit metadata such as change history for any component including Workspaces, Chains, File Resources, Schedules and Security.
Runtime metadata such as Chain and Task run history as well as any logs produced by the Server, CloudRunners, and/or GroundRunners.
Any data transmissions that are performed by OneCloud are performed by CloudRunners and/or GroundRunners. These components interface directly with the cloud applications such as Anaplan, Salesforce, IBM Planning Analytics, Oracle EPM Cloud, Tableau etc. and on-premise applications such as Oracle Hyperion or SQL Server via the native client application interface or API.
Depending on how a OneCloud Chain is designed, a particular task might produce an ephemeral staging flat file known as an "Output". If the output is generated by a CloudRunner, the staging output is stored with AES-256 encryption on an AWS EBS volume. If the output is generated by a GroundRunner, the staging output is stored ephemerally on the file system of the GroundRunner host, whose configuration determines the encryption level.
Lastly, it should be noted that OneCloud workflow attachments are ephemeral and disappear after the workflow has completed. If a file associated with a workflow is to be preserved, it should be saved to a cloud drive such as Google Drive or Box, or to an on-premise file system.
Command
  Commands are the building blocks of OneCloud automation workflows (chains). A command is a single task that is pre-configured to perform an operation on a system. When building a command, the user links it with a connection in order to choose where the command is executed.
Chain
  A linear sequence of commands that represents an automation workflow. Chains can be scheduled, run manually, or even triggered externally via the OneCloud API. Each chain allows a user to build commands based on conditional logic. Commands can also be grouped within a chain and executed either serially or in parallel.
Connection
  A connection consists of a resource (i.e. a server) that is pre-configured to run a certain type of command and the credentials associated with connecting to a particular application (i.e. login information for a SaaS platform). Connections can be configured to use either a Linux or Windows environment. Commands are aware of which connections they need in order to run (for example, a command that can run only in a Windows environment), and cannot be created until an appropriate connection is configured. Connections can be enabled and disabled for certain OneCloud Workspaces and Environments.
Environment
  Environments are used to manage the life-cycle of your chains. Chains can be moved between environments, and variables can be set per environment. The most common example is using a development environment to test your chain and, when you are happy with the results, promoting the chain into a production environment.
Resource
  Resources are files that are managed within the OneCloud platform. They can be attached to commands as inputs, and even support variable replacement for extensibility and re-usability throughout a user's workflows.
GroundRunner / CloudRunner
  GroundRunners and CloudRunners are the agents that carry out commands and send the results to the OneCloud service. CloudRunners are managed by OneCloud, whereas GroundRunners operate on-premise within a corporate firewall.
Variable
  In the context of OneCloud, variables are inputs that can be set at design time and at runtime. Variables defined on a workspace can be used across chains that belong to that workspace, and variables defined in a chain can be used locally by the chain's commands. In addition, commands can use a variety of system-level variables (for example, current time) and metadata variables (chain name, environment, etc.).
Output
  Outputs are artifacts from previous Commands and can have the following types: Strings, Integers, Lists, Dates, JSON, Maps, File. They appear as variables in subsequent commands in a chain.
Workspace
  A grouping of related workflows that encapsulates multiple environments. In addition, workspaces can store variables that can be used within chains and commands.
The OneCloud service and OneCloud CloudRunners are 100% hosted on Amazon Web Services (AWS). The relationship between OneCloud and Amazon is often referred to as a Shared Responsibility Model, whereby AWS is responsible for protecting the global infrastructure for services that run in the cloud, and OneCloud retains control of the security that protects the content of platform applications, systems, and networks.
In more granular detail, this means that AWS is responsible for the security of the cloud, as AWS operates, manages and controls the components from the host operating system and virtualization layers down to the physical security of the facilities in which the services operate. Moreover, AWS provides multiple data protection services such as encryption, security groups and multi-factor authentication capabilities.
Accordingly, OneCloud is responsible for security in the cloud as it makes use of the AWS services described above. In this regard, OneCloud assumes responsibility for and management of the guest operating system, including updates and security patches, other associated application software, and the AWS firewall. OneCloud is also responsible for deploying, configuring and maintaining security baselines within the available services through the proper use of encryption, security group access assignments and permissions.
As an attestation of the above, OneCloud is SOC 1/SOC 2 Type II compliant, and audit reports are available upon request under NDA. The most recent audit was performed by the firm KirkpatrickPrice (https://kirkpatrickprice.com/) in November 2018. In addition, OneCloud is GDPR compliant and has obtained the EU-US Privacy Shield Certification.
To learn more about OneCloud security, please contact firstname.lastname@example.org and a summary SOC3 report of OneCloud's SOC status is available at: https://onecloud.io/security. To learn more about AWS security, please visit: https://aws.amazon.com/security.
Publish Date: 02.01.2019
Rev no: 02
All rights reserved, including intellectual property rights. Changes to technical data reserved. Delivery subject to availability. Any liability that the data and illustrations are complete, actual or correct is excluded. Designations may be trademarks and/or copyrights of the respective company, the use of which by third parties for their own purposes may infringe on the rights of such owner. For further information see http://www.onecloud.io
©2019 OneCloud, Inc.