
Security & Compliance

This guide provides a comprehensive overview of security and compliance considerations when implementing Qpoint across different stages of adoption. From initial testing to production deployment, we'll cover best practices for securing your environment, protecting sensitive data, and maintaining compliance with regulatory requirements.

Security Architecture Overview

Qpoint's architecture is designed with security at its core, following several fundamental principles:

  1. Data Sovereignty: Sensitive payload data never leaves your environment

  2. Local Processing: Traffic analysis happens where connections originate

  3. Separation of Concerns: Clear distinction between metadata and payload content

  4. Minimal Privilege: Components operate with only the permissions they require

  5. Defense in Depth: Multiple security controls at different layers

The key components of Qpoint's security architecture include:

  • Qtap Agent: Runs with elevated privileges on hosts to capture traffic, but is isolated and follows least privilege principles

  • Control Plane (optional): Handles configuration management with strict authentication and authorization

  • Event Storage: Contains anonymized metadata (not sensitive payload content)

  • Object Storage: Customer-controlled storage for sensitive payload data, which never leaves your environment

This architecture ensures that sensitive data remains under your control at all times, while still providing the visibility and analytics capabilities that make Qpoint valuable.

Implementation Journey

Phase 1: Initial Testing

Security Goals:

  • Validate core functionality in a controlled environment

  • Understand security implications without exposing production data

  • Establish baseline security configurations

Recommended Approach:

  1. Deploy in an Isolated Environment

    • Use a dedicated test/development environment

    • Implement network isolation to prevent unintended data exposure

    • Use ephemeral test resources that can be easily decommissioned

  2. Start with Local-Only Configuration

    • Deploy with stdout event and object stores for initial testing

    • Sample configuration:

    version: 2
    services:
      event_stores:
        - id: console_stdout
          type: stdout
      object_stores:
        - id: console_stdout
          type: stdout
    stacks:
      default_stack:
        plugins:
          - type: debug
            config:
              mode: summary
    tap:
      direction: egress
      ignore_loopback: false
      http:
        stack: default_stack

  3. Security Review and Assessment

    • Document required privileges and how they're used

    • Review container security and kernel module interactions

Phase 2: Proof of Concept

Security Goals:

  • Implement secure object storage for sensitive payload data

  • Test integration with existing security controls

  • Validate compliance with internal security policies

Recommended Approach:

  1. Set Up Secure Object Storage

    • Deploy a private MinIO instance or configure an existing S3-compatible storage solution

    • Implement proper authentication and authorization

    • Enable encryption at rest and in transit

    • Sample configuration:

    object_stores:
      - id: secure_storage
        type: s3
        endpoint: minio.internal-domain.com:9000
        bucket: qpoint-sensitive-data
        region: us-east-1
        access_url: https://minio.internal-domain.com:9000/{{BUCKET}}/{{DIGEST}}
        insecure: false # Ensure TLS is enforced
        access_key:
          type: env
          value: S3_ACCESS_KEY
        secret_key:
          type: env
          value: S3_SECRET_KEY

  2. Implement Access Controls

    • Create dedicated service accounts with minimal permissions

    • Configure bucket policies to restrict access to authorized users and services only

    • Implement IAM roles for Kubernetes-based deployments

    • Set up object lifecycle policies for automatic data retention management

  3. Transitioning to Cloud-Connected Mode (Optional)

    • Evaluate the security implications of connecting to Qpoint's cloud control plane

    • Implement network security controls (firewalls, proxies) to restrict outbound connections

    • Configure authentication using dedicated tokens stored in secrets management

    • Remember: Even in cloud-connected mode, sensitive payloads remain in your environment

  4. Document Security Posture

    • Create a security architecture diagram showing data flows and security controls

    • Document all security configurations and their rationales

    • Perform a threat modeling exercise to identify and address potential risks

Phase 3: Production Implementation

Security Goals:

  • Implement enterprise-grade security controls

  • Ensure compliance with regulatory requirements

  • Establish monitoring and incident response procedures

Recommended Approach:

  1. Enterprise-Grade Object Storage

    • Migrate to a production-ready storage solution (AWS S3, Google Cloud Storage, etc.)

    • Implement strict access controls with regular key rotation

    • Enable comprehensive audit logging

    • Configure fine-grained bucket policies

    For AWS S3:

    object_stores:
      - id: production_s3
        type: s3
        endpoint: s3.amazonaws.com
        bucket: organization-qpoint-payloads
        region: us-east-1
        access_url: https://s3.amazonaws.com/{{BUCKET}}/{{DIGEST}}
        insecure: false
        access_key:
          type: env
          value: AWS_ACCESS_KEY_ID
        secret_key:
          type: env
          value: AWS_SECRET_ACCESS_KEY

  2. Secure Kubernetes Deployment

    • Use Kubernetes secrets for storing sensitive configuration

    • Implement network policies to restrict pod communication

    • Configure resource limits and quotas

    • Implement pod security policies

    # Example for configuring S3 credentials as Kubernetes secrets
    kubectl create secret generic s3-credentials \
      --from-literal=access-key='YOUR_ACCESS_KEY' \
      --from-literal=secret-key='YOUR_SECRET_KEY' \
      -n qpoint

  3. Integration with Enterprise Security Systems

    • Connect to SIEM systems for centralized security monitoring

    • Implement alerts for potential security anomalies

    • Integrate with identity management systems

  4. Compliance Documentation

    • Create documentation demonstrating compliance with relevant regulations

    • Implement regular compliance audits

    • Ensure data retention policies align with regulatory requirements

Data Protection Strategies

Object Storage Security

Payload data captured by Qtap is sent directly to your object storage. It may contain sensitive information, including:

  • Authentication tokens and credentials

  • Personally identifiable information (PII)

  • Financial or healthcare data

  • Proprietary business information

To protect this data:

  1. Encryption

    • Enable server-side encryption for all stored objects

    • Use strong encryption algorithms (AES-256)

    • Manage encryption keys securely, preferably using a KMS

  2. Access Control

    • Implement least privilege access policies

    • Use IAM roles or service accounts rather than long-lived access keys

    • Enable MFA for human access to stored data

    • Regularly audit access patterns and permissions

  3. Network Security

    • Restrict network access to storage endpoints

    • Use VPC endpoints or private connections where possible

    • Implement IP-based restrictions

  4. Data Lifecycle Management

    • Define retention periods based on compliance requirements

    • Implement automated expiration policies

    • Consider implementing object versioning for audit purposes

Event Data Security

While event data is anonymized and doesn't contain sensitive payload content, it still requires protection:

  1. Data Minimization

    • Configure Qpoint to capture only necessary metadata

    • Avoid including sensitive information in URLs or paths

  2. Secure Transmission

    • Ensure TLS encryption for all connections to Pulse

    • Verify certificate validity and implement certificate pinning

  3. Anonymization Verification

    • Periodically review event data to ensure no sensitive information is being included

    • Implement data scrubbing for any potentially sensitive fields

Access Control

Implement comprehensive access controls across all Qpoint components:

  1. Control Plane Access

    • Implement RBAC with clearly defined roles

    • Use SSO integration where available

    • Regularly audit user access and remove unnecessary privileges

    • Implement session timeouts and automatic logouts

  2. Agent Deployment Security

    • Secure registration tokens using secrets management

    • Rotate tokens regularly

    • Use separate tokens for different environments

  3. Object Storage Access

    • Restrict read access to only those who require it

    • Create separate credentials for different environments

    • Implement IP-based restrictions where possible

Compliance Frameworks

GDPR Considerations

For organizations processing EU citizen data:

  1. Data Sovereignty

    • Ensure object storage is located in appropriate regions

    • Document data flows and processing activities

    • Consider impact of cross-border data transfers

  2. Data Subject Rights

    • Implement processes to identify and retrieve specific user data

    • Ensure ability to delete specific data when required

    • Consider data minimization in capture configuration

  3. Implementation Recommendations

    • Configure specific retention periods

    • Implement comprehensive audit logging

    • Document legal basis for processing

HIPAA Considerations

For healthcare organizations:

  1. Protected Health Information (PHI)

    • Ensure PHI in payloads remains within compliant storage

    • Implement BAAs with storage providers

    • Configure appropriate access controls and encryption

  2. Audit Requirements

    • Implement comprehensive access logging

    • Establish regular review procedures

    • Document all security measures

  3. Implementation Recommendations

    • Use HIPAA-compliant storage solutions (e.g., AWS S3 with appropriate configurations)

    • Implement automatic encryption for all data

    • Configure strict access controls with MFA

PCI DSS Considerations

For organizations processing payment card data:

  1. Cardholder Data Environment

    • Define CDE boundaries and how Qpoint interacts with them

    • Ensure payment card data is properly secured

    • Consider implementing additional data masking

  2. Network Segmentation

    • Implement strict network controls

    • Consider deploying Qpoint agents with different configurations in and out of CDE

  3. Implementation Recommendations

    • Configure payload filtering to avoid capturing full card data

    • Implement strict retention policies

    • Ensure comprehensive audit logging

SOC 2 Considerations

For organizations concerned with service provider security:

  1. Security Controls Documentation

    • Document all security measures implemented

    • Establish regular review procedures

    • Implement change management processes

  2. Monitoring and Alerting

    • Configure alerts for security anomalies

    • Implement comprehensive logging

    • Establish incident response procedures

  3. Implementation Recommendations

    • Implement comprehensive monitoring

    • Document all access controls

    • Establish clear security policies and procedures

Sample Configurations

Secure AWS S3 Configuration

object_stores:
  - id: secure_s3
    type: s3
    endpoint: s3.amazonaws.com
    bucket: organization-secure-qpoint
    region: us-east-1
    access_url: https://s3.amazonaws.com/{{BUCKET}}/{{DIGEST}}
    insecure: false
    access_key:
      type: env
      value: AWS_ACCESS_KEY_ID
    secret_key:
      type: env
      value: AWS_SECRET_ACCESS_KEY

Secure Google Cloud Storage Configuration

object_stores:
  - id: secure_gcs
    type: s3
    endpoint: storage.googleapis.com
    bucket: organization-secure-qpoint
    region: us-central1
    access_url: https://storage.cloud.google.com/{{BUCKET}}/{{DIGEST}}
    insecure: false
    access_key:
      type: env
      value: GCS_ACCESS_KEY
    secret_key:
      type: env
      value: GCS_SECRET_KEY

Secure MinIO Configuration

object_stores:
  - id: secure_minio
    type: s3
    endpoint: minio.internal-domain.com:9000
    bucket: qpoint-secure
    region: us-east-1
    access_url: https://minio.internal-domain.com:9000/{{BUCKET}}/{{DIGEST}}
    insecure: false
    access_key:
      type: env
      value: MINIO_ACCESS_KEY
    secret_key:
      type: env
      value: MINIO_SECRET_KEY
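As an added check (example code, not part of Qpoint or Qtap): a small Python audit of the services.object_stores section against the points this guide makes for the Phase 2 and Phase 3 stores and the sample configurations above (TLS enforced, an https access_url, credentials read from the environment, no stdout object store outside Phase 1 testing). It assumes the YAML has already been loaded into a dict as PyYAML would produce; the embedded config, the weak_minio store and its placeholder values are constructed for illustration.

```python
# Added example, not Qpoint's own tooling: audit Qtap object stores against
# this guide. Input is the parsed form of the YAML (as PyYAML would load it);
# the dict below is constructed from the page's configs plus one weak store.
SAMPLE_CONFIG = {
    "version": 2,
    "services": {
        "object_stores": [
            # Phase 1 stdout store: fine for testing, prints payloads in production
            {"id": "console_stdout", "type": "stdout"},
            # Hardened store, as in "Secure AWS S3 Configuration" above
            {
                "id": "secure_s3", "type": "s3", "endpoint": "s3.amazonaws.com",
                "bucket": "organization-secure-qpoint", "region": "us-east-1",
                "access_url": "https://s3.amazonaws.com/{{BUCKET}}/{{DIGEST}}",
                "insecure": False,
                "access_key": {"type": "env", "value": "AWS_ACCESS_KEY_ID"},
                "secret_key": {"type": "env", "value": "AWS_SECRET_ACCESS_KEY"},
            },
            # Constructed weak store: TLS disabled, http URL, key written into the file
            {
                "id": "weak_minio", "type": "s3",
                "endpoint": "minio.internal-domain.com:9000", "bucket": "qpoint-secure",
                "access_url": "http://minio.internal-domain.com:9000/{{BUCKET}}/{{DIGEST}}",
                "insecure": True,
                "access_key": {"value": "ACCESS-KEY-PLACEHOLDER"},  # not type: env
                "secret_key": {"type": "env", "value": "MINIO_SECRET_KEY"},
            },
        ]
    },
}


def audit_object_stores(config, production=True):
    """Return (store_id, finding) pairs for settings that conflict with this
    guide. An empty list means every store passed these checks."""
    findings = []
    for store in config.get("services", {}).get("object_stores", []):
        sid = store.get("id", "<unnamed>")
        if store.get("type") == "stdout":
            if production:  # payloads on the console are a Phase 1 convenience only
                findings.append((sid, "stdout object store is not for production"))
            continue
        if store.get("insecure", False):
            findings.append((sid, "insecure: true disables TLS enforcement"))
        if not str(store.get("access_url", "")).startswith("https://"):
            findings.append((sid, "access_url is not https"))
        for key in ("access_key", "secret_key"):
            if (store.get(key) or {}).get("type") != "env":
                findings.append((sid, f"{key} is not read from an environment variable"))
    return findings
```

Run it against a production config before rollout; the stdout check is skipped with production=False so the same audit can be used on Phase 1 test configs.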

By following this guide, you can implement Qpoint in a secure and compliant manner, ensuring that sensitive data remains protected while still gaining the valuable visibility that Qpoint provides.
