Deployment options
The Data Productivity Cloud provides users with flexible deployment options tailored to their specific requirements, which can be understood broadly as two models: Full SaaS and Hybrid SaaS. Each deployment model offers distinct features and benefits, allowing organizations to choose the option that best aligns with their needs and infrastructure preferences. Each deployment model also comes with its own security considerations.
Full SaaS deployment
In Full SaaS, Matillion manages the entire infrastructure, including agent deployment and security measures. Users benefit from a hassle-free experience, as Matillion ensures seamless updates and robust security protocols. The Matillion-hosted agent serves as the backbone, handling execution tasks and securely accessing customer secrets stored in the Matillion Hosted Vault.
The architecture for this deployment model can be seen below.
Security considerations
Authentication mechanisms
It's crucial to ensure strong authentication mechanisms between Matillion containers (where Matillion software components run) and hosted agents. Matillion employs secure authentication protocols to prevent unauthorized access, ensuring robust security for data and system integrity.
Role-Based Access Control (RBAC)
Matillion agents can be optionally granted limited access to a user's Cloud account by supplying Matillion with IAM (Identity and Access Management) credentials. When implementing RBAC, it's essential to follow the principle of least privilege, assigning roles and permissions judiciously to restrict access only to necessary resources and functionalities.
Hybrid SaaS deployment
Hybrid SaaS empowers users to deploy and manage their own execution agents within their private cloud infrastructure. This option grants users full control over security measures, network isolation, and access controls. Users can implement stringent security measures, including network segmentation and access restrictions, to safeguard their data effectively.
Security considerations
Network isolation
Implement strict network isolation for customer-hosted agents to minimize exposure. Consider deploying these agents within a dedicated network segment or virtual private cloud (VPC) for use only with the Data Productivity Cloud. Agents require network access to all resources you intend to utilize, alongside outbound internet connectivity to Matillion's control plane.
Access controls
Utilize robust access controls at the network and system levels to restrict unauthorized access to customer-hosted agents. Ensure that only trusted users and systems have the necessary permissions. Employ the least privilege model to restrict access to only essential resources and functionalities.
Secure communication
Establish secure communication channels between Matillion instances and customer-hosted agents. Employ encrypted protocols, such as TLS (TLSv1.2 or higher), and encrypted websocket connections to ensure data security during transmission.
Regular updates
Agents will automatically receive security updates from Matillion on a regular basis – do not block this automatic update mechanism. f you need to disable automatic updates, make sure to keep up to date with the latest version manually. Additionally, keep access keys/secrets secure, including periodic rotation if required, to maintain robust security practices.