Data Flow on Virtual Appliance

Protecting Data with Modern Security Practices

GRAX allows organizations to take complete ownership and control of their Salesforce data by capturing and storing it in environments that they own and operate. This creates the most effective way to meet the most stringent of regulatory requirements by capturing and preserving 100% of their data’s Digital Chain of Custody.

This document is intended to answer questions regarding GRAX application security. This document also explains access control and encryption across web services that are sending data to and from the GRAX application. Note that this document is provided for informational purposes only. It represents GRAX’s current product offering and practices as of the date of issue of this document (November 1, 2021).

1. Environments Overview

GRAX installs into two distinct, customer-owned environments. An instance of the GRAX application is deployed for each customer in a segregated and secured private network that has its own private processing instance, database, search index, and a private connection to the at-rest object data store provided by the customer.

The diagram below illustrates a high-level description of data flow between various services used by GRAX. Arrows pointing in only one direction represent a one-way data flow. Arrows pointing in both directions denote data flowing bi-directionally between the two services. The rest of this document will describe the various security measures used to protect data both in-transit and at-rest.

[Figure: high-level GRAX data flow diagram between Salesforce, the GRAX application in AWS, and the customer's storage services]

2. Salesforce Application Environment

GRAX is compatible with Salesforce Sales & Service Cloud environments, and supports the storage of custom objects from 3rd party data sources such as Marketing Cloud (via Sales Cloud) and other applicable sources. GRAX absorbs the security configuration set in each Salesforce instance, including those utilizing Salesforce Shield.

2.1 GRAX Managed Package

The GRAX Managed package installs into each Salesforce application instance (Salesforce Environment) and pushes data to the GRAX Runtime application and storage environment. The GRAX Managed Package:

  • Communicates directly with the GRAX application in AWS via a RESTful API
  • Encrypts and transmits data in both directions with the GRAX application in AWS using SSL/TLS 1.2
  • Uses Salesforce’s identity and access management infrastructure through Salesforce users, profiles, and permission sets
  • Compatible with Salesforce Shield

All interactions with the GRAX AWS application are protected with these additional layers of security (beyond encryption):

  • JSON Web Tokens (JWTs) (section 2.3)
  • Tokenized headers (section 2.4)

2.2 Recommended Security Configurations

  • Configure IP restrictions/login IP addresses for the GRAX Service user (define restricted IPs in Salesforce for regional IP address ranges that transmit from AWS servers)
  • Limit Salesforce user access and access to the dedicated AWS application’s account
  • Disable and re-enable GRAX Login Access for support in Salesforce only as needed

2.3 JSON Web Tokens

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are used to authorize gateway access. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

2.4 Token-Based Authentication

Token-based authentication works by ensuring that each request to a server is accompanied by a signed token, which the server verifies for authenticity, only responding to verified requests. The use of tokens has many benefits compared to traditional methods such as cookies:

  • Tokens are stateless - the token is self-contained and contains all the information it needs for authentication
  • Tokens can be generated from anywhere - token generation is decoupled from token verification allowing for the option to handle the signing of tokens on a separate server
  • Fine-grained access control - within the token payload GRAX specifies user roles and permissions as well as resources that the user can access

3. GRAX Application Environment

GRAX installs as a series of AWS CloudFormation Stacks in a customer’s AWS Account, together representing a conventional “application”. The GRAX application serves as the primary data orchestration engine that transmits data from a customer’s GRAX Salesforce Managed Package to the customer-owned GRAX Data Storage Environment. The GRAX Application is/has:

  • Deployed in the customer’s AWS Account
  • Data encrypted in transit using SSL/TLS1.2
  • Salesforce to AWS communication secured by HTTPS
  • Granular access controls (powered by AWS-Salesforce)
  • Private VPCE (AWS VPC to S3)
  • Runtime application supports trusted IP restrictions
  • Mutual Certificate Authentication (SF<->GRAX)
  • Private EC2 Instances
  • Ephemeral Storage
  • Full application and access audit logging

The GRAX Application is deployed behind an AWS WAF, restricting network traffic to SFDC IPs only on specific endpoints. We use native controls provided by the AWS Application Load Balancer to restrict traffic to Port 443 only and rely on the security inherent in the VPC that all the data assets are deployed into; these are deployed without any exposure to connections from outside the network.

The application that receives requests from Salesforce is protected at the network layer by the rules in the route tables and load balancer that prohibit any non-HTTPS traffic. The application server is configured to serve only HTTPS on known endpoints, and it handles authentication and authorization of requests using industry standard protocols.

GRAX application logging is aggregated by the AWS CloudWatch service. No Salesforce field data or sensitive information is ever stored in logs.

3.1 SSL Encryption

SSL is a cryptographic protocol that provides end-to-end encryption and integrity for all web requests. Apps that transmit sensitive data should enable SSL to ensure all information is transmitted securely. This service uses Server Name Indication (SNI), an extension of the TLS protocol, which allows for AWS to terminate SSL on its router. Details on AWS SSL encryption can be found here.

3.2 AWS Elasticsearch / OpenSearch

In order to provide the fastest and most usable experience for end users of GRAX we index data that has been backed up using an AWS Elasticsearch domain. This is the basis of rapid data-retrievability in GRAX Search. AWS Elasticsearch is a managed service that GRAX uses to deploy, operate, and scale Elasticsearch clusters. AWS integrates Elasticsearch functionality into your GRAX application, without having to set up or manage servers. Here are some highlights about AWS ES:

  • Hosted entirely on Amazon AWS platform
  • Resides within AWS VPC
  • Supports separate logical cluster per customer/company
  • Data in transit encrypted using SSL/TLS1.2

The data that is stored in the AWS Elasticsearch Domain does have the potential to contain sensitive data that might reside in your Salesforce instance; which data is indexed is controlled by the backup and archive policies that you configure in the GRAX application.

An AWS ES cluster is assigned a unique, randomized subdomain known only to the customer, supporting HTTPS by default and providing encryption of all traffic in transit via recent TLS encryption algorithms. GRAX also utilizes AWS KMS for Elasticsearch, meaning all data is encrypted at rest. This feature encrypts the following:

  • Indices
  • Elasticsearch logs
  • Swap files
  • All other data in the application directory
  • Automated snapshots

The encryption feature relies on the AWS Key Management Service to store and manage your encryption keys using an AES-256 algorithm to perform the encryption.

The AWS Elasticsearch Domain (analogous to a cluster) is provisioned and managed by the AWS Elasticsearch service inside a VPC that is created specifically for the customer runtime instance. We utilize IAM access control policies to restrict the user access to this data service to the GRAX “instance role” only. This service is not accessible by any other user, including GRAX Support.

On top of this network level isolation and the user controls, the service is also configured with a Domain Access Policy that is specific to this individual deployment as well. This resource based access policy allows or denies access to a given URI request.

3.2.1 Data Profile

GRAX stores the most recent copy of every Salesforce record in Elasticsearch, meaning this service may contain PII or other privileged information.

3.2.2 Access Controls

All AWS Elasticsearch clusters are provisioned with a unique, randomized URL and have HTTP Basic Authentication enabled by default, using a randomly generated set of credentials. Under this scheme, it would take the world’s fastest supercomputer around 23.5 quadrillion years to guess them.

3.2.3 Encrypted Communications

All AWS Elasticsearch clusters support SSL/TLS for encryption in transit. We use industry standard strength encryption to ensure your data is safe over the wire. We also take full advantage of node-to-node encryption, meaning data and requests are encrypted even when moving between nodes in the same cluster.

3.2.4 Encrypted At Rest

AWS Elasticsearch clusters are provisioned on hardware that is encrypted at rest by default. In addition to Amazon’s physical security controls, this means your data is safe from physical theft.

3.2.5 Network Isolation

All Elasticsearch clusters are only accessible from inside the deployed AWS VPC, wherein the only consumer is the GRAX EC2 instance. By default, protecting the VPC is a custom-built, high-performance layer 7 routing proxy and a tightly controlled AWS firewall.

3.3 Amazon Simple Storage Service (S3)

GRAX connects Amazon Simple Storage Service (S3) to GRAX applications using an IAM role and policy. No access, unless granted elsewhere by an AWS admin on your team, is allowed to the S3 bucket. By default, only bucket and object owners have access to the Amazon S3 resources they create. S3 supports multiple access control mechanisms, as well as encryption for both secure transit and secure storage at rest. In addition, GRAX ensures that your enterprise is built with a dedicated S3 space. S3 security and access management implementation details can be found here.

3.3.1 Data Profile

GRAX stores every historical version of every backed-up Salesforce record in S3, meaning this service likely will contain PII or other privileged information.

3.3.2 Access Controls

The Identity and Access Management (IAM) services offered by AWS help define what a user or other entity is allowed to do in an account. This process is often referred to as authorization. Permissions are categorized as permissions policies and permissions boundaries. Most permission policies are JSON policy documents in AWS that, when attached to an identity or resource, define their permissions. A permissions boundary is an advanced feature that allows you to use policies to limit the maximum permissions that a principal can have. These boundaries can be applied to AWS organizations or to IAM users or roles. For more information about policy types and uses, see GRAX’s Virtual Appliance Console Setup documentation here.

3.3.3 Private Communications

GRAX uses private routing via Amazon's Virtual Private Cloud (VPC) Endpoint service to route information between S3 and the VPC. Details on Amazon VPCE management here.

3.3.4 Encrypted At Rest

Organizational policies, or industry or government regulations, often require the use of encryption at rest to protect their data. GRAX supports encryption of data at rest using aws:kms or AES256. Details can be found here.
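To make the access-control and encryption-at-rest controls of sections 3.3.2 and 3.3.4 concrete, here is an added example (written for this page; not GRAX's CloudFormation or AWS's policy engine) of a constructed S3 bucket policy that scopes access to the application's instance role and explicitly denies any object write that does not request server-side encryption with aws:kms or AES256, together with a small evaluator that applies the IAM decision rule (an explicit Deny always wins, then a matching Allow, otherwise implicit Deny). The role ARN, account id and bucket name are placeholders, and the evaluator supports only the operators this policy needs; the same resource-policy model is what the OpenSearch domain access policy in section 3.2 uses.

```python
"""Simplified IAM/S3 resource-policy evaluation over a constructed bucket policy.

Added example. ARNs, account id and bucket name are placeholders, and the
evaluator models only the subset of IAM semantics this policy exercises.
"""
import fnmatch
from typing import Optional

INSTANCE_ROLE = "arn:aws:iam::123456789012:role/grax-instance-role"  # placeholder
BUCKET = "arn:aws:s3:::example-grax-backups"                          # placeholder

# Constructed bucket policy: the instance role may read, list and write;
# every PutObject that does not carry an approved SSE header is denied.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InstanceRoleReadWrite",
            "Effect": "Allow",
            "Principal": {"AWS": INSTANCE_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
        },
        {
            "Sid": "DenyUnencryptedWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET + "/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
                }
            },
        },
    ],
}


def _matches(pattern_or_list, value: str) -> bool:
    """IAM-style glob match ('*' wildcard) against one pattern or a list."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals blocks against request context."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                # A missing key is treated as "not equal", so a request that
                # omits the SSE header trips the deny (the conservative reading).
                if actual in allowed:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str,
             context: Optional[dict] = None) -> str:
    """Return 'Allow' or 'Deny': explicit Deny is final, else Allow if matched, else implicit Deny."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        spec = stmt["Principal"]
        principal_pat = spec if isinstance(spec, str) else spec["AWS"]
        if not (_matches(principal_pat, principal)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = BUCKET + "/backups/Account/001.json"  # constructed object key
    print("role GetObject:", evaluate(BUCKET_POLICY, INSTANCE_ROLE, "s3:GetObject", obj))
    print("role PutObject (kms):", evaluate(BUCKET_POLICY, INSTANCE_ROLE, "s3:PutObject", obj,
                                            {"s3:x-amz-server-side-encryption": "aws:kms"}))
    print("role PutObject (no SSE):", evaluate(BUCKET_POLICY, INSTANCE_ROLE, "s3:PutObject", obj))
    print("other user GetObject:", evaluate(BUCKET_POLICY, "arn:aws:iam::123456789012:user/other",
                                            "s3:GetObject", obj))
```

The Deny statement uses `Principal: "*"` deliberately: it applies even to principals that receive an Allow from an identity policy elsewhere in the account, which is what turns "encryption at rest" from a default into an enforced requirement for every writer of the bucket.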

3.3.5 GDPR

The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance. AWS environments make it possible to stay in compliance with GDPR requirements. Details can be found here.

4. Sentry Exception Collection

Sentry (sentry.io) is utilized by the GRAX application for collection, correlation, and analysis of exception-level events in the GRAX runtime. This information contains zero secret, protected, or identifiable information beyond instance hostname and application name. This data is commingled between customers and runtimes, and access to the analytics platform is tightly controlled by internal GRAX change-management processes.

5. GRAX Management Plane and Telemetry

The GRAX management platform (colloquially “GRAX HQ”) grants zero data-level access to customer data stores, and simply exposes AWS-level management information to GRAX Engineers.

The GRAX application sends telemetry data during normal operations. This data contains no secret, protected, or identifiable information. The data collected and stored within the management plane is limited to SFDC object names, backed up record counts, backup frequency, and error states. Very little value other than performance of the GRAX application and potentially installed SFDC packages can be discerned from this information. This telemetry data is commingled with telemetry data from other customers and other runtimes, and access to the datastore is tightly controlled by internal GRAX change-management processes.

Want to learn more?

For more information, check out our Security & Compliance Overview here. To arrange for a discussion with the GRAX security team, contact your GRAX Account Executive or GRAX Sales ([email protected]).