Architect Academy - IDMC Security Overview


Sep 2023

Intelligent Data Management Cloud (IDMC)

Architecture and Security Overview


Agenda

• Introductions
• IDMC Architecture
• Security Considerations
• Q&A

2 2 © Informatica. Proprietary and Confidential.


(Platform overview diagram; the labels recovered from it are listed here)

DATA CONSUMERS: ETL Developer, Data Engineer, Citizen Integrator, Data Scientist, Data Analyst, Business Users

Intelligent Data Management Cloud capability areas:
• DISCOVER & UNDERSTAND: Data Catalog
• ACCESS & INTEGRATE: Data Integration
• CONNECT & AUTOMATE: API & App Integration
• CLEANSE & TRUST: Data Quality
• MASTER & RELATE: MDM & 360 Applications
• GOVERN & PROTECT: Governance & Privacy
• SHARE & DEMOCRATIZE: Data Marketplace

Platform layers: 10K+ Metadata-Aware Connectors; AI-Powered Metadata Intelligence & Automation; Connectivity; Metadata System of Record

DATA SOURCES: SaaS Apps; On-premises Sources (Mainframe, Applications, Databases); Real-time / Streaming Sources (IoT, Machine Data, Logs)


50,000+ Metadata-aware Connections

(Diagram of connector logos; only the label "REST" survives the extraction)


Informatica PODs Globally

(World map of IDMC PODs; POD names and cloud regions as labelled on the map)
• UK1 (eu-west-2)
• CAC1 (ca-central-1)
• EMW1 (eu-west-1)
• EMC1 (germany-west-central)
• USW1-2 (us-west-1)
• USW1, USW3, USW5 (us-west-2)
• USE2, USE4, USE6 (us-east-1)
• USW1-1, USW3-1 (west-US-2)
• APNE2 (japan-east)
• APNE1 (japan-east)
• EMSE1 (uae-north)
• APSE2 (south-east-asia)
• APSE1 (ap-south-east-2)
• APAUC1 (australia-central)


Network Architecture

(Diagram; components as labelled)
• Customer VNET: Cloud Apps, Other SaaS Apps, ERP, Cloud CRM, Secure Agent Group, Pushdown / Compute Cluster (optional), Web Client (Design, Admin, Logic, User)
• Public IDMC: Services (Multi-tenant) behind a Firewall; AES Encryption (256 bit); Metadata exchanged over TLS 1.2
• On-Premises: Mainframe, Application Servers, Databases, Documents, Data Warehouse, Hadoop, Secure Agent Group (on-prem); Metadata over TLS 1.2
• Secure Agent to IDMC traffic: HTTPS: 443 (Outbound)


Best Practices, Principles & Certifications

IDMC Security and Defense in Depth
Shared Responsibility Cloud Security Model

The level of security provided for customers and their data is achieved not through a single control, but through multiple, overlapping layers. Informatica embeds security in every layer of the infrastructure stack and in every aspect of accessing and processing cloud integration data.


Informatica Software And Development Practices
Informatica SDLC Practices
Secure Software Development Lifecycle

• Security Architecture Design Reviews
• Secure Coding Procedures: documentation, testing, reviews and change controls to our software. Follow OWASP standards.
• Manual Code Reviews: functional and design reviews, manual code reviews by lead engineers/architects. Automated notifications at check-in.
• Vulnerability and License Compliance: static, dynamic and third-party library source code analysis; risk-based remediation.
• Manual Penetration Testing: trusted third parties every major product release, Informatica teams every minor release.
• Responsible Disclosure Program: discreet disclosure by security researchers and a Hall of Fame.


Certifications and Independent Verifications

Third-party attestations, memberships, and industry certifications relevant to the IDMC platform (shown as logos on the original slide).

Additionally, Informatica partners with 3rd party consulting and security expert firms to assess IDMC security, performing analysis, penetration and vulnerability tests…


Security Features
Encryption Overview

(Diagram; labels as recovered)
• Encryption in Transit, business data: the connector transport layer protocol
• Encryption in Transit, metadata: HTTPS + TLS 1.2 between the Secure Agent, Cloud Apps and IDMC Services (behind the Firewall)
• Encryption at Rest: AES encryption (256 bit)
• Secure Agent: HTTPS: 443 (Outbound); no inbound Firewall ports


Encryption Protocols
• Secure Agent authenticates with the IDMC host first using an SSL handshake and a digital certificate (Informatica managed)
• All communication from the Secure Agent to the IDMC host is TLS 1.2 encrypted using the AES256-SHA (256 bit) cipher
• Encryption in Transit is unique per Secure Agent and each IDMC Service
• When connecting to sources/targets via connectors, Informatica leverages the underlying transport layer of these connector communication protocols. Customer data is transmitted encrypted via Transport Layer Security (TLS) using an AES (256 bit) cipher
• No inbound firewall ports needed
  - The Secure Agent creates a virtual socket connection to communicate with IDMC through port 443 for all outbound communication


Key Management Options
IDMC uses Organization-level AES-256 symmetric encryption keys (Tenant Keys) to encrypt all metadata and data at rest and in transit. These keys can be managed in two mutually exclusive ways:

• Informatica Managed (INFA POD KMS, depends on cloud provider): the keys are generated and stored in the IDMC POD key management service (KMS). To prevent malicious access, the keys are encrypted using a master key that is stored in the INFA POD cloud provider's KMS.

• Customer Managed Key (CYOK) (INFA POD KMS plus a Customer KMS in your cloud provider of choice): the customer creates its keys, and they are never exposed to Informatica regardless of their use in the cloud. The customer controls the full key lifecycle and can instantly revoke keys at any time. INFA POD and customer KMS need to be implemented in the same cloud provider.


Key Management: Informatica Managed Keys
• Key isolation: IDMC generates a dedicated set of keys per tenant (ORG)
• Key rotation: these tenant keys are rotated once a year in conformance with NIST 800-57 Part 1 Rev 5 guidelines
• Key rotation interval: additionally, IDMC provides a feature in which the customer can manage the current keys via API
  - CUSTOMER can initiate and adjust the rotation intervals

(Diagram labels: Dedicated Customer Key per Org; Key Rotation Policies; Customer Managed Rotation interval; IDMC Services; INFA POD KMS (depends on ecosystem); AES encryption (256 bit); Metadata (TLS 1.2); Secure Agent; HTTPS: 443 (Outbound))


Key Management: Customer Managed Keys (CYOK)
• Customer generates master keys in their own KMS service in their cloud provider
• Informatica utilizes this key to encrypt tenant specific data keys (whose encrypted version is stored in INFA KMS)
• IDMC periodically pings the customer KMS vault. If the key is revoked, suspended or deleted, operations will cease and no data could be read
• Key lifecycle ownership: customer controls their entire key lifecycle: generates keys in their KMS service, establishes rotation policies, etc…
• Ability to revoke keys: customer has the ability to revoke encryption keys in the event of a security event or incident (halting Informatica from access to their data stored on IDMC)
• Full control on data access: customer can control their encryption keys in the event an external party compels Informatica to surrender their data

(Diagram labels: Customer key lifecycle full control; Ability to revoke keys; No data surrendered to 3rd parties; IDMC Services; INFA POD KMS (depends on ecosystem); Customer KMS (your cloud provider of choice); AES encryption (256 bit); Metadata (TLS 1.2); Secure Agent; Firewall; HTTPS: 443 (Outbound). Notice this does not apply to MDM data (which continues to use Informatica Managed Keys))
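The three key-management slides above (Key Management Options, Informatica Managed Keys and CYOK) describe one envelope-encryption structure: a per-tenant data key, wrapped by a master key that lives in a KMS, with the customer able to revoke that master key so that IDMC can no longer read anything. The Go program below is an added example written for this page, not Informatica's code. It models the customer's KMS as an in-process object; CustomerKMS, ProvisionTenant, EncryptRecord, DecryptRecord and the tenant ID "org-42" are all constructed for the example. It shows that the provider persists only the wrapped key and ciphertext, that the data key is unwrapped per operation (the "periodically pings customer KMS" behaviour), that after revocation both reads and writes fail, and that a key wrapped for one tenant cannot be unwrapped under another tenant ID. The Informatica-managed option has the same shape with the provider's cloud KMS holding the master key. AES-GCM is used here because the wrap and the records should be authenticated; the page states only AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyRevoked: once the customer revokes the master key, nothing wrapped under it can be unwrapped.
var ErrKeyRevoked = errors.New("kms: master key revoked")

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

// seal encrypts with AES-256-GCM, binding aad; the random nonce is prepended.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys in this example are always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, wrong aad or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// CustomerKMS is a hypothetical stand-in for the customer's own KMS: it holds
// the master key and exposes only wrap/unwrap, so the key bytes never leave it.
type CustomerKMS struct {
	masterKey []byte
	revoked   bool
}

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{masterKey: mustRandom(32)} }
func (k *CustomerKMS) Revoke()     { k.revoked = true } // the customer disables the key

// WrapDataKey encrypts a tenant data key under the master key; the tenant ID is
// bound as associated data so a wrapped key cannot be replayed for another tenant.
func (k *CustomerKMS) WrapDataKey(dataKey []byte, tenantID string) ([]byte, error) {
	if k.revoked {
		return nil, ErrKeyRevoked
	}
	return seal(k.masterKey, dataKey, []byte(tenantID)), nil
}

func (k *CustomerKMS) UnwrapDataKey(wrapped []byte, tenantID string) ([]byte, error) {
	if k.revoked {
		return nil, ErrKeyRevoked
	}
	return open(k.masterKey, wrapped, []byte(tenantID))
}

// ProvisionTenant makes a per-tenant AES-256 data key and returns only its wrapped form,
// which is all the provider persists.
func ProvisionTenant(kms *CustomerKMS, tenantID string) ([]byte, error) {
	return kms.WrapDataKey(mustRandom(32), tenantID)
}

// EncryptRecord unwraps the data key for this one operation and never caches it.
func EncryptRecord(kms *CustomerKMS, tenantID string, wrapped, plaintext []byte) ([]byte, error) {
	dk, err := kms.UnwrapDataKey(wrapped, tenantID)
	if err != nil {
		return nil, err
	}
	return seal(dk, plaintext, []byte(tenantID)), nil
}

// DecryptRecord fails with ErrKeyRevoked for every record once the master key is revoked.
func DecryptRecord(kms *CustomerKMS, tenantID string, wrapped, ciphertext []byte) ([]byte, error) {
	dk, err := kms.UnwrapDataKey(wrapped, tenantID)
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext, []byte(tenantID))
}

func main() {
	kms := NewCustomerKMS()
	wrapped, _ := ProvisionTenant(kms, "org-42") // constructed tenant ID
	ct, _ := EncryptRecord(kms, "org-42", wrapped, []byte("customer record"))
	kms.Revoke()
	_, err := DecryptRecord(kms, "org-42", wrapped, ct)
	fmt.Println("read after revoke:", err)
}
```

The point a reviewer should take from the structure: the provider side never holds the master key and only transiently holds the data key, so revocation in the customer's KMS is sufficient to stop all access, including for data already stored. A real deployment would also cache unwrapped keys for a bounded time, which is exactly why the page speaks of periodic pings rather than instant cut-off.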
Data Storage Overview
• Depending on which services you use and how you configure them, the Data Repository will contain:
  - Master Data (in case of MDM/360 services)
  - Partial Profiled Data (in case of Data Governance & Catalog, Data Marketplace or Data Quality services)
• Data isolation: all data is logically separated per tenant by schema separation and specific tenant encryption keys
• Full encryption: the data repository is encrypted using the mechanisms and algorithms previously described (Informatica or customer managed key, key isolation, key rotation, etc…)
  - Notice MDM data only supports Informatica Managed Keys

(Diagram labels: Logically separated (per tenant); Encrypted (same as metadata repository); IDMC Services; INFA POD KMS (depends on ecosystem); AES encryption (256 bit); Metadata (TLS 1.2); Secure Agent; HTTPS: 443 (Outbound))


Private Connectivity

(Diagram labels: IDMC Services; AES encryption (256 bit); Express Route/Direct Connect; VPN/Private Links; Secure Agent)

• ExpressRoute lets you create private connections between Azure datacenters and infrastructure that's on your premises or in a co-location environment
• DirectConnect lets you create private connections between AWS datacenters and infrastructure that's on your premises or in a co-location environment
• VPN/Private Links are point to point connections between infrastructures that may be on your premises or in a co-location environment

ALL OPTIONS AVOID USE OF PUBLIC INTERNET


IDMC Service Architecture – PrivateLink (logical view)

(Diagram; components as labelled)
• Customer side: AWS VPC with EC2 (Customer Tenant) running a Secure Agent Group; Other SaaS Apps; ERP, Cloud CRM; On-Premises (Mainframe, Application Servers, Databases, Documents, Data Warehouse, Hadoop) behind a Firewall with a Secure Agent Group (on-prem); Web Client (Design, Admin, User)
• IDMC side: Services (Multi-tenant); AES Encryption (256 bit); Metadata (TLS 1.2); HTTPS: 443 (Outbound)
• Private paths: PrivateLink * from the customer VPC, PrivateLink ** on the IDMC side, Direct Connect * from on-premises
• * Customer Managed, ** Informatica Managed


User Authentication / Authorization Overview
• The platform supports a variety of authentication mechanisms:
  - password-based
  - SSO-based
  - Certificate-based
  - Token-based
• IDMC supports all external Identity Providers (IdP) compliant with SAML 2.0
• IdPs allow extending auth capabilities, such as:
  - Single Sign On (SSO)
  - Multi-Factor Authentication (MFA)
• User logins can be restricted to trusted IP address ranges (typically using VPN) to enable stringent security

(Diagram labels: IDMC Services (Service1, Service2, ServiceN, Front end); AES encryption (256 bit); Trusted IP Range; Secure Agent; Identity / Access SAML 2.0 Provider (User Access); User Web Client; Single Sign On; Multi-Factor Authentication)


Connection Objects
• Connections provide access to data in cloud and on-premises applications, platforms, databases, and flat files. They specify the location of sources, lookup objects, and targets that are included in a task
• When you configure a connection, the connection becomes available for use within the organization. If you use sub-organizations and you want a connection to be available to multiple sub-organizations, create the connection in each sub-organization
• Depending on the connection type you are creating, you will be asked to provide different parameters and properties in order to connect to that endpoint
• When you configure a connection for most connection types, you specify the runtime environment for the connection. The runtime environment must contain an agent that is running. This agent will be used to test the connection on the connection details object


Connection Properties Storage
• You can configure where to store the connection properties for your organization and sub-organizations
• You can store connection properties in either of the following locations:
  - Informatica POD: Informatica will store your connection properties and fully manage this storage
  - Local Secure Agent: if you need the connection properties to reside within your firewall, you can choose ONE local secure agent to store your connection properties
• You can change where you want to store connection properties. When you do this, IDMC moves the connection properties to the location you selected


Informatica POD Storage
• When you store connection properties in your Informatica POD, the connection properties are always available. IDMC backs up connection properties regularly as part of standard backup procedures
• This connection properties information is encrypted and protected following the same standards Informatica uses for data at-rest storage (as described before) and configured for your ORG:
  - Customer managed key (CYOK)
  - Informatica managed (AES-256 symmetric encryption keys and key rotation mechanisms)

(Diagram labels: IDMC Services; AES Encryption (256 bit); IDMC POD; Firewall; SECURE AGENT GROUP with Secure Agent 1, Secure Agent 2, Secure Agent 3)


Informatica Local Secure Agent Storage

• You have to choose only one secure agent to store the connection information. This agent must ALWAYS be running and accessible. This makes this secure agent a SPOF for your ORG
• Connection properties are stored in the following local SA directory (this cannot be a location shared with other secure agents):
  <Secure Agent installation directory>/apps/Data_Integration_Server/data
• Customers need to manage the credentials data backup process. It is strongly recommended to conduct backups regularly to prevent loss of data
• IDMC uses 256-bit AES encryption in CBC (Cipher Block Chaining) mode to store the connections
• IDMC generates an encryption key to secure connection properties stored with a Secure Agent. You can use a randomly generated password or you can enter a custom password as the basis for the encryption key
• Use a custom password when you want to update the encryption key periodically. You can change the custom password when you want to update the encryption key
• Connection properties cannot be stored with the local Secure Agent for organizations subject to FedRAMP
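The local Secure Agent store described above keeps connection properties under 256-bit AES in CBC mode, with the key derived from a random or custom password, and changes the key by changing the password. The Go program below is an added example written for this page; it is not Informatica's implementation and not the on-disk format under apps/Data_Integration_Server/data. It derives the AES key from the password with PBKDF2-HMAC-SHA256 (RFC 8018, implemented inline so the block needs only the standard library), encrypts with AES-256-CBC and PKCS#7 padding, adds an HMAC-SHA256 tag so that a wrong password or a tampered file is rejected before any decryption (the page does not say whether IDMC does this; it is the hardening a practitioner would add to CBC), and implements the password change as decrypt-under-old, re-encrypt-under-new. The function names, the iteration count and the sample connection properties are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const (
	saltLen   = 16
	kdfRounds = 100_000 // PBKDF2 iteration count, a constructed choice for the example
)

// pbkdf2SHA256 derives one 32-byte block per RFC 8018 (PBKDF2-HMAC-SHA256).
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the single output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func hmacSum(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys stretches the password into separate AES-256 and HMAC keys.
func deriveKeys(password string, salt []byte) (encKey, macKey []byte) {
	master := pbkdf2SHA256([]byte(password), salt, kdfRounds)
	return hmacSum(master, []byte("enc")), hmacSum(master, []byte("mac"))
}

// EncryptProperties protects a serialized connection-properties blob with AES-256-CBC
// (PKCS#7 padding) and an HMAC-SHA256 tag. Layout: salt(16) || iv(16) || ciphertext || tag(32).
func EncryptProperties(password string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+aes.BlockSize) // salt followed by IV, both random
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	encKey, macKey := deriveKeys(password, hdr[:saltLen])
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padN := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(padN)}, padN)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hdr[saltLen:]).CryptBlocks(ct, padded)
	body := append(hdr, ct...)
	return append(body, hmacSum(macKey, body)...), nil
}

// DecryptProperties verifies the tag before touching the ciphertext, so a wrong
// password or a tampered file is rejected without exposing a padding oracle.
func DecryptProperties(password string, sealed []byte) ([]byte, error) {
	hdrLen := saltLen + aes.BlockSize
	if len(sealed) < hdrLen+aes.BlockSize+sha256.Size || (len(sealed)-hdrLen-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed connection store")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	encKey, macKey := deriveKeys(password, body[:saltLen])
	if !hmac.Equal(tag, hmacSum(macKey, body)) {
		return nil, errors.New("wrong password or tampered store")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-hdrLen)
	cipher.NewCBCDecrypter(block, body[saltLen:hdrLen]).CryptBlocks(pt, body[hdrLen:])
	padN := int(pt[len(pt)-1])
	if padN == 0 || padN > aes.BlockSize || !bytes.Equal(pt[len(pt)-padN:], bytes.Repeat([]byte{byte(padN)}, padN)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padN], nil
}

// RotatePassword is how the key is changed: decrypt under the old custom password,
// re-encrypt under the new one (fresh salt and IV, newly derived keys).
func RotatePassword(oldPassword, newPassword string, sealed []byte) ([]byte, error) {
	pt, err := DecryptProperties(oldPassword, sealed)
	if err != nil {
		return nil, err
	}
	return EncryptProperties(newPassword, pt)
}
```

Because the salt and IV travel inside the blob, a backup of the store is self-contained apart from the password, which matches the slide's point that the customer owns the backup process for this single-agent store: losing either the file or the password loses the credentials.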
Summary
IDMC Security Architecture Diagram
IDMC is built on a microservices-based technology architecture and cloud native frameworks. The diagram below shows all major components of the IDMC security domain and lays out the areas of metadata and data persistence and data movement.

(Diagram; components as labelled)
• Informatica managed: IDMC Services (Multi-tenant ORG: Service1, Service2, ServiceN, Front end); Cloud runtime / Serverless (optional); AES encryption (256 bit); Data + Metadata (HTTPS + TLS1.2)
• Customer managed: Secure Agent (Windows, Linux), Onprem or Cloud hosted (IaaS); Firewall; Proxy (optional); REST Clients; Compute Cluster CDI-e (optional); Customer Tenant; On-Premises Data Warehouse, Application Servers, Databases
• Data movement: Business data (HTTPS) between Cloud Apps and IDMC Services; Business data (HTTPS + TLS1.2) and HTTPS: 443 (Outbound) between the Secure Agent and IDMC Services; Connector Encrypted Connections; logs and Log retrieval; Data Preview; HTTPS/SSH; SFTP/TLS
• Users: SAML 2.0 Provider (optional) for Identity / Access; User Web Client for Design & Administration over HTTPS; User Access
IDMC – A Secure Platform for you

Encryption
• Encryption at Rest: Metadata & Data, AES-256 Bit
• Encryption in Transit: different encryption keys per IDMC Service; TLS 1.2 encrypted using AES256-SHA (256 bit) cipher
• No Inbound Firewalls
• Https SSL Long Polling

Key Management
• Customer Managed: full control in your KMS; ability to revoke/destroy keys
• Informatica Managed: automatic rotation every year; customer controlled key rotation
• Envelope Encryption: two levels of Master Keys; Master Key stored in AWS KMS/Azure Key Vault

Traffic Routing
• Network Capabilities*: DirectConnect/ExpressRoute; PrivateLink (currently on AWS); VPN; Connector Level (Azure Synapse/Snowflake etc.)
• *Note - Network and Infrastructure related capabilities have customer dependencies

Authentication
• SSO (Single Sign On)
• Token Based
• Certificate Based
• SAML 2.0 Based
• MFA (Multi Factor Authentication)

Data Storage
• Logically Separated per Tenant
• Data and Metadata Encryption


Thank you
