2024 IDMC Security Architecture Whitepaper


Intelligent Data Management Cloud

Security Architecture Overview

White Paper
2024
Table of Contents
Shared Responsibility Model ............................................................................................................................................... 3

Security “To” the Cloud.................................................................................................................................. 3

Security “Of” the Cloud .................................................................................................................................. 4

Security “In” the Cloud................................................................................................................................... 4


Security Architecture Overview ........................................................................................................................................... 4

IDMC Architecture Components..................................................................................................................... 5


Security of Customer Environment and Data ...................................................................................................................... 6

Identity and Access Management .................................................................................................................. 6


Authentication............................................................................................................................................................... 6
Access Provisioning ..................................................................................................................................................... 6
Role Based Access and Provisioning Least Privilege .................................................................................................. 7

Sub-organizations ........................................................................................................................................ 8
Transport Layer Security ...................................................................................................................................................... 8

Encryption Key Management ......................................................................................................................... 8

Data Transmission Security ........................................................................................................................... 8

Encryption for Data in Transit ........................................................................................................................ 9


Metadata Layer Security ...................................................................................................................................................... 9

Metadata and Persistence ............................................................................................................................ 9


Encryption for Data at Rest .......................................................................................................................... 10

Customer Managed Encryption Keys ............................................................................................................ 10


Application and Service Layer Security ............................................................................................................................. 10

Service Messaging Encryption ..................................................................................................................... 10

Application Connection Encryption............................................................................................................... 10


IDMC Cloud Storage ................................................................................................................................................... 10
Local Secure Agent ..................................................................................................................................................... 10
Secrets Manager Configuration Service ..................................................................................................................... 11

Process States and Integration Variables ...................................................................................................... 11

Data Preview Functionality .......................................................................................................................... 11

Informatica Secure Development Practices ................................................................................................... 11


Secure Coding Procedures ...................................................................................................................... 11
Software Security Training.......................................................................................................................................... 12
Security Architecture Design Reviews ........................................................................................................................ 12
Automated Code Reviews........................................................................................................................................... 12
Manual Code Review .................................................................................................................................................. 12

Static Analysis Scans (SAST) ..................................................................................................................................... 13
Software Composition Analysis (SCA) ....................................................................................................................... 13
Dynamic Analysis Scans............................................................................................................................................. 13
Manual Penetration Testing........................................................................................................................................ 13
Platform Layer Security ...................................................................................................................................................... 13

Customer-Managed Secure Agent ................................................................................................................ 14

Secure Agent Authentication ....................................................................................................................... 14

Secure Agent Fingerprinting ........................................................................................................................ 15

Communication Protocol ............................................................................................................................ 15

Secure Agent Release Packages .................................................................................................................. 15


Network Layer Security ...................................................................................................................................................... 16

Web Application Firewall ............................................................................................................................. 16

Extended Detection and Response ............................................................................................................... 16

IP Allow Lists ............................................................................................................................................. 16

PrivateLink Connection (AWS and Azure) ...................................................................................................... 17


Governance and Operational Controls............................................................................................................................... 17

Security Model ........................................................................................................................................... 17

Decentralized Development ......................................................................................................................... 17

Data Center Security ................................................................................................................................... 17

Vulnerability and Patch Management ........................................................................................................... 17

Responsible Disclosure Program ................................................................................................................. 18

Security Operations Center and Response Team............................................................................................ 18

High Availability and Disaster Recovery ........................................................................................................ 18

Global Footprint ......................................................................................................................................... 18

Certifications and Compliance ..................................................................................................................... 18


SOC1 Type II ................................................................................................................................................................ 19
SOC2 Type II (Scoped to IICS/IDMC; DaaS, and Axon products) ............................................................................... 19
UK Cyber Essentials (Scoped to systems and personnel within the United Kingdom) ............................................. 20
GxP / HIPAA Other ..................................................................................................................................................... 20
Compliance with Applicable Law ............................................................................................................................... 20

Shared Responsibility Model
In today's digital landscape, cloud technology has revolutionized the way we store, access, and
manage data. In this paradigm, the traditional boundaries of security have blurred, requiring a
collaborative effort between cloud service providers and valued customers. This shared
responsibility model is a fundamental principle that underpins the protection of customer data
and digital assets. As we explore Informatica’s security architecture, it is important to clarify the
role that each stakeholder, including our customers, our host providers and Informatica,
plays in fortifying the security of our cloud-based solutions.

As it pertains to Informatica’s Intelligent Data Management Cloud (IDMC), the shared
responsibility model consists of three roles:
• Customer Responsibility - Security “To” the cloud
• Informatica Responsibility - Security “In” the cloud
• Cloud Host Responsibility - Security “Of” the cloud

Figure 1

Security “To” the Cloud


Customers play a pivotal role in the Shared Responsibility model. This responsibility
encompasses the protection of the customer’s data center, network infrastructure and any
associated components. Customers are also accountable for configuring and managing identity
and access controls, ensuring that only authorized individuals have appropriate privileges.
Additionally, customers must oversee the protection and proper configuration of sources and
targets within their cloud deployment. This comprehensive responsibility not only includes
maintaining data security but also enforcing security policies that align with industry-specific
compliance standards. There are some additional aspects of security “to” the cloud which are
also the responsibility of our valued customers. These additional control responsibilities can be
found in our SOC1 and SOC2 documents under the “Complementary User Entity Controls
(CUEC).”

Security “Of” the Cloud
Our cloud-hosted solution utilizes our cloud ecosystem partners, Amazon Web Services (AWS),
Microsoft Azure (Azure), Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI),
who bear the vital responsibility of ensuring the robustness and reliability of the cloud
infrastructure. Informatica inherits controls from these infrastructure partners, including physical
and environmental security, redundancy of data centers, and high availability of their cloud
services.

Security “In” the Cloud


At Informatica we are dedicated to maintaining the highest standards of security to protect our
environment as well as our customer data and environments. This whitepaper will provide in
depth details of how Informatica is managing its commitment and responsibility of security “in”
the cloud.

Security Architecture Overview


Informatica understands how critical information security is to businesses. Informatica
implements security as a foundational design principle for IDMC. IDMC adheres to industry best
practices for security with broad support for global regulatory and compliance requirements.
IDMC embeds security in every layer of the technology stack and aspect of accessing and
processing data. This is achieved through a “Defense-in-Depth” [1] approach to security as noted
below in Figure 2.

Figure 2

[1] Defense in depth is a security strategy that leverages multiple security measures to protect an
organization's assets. This ensures that if one line of defense is compromised, additional layers exist as a
backup to ensure that threats are stopped along the way.

IDMC Architecture Components
IDMC is built on a microservices-based technology architecture and cloud native frameworks.
The following figure shows all major components of the IDMC security domain and highlights
the areas of metadata and data persistence and data movement.
IDMC Security Architecture Diagram

Figure 3

The IDMC solution contains services that both users and system accounts access. Services
include, but are not limited to, Data Integration, Application Integration, API Manager, Data
Quality, and Data Governance and Catalog. These services are built on microservices and
multi-tenant repositories on the back end with a common login page and user interface shell on the
front end. Users interact with IDMC via a web client through the HTTPS protocol for design-time
activities.
The customer employee acting as an administrator for their tenant configures and manages the
security of the customer organization. Integration developers and business users use the
web-based visual designer and wizard tools of IDMC to design integration and data management
flows. The metadata that defines these designs is stored in a multi-tenant metadata repository
in the IDMC solution. Unique tenant IDs and tenant-specific encryption keys are used to ensure
separation of the metadata across tenants. The multi-tenant data repository back end is used for
securely storing customer metadata on the IDMC solution. [2]

[2] The majority of IDMC services only store metadata in the customer’s tenant. Cloud Integration Hub
customers can choose to store data in their IDMC tenant, but this is only done at customer request. By default,
customers host their own databases. MDM customer data is stored in the customer’s tenant and is
protected by the same safeguards described in this document.

The Informatica runtime environments (Secure Agent, Elastic Cluster, and Serverless) execute
customer-authored integrations and processes. They connect, transform, and move the data
between source and target data applications in batch, real time, and streaming integration
patterns. Customer-managed runtime environments (Secure Agent, Elastic, and Serverless) can
be deployed within the customer security context, whether it is in an on-premises environment
or the customer’s cloud VPC [3][4]. The Informatica-managed cloud runtime is deployed on the
IDMC solution.

Security of Customer Environment and Data


Identity and Access Management
Controlling and auditing user access can often prevent security problems. Identity and access
management helps administrators and security personnel pinpoint and analyze any issues that
arise. Informatica provides rich support for enterprise user identity and access management.

Authentication
IDMC supports the following authentication mechanisms: password-based, SSO-based,
certificate-based, and token-based authentication. Multi-factor authentication mechanisms,
such as trusted IP address ranges, also enable rigorous user authentication.
For native password-based authentication, user credentials are hashed and securely stored in
the IDMC solution. Administrators of the customer organization can configure policies for
password strength and rotation to suit their business needs.
IDMC supports web SSO via SAML 2.0 providers, including Okta, Azure AD, ADFS or any
third-party identity provider (IdP) that supports the SAML protocol for authentication and
authorization. Additionally, IDMC supports service-to-service authentication using short-lived
token-based authentication (OAuth 2.0). This allows customers to configure jobs that run under a
specific service account.

Access Provisioning
The IDMC org, sub-org, project, and folder constructs enable the customer’s administrators to
effectively secure and govern the structure of their IDMC artifacts and intellectual property.
Access to projects and folders can be controlled by permissions to ensure separation of work
and to ensure authorized access only.
IDMC supports fine-grained access management at the asset-type level and at the individual asset level.
Access to asset types is managed through privileges assigned by the administrator, and access to
individual assets is managed through permissions set on the asset itself. Access is enabled at both the org
and sub-org levels. The org and sub-org administrators can also manage the user, user role, or user
group that can access asset types in IDMC. For example, an administrator can configure create,
read, update, delete, run, and set permissions for a user ID, user role, and/or user group for all
the Mapping tasks in IDMC.
Similarly, at each asset level in IDMC, permissions can be set to manage read, update, delete,
execute, and change access for users, user roles, and user groups. IDMC additionally supports
the SCIM protocol for automatic user provisioning in a sub-org via Okta and Azure AD.

[3] While our whitepaper cites Virtual Private Cloud (VPC), which is an Amazon Web Services term, IDMC is
a cloud-agnostic solution.
[4] Secure Agent runtimes can be deployed in customer on-premises or cloud VPC environments. Elastic
and Serverless runtimes can be deployed in supported customer cloud VPC environments.

Role Based Access and Provisioning Least Privilege


Administrators can assign different roles to users to maintain the principle of least privilege.
Users can be granted access to only the capabilities needed to perform their function. The
administrators can control who does what, so that some users are managing project and folder
structure, some are designing, some are running jobs, and so on (which could allow for strict
separation of duties, essential for enterprises with demanding SDLC requirements). IDMC
provides predefined roles to facilitate user role assignment for most common needs and
custom roles for administrators to define new roles to meet the unique needs of their
organization.
When an IDMC org or sub-org is configured with a customer’s IdP via the SAML protocol, IDMC
user roles and user groups are synced with the customer’s enterprise user roles and user groups,
based on a one-time role and group mapping defined by the administrator for that org during
IDMC SAML setup.
The following figure illustrates the Role Based Access Control (RBAC) model of the IDMC
platform. In this example, the Administrator role has access to all assets including security
configuration, while the Designer and Service Consumer roles have only limited privileges and
permissions needed to perform their functions.

Figure 4

Role privileges grant users access to asset types. Access control lists (ACL) in conjunction with
RBAC, allow organizations to control permissions at the asset level in IDMC.
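As an added Go example (not Informatica's code) of the two-layer model just described, the following models role privileges on asset types alongside ACL permissions on individual assets, using constructed roles patterned on Figure 4; the type names, the role definitions, the "finance-ops" group and the user IDs are assumptions.

```go
package main

import "fmt"

// Privilege is an operation on an asset type, granted through a role
// (create, read, update, delete, run, set permissions). Permission is an
// operation on one asset, granted through that asset's ACL (read, update,
// delete, execute, change permission). All type names are hypothetical.
type (
	Privilege  string
	Permission string
	Role       map[string]map[Privilege]bool  // asset type -> privileges
	ACL        map[string]map[Permission]bool // principal -> permissions
)

// Asset is an IDMC artifact such as a mapping task, with its own ACL.
type Asset struct {
	Name, Type string
	ACL        ACL
}

// User carries the roles and groups assigned to a user ID.
type User struct {
	ID            string
	Roles, Groups []string
}

// Org holds the role definitions of an org or sub-org.
type Org struct{ Roles map[string]Role }

// hasPrivilege reports whether any of the user's roles grants priv on the
// asset type. Indexing a missing map entry yields false, so anything not
// explicitly granted is denied.
func (o Org) hasPrivilege(u User, assetType string, priv Privilege) bool {
	for _, rn := range u.Roles {
		if o.Roles[rn][assetType][priv] {
			return true
		}
	}
	return false
}

// hasPermission reports whether the asset ACL grants perm to the user ID,
// to one of the user's roles, or to one of the user's groups.
func hasPermission(u User, a Asset, perm Permission) bool {
	principals := append([]string{u.ID}, u.Roles...)
	for _, p := range append(principals, u.Groups...) {
		if a.ACL[p][perm] {
			return true
		}
	}
	return false
}

// Authorize is the two-layer check the paper describes: the role must grant
// the privilege on the asset type AND the asset ACL must grant the matching
// permission. Failing either layer denies the request.
func (o Org) Authorize(u User, a Asset, priv Privilege, perm Permission) bool {
	return o.hasPrivilege(u, a.Type, priv) && hasPermission(u, a, perm)
}

// SampleOrg is a constructed org with the three roles shown in Figure 4.
func SampleOrg() Org {
	all := map[Privilege]bool{"create": true, "read": true, "update": true,
		"delete": true, "run": true, "set permissions": true}
	return Org{Roles: map[string]Role{
		"Administrator":    {"Mapping Task": all, "Security Configuration": all},
		"Designer":         {"Mapping Task": {"create": true, "read": true, "update": true}},
		"Service Consumer": {"Mapping Task": {"read": true, "run": true}},
	}}
}

// SampleTask is a constructed mapping task: designers may edit it, only the
// finance-ops group may execute it, and administrators may do everything.
func SampleTask() Asset {
	return Asset{Name: "load_gl", Type: "Mapping Task", ACL: ACL{
		"Administrator": {"read": true, "update": true, "delete": true,
			"execute": true, "change permission": true},
		"Designer":    {"read": true, "update": true},
		"finance-ops": {"read": true, "execute": true},
	}}
}

// Constructed users: one role each; two of them also belong to a group.
var (
	Admin    = User{ID: "alice", Roles: []string{"Administrator"}}
	Designer = User{ID: "bob", Roles: []string{"Designer"}}
	FinOps   = User{ID: "carol", Roles: []string{"Service Consumer"}, Groups: []string{"finance-ops"}}
	Other    = User{ID: "dave", Roles: []string{"Service Consumer"}, Groups: []string{"marketing"}}
)

func main() {
	org, task := SampleOrg(), SampleTask()
	for _, u := range []User{Admin, Designer, FinOps, Other} {
		fmt.Printf("%-5s run %s: %v\n", u.ID, task.Name, org.Authorize(u, task, "run", "execute"))
	}
}
```

Note that "dave" holds the Service Consumer role, which grants the run privilege on mapping tasks, yet is still denied because the asset ACL grants execute only to finance-ops: the privilege layer alone is not sufficient.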

Sub-organizations
Administrators can create sub-organizations to easily classify and group users (very common to
segment users according to their line-of-business). Segregating users in this way allows
different departments (or other logical grouping of users) to see only their relevant work. The
administrator can also assign licenses for each organization and sub-organization and can
create delegated administrators. Privilege levels are configured to allow only specified users to
exercise administrator-like functions without giving them full administrative control.
The figure below illustrates the Informatica “delegated admin” function. The example shows the
parent organization defining policies for the environment, including authentication options,
licenses, logging options, job execution compute, and content distribution options. The
delegated admins can then be created and given control over each of their subordinate
organizations, creating any additional policies they deem necessary as long as the policies do
not conflict with the core policies configured by the parent administrator.
The delegated admin function easily enables customers to extend integration services to
downstream enterprise users. Additionally, this helps to promote reuse and best practices
across departments through Integration Competency Center (ICC) initiatives.

Figure 5

Transport Layer Security


Encryption Key Management
IDMC uses organization-level AES-256 symmetric encryption keys (tenant keys) to encrypt
sensitive data at rest and in transit. By default, these tenant keys are rotated annually in
conformance with NIST 800-57 Part 1 Rev 5 guidelines. However, customers can choose to
configure key rotation for 90, 120, or 180 days. When a key is rotated, the new key is used for
subsequent encryption requests, and the old key is preserved to decrypt previously encrypted
data.

Data Transmission Security


Data transmission security is a key aspect of securing customer data and metadata. When
processing data, the Secure Agent communicates with both the IDMC solution and customer
data stores/SaaS applications (as illustrated in Figure on page 5).

The Secure Agent initiates communication with Informatica’s Intelligent Data Management
Cloud through a secure channel initially authenticated through a shared secret credential. No
inbound firewall ports need to be opened at the customer site for their Secure Agent to
communicate with the IDMC solution. The Secure Agent code communicates with the host and
uses port 443 for all outbound communication, including via proxy. The Secure Agent avoids
data loss and transport delays by checking for availability before connecting. The Secure Agent
also performs network resiliency checks and retains full audit and session logs for a configurable
duration to support troubleshooting and audits. Additionally, logs can be sent to a customer’s
centralized logging systems to comply with security and regulatory requirements.

Encryption for Data in Transit


To defend against man-in-the-middle attacks, the communication channel between the
customer-deployed Secure Agent and Informatica Cloud must be authenticated to maintain its
integrity, as well as to ensure transport encryption. All communication from the Secure Agent to
the IDMC solution is encrypted through Transport Layer Security (TLS) 1.2 using the AES256-SHA
(256-bit) cipher suite.
The Secure Agent connects to source and target data stores and cloud applications using
connectors. Connectors are configured by customers and support a variety of secure
communication protocols such as HTTPS, SFTP, and FTPS. Informatica leverages the underlying
transport layer of these connector communication protocols to ensure that customer data is
transmitted securely across data stores and applications. Customer data is encrypted via
Transport Layer Security (TLS) 1.2 by default and is customer-configurable to lower versions if
needed.
See Service Messaging Encryption for further information about encrypting data in-transit
between the Secure Agent and Informatica Cloud.

Metadata Layer Security


Metadata and Persistence
The metadata within the IDMC solution can include details such as data mappings, processes,
application connection details, object definitions, and transformation rules.
IDMC has the following categories of metadata:
• Organizational and User/Security Metadata – Describes the structure of the
organization; defines users and groups and their privileges, permissions, and license
information; and tracks audit logs. The audit logs are extremely detailed and provide a
total record of user logins and activity sorted by time of day.
• Design Metadata – Defines integration tasks and processes, including data
synchronization, data replication, mappings and templates, task flows, process
definitions, and connectors.
• Runtime Metadata – Contains agent definition data and other information crucial for
runtime activities, like connection and schedule information and job and process logs
and states.

User access controls are closely tied to metadata that details user actions within the system.
Role-based controls grant users access to the metadata and specific functions. All IDMC
services adhere to contractual obligations for the retention and disposition of the above
metadata. See https://www.informatica.com/legal.html for further information.

Encryption for Data at Rest


Any data persisted in the customer’s IDMC multi-tenant data repository [5] is encrypted using the
AES encryption algorithm which uses a 256-bit key. The key is unique to the customer tenant. By
default, the key is rotated once a year, but customers can configure it to be rotated every 90,
120, or 180 days.
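Both the tenant-key rotation described under Encryption Key Management and the at-rest rotation above rely on the same mechanism: new writes use the newest key version while every earlier version is retained for decryption. This added Go example (not Informatica's code) models that with a versioned key ring; the record layout, the use of AES-256-GCM with the tenant ID as associated data, and the type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Each record is: 4-byte key version || 12-byte nonce || AES-256-GCM output
// (ciphertext plus 16-byte tag). GCM is an assumption; the paper names only AES-256.
const keyLen, verLen, nonceLen, tagLen = 32, 4, 12, 16

// TenantKeyRing keeps every key version a tenant has had; only the newest encrypts, all decrypt.
type TenantKeyRing struct {
	TenantID     string
	RotationDays int
	keys         map[uint32][]byte // version -> key
	current      uint32
	rotatedAt    time.Time
}

// NewTenantKeyRing accepts only the intervals the paper lists (365 is the
// default) and mints key version 1.
func NewTenantKeyRing(tenant string, days int, now time.Time) (*TenantKeyRing, error) {
	if days != 90 && days != 120 && days != 180 && days != 365 {
		return nil, fmt.Errorf("unsupported rotation interval: %d days", days)
	}
	r := &TenantKeyRing{TenantID: tenant, RotationDays: days, keys: map[uint32][]byte{}}
	return r, r.Rotate(now)
}

// Rotate mints a fresh random key, makes it current, and keeps the old ones.
func (r *TenantKeyRing) Rotate(now time.Time) error {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	r.current++
	r.keys[r.current] = k
	r.rotatedAt = now
	return nil
}

func (r *TenantKeyRing) CurrentVersion() uint32 { return r.current }

// Due reports whether the configured interval has elapsed since the last rotation.
func (r *TenantKeyRing) Due(now time.Time) bool {
	return now.Sub(r.rotatedAt) >= time.Duration(r.RotationDays)*24*time.Hour
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key. The tenant ID is bound as
// associated data, so a record cannot be opened under another tenant's ring
// even if the version numbers coincide.
func (r *TenantKeyRing) Encrypt(plain []byte) ([]byte, error) {
	gcm, err := gcmFor(r.keys[r.current])
	if err != nil {
		return nil, err
	}
	out := make([]byte, verLen, verLen+nonceLen+len(plain)+tagLen)
	binary.BigEndian.PutUint32(out, r.current)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plain, []byte(r.TenantID)), nil
}

// Decrypt selects the key by the version stored in the record, so data
// written before a rotation still opens afterwards.
func (r *TenantKeyRing) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < verLen+nonceLen+tagLen {
		return nil, fmt.Errorf("ciphertext too short")
	}
	key, ok := r.keys[binary.BigEndian.Uint32(ct[:verLen])]
	if !ok {
		return nil, fmt.Errorf("unknown key version")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct[verLen:verLen+nonceLen], ct[verLen+nonceLen:], []byte(r.TenantID))
}

func main() {
	ring, _ := NewTenantKeyRing("tenant-a", 90, time.Now())
	ct, _ := ring.Encrypt([]byte("connection password"))
	_ = ring.Rotate(time.Now()) // version 2 is now current
	pt, err := ring.Decrypt(ct) // still opens, via version 1
	fmt.Println(string(pt), err)
}
```

Rotating without retaining old versions, or writing records without the version prefix, would make everything encrypted before the rotation unreadable, which is why the old key is preserved rather than destroyed.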

Customer Managed Encryption Keys


IDMC has the ability to support Customer Managed Keys. While Informatica uses strong
encryption practices, customers may want to utilize their own encryption keys to safeguard their
data. With this feature, a customer can hold their encryption keys and maintain the authority to
encrypt and decrypt their data within our cloud environment. This gives our customers
confidence that customer data remains confidential and protected, even from Informatica as the
service provider.

Application and Service Layer Security


Service Messaging Encryption
Each service-level message is encrypted uniquely for each service by the Secure Agent and the
Encryption in Transit protocol, thus creating two layers of encryption on all communications
between the IDMC solution and the Secure Agent. See Encryption for Data in Transit for more
information.

Application Connection Encryption


Informatica empowers users to configure secure connections to data stores, such as customer
databases and SaaS applications, in three different ways: (i) credentials stored in the cloud within IDMC,
(ii) credentials stored within the locally hosted Secure Agent, or (iii) credentials stored within a
customer-configured Secrets Manager (or Vault). These storage options can be managed using the IDMC web client.

IDMC Cloud Storage


Connector credentials to data stores and applications (along with the connection metadata)
are stored securely using unique tenant-specific encryption keys.

Local Secure Agent


This option can be selected if users require credentials to be stored within the confinement of
their firewalls and adhere to their security requirements. A specific run-time pattern is required
to configure this option. See Customer-Managed Secure Agent for more information.

[5] This does not include customer data stored within the MDM solution. For information about MDM,
refer to Security and Compliance Overview: Customer 360.

Secrets Manager Configuration Service
Users also have the option of storing credentials within the customer’s enterprise Secrets
Manager (or Vault). Customers have the ability to configure this if they prefer a centralized
storage and management mechanism (rotation) for all of their credentials. This is a flexible
option which customers can utilize on a per-connection basis. The currently supported Secrets
Managers are documented in our IDMC Product Availability Matrix [6].

Process States and Integration Variables


Process state information that is needed for process recovery is stored on the IDMC solution to
allow long-running processes and the recovery of such processes. Similarly, integration
mapping variables are stored on the IDMC solution to keep track of data integration logic. State
information can include aspects of payload data and is persisted temporarily and cleaned up as
processing is completed.

Data Preview Functionality


A key aspect of customer data processing is data transformations as defined by customer
integration logic. Some IDMC services provide data preview capability for customers to
effectively develop and debug their data integration logic. Similarly, customers can view process
data elements via the web interfaces for debugging purposes. This capability allows customers
to view a subset of their business data through the web client at one or more stages of data
transformation. The desired transformed customer data is directly fetched from the Secure
Agent/Process Server, cached in memory [7], and rendered via the web client. Customer business
data is not persisted on the IDMC solution to enable this functionality. The data preview feature
is enabled by default and can be disabled by the administrator to comply with a customer’s
security policy. While this feature provides effective means to debug the developmental process,
Informatica recommends data preview should be disabled for customer production
organizations.

Informatica Secure Development Practices


Informatica designed, implemented, and enforced rigorous software development practices as
part of its overall security posture. This process is assessed several times annually by globally
recognized auditors. This section describes the different security elements of Informatica’s
SDLC processes.

Secure Coding Procedures


Informatica follows secure coding procedures that are based on Open Web Application Security
Project® (OWASP) recommendations for developing software. Informatica’s secure coding
procedures provide a framework for the thorough documentation, testing, and evaluation of all
coding changes made to our software. The secure coding procedures mitigate risks to
Informatica’s production applications and infrastructure that could threaten stability, resiliency,
security, regulatory compliance, and availability. These procedures are applicable to the entire
workforce at Informatica and pertain to any modifications made in production environments.
These environments predominantly consist of hardware, system software, application software,
communication equipment, as well as all documentation and procedures related to the
operation and maintenance of these systems.

[6] IDMC’s Product Availability Matrix (PAM) can be found at
https://docs.informatica.com/integration-cloud/data-integration/current-version/introduction/informatica-resources/informatica-product-availability-matrices.html
[7] Data Preview data is cached in memory for the session of the user. The data is not stored on disk and is
immediately deleted on termination of the session.
These secure coding procedures are defined around the following OWASP recommended
controls:
• Input Validation • Output Encoding
• Authentication and Password Management • Session Management
• Access Control • Cryptographic Practices
• Error Handling and Logging • Data Protection
• Communication Security • Data Security
• File Management • Memory Management
Informatica enforces secure coding procedures as part of our policies and procedures which
are part of Informatica’s mandatory security awareness training for all applicable personnel and
role-specific security training for our R&D organization.

Software Security Training

All Informatica development teams are required to complete annual software security training
that covers all secure coding and design practices. Training is provided through Informatica's
learning management system and other methods, as necessary.

Security Architecture Design Reviews

Security architecture reviews are continuously performed on Informatica products by our Global
Security, Product Security, and Engineering teams. This is, by design, built into our change
workflow and tooling, and is therefore automatically triggered based on change criteria.

Automated Code Reviews

Informatica has implemented globally recognized automated secure code reviews in our
development pipeline as part of our efforts to ensure best practices for systematic code
reviews. These automated code reviews come into play whenever code is checked in. This
process not only identifies publicly known security vulnerabilities but also identifies
vulnerabilities introduced through custom-developed code and enforces adherence to best coding
practices. Additionally, it identifies potential points of security breaches.

Manual Code Review

During the regular development cycle, the engineering team conducts functional and design
reviews of product components. During the code development phase, all code that is checked in
to the source code repository goes through manual code reviews by lead engineers and
architects to ensure adherence to strict security guidelines and to identify gaps for immediate
remediation. Production check-ins for any emergency bug fix go through strict scrutiny and
code reviews to ensure proper and expected behavior.
Static Analysis Scans (SAST)

Informatica secures proprietary code through the integration of an industry-leading SAST solution
into our SDLC process. This integration ensures regular security gate checks, identifies security
vulnerabilities, maintains a risk-driven inventory of all identified security vulnerabilities, and
alerts all key stakeholders of those vulnerabilities. Additionally, this allows for continuous
learning and improvement. The detected vulnerabilities are governed through our vulnerability
management process.

Software Composition Analysis (SCA)

Informatica uses an SCA solution to further secure our cloud products. This helps detect security
vulnerabilities in third-party libraries. The detected vulnerabilities are also governed
through our vulnerability management process.

Dynamic Analysis Scans (DAST)

Informatica uses a third-party commercial DAST solution to perform continuous dynamic analysis scans
on its services in production. The detected vulnerabilities are governed through our vulnerability
management process.

Manual Penetration Testing

Informatica uses various internal and external application penetration testing teams to perform
regular manual penetration testing on its products. Our manual application penetration testing teams
perform application security assessments monthly, with every release.
Additionally, an external third party performs a product penetration test at least once a year,
which can be shared with our customers. Customers can contact their Informatica account
executives to get the executive summary of this third-party penetration test.

Platform Layer Security

In IDMC, the runtime environment is responsible for processing data. The Secure Agent and the
other available runtime environments play a major role in securing customer data and
applications and contain several security features. The Secure Agent supports microservice
characteristics like pluggable engines, load balancing, scalability, and high availability. It
consists of data integration, process server, and mass ingestion engines, and other services, as
well as connectors to external data sources. These components enable the execution of batch,
streaming, and real-time integrations, as well as other aspects of data management like data
quality and data cataloging.
The deployment of the runtime environment is flexible for customers. They can deploy the
Secure Agent on-premises or on a public cloud, such as AWS, Azure, GCP and OCI. Additionally,
they can choose to have the runtime environment managed by Informatica on the IDMC
solution. The following figure…

Figure 6

Customer-Managed Secure Agent

Customer-managed Secure Agent deployments can accomplish ground-to-ground, cloud-to-ground,
and cloud-to-cloud integrations. With customer-managed Secure Agents either on-premises or on a
public cloud service such as AWS or Azure, the customer has full control of their deployed Secure
Agent runtimes. No inbound firewall ports need to be opened at the customer site for
customer-managed Secure Agents to operate successfully (though outbound traffic on port 443
to the designated Informatica IP addresses associated with the POD that their org is deployed on
is required) [8].
For customer-managed deployments, the Secure Agent is downloaded by the customer and
placed in a location that best fits customer requirements. The IDMC solution verifies the Secure
Agent binaries and associated payload before the binaries are downloaded and deployed in the
customer environment.

Secure Agent Authentication

The Secure Agent is attached to the customer organization at the time of its registration. The
Secure Agent installer uses token-based authentication to complete the registration. When
registering the Secure Agent, the customer needs to supply the token generated at the time of
the Secure Agent installation. Note that the token has a limited lifespan; if it expires, a new
Secure Agent installation token will be required. Customers can also optionally configure a
proxy server at the time of Secure Agent registration for its communication with cloud
applications. Upon successful authentication, the Secure Agent will be attached to the
customer's IDMC organization.
After the Secure Agent is attached to the customer organization, it downloads binaries
associated with services and connectors that the customer is licensed for, and it initiates the
corresponding service engines. The agent also downloads any updates to engines or packages
associated with the connectors during the customer subscription and service upgrade life cycle.
The binaries sent to the customer's Secure Agent are signed and hashed, preventing
man-in-the-middle attacks.

[8] For more information about IDMC IP addresses, see
https://knowledge.informatica.com/s/article/524982.
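As an added illustration (not Informatica's code, and not the actual IDMC manifest format or key-distribution mechanism), the following Go program shows why the signature, rather than the hash alone, is what stops substitution in transit: a package whose digest has merely been recomputed still fails verification, because the publisher's Ed25519 signature over the digest cannot be reproduced without the private key. The manifest layout, key generation and sample package bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical release manifest (not IDMC's real
// format): the SHA-256 digest of the package bytes, plus the publisher's
// Ed25519 signature over that digest.
type Manifest struct {
	Digest    [sha256.Size]byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature was not made by the trusted publisher key")
	ErrDigestMismatch = errors.New("package bytes do not match the digest in the manifest")
)

// NewPublisherKey generates a fresh publisher key pair. In a real deployment the
// private key stays with the release pipeline; only the public key is pinned
// into the agent that verifies downloads.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DigestOf is the hash the manifest is expected to carry for a package.
func DigestOf(pkg []byte) [sha256.Size]byte {
	return sha256.Sum256(pkg)
}

// SignPackage models the publisher side: hash the package and sign the digest.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) Manifest {
	d := DigestOf(pkg)
	return Manifest{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyPackage models the agent side. Both the manifest and the package arrive
// over the network and are untrusted; only the pinned public key is trusted.
func VerifyPackage(pub ed25519.PublicKey, m Manifest, pkg []byte) error {
	// Check the signature before trusting the digest: whoever can replace the
	// package in transit can also replace an unsigned digest sent next to it.
	if !ed25519.Verify(pub, m.Digest[:], m.Signature) {
		return ErrBadSignature
	}
	// Only now does the digest say anything about the bytes actually received.
	if DigestOf(pkg) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := NewPublisherKey()
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed sample agent package v1") // stand-in for a real binary
	m := SignPackage(priv, pkg)

	fmt.Println("genuine package:", VerifyPackage(pub, m, pkg)) // <nil>
	swapped := []byte("constructed substituted package")
	fmt.Println("package swapped in transit:", VerifyPackage(pub, m, swapped)) // digest mismatch
	// A hash alone is defeated by re-hashing the substituted package; the
	// signature over the digest cannot be recomputed without the private key.
	rehashed := Manifest{Digest: DigestOf(swapped), Signature: m.Signature}
	fmt.Println("package and hash swapped:", VerifyPackage(pub, rehashed, swapped)) // bad signature
}
```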

Secure Agent Fingerprinting

Administrators have the option of enabling Secure Agent Fingerprinting. This functionality acts
as a digital signature and is generated by using the Machine ID of the virtual machine being
utilized for the Secure Agent. The Secure Agent's fingerprinting capability [9] offers an added layer
of security to the existing transport layer controls, making it significantly harder for malicious
actors to compromise the command channel or inject unauthorized commands.

Communication Protocol

The communication between the customer-managed Secure Agent and IDMC is initiated by the
Secure Agent (located within the customer environment). The Secure Agent continuously
communicates with IDMC. There are two types of communication:
1. System Communication – This type of communication occurs between IDMC and the
Secure Agent and is always ongoing. This communication is used to establish a
connection between IDMC and the Secure Agent to determine the health of the Secure
Agent, to send runtime execution instructions to the Secure Agent, to monitor the
progress of a job, as well as to perform lifecycle management activities like connector
package updates and Secure Agent upgrades.
2. User-initiated Communication – This type of communication is initiated by the customer.
Only a customer-authorized or provisioned user can initiate this type of communication
with the Secure Agent through the IDMC web client. This communication is used to fetch
agent and job session logs from Secure Agent hosts for troubleshooting purposes, to
validate connections with source and target systems, as well as to fetch schema or data
from source and target systems while authoring and validating integrations.

Secure Agent Release Packages

IDMC has monthly releases on a predetermined schedule [10]. Informatica will periodically have a
major release during which the customer-managed Secure Agent is upgraded. Similar to the
initial download of the Secure Agent, multiple validation and authentication checks are
performed prior to the upgrade. The following figure…

Figure 7

[9] Steps to configure Secure Agent Fingerprint can be found at the following Knowledge article:
Fingerprint Authentication Properties.
[10] For information about upcoming IDMC releases and upgrade schedules, please visit
https://status.informatica.com.

Network Layer Security

Web Application Firewall

The IDMC product perimeter is monitored for malicious traffic and anomalous activity, and
protected, by an Intelligent Web Application Firewall (WAF). Implementing a WAF allows
Informatica to dynamically protect web applications by filtering, monitoring, and blocking
certain HTTP traffic between a web application and its client endpoints based on customized
rule sets.

Extended Detection and Response

Throughout the IDMC infrastructure, Informatica has deployed Extended Detection and
Response (XDR) agents. XDR provides real-time visibility into potential threats. It unifies and
correlates data from multiple sources, such as endpoints, networks, and cloud environments,
empowering our security team to proactively identify and mitigate security risks before they
escalate.

IP Allow Lists

IDMC administrators can authorize specific IP ranges to access their org. By
defining the specific IP addresses that are granted access, customers create a virtual perimeter
against unauthorized entry and potential threats. This approach significantly reduces the attack
surface, minimizing the risk from malicious actors.

PrivateLink Connection (AWS and Azure)

Informatica supports AWS and Azure PrivateLink. This provides private connectivity between
customer-managed Secure Agents deployed in their AWS or Azure Virtual Private Cloud (VPC)
and the Informatica Cloud without exposing their traffic to the public internet [11].

Governance and Operational Controls

Security Model

IDMC security architecture is logically divided into IDMC Platform and Cloud-Native
infrastructure layers. This layered, holistic security structure provides resistance to attack and
resiliency against failure. The following figure…

Figure 8

Decentralized Development

Microservices have segregated development teams, for which access is managed with least
privilege. The overall build is centralized by a non-development operations team. This allows
Informatica to secure the deployment, ensuring that no single set of developers has access to the
full release.

Data Center Security

Informatica products are available in multiple data centers across the globe. Each data center
uses redundant power and cooling systems to ensure that uptime and SLAs are met. Data
centers are protected 24x7 using state-of-the-art security systems.

Vulnerability and Patch Management

Informatica scans its cloud infrastructure on a continuous basis. Identified vulnerabilities are
reported on a scheduled cadence to the security stakeholders, who work with the Quality
Assurance (QA) team to ensure that patches are available and can be applied during the
scheduled maintenance windows. In case of urgent or zero-day vulnerabilities, the Operations
and QA teams coordinate to ensure available patches can be expedited and applied. Visit
https://www.informatica.com/legal.html for more information about vulnerability management
and SLAs.

[11] Requires the respective IDMC org to be deployed on an IDMC POD running on AWS or Azure
infrastructure. Each cloud provider may have additional requirements to utilize PrivateLink, which can be
found here: AWS PrivateLink Requirements; Azure PrivateLink Requirements.

Responsible Disclosure Program

Informatica has established a responsible disclosure program, also known as a bug bounty
program. This initiative invites ethical hackers, security researchers, and the public to report any
potential vulnerabilities or security concerns they come across within our software. This effort
helps Informatica identify and address vulnerabilities, thereby reducing the risk of malicious
exploitation and enhancing the overall security of our cloud software.

Security Operations Center and Response Team

Informatica’s Security Operations Center (SOC) team is at the forefront of safeguarding our
cloud operations. The SOC team is comprised of dedicated professionals who maintain 24/7
surveillance, real-time threat detection, and swift incident response capabilities.

High Availability and Disaster Recovery

Each Informatica cloud data center uses an (n+1) configuration at all levels of infrastructure. If
there is a system failure at any time, another system is assigned in lieu of the failed system.
Each data center is paired with a disaster recovery region. In case of catastrophic failure, the
primary region fails over to the disaster recovery region [12, 13].

Global Footprint

Informatica cloud data centers are available globally, providing our customers a choice for their
provisioned IDMC orgs, which is often required when the customer is subject to data residency
regulations. Informatica provides points of delivery (PODs) [14] in North America (US West, US
East, Canada), EMEA (Ireland, Germany, UK, UAE and France) and APJ (Australia, Singapore, and
Japan).

Certifications and Compliance

The security of customer data is a critical objective of the IDMC platform. Informatica has
established a risk-based information security program protecting Informatica's and its customers'
data security and privacy.
Three principles govern Informatica's information security program to earn and maintain
customers' trust:
1. Maintain a safe, secure, and compliant ecosystem for customer data.
2. Provide Informatica and customers a trustworthy environment to conduct business.
3. Consistently maintain applicable security controls, certifications, and regulatory
compliance.

[12] See https://knowledge.informatica.com/s/article/524982 for required information about configuring
firewalls for DR PODs.
[13] See the Security Addendum listed on https://www.informatica.com/legal.html for information about
RTO and RPO periods.
[14] Informatica's Point of Delivery (POD) cloud data centers are across the four major cloud providers:
AWS, Azure, Google Cloud and Oracle. More details of these PODs can be found at
https://docs.informatica.com/cloud-common-services/pod-availability-and-networking/current-version.html.
The security program focuses efforts and resources across the following areas:
• Application and Infrastructure Security
• Brand Reputation Management
• Identity and Access Management
• Incident Response Services
• Information Protection
• Threat and Vulnerability Management
• Supply Chain Risk Management
• Training and Awareness
• Consulting & Enablement Services
• Business Continuity and Disaster Recovery
• Privacy Protection
• Governance, Risk & Compliance

Informatica has adopted specific security framework elements, processes and controls derived
from known industry standards such as the National Institute of Standards and Technology
(NIST) and the International Organization for Standardization (ISO) that are applicable to the
types of data processed and stored by the Company, the industry and regulatory environment in
which the Company participates, and the geographic locations in which the Company conducts
business.

Informatica has developed, implemented, and applied a proven approach to identifying,
measuring, managing, and reporting information security and privacy related risks applicable to
the organization through its Security and Privacy Risk Management Program. This risk
management program is used globally throughout the Company and with partners or third
parties that have access to Company systems or manage, store, or process information on
the Company's behalf.
Informatica has voluntarily undertaken, and/or is required by contractual obligation, to perform
in accordance with the standards listed below, which are measured through internal security
teams and champions, third parties, and external assessment partners such as AICPA-accredited
external audit firms.

SOC1 Type II

These reports are designed to meet the needs of users who need assurance about the controls
at a service organization relevant to financial controls, operations, and IT and business
processes that are tied to their financial reporting. These reports are intended to be used by
customers' external auditors.

SOC2 Type II (Scoped to IICS/IDMC, DaaS, and Axon products)

These are internal controls reports capturing how a company safeguards customer data and
how well those controls are operating in accordance with in-scope Trust Services Criteria. These
reports are intended to be used by Customers.

UK Cyber Essentials (Scoped to systems and personnel within the United Kingdom)

The Cyber Essentials Assessment is a set of baseline technical controls produced by the UK
Government and industry to help organizations, large and small, public and private, improve
their defenses and publicly demonstrate their commitment to cybersecurity.

GxP / HIPAA / Other

Informatica is HIPAA control validated for its handling of protected health information (PHI) in
accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
This report documents Informatica's commitment to data privacy and security compliance to
protect sensitive healthcare information and implement the necessary administrative, physical,
and technical safeguards to ensure compliance with HIPAA regulations. (Scoped to IICS/IDMC and
DaaS products)

Informatica's software can be used in industries that are subject to GxP regulations, such as the
pharmaceutical and healthcare industries, but it is not itself subject to GxP regulations.
Informatica develops solutions that are designed to help its customers comply with GxP
regulations. For example, Informatica's MDM SaaS solution includes features that support data
validation, data quality monitoring, and audit trail creation and management, which are all
critical components of GxP compliance.

Informatica also provides documentation and guidance to its customers on how to configure
and use its products in a way that complies with GxP regulations. (Scoped to MDM SaaS
products)

Compliance with Applicable Law

Informatica’s data privacy program is designed to comply with all applicable privacy laws in the
jurisdictions where we do business, including the General Data Protection Regulation, the
California Consumer Privacy Act, and other state, national and international laws. The program
addresses both how we use personal data that we control in the operation of our enterprise and
how we protect and process personal data on behalf of customers via our services. The
program is managed in accordance with a set of policies, procedures, and standards governing
program elements including data management, risk assessment, employee training and
awareness, consent management, incident response, vendor management, and internal
governance and reporting.

Informatica classifies data per our data classification policy and consistently applies
protections per that classification; observes privacy principles such as transparency, purpose
limitation, and data minimization; honors the rights of data subjects, complies with data
localization and transfer requirements; analyzes, determines lawful basis for, and records
processing activities; and negotiates and honors contractual and statutory obligations with
respect to both vendors processing data on our behalf and customers on whose behalf we
process data.

Worldwide Headquarters 2100 Seaport Blvd., Redwood City, CA 94063, USA Phone: 650.385.5000, Toll-free in the US: 1.800.653.3871
IN09_1217_3407 www.informatica.com linkedin.com/company/informatica twitter.com/Informatica
© Copyright Informatica LLC 2023. A current list of Informatica trademarks is available on the web at
https://www.informatica.com/trademarks.html.
The information in this documentation is subject to change without notice. If you find any problems in this documentation, please report
them to us in writing at Informatica LLC 2100 Seaport Blvd. Redwood City, CA 94063.

INFORMATICA LLC PROVIDES THE INFORMATION IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION
OF NON-INFRINGEMENT.

REVISION Q4 2023
