Secure Architecture


CTERA Insight is a robust and secure analytics platform designed to provide advanced visualization and insights into data usage, activity, and security within the CTERA Global File System. Operating as a multi-tenant SaaS solution hosted in a CTERA-owned AWS account, its architecture is built around core principles of security, scalability, and tenant isolation. This ensures that each customer's data is processed, stored, and accessed with the utmost care and compliance, regardless of deployment mode.

CTERA Insight uses a unidirectional data flow, which ensures secure communication from customer environments to the Insight platform. Metadata and audit logs are uploaded via HTTPS using TLS 1.3, ensuring encryption and integrity during transfer. This unidirectional model eliminates the need for inbound connections from the Insight service into customer networks, significantly reducing the attack surface and ensuring strict network isolation. This secure flow of data underpins the platform’s ability to process sensitive customer information safely and efficiently.

Data segregation is foundational to CTERA Insight’s design. Each customer is provisioned with a private “dropzone” S3 bucket configured with encryption at rest using AES-256 and strict access controls. Short-term AWS Security Token Service (STS) tokens are issued to the CTERA Portal, which uses these tokens to securely upload metadata and logs into the dropzone. This approach ensures that access to customer data is tightly scoped and periodically refreshed, mitigating exposure risks. These private buckets form the basis of tenant isolation, guaranteeing that no data is shared or accessible between tenants.

Tenant Isolation and Advanced Authentication

To reinforce tenant isolation, each customer is allocated a dedicated big-data processing pipeline and a separate database. These independent resources ensure that tenant data remains logically and operationally segregated, preventing unauthorized access or interference. Leveraging AWS-native big-data services, these pipelines enable efficient and scalable ingestion, transformation, and analysis of customer metadata. They support both real-time and batch processing workflows, providing tailored analytics to meet tenant-specific needs while maintaining isolation.

CTERA Insight employs industry-standard authentication protocols to protect tenant data. Single Sign-On (SSO) is implemented via OAuth2 and OpenID Connect (OIDC), seamlessly integrating with the CTERA Portal and utilizing Keycloak as the Identity Provider. This centralized authentication mechanism ensures that only authorized users can access customer dashboards. Role-based access control (RBAC) further restricts access to tenant-specific data. Additionally, short-lived OIDC tokens validated by the Apache Superset-based dashboard application enhance security by reducing the risk of credential compromise.

Compliance and Resilience

Adhering to SOC2 standards, CTERA Insight meets rigorous security, availability, and confidentiality requirements, reflecting its commitment to maintaining trust and compliance. This includes regular third-party penetration testing, comprehensive auditing of system access and administrative actions, and proactive monitoring through AWS Security Hub and GuardDuty. These measures reassure customers that their data and insights are managed securely and align with industry best practices.

CTERA Insight is designed for resilience and high availability, leveraging redundant AWS infrastructure to eliminate single points of failure. Regular data backups and disaster recovery plans ensure that operations can quickly resume without data loss in the event of an outage.

The activation process generates a unique API access token for each customer, establishing a secure communication channel between the CTERA Portal and the Insight service. By employing encrypted communication and secure token-based authentication, the setup process is both user-friendly and resistant to attack.

For authentication and authorization, CTERA Insight employs Keycloak as the Identity Provider (IdP), enabling SSO via OAuth2 and OpenID Connect (OIDC). This integration allows users to authenticate through the CTERA Portal and securely access their dashboards without managing separate credentials. OIDC tokens issued by Keycloak ensure secure and role-based access to tenant-specific resources while minimizing security risks associated with credential management.

A per-tenant Dropzone Bucket in Amazon S3 is provisioned for each customer, acting as a secure and isolated repository for storing uploaded metadata and audit logs. These buckets are configured with encryption at rest using AES-256, and access is tightly controlled through short-lived STS credentials. The use of per-tenant buckets guarantees that data from different tenants remains segregated, ensuring privacy and compliance.
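The per-tenant dropzone described here and in the "Data segregation" paragraph above relies on two controls: a short-lived STS credential and a policy that confines it to one tenant's bucket. The following is an added illustration, not CTERA's own code, of what such a scoped-down session policy can look like and how it behaves; the bucket naming scheme, the role ARN and the 900-second duration are assumptions, and the evaluator is a deliberately simplified model of IAM (explicit Deny beats Allow, wildcard resource match, one StringNotEquals condition), not a full policy engine.

```python
import fnmatch
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"


def dropzone_session_policy(tenant_id: str) -> dict:
    """Session policy for sts:AssumeRole scoped to one tenant's dropzone.
    Upload-only (s3:PutObject) into that tenant's bucket; an explicit Deny
    rejects any upload that does not request AES-256 server-side encryption."""
    bucket_arn = f"arn:aws:s3:::insight-dropzone-{tenant_id}"  # constructed name
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": [f"{bucket_arn}/*"]},
            {"Effect": "Deny", "Action": ["s3:PutObject"],
             "Resource": [f"{bucket_arn}/*"],
             "Condition": {"StringNotEquals": {SSE_HEADER: "AES256"}}},
        ],
    }


def assume_role_request(tenant_id: str, role_arn: str) -> dict:
    """Keyword arguments for boto3's sts.assume_role(). 900 s is the minimum
    AWS accepts, so the upload credential expires shortly after use; the
    session policy can only narrow, never widen, the role's own permissions."""
    return {"RoleArn": role_arn,
            "RoleSessionName": f"dropzone-{tenant_id}",
            "DurationSeconds": 900,
            "Policy": json.dumps(dropzone_session_policy(tenant_id))}


def evaluate(policy: dict, action: str, resource: str, headers: dict) -> bool:
    """Simplified IAM decision: explicit Deny wins, then Allow, else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        # StringNotEquals is satisfied when the key is absent or differs
        if cond and not all(headers.get(k) != v for k, v in cond.items()):
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Run against a tenant-a credential, the model allows an AES-256 upload into tenant-a's bucket and refuses an upload into tenant-b's bucket, an unencrypted upload, and any read.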

Each tenant is also assigned a dedicated big-data database and processing pipeline, which are used to analyze and derive insights from the collected metadata. These pipelines, implemented with AWS-native big-data services, handle both real-time and batch processing to deliver timely and comprehensive analytics. By allocating separate resources for each tenant, the architecture enforces strong isolation and prevents cross-tenant data access or interference.

Note

Data stored in CTERA Insight is kept separately from the Portal, so it complies with compliance and evidence requirements.