CTERA InsightAI is a robust and secure analytics platform designed to provide advanced visualization and insights into data usage, activity, and security within the CTERA Global File System. Operating as a multi-tenant SaaS solution hosted in a CTERA-owned AWS account, its architecture is built around core principles of security, scalability, and tenant isolation. This ensures that each customer's data is processed, stored, and accessed with the utmost care and compliance, regardless of deployment mode.
CTERA InsightAI uses a unidirectional data flow, which ensures secure communication from customer environments to the Insight platform. Metadata and audit logs are uploaded via HTTPS using TLS 1.3, ensuring encryption and integrity during transfer. This unidirectional model eliminates the need for inbound connections from the Insight service into customer networks, significantly reducing the attack surface and ensuring strict network isolation. This secure flow of data underpins the platform’s ability to process sensitive customer information safely and efficiently.
Data segregation is foundational to CTERA InsightAI’s design. Each customer is provisioned with a private dropzone S3 bucket configured with encryption at rest using AES-256 and strict access controls. Short-term AWS Security Token Service (STS) tokens are issued to the CTERA Portal, which uses these tokens to securely upload metadata and logs into the dropzone. This approach ensures that access to customer data is tightly scoped and periodically refreshed, mitigating exposure risks. These private buckets form the basis of tenant isolation, guaranteeing that no data is shared or accessible between tenants.
Tenant Isolation and Advanced Authentication
To reinforce tenant isolation, each customer is allocated a dedicated big-data processing pipeline and a separate database. These independent resources ensure that tenant data remains logically and operationally segregated, preventing unauthorized access or interference. Leveraging AWS-native big-data services, these pipelines enable efficient and scalable ingestion, transformation, and analysis of customer metadata. They support both real-time and batch processing workflows, providing tailored analytics to meet tenant-specific needs while maintaining isolation.
CTERA InsightAI employs industry-standard authentication protocols to protect tenant data. Single Sign-On (SSO) is implemented via OAuth2 and OpenID Connect (OIDC), seamlessly integrating with the CTERA Portal and utilizing Keycloak as the Identity Provider. This centralized authentication mechanism ensures that only authorized users can access customer dashboards. Role-based access control (RBAC) further restricts access to tenant-specific data. Additionally, short-lived OIDC tokens validated by the Apache Superset-based dashboard application enhance security by reducing the risk of credential compromise.

Zero Trust
The platform assumes no implicit trust between any two components, regardless of network location. Every interaction — user-to-service, service-to-service, and service-to-cloud — is authenticated and authorized independently:
- No network-level trust – Services in the same cluster, namespace, or subnet do not trust each other by default. Every call carries a verifiable identity that the receiving service validates before processing the request.
- Continuous verification – Tokens and certificates are short-lived. Trust is re-established at every interaction rather than inherited from a prior session.
- Microsegmentation – Network policies restrict each tenant namespace to a strict allow list of permitted traffic. Only explicitly defined communication paths are open, limiting lateral movement.
- Scoped credentials everywhere – Cloud resources are accessed through identity federation with temporary, scoped credentials. No component holds static keys, passwords, or shared secrets.
Least Privilege
Every identity, human or machine, is granted the minimum set of permissions required for its specific function:
- Per-service cloud roles – Each workload binds to a unique cloud IAM role with permissions scoped to exactly the resources it needs. The ingestion pipeline, for example, can write to its tenant's storage path but cannot read analytics indices or access secrets belonging to other services.
- Tenant-scoped data access – User tokens carry embedded tenant and portal claims. The analytics engine uses these claims to dynamically restrict which indices and documents a query can reach. No standing administrative role exists that permits querying across tenant boundaries.
- Operator access boundaries – CTERA platform operators have access to observability and deployment tooling (monitoring dashboards, GitOps pipelines) but do not have access to customer data, either through the user interface or directly through the analytics indices. Operational access is governed by SOC 2 controls and all sessions are logged.
- Ephemeral administrative access – Privileged infrastructure access is performed through a session manager with no standing permissions. Sessions are IAM-authenticated, MFA-enforced, and fully logged.
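The tenant-scoped data access described above (short-lived OIDC tokens whose tenant and portal claims bound which indices a query may reach) can be shown end to end in a small token check. The following is an added example written for this page, not CTERA's or Keycloak's own code: the issuer and audience strings, the index naming scheme `<portal>-<tenant>-*`, and the HS256 shared secret are all assumptions made so the example runs offline (a Keycloak deployment would normally issue RS256 tokens verified against the realm's JWKS, and a production service would use a maintained JWT library rather than hand-rolled parsing).

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Assumed values, constructed for this example (not from the page):
ISSUER = "https://keycloak.example.invalid/realms/insight"   # assumed issuer URL
AUDIENCE = "insight-dashboard"                                # assumed client/audience
SECRET = b"constructed-demo-secret-do-not-reuse"              # constructed HS256 key
SAFE_CLAIM = re.compile(r"^[A-Za-z0-9_-]+$")                  # tenant/portal id charset


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tenant: str, portal: str, ttl: int = 300, now=None) -> str:
    """Issue a short-lived HS256 token carrying tenant and portal claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl,
               "tenant": tenant, "portal": portal}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Validate signature, algorithm, issuer, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # reject 'none' and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):     # short-lived: expiry is re-checked on every call
        raise ValueError("token expired")
    tenant, portal = claims.get("tenant", ""), claims.get("portal", "")
    if not (SAFE_CLAIM.match(tenant) and SAFE_CLAIM.match(portal)):
        raise ValueError("missing or unsafe tenant/portal claims")
    return claims


def allowed_index_prefix(claims: dict) -> str:
    """The only index prefix this token may query (naming scheme is assumed)."""
    return f"{claims['portal']}-{claims['tenant']}-"


def authorize_query(token: str, index: str, now=None) -> bool:
    """True only if the token is valid and the index lies inside the tenant's scope."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    # Trailing '-' in the prefix keeps tenant-42 from matching tenant-420.
    return index.startswith(allowed_index_prefix(claims))


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("tenant-42", "portal-a", ttl=300, now=t0)
    print(authorize_query(tok, "portal-a-tenant-42-audit", now=t0))        # True
    print(authorize_query(tok, "portal-a-tenant-43-audit", now=t0))        # False: other tenant
    print(authorize_query(tok, "portal-a-tenant-420-audit", now=t0))       # False: prefix trick
    print(authorize_query(tok, "portal-a-tenant-42-audit", now=t0 + 600))  # False: expired
```

The design point is that the index scope is derived from verified claims on every request, so no standing role or session cache can widen it; the only way to reach another tenant's indices is to present a validly signed token for that tenant.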
Compliance and Resilience
Adhering to SOC 2 standards, CTERA Insight meets rigorous security, availability, and confidentiality requirements, reflecting its commitment to maintaining trust and compliance. This includes regular third-party penetration testing, comprehensive auditing of system access and administrative actions, and proactive monitoring through AWS Security Hub and GuardDuty. These measures reassure customers that their data and insights are managed securely and align with industry best practices.
CTERA Insight is designed for resilience and high availability, leveraging redundant AWS infrastructure to eliminate single points of failure. Regular data backups and disaster recovery plans ensure that operations can quickly resume without data loss in the event of an outage.
The activation process generates a unique API access token for each customer, establishing a secure communication channel between the CTERA Portal and the Insight service. By employing encrypted communication and secure token-based authentication, the setup process is both user-friendly and resistant to attack vectors.
For authentication and authorization, CTERA InsightAI employs Keycloak as the Identity Provider (IdP), enabling SSO via OAuth2 and OpenID Connect (OIDC). This integration allows users to authenticate through the CTERA Portal and securely access their dashboards without managing separate credentials. OIDC tokens issued by Keycloak ensure secure and role-based access to tenant-specific resources while minimizing security risks associated with credential management.
A per-tenant Dropzone in Amazon S3 is provisioned for each customer, acting as a secure and isolated repository for storing uploaded metadata and audit logs. These buckets are configured with encryption at rest using AES-256, and access is tightly controlled through short-lived STS credentials. The use of per-tenant buckets guarantees that data from different tenants remains segregated, ensuring privacy and compliance.
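The dropzone design described here and earlier (a private per-tenant S3 bucket or prefix, AES-256 encryption at rest, and short-lived STS credentials scoped to uploading) can be expressed as a session policy attached when the upload role is assumed. The block below is an added example for this page, not CTERA's own code: the bucket name, role ARN and tenant id are constructed, the prefix layout `bucket/<tenant>/` is an assumption, and the `evaluate` function is a deliberately simplified local policy check (explicit Deny wins, then Allow, else implicit deny) used to illustrate the scoping offline; it is not AWS IAM's evaluation engine. The `assume_role_kwargs` helper only builds the keyword arguments for `boto3`'s `sts.assume_role` call and does not contact AWS.

```python
import fnmatch
import json

# Constructed names for this example (not from the page):
DROPZONE_BUCKET = "insight-dropzone-example"                     # constructed
UPLOAD_ROLE_ARN = "arn:aws:iam::000000000000:role/example-upload"  # constructed
TENANT_ID = "tenant-42"                                          # constructed


def dropzone_session_policy(bucket: str, tenant: str) -> dict:
    """Write-only access to the tenant's own prefix, and only for objects that
    are stored with SSE-S3 (AES-256) encryption at rest."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UploadToOwnPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{tenant}/*",
                "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
            },
        ],
    }


def assume_role_kwargs(role_arn: str, tenant: str, bucket: str = DROPZONE_BUCKET) -> dict:
    """Arguments for sts.assume_role: the session policy narrows the role further,
    and the 900-second duration keeps the credentials short-lived."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"dropzone-upload-{tenant}",
        "Policy": json.dumps(dropzone_session_policy(bucket, tenant)),
        "DurationSeconds": 900,
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statement_matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)            # None when the request lacks the key
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringNotEquals" and actual == wanted:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified local check: any matching Deny wins; otherwise a matching Allow
    is required; otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def object_arn(bucket: str, tenant: str, key: str) -> str:
    return f"arn:aws:s3:::{bucket}/{tenant}/{key}"


if __name__ == "__main__":
    policy = dropzone_session_policy(DROPZONE_BUCKET, TENANT_ID)
    sse = {"s3:x-amz-server-side-encryption": "AES256"}
    own = object_arn(DROPZONE_BUCKET, TENANT_ID, "audit/2024-01-01.log")
    other = object_arn(DROPZONE_BUCKET, "tenant-43", "audit/2024-01-01.log")
    print(evaluate(policy, "s3:PutObject", own, sse))     # True: encrypted upload to own prefix
    print(evaluate(policy, "s3:PutObject", own, {}))      # False: no encryption header
    print(evaluate(policy, "s3:PutObject", other, sse))   # False: another tenant's prefix
    print(evaluate(policy, "s3:GetObject", own, sse))     # False: credentials are write-only
```

In use, the portal would call `boto3.client("sts").assume_role(**assume_role_kwargs(...))` and upload with the returned temporary credentials; the bucket's own policy and default encryption setting remain the authoritative controls, and the session policy can only narrow what the role already permits, never widen it.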
Each tenant is also assigned a dedicated big-data database and processing pipeline, which are used to analyze and derive insights from the collected metadata. These pipelines, implemented with AWS-native big-data services, handle both real-time and batch processing to deliver timely and comprehensive analytics. By allocating separate resources for each tenant, the architecture enforces strong isolation and prevents cross-tenant data access or interference.
Data stored in CTERA InsightAI is kept separately from the portal, which supports compliance and evidence-retention requirements.