
Security Model

Objective

Define trust boundaries, core controls, and current implementation posture for Cyprob EE.

Trust Boundaries

  • User boundary: authenticated users vs unauthenticated access.
  • Tenant boundary: organization-level data separation.
  • Execution boundary: control plane vs worker runtime.
  • Secret boundary: application runtime vs secret storage backend.

Control Domains

1. Authentication and Session Security

  • Login and token issuance via POST /api/v1/auth/login.
  • Token refresh and logout endpoints are defined and versioned.
  • Session lifecycle controls are available (list/revoke sessions).

2. Authorization and Tenant Isolation

  • Route model supports secure-by-default registration.
  • Org-scoped and permission-scoped endpoints are explicitly declared.
  • Organization context is enforced for org-scoped APIs.
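
A minimal sketch of the route model described in this section, added here as an illustration and not Cyprob EE's own code: a route that declares nothing requires authentication, public and org-scoped access must be declared explicitly, and org-scoped checks are evaluated against the organization named in the request. The `Registry`, `Access` and `Principal` names, the `scans:read` permission and every path except `/api/v1/auth/login` are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Access(Enum):
    PUBLIC = "public"        # must be declared explicitly
    AUTHENTICATED = "authn"  # applied when a route declares nothing
    ORG_SCOPED = "org"       # org membership plus a named permission


@dataclass
class Principal:
    user_id: str
    grants: dict = field(default_factory=dict)  # org id -> set of permissions


class Registry:
    def __init__(self):
        self._routes = {}  # path -> (access, permission)

    def register(self, path, access=Access.AUTHENTICATED, permission=None):
        # Reject inconsistent declarations at startup, not at request time.
        if (access is Access.ORG_SCOPED) != bool(permission):
            raise ValueError(f"{path}: permission belongs on org-scoped routes only")
        self._routes[path] = (access, permission)

    def authorize(self, path, principal: Optional[Principal] = None, org_id=None):
        """Return an HTTP-style status for the access decision."""
        if path not in self._routes:
            return 404
        access, permission = self._routes[path]
        if access is Access.PUBLIC:
            return 200
        if principal is None:
            return 401
        if access is Access.AUTHENTICATED:
            return 200
        # Org context comes from the request; grants come from the session.
        # A grant held in another organization never satisfies the check.
        held = principal.grants.get(org_id, set())
        return 200 if permission in held else 403


def build_registry():
    reg = Registry()
    reg.register("/api/v1/auth/login", Access.PUBLIC)  # path from this page
    reg.register("/api/v1/auth/sessions")              # hypothetical path
    reg.register("/api/v1/orgs/{org}/scans", Access.ORG_SCOPED, "scans:read")  # hypothetical
    return reg
```

Registering an org-scoped route without a permission raises at startup, so a missing declaration shows up as a failed deployment instead of an unprotected endpoint.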

3. Secret Management

  • Production model supports Vault-based secret retrieval.
  • Static KV secrets are production-ready.
  • Dynamic database credentials are optional for higher-security environments.

4. Auditability

  • Operational and security events are designed to be auditable.
  • Deployment and admin workflows should retain execution evidence.
  • Audit trails must be connected to compliance/SIEM processes where required.

5. Data Protection Posture

  • Database and deployment model are structured for controlled access.
  • Multi-tenant operational model requires strict org-level access checks.
  • Backup/restore procedures must preserve confidentiality and integrity controls.

Current Implementation Notes (Important)

  • Plugin execution is currently YAML-centric in the active implementation.
  • WebAssembly sandbox execution is a target architecture direction and should not be represented as generally available until implementation is completed and validated.

Threat Assumptions

  • Internal users may make configuration mistakes.
  • Restricted networks reduce but do not eliminate insider risk.
  • Compromised credentials remain a primary risk; short token TTL and session controls are mandatory.
  • Misconfigured integrations can bypass intended data-flow boundaries.

Security Baseline Checklist

  • TLS enabled for external ingress.
  • Strong password and account policy enforced.
  • Vault auth model hardened (no root token in production).
  • Org/role mappings reviewed before go-live.
  • Audit retention and review process defined.
  • Backup encryption and restore drill completed.

Limitations

  • Security posture depends on deployment hardening discipline.
  • Compliance claims must be mapped to customer-specific controls and evidence.

Next Action

Continue with POC Playbook to validate security and operational assumptions during evaluation.