Security Considerations

The initial configurations of TrustGraph have the following security characteristics:

Boundary Condition Consideration
External access

It is necessary to consider the external access in the TrustGraph deployment:

  • Docker Compose / Podman Compose: Take care when deploying this way to a host that is directly addressable from the internet. Published ports bind to all interfaces by default, so services may be reachable from the internet without any authentication.
  • Scaleway: The Kubernetes deployment does not have any external access enabled. Access is only possible through `kubectl` port-forwarding using your Kubernetes credentials.
  • OVHcloud: The Kubernetes deployment does not have any external access enabled. Access is only possible through `kubectl` port-forwarding using your Kubernetes credentials.
  • AWS EC2: The provided configuration has a security group configuration which does not permit external access.
  • AWS RKE: The provided configuration has a security group configuration which does not permit external access.
Make sure you know which TrustGraph services are exposed to the network outside your host, and always verify the network security controls (security groups, firewalls, ingress rules) that your cloud environment actually applies rather than assuming the defaults.
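As a practical check for the Compose case above, the following added example (not part of TrustGraph's own code or configuration) reads a Compose file and reports every service whose published ports bind to a non-loopback interface. The sample Compose content, service names and port numbers are constructed for the example and are not TrustGraph's real configuration; only the Compose short port syntax (`[host_ip:]host_port:container_port[/protocol]`) is handled.

```python
# Added example (not TrustGraph project code): flag Compose services whose
# published ports are reachable from outside the host.
# In Compose short syntax, "8088:8088" binds to 0.0.0.0 (every interface),
# while "127.0.0.1:8088:8088" or "[::1]:8088:8088" is host-only.
from typing import Dict, List

# Constructed sample Compose content for this example (illustrative only).
SAMPLE_COMPOSE = """\
services:
  api-gateway:
    image: example/api-gateway
    ports:
      - "8088:8088"
  cassandra:
    image: cassandra
    ports:
      - "127.0.0.1:9042:9042"
  pulsar:
    image: apachepulsar/pulsar
    ports:
      - 6650:6650
      - "[::1]:8080:8080"
  worker:
    image: example/worker
"""


def host_interface(mapping: str) -> str:
    """Return the host interface a short-syntax port mapping binds to."""
    spec = mapping.split("/")[0]               # drop a trailing /tcp or /udp
    if spec.startswith("["):                   # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    if len(parts) >= 3:                        # host_ip:host_port:container_port
        return ":".join(parts[:-2])
    return "0.0.0.0"                           # no host IP given: all interfaces


def bound_to_loopback(mapping: str) -> bool:
    """True if the mapping is only reachable from the host itself."""
    iface = host_interface(mapping)
    return iface == "::1" or iface.startswith("127.")


def exposed_ports(compose_text: str) -> Dict[str, List[str]]:
    """Return {service: [port mappings bound to a non-loopback interface]}.

    Minimal line-based walk of the YAML so the check runs without PyYAML:
    services are 2-space indented keys, 'ports:' is 4-space indented, and
    its list items are 6-space indented '- value' lines.
    """
    exposed: Dict[str, List[str]] = {}
    in_services = False
    service = None
    in_ports = False
    for raw in compose_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                        # top-level key
            in_services = stripped == "services:"
            service, in_ports = None, False
            continue
        if not in_services:
            continue
        if indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False
            continue
        if indent == 4:
            in_ports = stripped == "ports:"
            continue
        if in_ports and service and stripped.startswith("- "):
            mapping = stripped[2:].strip().strip("'\"")
            if not bound_to_loopback(mapping):
                exposed.setdefault(service, []).append(mapping)
    return exposed


if __name__ == "__main__":
    for name, ports in exposed_ports(SAMPLE_COMPOSE).items():
        print(f"{name}: exposed on all interfaces via {', '.join(ports)}")
```

Run it against your real `docker-compose.yaml` by reading the file into `exposed_ports`. Anything it lists is reachable from every interface on the host; note that Docker publishes ports through its own iptables rules, so a host firewall such as ufw does not necessarily block them.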
Service credentials

Services such as Cassandra and Pulsar are deployed without security credentials, relying on network isolation to prevent unauthorised access. For more complex or multi-tenant environments, review the additional security features these services offer (for example, authentication and authorisation in Cassandra and Pulsar) and enable them.

Gateway authentication

Out of the box, there is no authentication on the API gateway. Consider setting `GATEWAY_TOKEN` and supplying that token in API calls. Alternatively, protect the gateway with a custom authentication gateway for external access.
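One way to implement the "custom authentication gateway" alternative, as an added example that is not TrustGraph's own code: a small authenticating reverse proxy placed in front of the API gateway. It rejects any request without the expected token and forwards the rest to the gateway on localhost. The upstream address (`UPSTREAM`, `127.0.0.1:8088`), the listening port (8443), reading the expected token from the `GATEWAY_TOKEN` environment variable, and the header format (`Authorization: Bearer <token>`) are all assumptions made for this example, not documented TrustGraph conventions.

```python
# Added example (not TrustGraph project code): token-checking reverse proxy.
# ASSUMPTIONS for this example: upstream gateway address, listening port,
# env var name, and the Authorization: Bearer <token> header convention.
import hmac
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

UPSTREAM = os.environ.get("UPSTREAM", "http://127.0.0.1:8088")  # assumed
EXPECTED_TOKEN = os.environ.get("GATEWAY_TOKEN", "")             # assumed


def token_from_headers(headers) -> Optional[str]:
    """Extract a bearer token from an Authorization header, or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def is_authorized(headers, expected: str) -> bool:
    """Deny by default: an empty expected token rejects every request, and the
    comparison is constant-time so response timing does not leak the secret."""
    if not expected:
        return False
    presented = token_from_headers(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class AuthProxy(BaseHTTPRequestHandler):
    """Checks the token, then relays the request to the upstream gateway."""

    def _handle(self):
        if not is_authorized(self.headers, EXPECTED_TOKEN):
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        req = Request(UPSTREAM + self.path, data=body, method=self.command)
        for name in ("Content-Type", "Accept"):   # forward only what upstream needs
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            with urlopen(req, timeout=30) as resp:
                self._relay(resp.status, resp.getheaders(), resp.read())
        except HTTPError as err:
            self._relay(err.code, err.headers.items(), err.read())

    def _relay(self, status, headers, payload):
        self.send_response(status)
        for key, value in headers:
            if key.lower() not in ("transfer-encoding", "connection"):
                self.send_header(key, value)
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    if not EXPECTED_TOKEN:
        raise SystemExit("GATEWAY_TOKEN is not set; refusing to start an open proxy")
    ThreadingHTTPServer(("0.0.0.0", 8443), AuthProxy).serve_forever()
```

The proxy refuses to start without a token rather than falling through to an open gateway, and it terminates external traffic so the gateway itself can stay bound to loopback. In production, put TLS in front of it (or run it behind a TLS-terminating reverse proxy), since a bearer token sent over plain HTTP can be replayed by anyone on the path.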

Enterprise Support

Enhanced security support for TrustGraph is available from KnowNext at https://knownext.io.