Security Considerations
The initial configurations of TrustGraph have the following security characteristics:
| Boundary | Condition | Consideration |
|---|---|---|
| External access | It is necessary to consider the external access in the TrustGraph deployment:
| Ensure you understand whether TrustGraph services are exposed to the network outside of your host, and always verify you understand the network security controls applied by your cloud environment. |
| Service credentials | Internal services such as Cassandra and Pulsar are deployed without service-level credentials, relying on network isolation to prevent unauthorised access. Workspace isolation provides structural data separation through per-workspace pub/sub queues and storage partitioning. | For complex multi-tenant environments consider understanding the extra security features which are available in services. See Workspaces & Data Isolation for details on the data separation model. |
| Gateway authentication | The API gateway enforces authentication on all requests using Authorization headers. Two credential types are supported: API keys (long-lived tokens with a tg_ prefix) and username/password login which issues temporary JWT tokens. | Pay close attention to user access control management. Ensure that API keys are handled and distributed only through secure channels. Prefer username/password authentication for ordinary users so that only temporary tokens are in circulation. |
| IAM bootstrap token | On first cold start, TrustGraph creates an initial security account using the IAM_BOOTSTRAP_TOKEN environment variable. This token is only used for initial setup — once the system is running, additional accounts can be created and tokens changed through the workbench. | Treat the bootstrap token as a sensitive credential. In Pulumi-based deployments it is auto-generated and retrievable via pulumi stack output. For compose deployments, choose a strong token value. Consider rotating or replacing the bootstrap credentials once the system is operational. |
Enterprise Support
Enhanced security support for TrustGraph is available from KnowNext at https://knownext.io. See also Security for the broader security architecture and enterprise IAM capabilities.