Security and Privacy

Usage Engine is built with a strong focus on security and has a password policy that conforms to NIST 800-63B. It provides the following security features: 

• Token based authentication. 
• Role base access control. 
• OIDC Identity Provider. 
• Encryption at rest – using tools to encrypt the data before writing it to storage.  
• Encryption at transit – Using TLS encryption (note – a few agents/protocols still do not provide TLS. If encryption at transit is needed for such features, it must be enabled in the networking layer). 
• Immutable images, scanned with image scanners for CVEs. 
• Automated certificate management, using the cert-manager tool to integrate with CA. 

Token Based Authentication

Our web UIs and the following agents and profiles uses token based authentication:

• HTTP/2 Client Agent(3.0)
• Archive (3.0)
• Web Service (3.0)

Role Based Access Control

To be able to operate Usage Engine, you need to be defined as a user in the system, and these permissions are configured in the Access Controller. Your access to various applications is defined by the access group that you are assigned to.  The Execute permission means that members of an access group can view and read the information in that application.  While the Write permission means that the members can perform change or create action in that application. 

See Access Controller(3.0) for more information.

OIDC Identity Provider

It is possible to configure Usage Engine to take on the role of the 'identity provider' (IdP) in the OpenID Connect Authorization Code Flow described in https://openid.net/specs/openid-connect-core-1_0.html.

Access control to OIDC authenticated applications is integrated in role model, see OIDC Identity Provider(3.0) for more information.

Encryption at Rest

When running in AWS, Usage Egnine stores data persistently in RDS, EFS and optionally MemoryDB. All these services support encryption at rest. The default Terraform templates provided as part of the product are configured to use encryption at rest. MemoryDB is configured by the customer. It is recommended to configure it with encryption at rest if sensitive information will be stored in it.

See Assets and Services(3.0) for more information.

Encryption at Transit

The following agents and profiles use TLS:

• Diameter(3.0)
• Email(3.0)
• FTPS(3.0)
• HTTP/2 Client Agent(3.0)
• HTTP/2 Server Agent(3.0)
• LDAP(3.0)
• SNMP(3.0)
• Diameter Routing (3.0)
• Security (3.0)

and the system interfaces use HTTPS and TLS.

Immutable images

Usage Engine is delivered as docker images that are being scanned for any potential CVEs before being made available for download.

Automated certificate management

Use of cert-manager is recommended for deployment in private cloud or AWS, but can be disabled if needed.

See System Requirements - Private Cloud(3.0), Pre-installation (3.0) for more information.