AppDat Zero Trust Architecture #
The AppDat platform operates as a "Zero Trust" environment: every application runs in isolation, and there is no implicitly trusted network path between applications, or between an application and application appliances such as databases. To achieve this "Zero Trust" security architecture, AppDat employs several key pieces of technology to handle the following:
Diagram #
User Authentication #
User authentication is handled by the AppDat Auth Service, which integrates directly with several specific identity providers. These providers support different NIST SP 800-63-3 Identity Assurance Levels (IALs):
| IAL | Description | Identity Providers |
|---|---|---|
| IAL1 | Attributes, if any, are self-asserted or should be treated as self-asserted. | Google, Login.gov, ORCID |
| IAL2 | Either remote or in-person identity proofing is required. IAL2 requires identifying attributes to have been verified in person or remotely using, at a minimum, the procedures given in SP 800-63A. | Login.gov |
| IAL3 | In-person identity proofing is required. Identifying attributes must be verified by an authorized CSP representative through examination of physical documentation as described in SP 800-63A. | NASA |
AppDat integrated Identity Providers #
NASA identities #
- IAL3
AppDat's primary identity provider integration is with the current NASA authoritative identity provider service (Launchpad). Should NASA change its authoritative identity provider service, AppDat will migrate to align with the agency.
Login.gov identities #
- IAL2
- IAL1
AppDat is directly integrated with GSA's login.gov identity provider for U.S. citizens.
ORCID identities #
- IAL1
ORCID is a not-for-profit organization focused on connecting research and researchers. Many NASA-funded researchers use ORCID, which issues an "ORCID iD": a unique, persistent identifier provided free of charge to researchers.
Google identities #
- IAL1
AppDat is directly integrated with Google's Identity Provider Service.
User Authorization #
AppDat's endpoint authorization data is managed within the AppDat Auth Service. Application owners can provision and deprovision user authorization for specific application endpoints, and manage all user application roles and user groups, from the AppDat Auth Service user interface or API.
Authorization enforcement is handled either by the application itself or by the AppDat Gatekeeper service.
Device Authentication #
Device Authorization #
Context based access control #
In addition to standard identity-based authorization, the AppDat Gatekeeper service also supports access controls based on the context of the user's request, such as originating IP address, geographic location, and endpoint (device) security posture.
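The following Python is an added example that illustrates the decision described in the User Authorization section and the context-based controls above; it is not AppDat Gatekeeper or Auth Service code. It evaluates identity-based checks first (the user's IAL, clamped to what the asserting provider is integrated at, then application role) and only then the request-context checks (source IP, country, device posture). The policy fields, reason codes, provider names and sample requests are assumptions made for illustration.

```python
"""Illustrative context-based access check for an AppDat-style gatekeeper.

Added example, not AppDat's own code. Policy fields, reason codes and
sample data are assumptions for illustration only.
"""
from dataclasses import dataclass
import ipaddress

# Highest IAL each integrated provider can assert, per the page's table
# (NIST SP 800-63-3 levels). Used to clamp whatever the token claims.
IAL_BY_PROVIDER = {"nasa": 3, "login.gov": 2, "orcid": 1, "google": 1}


@dataclass(frozen=True)
class EndpointPolicy:
    path: str
    min_ial: int                    # minimum IAL the endpoint requires
    allowed_roles: frozenset        # any one of these roles grants access
    allowed_cidrs: tuple = ()       # empty = no source-IP restriction
    allowed_countries: tuple = ()   # empty = no geographic restriction
    require_managed_device: bool = False


@dataclass(frozen=True)
class Request:
    subject: str
    provider: str          # which integrated IdP authenticated the user
    asserted_ial: int      # IAL claimed in the IdP assertion
    roles: frozenset       # application roles held in the Auth Service
    source_ip: str
    country: str           # ISO 3166 alpha-2 from a geo lookup (assumed)
    device_managed: bool   # device-posture signal, reduced to a bool (assumed)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str            # stable code suitable for an audit log entry


def effective_ial(req: Request):
    """Clamp the asserted IAL to the provider's cap; None if unknown IdP."""
    cap = IAL_BY_PROVIDER.get(req.provider)
    return None if cap is None else min(req.asserted_ial, cap)


def evaluate(policy: EndpointPolicy, req: Request) -> Decision:
    """Identity-based checks first, then context checks; deny with a reason."""
    ial = effective_ial(req)
    if ial is None:
        return Decision(False, "unknown-provider")
    if ial < policy.min_ial:
        return Decision(False, "insufficient-ial")
    if not (req.roles & policy.allowed_roles):
        return Decision(False, "role-not-permitted")

    # Context checks tighten an already-authorized request; they never
    # substitute for authentication.
    if policy.allowed_cidrs:
        try:
            ip = ipaddress.ip_address(req.source_ip)
        except ValueError:
            return Decision(False, "malformed-source-ip")
        if not any(ip in ipaddress.ip_network(c) for c in policy.allowed_cidrs):
            return Decision(False, "source-ip-not-allowed")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return Decision(False, "country-not-allowed")
    if policy.require_managed_device and not req.device_managed:
        return Decision(False, "unmanaged-device")
    return Decision(True, "ok")


# Constructed sample policy and requests (not real AppDat data).
ADMIN_POLICY = EndpointPolicy(
    path="/api/admin",
    min_ial=2,
    allowed_roles=frozenset({"app-admin"}),
    allowed_cidrs=("10.0.0.0/8",),
    allowed_countries=("US",),
    require_managed_device=True,
)


def sample_requests():
    base = dict(subject="alice", roles=frozenset({"app-admin"}),
                source_ip="10.20.30.40", country="US", device_managed=True)
    return {
        "nasa-managed": Request(provider="nasa", asserted_ial=3, **base),
        # Google is integrated at IAL1, so a token claiming IAL3 is clamped.
        "google-overclaim": Request(provider="google", asserted_ial=3, **base),
        "login.gov-offnet": Request(provider="login.gov", asserted_ial=2,
                                    **{**base, "source_ip": "203.0.113.7"}),
        "nasa-byod": Request(provider="nasa", asserted_ial=3,
                             **{**base, "device_managed": False}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:18s} -> {evaluate(ADMIN_POLICY, req)}")
```

Two design points worth keeping in a real enforcement layer: the IAL is taken as the minimum of what the token asserts and what the provider is integrated at, so an overclaiming assertion cannot raise a Google login to IAL3; and every denial returns a fixed reason code, which is what makes the audit log useful when reviewing why access was refused.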
Audit logging #
AppDat provides a robust logging framework, by default, for all AppDat-hosted applications. The AppDat Logging service collects audit logs for the following:
- User management
- User application access
- Service usage