Datapipe Access Control Model for AWS
Datapipe’s Access Control Model for AWS brings a deeper level of trust and security specifically focused on protecting and safeguarding an enterprise’s virtual infrastructure.
DACMA lets enterprise businesses take advantage of Datapipe’s AWS managed services without requiring them to hand over administrator-level credentials. The model also allows for an enhanced level of security and control through role-based access and tracking, clearly establishing and tracking the accountability and actions of all users.
Key elements of DACMA include:
- Complete Control of Data: Traditionally, when working with a managed services provider (MSP), an enterprise must hand over its administrator-level or root-level credentials and API keys to enable that MSP to run and manage the virtual environment. DACMA removes this requirement. Through AWS Trust Relationships and Security Token Service (STS) software, Datapipe is able to effectively manage an enterprise’s system without the enterprise having to hand over administrative-level credentials to Datapipe, credentials that are difficult to take back once given out. This gives the enterprise complete control over its virtual infrastructure and data with the ability to pull user privileges at will.
- Role-based Access: DACMA also enables role-based access within a system. This gives the enterprise and Datapipe the ability to control who has access to certain data with ease. Role-based access helps enterprises adhere to compliance requirements and DACMA helps businesses achieve this easily and with a high degree of customization.
- Accountability: With DACMA, all system access and activities are tied back to unique user names without the hassle of managing a long list of AWS users. This identity information is tagged to all actions taken by users and visible to both the enterprise and Datapipe via CloudTrail. Accountability within the system ensures the enterprise is meeting compliance requirements and also enables detection and response, ensuring nefarious actions won’t go undetected.
- Two-Factor Authentication: DACMA requires two-factor authentication for Datapipe employees to log in to the Datapipe SSO. An additional layer of security is enforced by also requiring two-factor authentication for Datapipe employees trying to access the enterprise’s AWS account.
- Credential Security: DACMA was built with key protection as a fundamental tenet. Datapipe support personnel never see or directly access their own AWS login credentials. Logins are automated and personnel keys are never exposed. They are stored encrypted in a password vault protected by a high-security Hardware Security Module and extensive auditing, access control, and reporting. These security features ensure that for every step of the login process, account keys are secured and protected.
All of DACMA’s security measures for platform security are used by default for all of Datapipe’s Managed AWS clients. Datapipe also offers additional instance-based security protection measures including intrusion detection and threat management, data encryption for all sensitive data, and a web application firewall to protect against internet-based threats.
DACMA is seamless. It requires no extra steps or oversight once it is set up. Once implemented, DACMA dramatically reduces the risk of a disruption of service or data breach due to unauthorized access of an AWS environment by Datapipe.
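The Accountability and Two-Factor Authentication points above can be checked from the customer side in CloudTrail. The following is an added example, not Datapipe's code: it assumes the provider's operators reach the account through a role hypothetically named ExampleMspSupport and that the role session name carries the operator's unique user name; all log records are constructed.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records; account ID, role and operator names are placeholders.
SAMPLE_EVENTS = json.loads("""
[
 {"eventName": "RebootInstances", "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/ExampleMspSupport/alice",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/ExampleMspSupport/bob",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventName": "PutObject", "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/AppServerRole/i-0abc",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventName": "CreateUser", "userIdentity": {"type": "IAMUser",
   "arn": "arn:aws:iam::111122223333:user/carol"}}
]
""")

def session_of(event, role_name):
    """Session name if the call came through role_name (ARN resource is
    assumed-role/<role>/<session name>), otherwise None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = ident.get("arn", "").split(":", 5)[-1].split("/", 2)
    if len(parts) != 3 or parts[0] != "assumed-role" or parts[1] != role_name:
        return None
    return parts[2]

def actions_by_operator(events, role_name):
    """Map each operator (session name) to the API calls made through the role."""
    out = defaultdict(list)
    for ev in events:
        who = session_of(ev, role_name)
        if who is not None:
            out[who].append(ev["eventName"])
    return dict(out)

def operators_without_mfa(events, role_name):
    """Operators with at least one call from a session not marked MFA-authenticated."""
    flagged = set()
    for ev in events:
        who = session_of(ev, role_name)
        ctx = ev.get("userIdentity", {}).get("sessionContext", {})
        # CloudTrail stores the flag as the string "true"/"false"; missing counts as no MFA.
        if who is not None and ctx.get("attributes", {}).get("mfaAuthenticated") != "true":
            flagged.add(who)
    return sorted(flagged)
```

Run against exported CloudTrail records, `actions_by_operator` gives the per-person activity list and `operators_without_mfa` lists sessions that should not exist if two-factor authentication is enforced on the role.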