Security Model
Provide Security Without Sacrificing Performance
InterSystems products provide flexible and robust security capabilities while minimising the burden on application performance and development. Our products are designed to support secure application deployment in three ways, by:
- Securing the product environment itself
- Making it easy for developers to build security features into their applications
- Ensuring that our products work effectively with, and do not compromise, the security of the operating environment
Authentication
The security of our products is based on Authentication. Authentication is how users (humans, devices, other applications) prove that they are who they say they are. Our products support a number of authentication mechanisms (LDAP, Kerberos, direct passwords, OpenAM, and OpenID), and include support for two-factor authentication as needed.
Authorisation
Authorisation determines what resources a user is allowed to use, view, or alter. Assigning and managing privileges (including role-based and application-based privileges) is easily accomplished through APIs and interactive applications. We also support row- and column-level security, as well as RBAC.
Encryption
We provide mechanisms for encrypting both data-at-rest and data-in-motion. Data-at-rest encryption encrypts the entire database, including indexes. Our products detect whether the underlying hardware supports acceleration for encryption algorithms and use it when available. In addition, we support data-element encryption to encrypt highly sensitive information. Encrypted data elements can even be re-encrypted at runtime.
Auditing
In our products, all system and application events are recorded in a tamper-proof append-only log, which is compatible with any query or reporting tool that uses SQL to review and analyse audit records. In addition to the built-in auditing events, customers can store application-specific events as well.
Reliability
Shorten Planned and Unplanned Downtime
Keeping your data intact and your important applications up and running 24×7 matters. InterSystems IRIS provides several options for high availability (HA) and disaster recovery (DR), including clustering, virtualisation HA, and an elegant, easy-to-implement technology for database mirroring.
Database Mirroring
A database mirror is a logical grouping of two InterSystems IRIS systems. Upon startup, the mirror automatically designates one of these two physically independent systems as the primary system; the other one automatically becomes the backup system. Mirrored databases are synchronised from the primary to the backup failover member in real time through a TCP channel.
Sharded database architectures require setting up a database mirror for each shard, thereby eliminating any single point of failure. Deploying in a cloud environment will require some extra configuration steps to ensure automatic redirection of incoming traffic to the primary node.
With database mirroring, application recovery time is typically reduced to seconds. The use of mirroring also enables minimal (or even zero) downtime upgrades.
Using Database Mirroring for Disaster Recovery
An asynchronous mirror member can be set up at a remote site, and updated in near real time. If the primary data center fails, your data will not be lost. Disaster recovery when both members are deployed in a public cloud depends on the provider's capabilities, but can be achieved by setting up asynchronous members in different “regions,” or even between clouds from different providers.
Clustering and Virtualisation
Clustered systems are typically dependent on shared disk access, but with only one system active at a time. If the active system fails, InterSystems IRIS is automatically started on another server that takes over the processing responsibilities. Users must sign back on to the new server, which may cause a noticeable delay. Virtualisation HA works in much the same way.