Last Updated Date: May 25, 2021

Challenge

Adapting to the demands of continuously changing environments requires the enterprise to have a flexible and robust data integration platform. Informatica provides a variety of data integration solutions for the enterprise to achieve its strategic goals. Different industries have varying levels of security requirements, and different data integration architectures create new sets of security challenges. In order to protect information assets and comply with regulatory requirements, the security challenges arising from data integration activities need to be addressed swiftly.

Description

This document focuses on the security dimension of the Informatica client tools and explains how Desktop Virtualization solutions, such as Terminal Services and Citrix, can be used to harden the Informatica data integration platform. Desktop Virtualization solutions provide security and agility while maximizing productivity for Informatica users. Advances in mobile computing have introduced new security challenges. As the number of Informatica developers, administrators and operators who use laptops for performing their duties increases, potential theft and loss of laptops pose security risks. Desktop Virtualization can play an important role in mitigating these risks.

Informatica products offer the flexibility to implement different data integration architectures. Each implementation creates a different set of security challenges, so it is important to first explore the security challenges in different implementation scenarios. Outsourcing is a technology trend that has unique security requirements. For example, a team of off-shore developers in India may need to connect to Informatica servers based in North America. The communication over a Wide Area Network (WAN) is exposed to the risk of breach. Therefore, additional configuration steps may be necessary to ensure security.

The key premise of Desktop Virtualization for Informatica client tools is to provide access to the production, test and development Informatica environments only through the Terminal Server or Citrix Server hosting the Informatica client tools. By hosting the Terminal Server or Citrix Server and the Informatica Server within the same controlled data center environment and in the same trusted network, network intrusion threats are diminished. To isolate and secure the network connection between the Informatica Server and the Terminal Server or Citrix Server, a VPN can be used. If a VPN is used, the ports required for debugging mappings need to remain available.

Desktop Virtualization Environment

Before getting into the details of the various Desktop Virtualization options, it is useful to discuss planning for the Desktop Virtualization environment. Informatica recommends a dedicated server environment for hosting Informatica client tools to maintain control over responsiveness. Whether using Terminal Services or Citrix, capacity planning for the server hosting Informatica client tools should be done in advance of the Desktop Virtualization implementation.

The first step is to collect information about Informatica users’ work patterns. Each type of user, such as administrators, developers and operators, will have different work patterns and work times. For example, the administrator group might use the browser-based Informatica Administrator tool. The developer group might use PowerCenter Designer or Informatica Developer to open large mappings that require CPU and memory resources. The operator group might only use the PowerCenter Workflow Monitor to watch the batch cycle during the night. Once the work pattern for each type of user group is determined, the high-level resource consumption for each group should be calculated. This information should be used for making estimates about the server.

The capacity planning guidelines for the server include allocating a percentage of a CPU per user, allocating a working set amount of memory per user and allocating a disk spindle for every 20 to 30 simultaneous users. A separate controller is recommended for the OS running on the server. A 64-bit OS is recommended to take advantage of the memory resources of the server. The server should have additional sockets to handle future growth in CPU and memory. Furthermore, server farms can be deployed if a single server is not sufficient to meet the responsiveness requirements of the Informatica users. Server farms also provide redundancy by eliminating a single point of failure.

Network bandwidth plays an important role in determining the user experience. High-speed network connectivity should be chosen between the server and users. Any network traffic over a public network would introduce latency. For SSL connections, the default TCP port 443 should be open on the firewall between the server and users.

Terminal Services Guidelines

Terminal Services (Remote Desktop Services in Windows Server 2008 R2) has been utilized by numerous Informatica customers for Desktop Virtualization and for addressing the security risks that arise from network connectivity over a WAN. By securing Informatica client tools in a data center and providing access over Transport Layer Security (TLS), Terminal Services helps organizations meet regulatory compliance requirements. Network speeds have continuously improved to provide a responsive user experience for Terminal Services users. Combined with the security advantages and low implementation costs, using Terminal Services for accessing Informatica client tools offers a strong alternative to direct installation of the Informatica client tools on end-user workstations and laptops.

A dedicated Terminal Server hosting the Informatica client tools should be secured so that only Informatica client tools can be executed and no other software can be installed. This includes preventing users from running the command prompt, browsing the network or browsing the computer. If Informatica command line interfaces are needed, they can be executed through a restricted command prompt option that allows only specific commands, such as infacmd, pmcmd and pmrep. Restricting access to the Start Menu and Networking Items closes back doors into the operating system.

A white-list approach to the executable programs that are allowed to run on the Terminal Server provides additional security. Enabling the “Run Only Specified Applications” setting and adding the Informatica client tools to the list prevents all other programs from running. Additionally, Software Restriction Policies should be used to block unauthorized applications, scripts and macros from running on the Terminal Server. Through Group Policy on the Terminal Server, the administrator can allow or deny use of the Informatica client tools for groups of users.

Another way to restrict users to the Informatica client tools running on the Terminal Server is to configure TS RemoteApp. This functionality is available in Windows Server 2008 R2 and allows users to double-click a file on their workstation to launch Informatica client tools hosted on the Terminal Server. This eliminates the need for the user to launch Informatica client tools within another desktop. Instead, Informatica client tools are launched from the user’s own desktop and are ready to use immediately. If a problem occurs during the user's interaction with the Informatica client tools, the TS RemoteApp session terminates.

Network connection vulnerabilities can be addressed by securing the client connections to the Terminal Server running Informatica client tools. At the core of eliminating network connection vulnerabilities lies a secure but fast data stream between the clients and the Terminal Server. The key Windows components for this purpose are Remote Desktop Protocol (RDP) encryption levels, server authentication mechanisms and the Credential Security Support Provider (CredSSP).

To avoid interception of the network traffic between the Informatica users’ workstations and the Terminal Servers running Informatica client tools, FIPS-compliant encryption should be used. FIPS (Federal Information Processing Standard) compliant encryption uses Triple Data Encryption Standard (3DES) for encrypting the TLS traffic, RSA for the public key exchange and the Secure Hash Algorithm (SHA-1) for TLS hashing. The Terminal Server can be configured to use FIPS-compliant encryption through Group Policy or the Terminal Server configuration.

Protecting the credentials of the users is necessary for the security of the Informatica environment as well as the entire network. User credentials may be compromised if a rogue server impersonates the Terminal Server to which the user is trying to connect. To validate the identity of the server, TLS should be configured. Using asymmetric encryption, TLS authenticates the server and establishes a session key for securing the connection. Because the server is authenticated and the session keys are valid only for the duration of the session, session theft can be avoided.

Conversely, to protect the Terminal Server and the Informatica client tools from malicious connections, only workstations that support Network Level Authentication (NLA) should be allowed to connect to the Terminal Server. This can be enforced using Group Policy. CredSSP (Credential Security Support Provider) is the technology that supports NLA: it passes the user credentials to the Terminal Server over a secure channel, and only once the Terminal Server has accepted the connection from the workstation does it start to build a session for the user. This prevents credentials from being extracted by sniffing and used to establish unauthorized connections to the Informatica client tools.
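The allow-list, FIPS encryption, TLS server authentication and NLA settings described above are all stored as Terminal Server registry values that Group Policy or the Terminal Server configuration writes. The following PowerShell audit script is an added example, not from the Informatica article; it reads those values on the Terminal Server and reports which settings deviate from the recommended configuration (run it as an administrator, and run the per-user allow-list check from within a restricted user's session).

```powershell
# Added example (not from the Informatica article): audit a dedicated Terminal Server
# against the hardening settings described above. The registry paths are the
# documented backing store for the corresponding Group Policy / Terminal Server
# Configuration settings; nothing is changed, only read.

$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$rdp     = Get-ItemProperty -Path $rdpKey
$fips    = Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue

# Expected values and what the numeric codes mean on the RDP-Tcp listener.
$checks = @(
    @{ Name = 'SecurityLayer';       Actual = $rdp.SecurityLayer
       Expected = 2; Meaning = 'TLS server authentication (0=RDP, 1=Negotiate, 2=TLS)' }
    @{ Name = 'MinEncryptionLevel';  Actual = $rdp.MinEncryptionLevel
       Expected = 4; Meaning = 'FIPS-compliant encryption (1=Low, 2=Client compatible, 3=High, 4=FIPS)' }
    @{ Name = 'UserAuthentication';  Actual = $rdp.UserAuthentication
       Expected = 1; Meaning = 'NLA (CredSSP) required before a session is built' }
    @{ Name = 'FipsAlgorithmPolicy'; Actual = $fips.Enabled
       Expected = 1; Meaning = 'system-wide FIPS 140 algorithm policy' }
)

$failures = 0
foreach ($c in $checks) {
    if ($c.Actual -eq $c.Expected) { $status = 'OK  ' } else { $status = 'FAIL'; $failures++ }
    '{0} {1,-20} actual={2} expected={3}  ({4})' -f $status, $c.Name, $c.Actual, $c.Expected, $c.Meaning
}

# "Run only specified Windows applications" is a per-user policy, so this part
# reports for the account running the script (run it inside a restricted user's session).
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$explorer    = Get-ItemProperty -Path $explorerKey -ErrorAction SilentlyContinue
if ($explorer.RestrictRun -eq 1 -and (Test-Path "$explorerKey\RestrictRun")) {
    # Each value under the RestrictRun subkey names one permitted executable.
    $listKey = Get-Item "$explorerKey\RestrictRun"
    $allowed = $listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) }
    "OK   RestrictRun allow-list: $($allowed -join ', ')"
} else {
    'FAIL RestrictRun not enforced: any executable can be started in the session'
    $failures++
}

"$failures setting(s) deviate from the recommended configuration"
```

Software Restriction Policies and RemoteApp publishing are not covered by this script; review them separately in the Group Policy and RemoteApp Manager consoles.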

Citrix Guidelines

Citrix provides the XenApp product for centralizing applications and controlling access to them. Informatica customers leverage Citrix to enhance the reliability, maintainability and security of Informatica client tools. To ensure secure access to servers and to meet regulatory requirements, Citrix offers cryptographic modules that are FIPS 140 compliant. By configuring TLS for Citrix, server authentication, client authentication and encrypted connections can be achieved.

With the advent of off-shore development facilities for Informatica customers, Citrix was adopted early by a large number of customers. When Informatica client tools are hosted on the Citrix server, only mouse clicks and keystrokes transit the network between the data center and the Informatica users. The centralized password control, multi-factor authentication and encrypted delivery features of Citrix eliminate sensitive data loss over the WAN.

Whereas Terminal Services uses the Remote Desktop Protocol (RDP), Citrix uses the Independent Computing Architecture (ICA) protocol to present resources to users. The ICA protocol can be configured to provide secure and optimal performance for connections over a WAN. In a Citrix deployment for Informatica client tools, access to RDP can be restricted so that the Citrix server is reachable only through ICA.

To secure the Citrix server, the BIOS should be password-protected. Moreover, USB blockers should be installed to minimize security risks from USB devices. Enabling alerts to monitor metrics on the server is a proactive method of defending the Citrix server. Intrusion Detection Systems can be leveraged for signature detection and anomaly detection to monitor the network. Disaster recovery plans should be put in place to ensure the Citrix server is able to host the Informatica client tools under any circumstances. Change management policies should be put in place to handle upgrades and installation of hotfixes for the Informatica client tools.

In order to secure the network connections to the Citrix Server, several components of the Citrix deployment should be configured. By default, the inbound port on Citrix servers is 1494, and the outbound port is allocated dynamically when an ICA session is established. When session reliability for ICA sessions is configured, traffic is tunneled through the Common Gateway Protocol, which uses port 2598. Therefore, it is important to note that ports 1494 and 2598 should be opened only to inbound traffic.
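One way to apply the port guidance above with the built-in Windows Firewall on the Citrix server, as an added example that is not from the Informatica article or from Citrix: allow inbound ICA (1494) and Common Gateway Protocol (2598) traffic only from the SSL proxy that fronts the Citrix server, and confine RDP on that server to a management subnet so that users reach it only through ICA. The proxy address and management subnet are assumed values.

```powershell
# Added example (not from the Informatica article): Windows Firewall rules for a
# Citrix server hosting Informatica client tools. Assumed values: the SSL proxy
# address that accepts user connections and the administrators' management subnet.
$sslProxy   = '10.0.100.5'      # assumed: proxy that fronts the Citrix server
$mgmtSubnet = '10.0.200.0/24'   # assumed: where administrators connect from

# Inbound traffic is denied unless a rule allows it; outbound stays open, so the
# dynamically allocated ICA return port needs no rule of its own.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# ICA (1494) and Common Gateway Protocol for session reliability (2598): inbound only,
# and only from the proxy, so users cannot reach the Citrix server directly.
New-NetFirewallRule -DisplayName 'Citrix ICA/CGP from SSL proxy' -Direction Inbound `
    -Protocol TCP -LocalPort 1494,2598 -RemoteAddress $sslProxy -Action Allow

# Users reach the server only over ICA: disable the built-in RDP rules and
# re-allow RDP solely from the management subnet for administration.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtSubnet -Action Allow

# Verify the port filters attached to the two new rules.
Get-NetFirewallRule -DisplayName 'Citrix ICA/CGP from SSL proxy', 'RDP from management subnet only' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```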

Session reliability allows Informatica users to keep their sessions active even when network connectivity is temporarily severed. This is similar to the Informatica resilience timeout setting. Session reliability is controlled by the “Seconds to keep sessions active” parameter, which is set to 180 seconds by default. Extending the amount of time that sessions are kept active may create vulnerabilities. Therefore, Informatica recommends changing this setting carefully.

Other ICA client settings that can be configured to make ICA sessions more secure include using SSL/TLS for communications, not allowing user passwords to be saved, using two-factor authentication such as smart cards, and disabling client device mapping such as hard drives and the clipboard. TLS is enabled in two places: when an Informatica client tool is published, TLS is enabled on the Citrix server side, and TLS can also be enabled on the user workstations that act as clients to the Citrix server.

SecureICA is another Citrix security feature that can be used on internal networks. SecureICA is not recommended for connecting to Informatica client tools over a public network. Unlike TLS encryption, SecureICA does not provide server authentication. Therefore, when connecting over a public network, sensitive data may be intercepted and rerouted to a rogue server.

A hardware- or software-based SSL proxy allows remote users who access Informatica client tools hosted on the Citrix server to traverse the firewall without the need to open additional ports. The proxy server accepts connection requests from Informatica users and redirects them to the Citrix server hosting the Informatica client tools. The proxy server adds another layer of security to the network connection. This is especially important for preventing network intrusions and protecting the integrity of the communication between Informatica users and Informatica client tools.

Citrix XenApp policies should be used together with Windows Group Policies to control connections based on user, group, IP range and client names. Integration with Active Directory Group Policies also enables rapid on-boarding of Informatica users. Furthermore, policies can be used to optimize performance by setting bandwidth limits, feature availability and latency reduction. Using application publishing policies, a subset of the Informatica client tools can be made available to groups of users. For example, Informatica administrators can have access to the full set of Informatica client tools, whereas Informatica operators can have access to only the Workflow Monitor.

Finally, the activity monitoring capabilities offered by Citrix should be used to record sessions when needed. This increases accountability and provides an audit trail for regulatory compliance. Other monitoring tools, such as PowerCenter Proactive Monitoring, IBM Tivoli and HP OpenView, can be used along with Citrix health checks to detect suspicious activity in the Informatica environment. Concurrent connections on the server can be monitored and even limited to maximize performance. As additional server capacity is added, the limit on concurrent connections can be increased.

Conclusion

When the Informatica data integration platform is exposed to internal and external threats due to the sensitive nature of the enterprise data assets, it might be necessary to take drastic steps to prevent any type of network intrusion and compromise of information. One of these steps may be to block direct access to the Informatica client tools and provide access only through Desktop Virtualization solutions, such as Terminal Services or Citrix. This would also mean removing the Administrator privilege from local workstations so that users cannot install Informatica client tools on their own. TCP port forwarding on the Informatica server might be turned off to prevent users from running client tools through SSH tunnels. Hosting the Informatica client tools in the same data center as the Informatica server and providing TLS-encrypted network access to the Informatica environment will certainly help the enterprise comply with regulations.
