Recommendations
Data security
TLS (Transport Layer Security) is used to secure communication between clients (browsers) and Global Production Overview services. By default, TLS is enabled for all Global Production Overview services. Global Production Overview itself does not encrypt any communication between client and application; the server certificates must be managed in the Nexeed IAS Gateway. Keep in mind that the browser being used must also trust the given CA (certification authority) in order to communicate with Global Production Overview services. TLS can be disabled by configuration. Do not consider this for production purposes!
Service meshes
Service meshes are state-of-the-art technology to secure all communication within and between Kubernetes clusters. They typically intercept and redirect traffic to/from the Pods using proxy containers injected into the application Pods. These proxies can then secure communication between Pods using mTLS. In such scenarios, the service mesh control plane manages the complex and error-prone certificate management for the various mTLS connections, while being transparent to the actual application workloads.
The installation and configuration of a service mesh is the responsibility of the cluster operator and is not part of the NEXEED IAS installation process. A service mesh can be used to secure communication between Global Production Overview services and NEXEED IAS modules running in the same cluster.
Please note that GPO requires communication between pods for clustering purposes and may therefore require the mTLS mode in service meshes such as Istio to be set to permissive.
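The following is an added example of how a cluster operator could express that requirement in Istio; it is not configuration from the Global Production Overview or NEXEED IAS documentation. It keeps the mesh-wide default at STRICT and relaxes mTLS to PERMISSIVE only for the GPO workload, so other pods in the cluster still reject plaintext traffic. The namespace names "istio-system" and "gpo" and the pod label app: global-production-overview are assumed placeholders, not values from the page.

```yaml
# Added example, not part of the GPO/NEXEED IAS documentation.
# Assumed placeholders: namespaces "istio-system" and "gpo", pod label
# app: global-production-overview. Replace them with the real values.

# 1. Mesh-wide default: every sidecar-enabled pod rejects plaintext traffic.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Narrow exception for GPO only: pods matching the selector accept both
#    mTLS and plaintext, so that GPO's pod-to-pod clustering traffic is not
#    rejected if it arrives without mTLS. The selector limits the exception
#    to the GPO workload instead of weakening the whole namespace or mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: gpo-clustering-permissive
  namespace: gpo
spec:
  selector:
    matchLabels:
      app: global-production-overview
  mtls:
    mode: PERMISSIVE
```

Apply both documents with kubectl apply -f and confirm that workloads outside the selector still refuse plaintext connections. If the port used for GPO clustering is known, the exception can be tightened further with Istio's portLevelMtls field (which requires a selector): keep mode STRICT for the workload and set only that port to PERMISSIVE, so the relaxation covers a single port rather than all of the pod's traffic.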