Data is NOT #Encrypted between the Boomi Molecule Nodes and the NFS storage.
Hello Boomi fans !
I'll let you in on a #secret:
The data between the #boomi Molecule Nodes and the NFS storage is NOT #encrypted:
Let’s get one thing straight:
Boomi is a brilliant product.
The Boomi Customer must deploy the Boomi product such that it meets the Enterprise Requirements.
The Customer Security Officer, the Customer Infrastructure Team and the Boomi Solution Architect must collaborate to provide a Secure, Scalable, Maintainable and Reliable Integration Infrastructure.
Clarify the problem statement:
Most organizations (Boomi Customers) require End-to-End Encryption.
In the context of Integration, Encryption is required at different layers. For this article, I am looking at just two:
Encrypt #data “in transit” while data is moved from one system to the other, using HTTPS, SFTP, AS2 and so on.
Encrypt #data “at rest” while data is kept in a target system using a Database, Disk and so on.
1. The Boomi Runtimes (Atoms, Molecules) send Metadata to the Boomi Platform.
This data is encrypted (in transit) over HTTPS.
2. External Systems make inbound calls to the web services exposed by the Boomi Runtimes. Generally, these are encrypted (in transit).
3. The Boomi Runtimes make outbound calls to remote resources.
Generally, these are encrypted (in transit).
4. The Boomi Runtimes save data locally on disks.
Generally, these disks are encrypted (at rest).
5. The Boomi Molecules need Network Storage (NFS or SMB).
Generally, these disks are encrypted (at rest).
6. Other Internal resources like Database or FTP.
Generally, these are encrypted (at rest).
7. Boomi connects to the Network Share using the NFS protocol on Linux or the SMB protocol on Windows. Item 5 covers the disks behind that share; this item covers the wire between the node and the share. Unless the mount is configured for protocol-level encryption (NFS with the Kerberos privacy flavour sec=krb5p, or SMB 3.x encryption), which is neither the default nor common, traffic to the Network Share is transmitted as clear text across the LAN, and a packet capture on that segment shows the file contents.
Over the past 8 years that I have been working with the Boomi products, I have collaborated with dozens of large enterprises and delivered numerous in-depth assessments, and I have not seen one Boomi Customer that solved this challenge before we worked together.
I also consulted two other esteemed Boomi Architects and they have the same experience.
Hence, the title for this article :)
Soo... is this a problem?
I would say: Yes. A big one.
The Boomi Molecule Nodes write the #message #payload and #logs in clear text to the NFS share, where the data sits until it gets purged, usually after 30 days.
Does this affect Processes
- running in general mode? Yes
- running in general mode and using parameter “Purge Data Immediately”? Yes
- running in bridge mode? Yes
- running in low latency mode? No. No logs or message payloads are generated in this mode.
Am I affected?
If I use the Boomi Atoms? No problem.
If I use the Boomi Molecules? Most probably yes, since a Molecule needs its shared work directory on network storage.
If I use the Boomi Private Cloud? I don’t know.
If I use the Boomi Public Cloud? I don’t know.
How do I check if my organization is exposed?
First check how many network cards (NICs) are configured on the VM running the Boomi Molecule Node. If you have just one network card, the NFS or SMB traffic shares the LAN with everything else and you are probably at risk. A second NIC on a dedicated storage network only narrows who can capture the traffic; it does not encrypt it.
Under Windows, use Device Manager / Network adapters -> Do not count VPN Adapters :)
Under Linux, use: lspci | grep 'Network\|Ethernet' (or ip -br link, which also lists paravirtual adapters such as Hyper-V synthetic NICs that do not sit on the PCI bus)
The definitive check is the protection the mount itself negotiated. On Linux, read /proc/mounts (or run nfsstat -m) and look at the sec= option of each NFS mount: sec=sys, which is also the default when nothing is shown, means clear text, and only sec=krb5p means the payload is encrypted on the wire. On Windows, Get-SmbConnection shows the negotiated Dialect and whether the session is Encrypted.
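The Linux side of that check as a script, added here as an example; it is not code from the original article or from Boomi. It reads mount entries in /proc/mounts format, extracts the RPC security flavour of every NFS mount and reports whether a passive observer on the LAN can read the traffic. The share names, hosts and addresses in the sample are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from Boomi.
# Reads mount information in /proc/mounts format and reports, for every
# NFS mount, which RPC security flavour the client negotiated.  The flavour
# answers "is this share's traffic readable on the LAN?":
#   sys    AUTH_SYS, a bare UID/GID; no authentication of the peer, no encryption
#   krb5   Kerberos authentication only; NFS payload still clear text
#   krb5i  Kerberos + integrity (signed RPCs); payload still clear text
#   krb5p  Kerberos + privacy; RPC payload encrypted on the wire
# When no sec= option is shown the kernel mounted with sec=sys.
# Share names, hosts and addresses below are constructed for the example.

# Print the security flavour of one /proc/mounts line.
# Returns 1 (prints nothing) when the line is not an NFS mount.
# Fields: <device> <mountpoint> <fstype> <options> <dump> <pass>
nfs_sec_flavor() {
  local line="$1" sec="sys" o
  set -- $line                 # whitespace-split the line into its fields
  case "$3" in
    nfs|nfs4) ;;
    *) return 1 ;;             # ext4, tmpfs, cifs, ... are not our concern here
  esac
  local IFS=','                # mount options are a comma-separated list
  for o in $4; do
    case "$o" in
      sec=*) sec="${o#sec=}" ;;
    esac
  done
  printf '%s\n' "$sec"
}

# Collapse a flavour to what a passive observer on the LAN gets:
# only krb5p hides the NFS payload.
classify_flavor() {
  case "$1" in
    krb5p) printf 'encrypted\n' ;;
    *)     printf 'clear-text\n' ;;
  esac
}

# Read /proc/mounts-format lines on stdin, print one report line per NFS
# mount, and return 1 if any NFS mount carries clear-text traffic so the
# function doubles as a pass/fail compliance check.
audit_nfs_mounts() {
  local line sec verdict rc=0
  while IFS= read -r line; do
    sec=$(nfs_sec_flavor "$line") || continue
    verdict=$(classify_flavor "$sec")
    set -- $line
    printf '%-24s sec=%-6s %s\n' "$2" "$sec" "$verdict"
    [ "$verdict" = "encrypted" ] || rc=1
  done
  return "$rc"
}

# Constructed sample (not captured from a real host): a typical Boomi work
# directory mounted with the default flavour, a Kerberos-privacy mount for
# contrast, and a tmpfs line that must be skipped.
SAMPLE_MOUNTS='nas01:/export/boomi /mnt/boomi nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,timeo=600,sec=sys,addr=10.0.0.20 0 0
nas01:/export/secure /mnt/secure nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=krb5p,addr=10.0.0.20 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

echo "== constructed sample =="
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts \
  || echo "RESULT: at least one NFS mount is clear text on the wire"

# On a live Molecule node, the same audit against the real mount table:
if [ -r /proc/mounts ]; then
  echo "== this host =="
  audit_nfs_mounts < /proc/mounts \
    || echo "RESULT: at least one NFS mount is clear text on the wire"
fi
```

Run it on each Molecule node, not just one: every node mounts the shared work directory itself, so a node added later with different mount options is its own exposure. The script treats krb5 and krb5i as clear text on purpose; they authenticate and sign the RPCs, which stops spoofing, but the message payloads and logs still cross the LAN readable.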
About Network Share encryption:
Boomi and Network Shares have been around for a long time,
but support for encrypting the connection (in transit) is still limited.
Microsoft recently introduced encryption for the SMB protocol with version 3.0.
Microsoft Azure Files do NOT support encryption in transit, at the time of writing this article.
And this is the main solution used by Boomi Clients in Azure.
Some vendors like NetApp provide in-transit encryption for NFS communication; the underlying mechanism is the standard Kerberos privacy flavour (sec=krb5p, RPCSEC_GSS), which encrypts the RPC payload between client and server and requires a Kerberos realm that both the NFS server and every Molecule node join.
Even where these capabilities exist, the #performance of the connection drops so much that the approach is often prohibitive.
About the solution:
Unfortunately there is no Click and Save solution for this one.
Some Boomi Molecule installations can be adjusted, others have to be completely reinstalled.
Encrypting the connection to the NFS is not practical at this time due to technology limitations and huge performance penalties.
If you want me to write an article about how to solve this challenge, let me know by voting:
I will write an article if more than 100 people need to know.
Now go BoomIT !