Network Security Requirements
The infrastructure that runs the OSDU Data platform must have limited outbound connectivity to the Internet.
How this is accomplished will vary by cloud provider, but individual containers, services, and hosts must not be able to make arbitrary connections to arbitrary outside IP addresses on arbitrary ports.
Network security controls
Egress
What network egress requirements are there for OSDU Data Platform services? E.g., if the data platform needs or wants to connect to an outside data source, what network security requirements does the Operator impose?
Example controls include:
- Whitelisted domains and/or IP ranges.
- Proxying outbound HTTPS requests through an Operator-supplied proxy.
  - For example, if the Load Service calls the Search Service, can that HTTPS API call pass through an HTTPS proxy?
- Egress to the Operator's on-premises network via a dedicated VPN channel.
- Some Operators want to block all outbound connections to Internet IPs.
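As an added example (not part of this page or of OSDU), the following Python audit applies the egress controls listed above to constructed flow-log lines: only the internal cloud range, the on-premises VPN range and the Operator-supplied proxy are permitted destinations, and outbound HTTPS that bypasses the proxy is flagged separately. All ranges, addresses and domain names are hypothetical placeholders.

```python
import ipaddress

# Constructed policy illustrating the egress controls listed above; every value
# is a placeholder, not OSDU's or any operator's real configuration.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]       # cloud-internal transit
ONPREM_VPN_RANGES = [ipaddress.ip_network("172.16.0.0/12")]  # Operator on-prem via VPN
EGRESS_PROXY = ipaddress.ip_address("10.0.200.5")            # Operator-supplied HTTPS proxy
PROXY_PORTS = {3128, 8443}
ALLOWED_DOMAINS = {"search.osdu.example", "api.partner.example"}  # enforced at the proxy

def in_ranges(ip, ranges):
    return any(ip in net for net in ranges)

def classify_flow(dst_ip, dst_port):
    # Verdict for one outbound connection from a platform host or container.
    dst = ipaddress.ip_address(dst_ip)
    if dst == EGRESS_PROXY and dst_port in PROXY_PORTS:
        return "allow-proxy"
    if in_ranges(dst, INTERNAL_RANGES):
        return "allow-internal"
    if in_ranges(dst, ONPREM_VPN_RANGES):
        return "allow-vpn"
    if dst_port == 443:
        return "deny-direct-https"  # outbound HTTPS must pass through the proxy
    return "deny-internet"          # any other direct connection to an outside IP

def domain_allowed(host):
    # Proxy-side allowlist: exact match or subdomain of an allowlisted domain.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def audit(log_lines):
    # Parse constructed flow-log lines "src=... dst=... port=..." and return
    # the denied flows as (src, dst, port, verdict) tuples.
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict = classify_flow(fields["dst"], int(fields["port"]))
        if verdict.startswith("deny"):
            findings.append((fields["src"], fields["dst"], int(fields["port"]), verdict))
    return findings

SAMPLE_LOG = [  # constructed sample, not real traffic
    "src=10.0.1.15 dst=10.0.3.20 port=443",      # Load Service -> Search Service
    "src=10.0.1.15 dst=10.0.200.5 port=3128",    # HTTPS via the egress proxy
    "src=10.0.1.15 dst=172.16.8.9 port=1521",    # on-prem database over VPN
    "src=10.0.1.16 dst=93.184.216.34 port=443",  # direct HTTPS to the Internet
    "src=10.0.1.17 dst=198.51.100.7 port=22",    # SSH to an outside IP
]
```

Calling audit(SAMPLE_LOG) returns the last two flows as violations; the first three are permitted by the internal, proxy and VPN rules respectively.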
Ingress
Inbound connections are usually monitored.
- What level of logging / information is required for inbound connections?
Transit
What network security controls are required inside the internal cloud network (e.g., between services)?
Operator Input
- Wintershall Dea: And the Server(s) will have restrictions on accessing the Internet; at least it will be strictly controlled. HTTPS outbound-only connections are possible. 2) The deployment runs in our on-premises datacenter(s); here we have only proxy-based Internet access for servers. HTTPS outbound should also be no problem when it’s agreed.
- ExxonMobil: It is a requirement to have any outbound HTTPS pass through a proxy.
- Shell: WAF or L7 security inbound is required.
Edited by Dmitriy Rudko