Advanced Security FAQ

Questions and answers for enterprise customers and security teams

Last updated 5 months ago

This document addresses advanced topics on Veza platform security: authentication, encryption and key management, access controls, network security, and the other procedures that secure our SaaS and cloud-prem (customer-hosted) deployments.

SaaS Architecture

Veza's SaaS production environment runs on AWS. Our architecture emphasizes security, scalability, and efficient resource management with a multi-VPC structure. Key components include Amazon EKS for container orchestration, AWS WAF for web application security, and integrated monitoring tools.

Supported Authentication Methods

What authentication methods does Veza support?

  • Interactive Users: Local User Accounts, SAML Single Sign-On, OpenID Connect (Early Access).

  • Non-Interactive Access: API Keys

Security Measures in SAML-Based Authentication

For SAML-based authentication, do you handle user-provided XML? Do you validate XML to protect from malformed XML?

  • Veza accepts user-provided XML for SAML configuration. We validate the input to protect against malformed XML input.
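The answer above says customer-supplied SAML XML is validated before use but does not say how. The following is an added example, not Veza's code, of the checks a hardened IdP-metadata import should make before trusting the document: reject any DTD (the vehicle for XXE and entity-expansion attacks) and oversized input before the parser ever sees it, then require exactly the structure a SAML 2.0 IdP descriptor must have. The size limit, the sample metadata and the placeholder certificate bytes are constructed for this example and are not real values.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_METADATA_BYTES = 256 * 1024  # assumed size cap for this example


class UnsafeMetadata(ValueError):
    """Raised when IdP metadata is rejected before or during parsing."""


def parse_idp_metadata(raw: bytes) -> dict:
    """Parse customer-supplied SAML IdP metadata defensively.

    Returns the entityID, an https SSO endpoint and the DER-encoded signing
    certificate, or raises UnsafeMetadata with the reason for rejection.
    """
    if len(raw) > MAX_METADATA_BYTES:
        raise UnsafeMetadata("metadata exceeds size limit")
    # SAML metadata never needs a DTD, so forbid DOCTYPE/ENTITY outright.
    # That rules out external entities (XXE), parameter entities and
    # billion-laughs expansion before the parser runs. XML requires these
    # keywords in upper case; expat rejects other spellings as syntax errors.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise UnsafeMetadata("DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise UnsafeMetadata(f"malformed XML: {exc}") from exc

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise UnsafeMetadata("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise UnsafeMetadata("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise UnsafeMetadata("no IDPSSODescriptor")

    # Accept only an https endpoint with an HTTP-Redirect/POST/Artifact binding.
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = sso.get("Location", "")
        binding = sso.get("Binding", "")
        if loc.startswith("https://") and binding.startswith(
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-"
        ):
            sso_url = loc
            break
    if sso_url is None:
        raise UnsafeMetadata("no https SingleSignOnService endpoint")

    # A KeyDescriptor with use="signing" (or no use attribute, meaning both).
    cert_text = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and (node.text or "").strip():
                cert_text = node.text
                break
    if cert_text is None:
        raise UnsafeMetadata("no signing certificate")
    try:
        der = base64.b64decode("".join(cert_text.split()), validate=True)
    except ValueError as exc:
        raise UnsafeMetadata("certificate is not valid base64") from exc
    if not der or der[0] != 0x30:  # DER Certificate starts with a SEQUENCE tag
        raise UnsafeMetadata("certificate is not DER-encoded")
    return {"entity_id": entity_id, "sso_url": sso_url, "cert_der": der}


def check_metadata(raw: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        parse_idp_metadata(raw)
        return "ok"
    except UnsafeMetadata as exc:
        return str(exc)


# Constructed sample inputs. "MAA=" is a two-byte placeholder, not a real cert.
GOOD_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAA=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
XXE_METADATA = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&xxe;"/>"""
```

In production the certificate bytes would additionally be parsed with an X.509 library and the signature on the metadata itself verified; the point here is that structural validation happens before any such library is handed attacker-influenced input.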

For API authentication, do you support access tokens instead of API keys? If so, what tokens are supported?

  • Not at present.

Do you check if MFA is performed on the IdP side for single sign-on?

  • No. With OpenID Connect (OIDC), a requirement that MFA be performed during session creation can be requested through ACR values; the configuration is specific to your identity provider and its setup. Veza does not verify that MFA was actually performed.

How long are access tokens valid? Is the duration of access tokens configurable?

  • Regular session/access tokens are valid for 20 hours (not configurable). Session tokens must be refreshed every 15 minutes or they expire.

  • API keys do not expire.

  • The customer can configure session idle time on the Veza Sign-in Settings page.
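The three answers above describe three independent timers: a fixed 20-hour absolute lifetime, a 15-minute refresh window, and a customer-configured idle timeout. The following is an added example, not Veza's code, that models how a verifier applies them and in what order, so that a refresh can extend the idle clock but never the absolute lifetime. The timestamps and the simulated client are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

ABSOLUTE_LIFETIME_S = 20 * 60 * 60  # 20 hours, fixed by the platform
REFRESH_WINDOW_S = 15 * 60          # a token must be refreshed within 15 minutes


@dataclass(frozen=True)
class Session:
    issued_at: float      # creation time; never moves
    last_refresh: float   # last successful refresh
    last_activity: float  # last request seen; drives the idle timeout


def session_state(s: Session, now: float, idle_timeout_s: int) -> str:
    """Return 'active' or the reason the session is no longer valid.

    Checks run in the order a verifier should apply them: the absolute
    lifetime cannot be extended by any client behaviour, the refresh window
    keeps the token alive only if the client keeps refreshing, and the idle
    timeout is the customer-tunable knob.
    """
    if now - s.issued_at >= ABSOLUTE_LIFETIME_S:
        return "expired: absolute lifetime"
    if now - s.last_refresh > REFRESH_WINDOW_S:
        return "expired: refresh window missed"
    if now - s.last_activity > idle_timeout_s:
        return "expired: idle timeout"
    return "active"


def refresh(s: Session, now: float, idle_timeout_s: int) -> Optional[Session]:
    """Client-driven refresh: allowed only while still active; issued_at is kept."""
    if session_state(s, now, idle_timeout_s) != "active":
        return None
    return Session(issued_at=s.issued_at, last_refresh=now, last_activity=now)


def first_failed_refresh(refresh_every_s: int, idle_timeout_s: int) -> float:
    """Simulate a client that refreshes every refresh_every_s seconds and
    return the time of the first refresh that is rejected."""
    s = Session(0.0, 0.0, 0.0)
    now = 0.0
    while True:
        now += refresh_every_s
        nxt = refresh(s, now, idle_timeout_s)
        if nxt is None:
            return now
        s = nxt
```

A client refreshing every 10 minutes with a 1-hour idle timeout is cut off at exactly 20 hours; one refreshing every 20 minutes is cut off at its first refresh because it missed the 15-minute window; one refreshing every 10 minutes against a 5-minute idle timeout is cut off by the idle timer.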

Do you use cookies? How are your cookies defined?

  • Yes. We use cookies, including a session token, for session tracking. Our cookies are set with the HttpOnly and Secure flags.

Are all human users accessing Veza’s EKS backend required to use MFA?

  • All access to Veza's EKS backend is limited to a select few SRE individuals and requires multiple layers of MFA.

How does Veza avoid spoofing attacks, where an attacker impersonates the Veza application to gain unauthorized access?

  • Veza mitigates spoofing through the following controls:

    • Using a single SAML-based IdP (e.g., Okta) as the SSO provider.

    • Customers can disable local accounts.

    • Customers can retain a customer-managed Super Admin account for break-glass situations. Its activity is audited for any actions the user performs.

Encryption and Key Management

How does in-transit and at-rest encryption for data ingested into Veza work?

  • For in-transit data, we support TLS 1.3 (default) and TLS 1.2, with ECDSA and RSA certificates; for at-rest data, we use AES-256-GCM. Secrets (credentials) for all integrations are encrypted with GPG.

  • Encryption and storage: All storage is encrypted at rest (EBS Volumes, S3 buckets, Database storage).

How are keys managed?

  • We use AWS KMS to manage and secure keys.

Does Veza implement chains of trust?

  • We use AWS Certificate Manager (ACM) to issue our public TLS certificates. Internally, we use our own certificate authority (CA) with a self-signed root to issue certificates for mTLS between services, so that internal communications do not depend on an external CA that could be compromised in the supply chain.

How are keys rotated? How often are keys rotated?

  • AWS KMS keys and Veza-managed keys are rotated yearly.

  • Certificates are rotated every 6 months.

How is communication between the Insight Point and Veza platform secured?

  • All communication between the Veza Platform and the Insight Point is performed via TLS (Transport Layer Security). All requests are also signed to provide data authenticity and integrity.
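The answer above says Insight Point requests are signed for authenticity and integrity on top of TLS, but does not describe the scheme. The following is an added example, not Veza's code, of the shape such request signing takes: an HMAC-SHA256 over the method, path, timestamp, nonce and body hash, with the verifier rejecting stale timestamps, bad signatures and replayed nonces. The shared key, header names, skew window and request body are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

SKEW_S = 300  # assumed acceptable clock skew between signer and verifier


def canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Deterministic string-to-sign; the body is bound through its hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{ts}\n{nonce}\n{body_hash}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 ts: int = None, nonce: str = None) -> dict:
    """Signer side (e.g. the Insight Point): returns headers to attach."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Verifier side (e.g. the platform API). Keeps nonces seen inside the
    skew window so a captured request cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp

    def verify(self, method: str, path: str, body: bytes, headers: dict, now: int) -> str:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "rejected: missing or malformed headers"
        # Freshness first: cheap, and bounds the size of the nonce cache.
        if abs(now - ts) > SKEW_S:
            return "rejected: timestamp outside skew window"
        expected = hmac.new(self.key, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak the MAC.
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        # Replay check only after authentication, so unauthenticated traffic
        # cannot poison the nonce cache.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= SKEW_S}
        if nonce in self.seen:
            return "rejected: replay"
        self.seen[nonce] = ts
        return "ok"


# Constructed sample request; the key is a placeholder, not a real secret.
KEY = b"insight-point-shared-key-example"
PATH = "/api/v1/insight-point/upload"
BODY = b'{"provider":"okta","users":3}'
```

Binding the path and method into the signature stops a captured upload from being replayed against a different endpoint; binding the body through its hash keeps the canonical string small while still covering the full payload.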

Access Controls

Access Control Infrastructure: At the infrastructure level (Kubernetes cluster, tenant), what access control does Veza enforce to ensure infrastructure security?

  • Only specific personnel have access to production environments.

  • We perform quarterly access reviews to audit production environment access.

  • Authorized personnel can only access customer-managed clusters through a designated bastion host.

  • Bastion host activities are monitored and audited via Sysdig.

  • We require SSO and MFA for all production systems.

  • All cluster traffic is encrypted.

  • All internal communications use mTLS.

  • All access is tracked in audit logs.

Network Security

Is the network where customer data resides segmented from other networks, with only necessary ports and protocols allowed? Does Veza disable Public/Remote Access to EKS Cluster Endpoints?

  • Network policies isolate the tenant network. All external (incoming and outgoing) traffic is limited to the components that need it.

  • EKS access is only enabled from the Bastion host and limited to access from the private VPC. Public access is disabled.

Firewall and Intrusion Prevention: Does Veza deploy Web Application Firewalls (WAFs) and intrusion prevention systems (IPS) to detect and block malicious traffic? Does Veza regularly update signatures and rules? Is remote access to EKS cluster node groups disabled from the internet?

  • All external traffic must go through AWS WAF.

  • VPC traffic is analyzed and scanned to detect anomalies.

  • Signatures are updated automatically.

  • We restrict EKS node access to the private VPC from the bastion host.

Account Review

Does Veza routinely review accounts with access to production tenants and the EKS backend to ensure no stale or unauthorized accounts exist? Are cluster node group IAM policies maintained? Is worker-node IAM access segmented per EKS namespace?

  • Veza performs regular quarterly access reviews.

  • Veza maintains least-privilege IAM policies/permissions.

  • IAM policy integrity is maintained by regularly reconciling infrastructure-as-code configured policy against the running policy.

  • Tenants have strong access isolation through the IAM policy and Kubernetes Role-Based Access Controls (RBAC).

Do you support multi-tenancy? If so, can you describe how accesses are isolated among tenants?

  • Yes, Veza supports multi-tenancy:

    • Each tenant is an isolated deployment in a separate namespace

    • Tenant data and permissions are isolated, with controls to prevent cross-tenant data access.

Access Control / Authorization in Product

Do you support RBAC for customer users in the same tenant? What roles are supported? What isolation is provided?

  • Veza supports three built-in roles:

    • Administrator (user management, provider management, and system settings)

    • Operator (access to all platform capabilities, like reports, rules, access workflows, etc.)

    • Access Reviewer (a specialized role for participating in access reviews)

  • Two additional roles are available in Early Access:

    • Viewer (Subset of operator role, preventing any changes or modifications)

    • Re-assigner (Subset of operator role, allowing re-assignment of any result in an Access Review)

  • Veza also supports Teams to limit access to specific integrations: users in a Team can only see data for integrations assigned to that Team.

Other Capabilities

How does Veza avoid repudiation (the inability to prove the occurrence of events or actions leading to disputes)?

  • Veza implements logging and monitoring to maintain an immutable record of all service activity:

    • Logs include the timestamp, the pod name that initiates the call, and all other operation details (which function, which line, etc.)

    • Logs are protected against tampering and stored immutably

    • We forward logs using TLS to our logging utility.

    • AWS CloudTrail is also used to monitor and audit access to AWS assets through the command line or console.
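The answer above states that logs are protected against tampering and stored immutably, without describing the mechanism. The following is an added example, not Veza's logging pipeline, of the standard technique for making an append-only log tamper-evident: each record carries the hash of its predecessor, so that modifying, deleting or reordering any record breaks every link after it. The log entries, with the fields the answer lists (timestamp, pod name, function, line), are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first record


def _record_hash(prev_hash: str, entry: dict) -> str:
    """Hash the previous link plus a canonical (sorted, compact) JSON encoding
    of the entry, so the same entry always hashes identically."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain: list, entry: dict) -> dict:
    """Append an entry, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"entry": entry, "prev": prev, "hash": _record_hash(prev, entry)}
    chain.append(rec)
    return rec


def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first
    record whose hash or back-link does not check out."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return -1


def build_sample_chain() -> list:
    """Constructed sample log lines in the shape the FAQ describes."""
    chain = []
    append(chain, {"ts": "2025-01-10T12:00:00Z", "pod": "api-7c9f", "func": "create_query", "line": 118})
    append(chain, {"ts": "2025-01-10T12:00:02Z", "pod": "api-7c9f", "func": "run_query", "line": 204})
    append(chain, {"ts": "2025-01-10T12:00:05Z", "pod": "worker-3b1a", "func": "export_results", "line": 77})
    return chain
```

The chain only proves that nothing changed since the last link the verifier already trusts, so the head hash must be anchored somewhere the log writer cannot alter (a separate append-only store, a signed checkpoint, or the write-once storage the answer refers to); otherwise an attacker who can rewrite the log can simply recompute every hash.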

How does Veza avoid Denial of Services for supported integrations?

  • Veza implements rate limiting for all integrations.

  • Veza also monitors and allocates resources appropriately to handle spikes:

    • Default extraction intervals depend on the integration and range from 1 hour to 24 hours, according to the capabilities of the target data source. Customers may set a longer interval as desired.

    • Our EKS backend uses auto-scaling groups to achieve elasticity based on usage.

    • Resource usage is monitored and alerted on CPU, memory, and storage thresholds.

How does Veza prevent the exploitation of vulnerabilities to gain elevated privileges?

  • Veza requests only the minimum read permissions each integration needs.

  • We audit Veza's permissions and roles regularly.

  • Vulnerability Assessment and Patching:

    • The Veza EKS backend undergoes regular vulnerability assessments.

    • Veza performs regular ECR image scans and patches images.

    • Veza assesses discovered vulnerabilities and patches them in accordance with CISA guidance.

    • Veza automatically scans code dependencies continuously.

    • Veza keeps all system components up-to-date with a regular upgrade cadence.

    • Veza uses images with minimal dependencies necessary for each service.

Data Governance - Data Retention and Deletion

How does Veza define data retention policies for metadata stored in the EKS backend and ensure secure deletion methods that comply with industry standards (e.g., NIST's Guidelines for Media Sanitization)?

  • Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.

  • All metadata is stored in encrypted S3 buckets and encrypted EBS volumes. AWS deletion policies and procedures comply with NIST guidelines for media sanitization.

Monitoring & Incident Response

Anomaly Detection: Does Veza implement behavioral analytics to detect unusual patterns in data access or system behavior, which might indicate a breach or other security incident? Does Veza maintain a detailed incident response plan and conduct regular threat isolation and mitigation drills?

  • Veza uses behavioral analytics to detect anomalies in CloudTrail and VPC flow logs.

  • Incident response plans are created and routinely reviewed.

  • We perform incident response drills at least annually.

Continuous Monitoring: Does Veza implement solutions like Security Information and Event Management (SIEM) systems to gather, correlate, and analyze logs from all parts of the environment? Does Veza ensure CIS controls are met for the EKS and AWS resources used to store and manage customer data? Is a CSPM used to track CIS controls?

  • We use GuardDuty to continuously monitor Production AWS accounts, including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Kubernetes Service (Amazon EKS) clusters, and data stored in Amazon Simple Storage Service (Amazon S3) for malicious activity.

  • We use Sysdig to continuously monitor bastion host activities. Only authorized Veza personnel can use the host to access EKS and related AWS resources for the production AWS accounts.

Figure: Veza SaaS Architecture.