IA-05 (07) Sensitive Data in Installer
Introduction
This document describes how Private Mendix Platform fulfills the IA-05 (07) control.
| Control ID | IA-05 (07) |
|---|---|
| Control category | IA - Identification and Authentication |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Mendix - Studio Pro/Runtime, Customer - Infra, Customer - Org |
Control
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Supplemental Guidance
Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (for example, a password).
Responsibility
Mendix Responsibility
Private Mendix Platform installation supports retrieving environment-sensitive data from external secret storage (for example, AWS Secrets Manager, Key Vault, and so on).
Customer Responsibility
The customer must set up the external secret manager and properly configure the corresponding secrets.
Guidance
Customer Responsibility
The customer must implement an external secrets store to manage sensitive data:
- Set up and configure the secret storage provider, for example, HashiCorp Vault, AWS Secret Manager or Azure Key Vault.
- Install and configure a Kubernetes Secrets Store CSI driver, for example, AWS Secrets Manager CSI Secrets Store. This driver is installed globally for the entire cluster.
- Configure the keys at the external secret manager.
- When running the Private Mendix Platform installer, select Use Secret Provider for the storage plan, database plan, and admin password:
Proof and Remarks
Selecting AWS as the secret provider:
Selecting Azure Key Vault as the secret provider:
Selecting HashiCorp Vault as the secret provider: