Security & Compliance
Multi-Layered Security Model
CCP implements defense-in-depth with a multi-layered security posture. Every request passes through authentication, authorization, encryption, and audit controls — no action is trusted by default. Security is not an add-on; it is built into every layer of the platform from the IAM engine to the storage tier.
| Security Layer | Mechanism | Protection |
|---|---|---|
| Authentication | Keycloak v24.0.5 — OAuth2/OIDC, JWT tokens, MFA | Identity verification for every user and service interaction |
| Authorization | OpenFGA — 18 pre-defined RBAC roles at Tenant and Cell levels | Role and context validation on every resource action |
| Transport Encryption | mTLS (Mutual TLS) between all services | Encrypted communication and mutual service authentication |
| At-Rest Encryption | AES-256 for all stored data | Data protected against unauthorized physical or logical access |
| Identity Federation | SAML 2.0 with Microsoft ADFS and Entra | Seamless SSO with enterprise identity providers; no password replication |
| Tenant Isolation | Per-tenant Keycloak realm | Complete identity and session isolation between tenants |
| Network Security | VPC isolation, Firewall (CheckPoint / Palo Alto), NAT Gateway | Network-level tenant segregation and perimeter protection |
| Audit Logging | API gateway logs, SIEM integration, centralized log management | Full traceability of every action; immutable audit trail |
| Security Services | WAF, SIEM, CSPM, DDoS protection, Cloud HSM, SSL management | Perimeter and workload-level threat detection and protection |
Identity and Access Management
Keycloak IAM Engine
CCP uses Keycloak v24.0.5 as its IAM engine. Every tenant gets a dedicated Keycloak realm — a completely isolated identity domain with its own users, roles, authentication flows, and federation configuration.
- OAuth2 / OpenID Connect: Industry-standard token-based authentication
- Multi-Factor Authentication: TOTP, SMS, email, and hardware key support
- Session Management: Admin-forced session termination for security incidents
- Per-Tenant Realm Isolation: Users in Tenant A cannot authenticate into Tenant B's realm under any circumstance
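One way a CCP-facing service can enforce realm isolation when it receives a token, as an added illustration (not CCP's or Keycloak's own code): a Keycloak realm is the token issuer, so a resource server that knows which tenant it serves verifies the signature with that realm's key and rejects any token whose `iss` claim names a different realm. The example mints constructed HS256 tokens so it runs offline; Keycloak issues RS256 tokens by default, and the issuer URL, tenant names and keys are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Dict, Optional

KEYCLOAK_BASE = "https://idp.example.internal"  # assumed Keycloak base URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tenant: str, sub: str, key: bytes, ttl: int = 300) -> str:
    """Constructed HS256 token shaped like a Keycloak access token (iss = realm URL)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": f"{KEYCLOAK_BASE}/realms/{tenant}", "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_for_tenant(token: str, tenant: str, realm_keys: Dict[str, bytes],
                      now: Optional[int] = None) -> Optional[dict]:
    """Accept a token only if it verifies under the expected tenant's realm key,
    is unexpired, and was issued by that tenant's realm. Returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    key = realm_keys.get(tenant)
    if header.get("alg") != "HS256" or key is None:   # pin the algorithm, never trust alg from header
        return None
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None                                   # signed by another realm (or tampered)
    claims = json.loads(_b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None                                   # expired
    if claims.get("iss") != f"{KEYCLOAK_BASE}/realms/{tenant}":
        return None                                   # issuer is not this tenant's realm
    return claims
```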
OpenFGA Authorization Engine
Authorization is enforced through OpenFGA, Coredge's fine-grained authorization engine. OpenFGA implements a relationship-based access control (ReBAC) model that evaluates permissions based on roles, relationships, and context — not just flat role assignments.
18 Pre-Defined RBAC Roles are organized across two levels:
- 7 Organization-Level Roles — Control tenant and cell administration, user management, and platform governance
- 11 Service-Specific Roles — Granular permissions aligned to individual service categories (compute, storage, network, security, monitoring, etc.)
This structure ensures the principle of least privilege: a user with Compute access cannot inadvertently access Security or Database management functions.
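To make the relationship-based evaluation concrete, here is an added, simplified stand-in for an OpenFGA-style check (not OpenFGA itself and not CCP's model): permissions are derived from (user, relation, object) tuples, organization-level roles on a tenant flow down to its cells, and a service-specific role on a cell grants only that service's permissions. The role and permission names are hypothetical; the page does not list the actual 18 roles.

```python
from typing import Dict, Set, Tuple

# Constructed tuples in the (user, relation, object) shape an OpenFGA store holds.
TUPLES: Set[Tuple[str, str, str]] = {
    ("user:alice", "tenant_admin", "tenant:acme"),          # organization-level role
    ("user:bob", "compute_operator", "cell:acme-cell-1"),   # service-specific role
    ("tenant:acme", "parent", "cell:acme-cell-1"),          # cell belongs to tenant
    ("tenant:acme", "parent", "cell:acme-cell-2"),
}

# Permissions implied by a role held directly on an object of the given type.
IMPLIED: Dict[Tuple[str, str], Set[str]] = {
    ("tenant", "tenant_admin"): {"can_manage_users", "can_manage_cells"},
    ("cell", "compute_operator"): {"can_manage_compute"},
    ("cell", "security_operator"): {"can_manage_security"},
}

# Cell permissions inherited from a role held on the cell's parent tenant.
FROM_PARENT: Dict[str, Set[str]] = {
    "tenant_admin": {"can_manage_compute", "can_manage_security"},
}


def check(user: str, relation: str, obj: str) -> bool:
    """Return True if `user` has `relation` on `obj`, directly, via an implied
    role on the same object, or via a role on the object's parent tenant."""
    obj_type = obj.split(":", 1)[0]
    if (user, relation, obj) in TUPLES:
        return True
    # Roles the user holds directly on this object.
    for u, r, o in TUPLES:
        if u == user and o == obj and relation in IMPLIED.get((obj_type, r), set()):
            return True
    # Roles the user holds on the parent tenant of this cell.
    parents = {p for p, r, o in TUPLES if r == "parent" and o == obj}
    for u, r, o in TUPLES:
        if u == user and o in parents and relation in FROM_PARENT.get(r, set()):
            return True
    return False
```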
Identity Federation
| Federation Method | Integration | Use Case |
|---|---|---|
| SAML 2.0 | Microsoft ADFS, Microsoft Entra | Enterprise SSO with existing corporate identity providers |
| BSS Portal Federation | ATB BSS Portal | Customer onboarding, subscription, and identity creation from the billing system |
| LDAP / Active Directory | Microsoft Entra | Directory-based user management and group synchronization |
Encryption
In-Transit: Mutual TLS (mTLS)
All communication between CCP microservices, between the portal and APIs, and between CCP and integrated infrastructure uses mTLS. This means:
- Both the client and server present valid certificates to each other before any data is exchanged
- No service can impersonate another — every communication channel is mutually authenticated
- All data moving between services is encrypted; there are no plaintext internal channels
At-Rest: AES-256
All data stored by CCP — platform state in PostgreSQL, event data in MongoDB, session data in Redis — is encrypted at rest using AES-256. This includes backup data stored in geo-replicated object storage.
Security Services Portfolio
CCP includes a comprehensive set of security services available through the self-service catalogue:
| Service | Phase | Description |
|---|---|---|
| SIEM | MVP1 | Security Information and Event Management — centralized threat detection and response |
| Log Monitoring | MVP1 | Continuous log analysis and anomaly detection across platform and workloads |
| CSPM | MVP1 | Cloud Security Posture Management — posture management and configuration compliance |
| WAF | MVP1 | Web Application Firewall — Layer 7 protection for web-facing workloads |
| Cloud HSM | MVP2 | Cloud-based Hardware Security Module for key management and cryptographic operations |
| DDoS Protection | MVP2 | Volumetric and application-layer DDoS mitigation |
| TLS/SSL Certificate Management | MVP2 | Automated certificate lifecycle — issuance, renewal, revocation |
| Encryption as a Service | MVP2 | Managed encryption for tenant workloads and data |
| Digital Forensics | MVP2 | Forensic analysis capabilities for incident investigation |
Compliance Alignment
CCP is designed with compliance requirements of government and regulated industries in mind.
| Compliance Area | CCP Implementation |
|---|---|
| Access Control | Keycloak IAM with RBAC (OpenFGA), per-tenant realm isolation, least privilege via 18 pre-defined roles |
| Cryptography | mTLS in transit, AES-256 at rest, Cloud HSM for key management |
| Audit & Accountability | API gateway audit logs, SIEM integration, centralized log management with long-term retention |
| Identity & Authentication | MFA, SAML 2.0 federation, SSO, session management, short-lived tokens |
| Data Sovereignty | On-premises deployment, local data residency, geo-replicated backups within defined regions |
| Workload Protection | CSPM, WAF, firewall per tenant, per-cell network isolation via VPC |
Privileged Access Management
CCP includes Privileged Access Management (PAM) as a foundation service, ensuring that privileged operations — administrative actions on infrastructure, emergency access, break-glass procedures — are controlled, logged, and subject to approval workflows. PAM is delivered as part of the MVP1 Foundation Services catalogue.