Skip to content

Security guide

This guide provides an overview of Wherobots’ security features.

Definitions

Control Plane: The Control Plane is managed by Wherobots and runs within a private Wherobots network. It is a cloud-hosted system that manages authentication, users, access to the service (user interface and APIs). The Control Plane handles metadata management, enterprise management, and usage monitoring. Customer data does not pass through nor is it stored in the Control Plane.

Compute Plane: The Compute Plane is serverless to users, so it’s fully managed by Wherobots, and is deployed into cloud regions supported by Wherobots. The Compute Plane hosts the workloads in a Wherobots managed network, and it can connect to the Wherobots Spatial Catalog, connect privately to customer owned data sources (e.g., an Amazon Simple Storage Service (S3) bucket), or public data sources and repositories.

The Compute Plane is a cloud-regional service that runs in isolation from the Control Plane. Supported clouds and regions can be found in the Wherobots availability section of the user documentation. Currently, Wherobots operates in the Amazon Web Services (AWS), US-West-2 region, but can connect to other clouds and storage in other regions.

Workloads: Workloads are the Wherobots jobs, queries, notebooks, sessions, machine learning models, or artificial intelligence capabilities that can run on Wherobots and interact with customer data.

Key Aspects

Compute Plane isolation

  • Within the Compute Plane, Wherobots runs workloads on single-tenant virtual machines, which means that workloads are isolated between tenants through cloud hypervisor isolation.
  • Workloads are typically short-lived, and data processed by Wherobots, unless explicitly written to Wherobots Managed Storage or in a hosted notebook, does not persist within the Compute Plane after a notebook, session, or job is destroyed or terminated.
  • The Compute Plane runs separately from the Control Plane. There are no connections from the Control Plane into the Compute Plane.

Compute Plane connectivity and encryption

  • Internet connectivity to the Compute Plane is enabled by default.
  • All network traffic, including traffic between virtual machines1 within the Compute Plane, and connections with private and public data sources, is encrypted in transit.
  • Wherobots uses network-attached storage with virtual machines, and when data is at rest it is always encrypted using an encryption key provided and managed by a cloud provider (e.g., AWS Key Management Service).

Wherobots networking

  • The Compute and Control Plane network infrastructure is managed by Wherobots in Wherobots’ cloud service provider account. The network is shared among customers, and Wherobots maintains network isolation between workloads.
  • By default, Wherobots uses Virtual Private Cloud (VPC) Gateway endpoints to ensure that connectivity between the Wherobots Compute Plane and Amazon S3 buckets is private and never leaves the AWS cloud network.
  • Wherobots' access to customer managed S3 buckets is controlled by customers through the use of AWS IAM cross-account roles and policies.

Wherobots Managed Storage

  • Wherobots Cloud Managed Storage is available as an option for customers.
  • Wherobots Cloud Managed Storage is always encrypted.

Wherobots authentication

  • Organization Administrators can manage user access to Wherobots Cloud using the Wherobots Console.
  • User-attached API keys can be created and configured to expire. These keys can be used to programmatically interface with Wherobots Cloud resources.
  • Professional and Enterprise Edition Organization Administrators can create and manage service principals to access Wherobots Cloud's APIs and services for production deployments, instead of granting this access to individual Users. API keys can be associated with these service principals, allowing API keys to authenticate as the service principal.
  • We support and recommend the use of SAML to delegate authentication, with automatic user provisioning, to a third-party identity provider (IdP), along with the option to restrict log in to Wherobots Cloud to Single Sign-On (SSO) flows through the configured IdP.

Integrating with customer-managed cloud storage

  • Wherobots Storage Integrations can be used to allow Wherobots to access (i.e. read, write) data in a cloud storage bucket. Wherobots Storage Integrations can be configured, managed, and revoked by a Wherobots Organization Administrator.
  • Storage Integrations utilize customer defined cross-account IAM Roles and an IAM Trust Policy. Wherobots assumes those Roles for the following purposes:
    • To perform I/O operations within the bucket with the Wherobots Compute Plane.
    • To store and manage spatial catalog metadata with the Wherobots Control Plane.
  • Network connectivity to S3 buckets is private through the use of S3 Gateway Endpoints (within the same region as the Compute Plane).
  • Access to data is always encrypted in transit with HTTPS/TLS.

  1. In AWS, Wherobots uses Amazon EC2 Nitro instances that encrypt data in transit between virtual machines.