4.4 KiB
- I would recommend breaking this into multiple whitepapers
- Morpheus
-
Below is a curated list of Morpheus security capabilities aligned with the needs of an IT security leader:
-
Single Sign-On (SSO) Integration
Morpheus can integrate with multiple SSO providers (e.g., SAML 2.0), enabling centralized user authentication and leveraging existing identity stores for streamlined user management and compliance with enterprise directory policies morpheusdata.com.
-
Role-Based Access Control (RBAC)
Security groups from the identity provider are mapped to Morpheus roles at first login, ensuring that users receive only the permissions they need, in accordance with the principle of least privilege morpheusdata.com.
-
Multi-Factor Authentication (MFA)
Supports MFA both natively (two-factor authentication for local accounts) and via SAML 2.0 integrations that propagate external MFA challenges, adding an extra layer of credential protection morpheusdata.com.
-
AES-256 Encryption of Sensitive Data
All configuration data, including passwords and metadata stored in the embedded database, are encrypted at rest using AES-256 symmetric key encryption. File-system data can also reside on encrypted volumes for defense-in-depth morpheusdata.com.
-
FIPS 140-2 Compliance Support
From version 3.6.5 onward, Morpheus Data Appliance offers FIPS 140-2 validated cryptographic modules. A specialized FIPS installer ensures that all cryptographic operations comply with U.S. federal standards morpheusdata.com.
-
Certificate Management
- CA-Signed Certificates: Recommended for production to establish trust.
- Self-Signed Certificates: Supported for testing environments only.
- Active Directory Integration: Requires a valid domain certificate from a trusted CA to secure LDAP/LDAPS traffic morpheusdata.com.
-
CVE Scanning and Patch Remediation
Each minor and patch release undergoes Common Vulnerabilities and Exposures (CVE) scanning. Identified CVEs are remediated before release, and release notes document all addressed vulnerabilities to aid in audit readiness morpheusdata.com.
-
Comprehensive Logging and Auditing
- Server Logs: Rotated daily with 30-day retention, capturing core services (e.g., Tomcat, NGINX, Elasticsearch).
- Audit Logs: Records all user-driven configuration changes and infrastructure operations; a subset is exposed via the UI activity feed and stored indefinitely in the database.
- Agent Logs: Managed machines forward syslog messages via the Morpheus Agent with configurable retention (default 7 days), ensuring visibility into workload-level events morpheusdata.com.
-
Secure Telemetry Controls
Telemetry data collection is opt-in and can be disabled via a license feature. This provides organizations full control over what operational data leaves their environment, aiding in data sovereignty and privacy compliance morpheusdata.com.
-
Network Security Requirements
- Port Restrictions: Administrator workstations communicate over TCP 22 and TCP 443; all user/API interactions occur exclusively over HTTPS (TCP 443).
- Name Resolution and Latency: Enforces strict DNS configurations and recommends sub-5 ms inter-node latency for HA deployments to prevent split-brain scenarios and ensure secure, performant clustering morpheusdata.com.
-
-
HPE-VM
-
Better together
- Morpheus