This article describes recommended security best practices for customers deploying and operating Etlworks when building data integration applications and services. The guidance is aligned with U.S. FedRAMP Moderate / High operational expectations and similar government security frameworks.
The focus is on customer-side operational security, across multiple deployment models.
Alignment with Government and FedRAMP-Style Security Requirements
While FedRAMP certification applies to specific cloud service offerings, the security controls and operational practices described here map directly to common FedRAMP control families, including:
-
IA – Identification and Authentication
-
AC – Access Control
-
CM – Configuration Management
-
CP – Contingency Planning
-
IR – Incident Response
-
AU – Audit and Accountability
-
SC – System and Communications Protection
-
SI – System and Information Integrity
Customers deploying Etlworks are expected to implement these controls as part of their own Authority to Operate (ATO) or equivalent approval process.
Core Security Capabilities in Etlworks
Role-Based Access Control (AC, IA)
Etlworks includes a traditional role-based security model that supports FedRAMP-style access control requirements:
-
Access based on roles
-
Optional per-user access for sensitive operations
-
Access scoped to specific artifacts and groups of artifacts
This allows customers to:
-
Enforce least-privilege access (AC-6)
-
Separate duties between administrators, developers, operators, and auditors (AC-5)
-
Restrict access to production artifacts (AC-3)
Artifact access is managed using Tags and Tag Views, enabling logical security boundaries aligned with teams, projects, or environments. Read more →
Multi-Factor Authentication (IA)
Etlworks fully supports built-in multi-factor authentication:
-
MFA can be enforced per user or organization-wide (using SSO)
-
Supports strong second-factor authentication
-
Recommended for all privileged and production-access users
This supports FedRAMP requirements such as:
-
IA-2 (Multi-Factor Authentication)
-
IA-5 (Authenticator Management)
Single Sign-On via SAML (IA, AC)
Etlworks fully supports SAML-based Single Sign-On with all major identity providers:
-
Integration with government-approved IdPs
-
Centralized authentication and deprovisioning
-
Enforcement of organizational password and session policies
-
Improved auditability and compliance reporting
This aligns with:
-
IA-2, IA-4 (Identity Management)
-
AC-2 (Account Management)
Shared Responsibility Model
Etlworks follows a shared responsibility model consistent with FedRAMP guidance:
-
Etlworks or Etlworks Partner secures the product and platform components.
-
Customers secure deployment configuration, access controls, network boundaries, and operational usage.
Responsibility allocation varies by deployment model.
Deployment Model 1: Traditional SaaS (Etlworks or Partner-Managed)
This model aligns closely with FedRAMP-authorized SaaS patterns.
Customer Responsibilities (FedRAMP Alignment)
-
Configure RBAC and Tag Views (AC)
-
Enable MFA and SSO (IA)
-
Define data handling and retention policies (PL, MP)
-
Monitor usage and review audit logs (AU, IR)
Best Practices
-
Enforce least-privilege access for all users.
-
Separate production and non-production artifacts.
-
Avoid storing sensitive data in logs.
-
Review access and configuration changes regularly.
Deployment Model 2: On-Premise with License Server Connectivity
This model supports hybrid FedRAMP environments where customer-managed systems maintain limited external connectivity.
FedRAMP-Relevant Controls
-
Outbound-only connectivity (SC-7)
-
Network segmentation and firewall rules (SC-7, SC-32)
-
Patch and configuration management (CM)
-
Logging and monitoring (AU, SI)
Best Practices
-
Restrict outbound access to license endpoints only.
-
Apply OS and application hardening.
-
Maintain documented incident response procedures.
Deployment Model 3: Fully Isolated On-Premise (No Internet Access)
This model is aligned with FedRAMP High and classified environment expectations.
FedRAMP-Relevant Controls
-
System isolation and boundary protection (SC)
-
Offline patching and configuration management (CM)
-
Strong identity controls and auditing (IA, AU)
-
Incident preparedness and continuity planning (IR, CP)
Best Practices
-
Enforce RBAC and MFA even in isolated environments.
-
Maintain offline update validation procedures.
-
Document all configuration and access changes.
Logging, Auditing, and Incident Response (AU, IR)
Across all models:
-
Audit logging is always enabled for:
-
User access
-
Configuration changes
-
Flow execution
-
-
Retain logs per regulatory requirements.
-
Define procedures to:
-
Disable flows
-
Revoke credentials
-
Isolate systems
-
These practices directly support FedRAMP audit and incident response requirements.
Patch, Update, and Configuration Management (CM, SI)
-
Keep Etlworks components on supported versions.
-
Test updates in non-production environments.
-
Document changes and approvals.
Summary
Etlworks provides built-in security capabilities that align with FedRAMP-style requirements, including role-based access control, artifact-level authorization, MFA, and SAML-based SSO. Combined with flexible deployment models, Etlworks supports government organizations pursuing ATO, FedRAMP Moderate, or FedRAMP High operational compliance. Read more →
Final compliance outcomes depend on customer implementation and operational controls, consistent with FedRAMP’s shared responsibility model.