Atlan stores all sensitive user data in the cluster itself, inside the customer's VPC (virtual private cloud) in an encrypted format. No credentials are transferred outside the customer's VPC, and no credentials are stored inside the AWS Secrets Manager.
Atlan is a fully virtualized solution that does not involve moving data from existing storage layers.
Atlan crawls metadata from upstream data sources and stores it within the customer’s VPC. Any queries that run on the Atlan product are pushed to existing processing layers (e.g. directly to your database, warehouse, or a processing layer such as Athena or Presto on top of Blob storage).
Data and metadata collected and created by Atlan are stored in applications and databases within the customer’s VPC. This includes information for data previews and queries, data quality, asset metadata, and user data.
Atlan gives users the ability to see sample data previews for a data asset and results for any queries run on Atlan.
In both cases, the request is pushed upstream to the original data source, and a 100-row sample of the result is provided to Atlan users. Atlan caches this 100-row sample of the data in Redis for a faster load time when you return to a data preview or query.
Users can generate data quality metrics with the click of a button on Atlan. Once generated, these metrics are stored in PostgreSQL on the customer’s VPC.
Asset metadata, including metadata crawled by Atlan or data lineage generated on the product, is stored across Apache Atlas, Elasticsearch, and Cassandra.
Atlas is a graph database layer that stores entity relationships and attributes, Elasticsearch is used to optimize search on the product, and Cassandra acts as a persistence backend.
Data on users, roles, and groups is stored in a PostgreSQL database. Keycloak uses this information for access and identity management.
All sensitive fields like passwords are hashed and stored. Any user data transmitted over the internet is SSL-encrypted over HTTPS.
The Atlan authentication process is run on Keycloak, using open protocol standards like username-password or SAML 2.0–based login. Atlan can also integrate into organizations’ existing SAML 2.0–based SSO authentication systems.
Atlan is deployed using Kubernetes on the customer’s VPC. All access to the Kubernetes control plane is not allowed publicly on the internet, and is controlled by network access control lists restricted to the set of IP addresses needed to administer the cluster.
Nodes are configured to only accept connections (via network access control lists) from the control plane on the specified ports, and to accept connections for services in Kubernetes of type NodePort and LoadBalancer.
Each component of the Kubernetes cluster has security measures configured. These security measures are at the following levels:
Data encryption in transit
Atlan uses standard encryption to protect data in transit. Atlan uses Hypertext Transfer Protocol Secure (HTTPS) for encrypted and secure communication when data is in transit. This protocol is encrypted using Transport Layer Security (TLS). We also support Two-Factor Authentication (2FA) for accessing resources.
The S3 bucket launched by Atlan is secured with Amazon S3 server-side encryption. AES-256 is used as the SSE algorithm in the S3 bucket.
All of the EBS (Elastic Block Storage) launched by Atlan is encrypted. Atlan uses storage class, which is encrypted for provisioning persistent volumes to the microservices running inside the Kubernetes cluster.