Infrastructure security
See security.atlan.com for the latest policies and standards, reports and certifications, architecture, diagrams and more.
Atlan is deployed using Kubernetes in an Atlan-managed VPC (virtual private cloud).
Atlan also carries out:
- Vulnerability management through frequent releases—Atlan makes weekly releases to minimize vulnerability at a product and operating system level.
- Application Penetration Testing (APT)—Atlan uses third-party vendors to conduct annual industry-standard APT. A penetration test is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (including the potential for unauthorized parties to gain access to the system's features and data) and strengths, enabling a full risk assessment to be completed.
- Event logging and monitoring—Atlan has many tools to support monitoring and event logging:
  - Prometheus and Grafana for monitoring
  - OpenTelemetry (OTel) collectors ingest logs into ClickHouse, with Grafana dashboards on top for querying and alerting
  - Fluent Bit ships tenant-level logs to customer-owned S3 buckets (where enabled)
Network access to control plane
Access to the Kubernetes control plane is restricted to Atlan administrators with managerial approval. Any granted access is time-limited. Public internet access to the control plane is denied.
Network access to nodes
Nodes are configured to only accept connections (via network access control lists):
- from the control plane on the specified ports
- for services in Kubernetes of type NodePort and LoadBalancer
Each component of the Kubernetes cluster has security measures configured. These security measures are at the following levels:
- Cluster security
- Node security
- Pod security
- Container security
- Network security
- Code security
- Secret management
- Data encryption in transit
Responsible disclosure
Security researchers can report suspected vulnerabilities to Atlan's Responsible Disclosure Program.