Security aspects of FlowFuse are divided up into three sections;
# Application
The FlowFuse platform architecture is described in our documentation.
# Users
# Sessions
Users are identified by an unique combination of username and password, or by a SAML compliant server for Single Sign-on (SSO) or LDAP. FlowFuse by default will
close active sessions after 14 days, or when user signs out.
Users can self-register on the platform, or if their SSO/LDAP configuration allows, they can be automatically registered on first login.
# Multi-factor authentication
FlowFuse supports Multi-factor authentication (MFA), also known as 2-factor authentication (2FA) for its users. They can configure this once they have registered on the platform.
# Role-Based Access Control
Within FlowFuse, users are organised within Teams. A user can be in multiple Teams.
Within the Team, a user will have a role to determine what they are able to do. The available roles are:
Role | Description |
---|---|
Owner | Full access to the team. Create create/delete resources and manage the billing settings |
Member | Can access and modify existing Node-RED instances |
Viewer | Has read-only access to the Node-RED instances - cannot modify anything |
Dashboard | Cannot access the Node-RED editor, but can access any Dashboard created within a Node-RED instance |
Some users can also be granted admin
level access. This allows them to administer the overall FlowFuse platform.
FlowFuse Cloud: Only FlowFuse employees have admin
access to the platform, based on their role and business need to have that level of access.
# Audit logs
FlowFuse features multiple layers of audit logging, both at the administrator level as well as at a team level. Audit logs are currently stored indefinitely.
# FlowFuse Configuration
Configuration of the FlowFuse application influences security aspects of the system at large. For each section the implementation of FlowFuse Cloud is mentioned too. For self managed installs we advise to follow the choices made by FlowFuse Cloud.
# Data storage
# Data at Rest
All user data is stored in a relational database.
FlowFuse Cloud: Data is stored in a PostgreSQL database. All data is encrypted using the industry standard AES-256 encryption algorithm.
FlowFuse Cloud: All persistent users files are stored at rest in an Encrypted AWS EFS volume, using the AES-256 encryption algorithm. Persistent Storage
# Data residency
Long term data storage is depended on the location of the relational database storage.
FlowFuse Cloud: Data is stored in the European Union, specifically Ireland, on AWS eu-west-1
.
# Data in Transit
Traffic from external sources to the FlowFuse application can be encrypted. When a load balancer is used, the encryption is terminated on the edge. Internal traffic is not encrypted.
FlowFuse Cloud: Data in transit to and from external sources uses the latest recommended AWS Network Security policy. This enforces TLS1.2 as a minimum. Encryption is terminated at the edge, both for HTTP and MQTT traffic.
Adding internal SSL/TLS is being investigated.
# Inter Node-RED communication
Communication between a team's instances is MQTT based. Traffic can be encrypted based on the broker configuration.
FlowFuse Cloud: Inbound and outbound traffic is sent encrypted to FlowFuse. The encryption is terminated at the load balancer. Internal traffic is not encrypted.
# Service endpoints
It's recommended to run the FlowFuse application and the flow runtimes on different domains. This will create separation of concerns and enhances security for, among others, cookies.
FlowFuse Cloud: Our SaaS offering has multiple domains:
domain | purpose |
---|---|
app.flowfuse.com |
The FlowFuse Cloud platform |
mqtt.flowfuse.com |
The MQTT endpoint for the platform - via secure WebSocket connection |
*.flowfuse.cloud |
The endpoints of individual Node-RED instances |
*.flowforge.cloud |
Older Node-RED instances may be served under this domain as they were created prior to the migration to the FlowFuse name |
When running the FlowFuse Device Agent on a user's own hardware and network, it will require access to the following domains to be fully operational:
app.flowfuse.com
mqtt.flowfuse.com
registry.npmjs.org
- to enable installing of Node-RED modules
When running the Node-RED editor on a user's own network, it will require access to the following domains to be fully operational:
app.flowfuse.com
mqtt.flowfuse.com
*.flowfuse.cloud
catalogue.nodered.org
Outbound connections from Node-RED instances running within FlowFuse Cloud will always come from the IP address 63.33.85.112
.
# Organisation
Keeping our customer's data secure is dependant on our internal practises too.
# Certifications
FlowFuse obtained the SOC 2 Type 1 and Type 2 certification, audited by Advantage Partners.
# Security Governance
FlowFuse has information and data policies, the full list can be found in our handbook.
Most notably for (prospective) customers assessing FlowFuse: