This page provides an overview of how to secure a Camunda Optimize installation. For Camunda’s security policy, a list of security notices and a guide how to report vulnerabilities, please visit the general security documentation.
This guide also identifies areas where we consider security issues to be relevant for the Camunda Optimize product and list those in the subsequent sections. Compliance for those areas is ensured based on common industry best practices and influenced by security requirements of standards like OWASP Top 10 and others.
It is essential to know that Optimize does not operate on its own, but needs the Camunda BPM engine to import the data from and Elasticsearch to store the data. A detailed description of the set-up can be found in the architecture overview guide. Hence, there are three components that are affected by security, which are handled in the succeeding subsections:
Secure the Engine
The BPMN platform with its process engine is a full standalone application which has a dedicated security guide. The sections that are of major importance for the communication with Optimize are enabling authentication for the REST API and Enabling SSL / HTTPS.
Optimize already comes with a myriad of settings and security mechanism by default. In the following you will find the parts that still need manual adjustments.
Consider to disable HTTP, to prevent easy cookie theft. This can simply be done by setting the http property in the container settings to an empty/null value. Consult the respective section in the configuration guide for the details.
Authentication controls who can access Optimize . Read all about how to restrict the application access in the user access management guide.
Authorization controls what data a user can access and change in Optimize once authenticated. Authentication is a pre-requisite to authorization. Read all about how to restrict the data access in the authorization management guide.
Optimize stores its data into Elasticsearch, which is a search engine that acts as a document based datastore. In order to protect access to this data, it must be configured correctly. The documentation guide on secure elasticsearch provides a detailed description on how to restrict the access to the data and secure the connection to Elasticsearch.