Overview

Data Control Tower (DCT) is a SaaS application that introduces a centralized architecture for launching services across connected Delphix Engines, drastically reducing administrative overhead through global policies. Data Control Tower is the essential Delphix tool for any organization looking to operate efficiently at a large scale. A summarized list of the benefits and value drivers offered by Data Control Tower is shown below:

  • Provides a Programmable Data Infrastructure (PDI) focal point for all connected Delphix Engines.
  • Significantly reduces administrative overhead when operating Delphix at scale.
  • Aggregates engine-based metadata for monitoring and reporting.
  • Drives enterprise-grade security to any Delphix deployment.

The following sections will go over additional details of the architectural shifts, core value drivers, and key concepts that encompass Data Control Tower.

Architectural Shifts

Data Control Tower was designed to tackle the sprawling complexity that comes with operating Delphix Virtualization and Masking at a large scale (10+ engines). It benefits customers of any size, however, and it helps establish best practices if you intend to scale your deployment.

Data Control Tower builds upon the engine administrative experience from both a human and an API perspective. Rather than administering elements like user management, object tracking, and performance monitoring engine by engine, Data Control Tower simplifies administration by aggregating meaningful metadata and launching services that allow for global monitoring and policy setting. Even with scripting and/or automation workflows, Data Control Tower simplifies the experience through an API gateway, a Data Library, and API keys, which together drive simplicity, intelligence, and security.

Data Control Tower changes this engine-by-engine architecture by shifting to a global management application that aggregates engine-generated metadata and launches new experiences that are only possible with this shift to a central management model. Whether you operate from the UI or the API, Data Control Tower streamlines both experiences with Delphix.

Core Value Drivers

Programmable Data Infrastructure

A single point to access all of your data.

The Data Control Tower API experience delivers a simpler architecture through an API gateway as opposed to a per-engine API. This simplifies the overall automation experience by abstracting out the engine location, making scripts easier to write.

Secondly, Data Control Tower's global nature offers a vantage point in which to launch unique Delphix experiences via Data Control Tower APIs (e.g. global reports, auditing, and policy setting).

Lastly, Data Control Tower improves API security, as it is the API token-granting authority for all Delphix products.

Policy-based Data Authorization

Direct the flow of data to those who need it.

The architecture shift from engine-by-engine management to Data Control Tower's global governing model creates a unique opportunity to streamline the experience around operating Delphix at scale. This is accomplished by:

  • Setting global policies that govern access and permissions across Virtualization and Masking objects.
  • Tying into enterprise authentication systems for administrative simplicity.

Users and Groups shift object access for both Virtualization and Masking from an engine-by-engine experience to one that is globally managed. The chart below demonstrates the authorization workflow for two groups built around App Team A and the compliance team. A global group such as “App Team A” can be set to manage objects spanning multiple engines with granular permissions. This represents a significant reduction in administrative overhead, as the group is defined once rather than once per engine.

Users, groups, and other global authorization policies can further reduce the administrative load for Delphix administrators by tying into enterprise systems like directory services to determine group membership. In the above example, the leftmost column represents an enterprise directory with users listed alongside their associated attributes (e.g. App A, Compliance). IdP attribute mapping allows these labels to be passed through and associated with Virtualization and Masking access groups, so that changes made in LDAP or Active Directory are automatically reflected in Delphix access groups.

Monitoring and Reporting

Measure, audit, and report on all of your Delphix Data.

Data Control Tower is the metadata aggregator across all connected Virtualization and Masking Engines. It is therefore the ideal architectural point from which to launch reporting and monitoring services. One of these services is the insights dashboard, which displays Virtualization and Masking usage data.

The listed existing functionality serves as a first step in building out reporting and monitoring workflow support in Data Control Tower. Future enhancements include releasing external-facing APIs for report generation, as well as additional generalized monitoring functionality for organizations to use as a basis for customization.

Enterprise Discipline for Organizational Security

Driving identity, authentication, authorization, and accountability across your Delphix deployment.

IDENTITY

A person’s identity in Delphix used to be tied solely to a username. With Delphix’s support for Single Sign-On (SSO), user identity can now be tied to an email address. Data Control Tower makes SSO a requirement for the application and all connected engines, making the email address the new and only standard for a person’s identity.

This is significant because an email address is relatively immutable (versus a username, which often differs from engine to engine) and ties into enterprise identity management systems on top of which InfoSec teams can build security controls such as multi-factor authentication (MFA).

In general, an employee at an enterprise has a single email address. Delphix uses it as an objective standard of identity (one that does not change over time), versus the legacy method of identity, usernames, which are subjective and drift when accounts are created for a single user on multiple engines. The image below demonstrates this for John Smith: rather than having three separate identities (John, jsmith, and John_admin), John simply uses john.smith@company.com as a single global identity, which goes hand in hand with a service like Data Control Tower.

Authentication

Human-based Authentication

The shift to email-based identity, coupled with single sign-on (SSO) support via SAML 2.0, allows for the use of enterprise IdPs, the standard for human-based authentication. Whether internally developed or externally supported, IdP services give InfoSec departments a means to establish umbrella security standards such as multi-factor authentication that apply to all connected applications. In the diagram below, the blue user authenticates with a third-party service, Okta. From there, the user can access Data Control Tower and any SSO-enabled Delphix Engine (if the engine is connected to Data Control Tower, it has already shifted to SSO-based authentication) on which the user has been granted access via a registered email address.

Machine-based Authentication

API keys add a new level of security for scripting and automation workflows by shifting from username-and-password authentication to token-based authentication. Every key is tied to the email address of the user who generated it, and each key can be rotated to maintain token lifecycle standards.
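The following is an added example written for this page and is not Delphix code: an in-memory model of the machine-authentication pattern described above (a key bound to the issuing user's email address, rotatable, and every action attributed to that email in an audit trail, as the Accountability section later describes). The class, method names, the 90-day maximum age and the key format are all assumptions chosen for illustration.

```python
"""Email-bound API keys with hashed storage, rotation and audit attribution.

Added example for this page, not Delphix code: the class, the method names,
the key format (id.secret) and the in-memory store are assumptions chosen to
illustrate the model of keys tied to the issuing user's email address.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class KeyRecord:
    owner_email: str      # the identity every action with this key is attributed to
    key_hash: str         # only a hash is stored; a leaked table yields no usable keys
    created_at: datetime
    revoked: bool = False


class ApiKeyStore:
    """Issues, verifies and rotates API keys; every key maps back to one email."""

    def __init__(self, max_age: timedelta = timedelta(days=90)) -> None:
        self._by_id: Dict[str, KeyRecord] = {}
        self._max_age = max_age
        # (timestamp, email, action): the accountability trail for machine access
        self.audit_log: List[Tuple[datetime, str, str]] = []

    @staticmethod
    def _hash(secret: str) -> str:
        # Plain SHA-256 is adequate because the secret is 256 bits of CSPRNG
        # output, not a human-chosen password that would need a slow KDF.
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, owner_email: str, now: datetime) -> str:
        """Create a key for an already SSO-authenticated user; returns the only copy."""
        key_id = secrets.token_hex(8)            # public lookup handle
        secret = secrets.token_urlsafe(32)       # shown once, never stored
        email = owner_email.lower()
        self._by_id[key_id] = KeyRecord(email, self._hash(secret), now)
        self.audit_log.append((now, email, f"issue key {key_id}"))
        return f"{key_id}.{secret}"

    def authenticate(self, presented: str, now: datetime) -> Optional[str]:
        """Return the owner's email if the key is valid, otherwise None."""
        key_id, _, secret = presented.partition(".")
        rec = self._by_id.get(key_id)
        if rec is None:
            return None
        # Constant-time comparison: do not leak how many hash bytes matched.
        if not secrets.compare_digest(rec.key_hash, self._hash(secret)):
            return None
        if rec.revoked or now - rec.created_at > self._max_age:
            return None
        return rec.owner_email

    def revoke(self, key_id: str, now: datetime) -> None:
        rec = self._by_id[key_id]
        rec.revoked = True
        self.audit_log.append((now, rec.owner_email, f"revoke key {key_id}"))

    def rotate(self, presented: str, now: datetime) -> Optional[str]:
        """Replace a still-valid key with a fresh one; the old key stops working at once.

        An expired or revoked key cannot rotate itself: the user must come back
        through SSO and call issue() again.
        """
        owner = self.authenticate(presented, now)
        if owner is None:
            return None
        self.revoke(presented.partition(".")[0], now)
        return self.issue(owner, now)

    def perform(self, presented: str, action: str, now: datetime) -> bool:
        """Run an API action on behalf of a key, recording who (by email) did it."""
        owner = self.authenticate(presented, now)
        if owner is None:
            return False
        self.audit_log.append((now, owner, action))
        return True


def demo() -> dict:
    """Walk through issue -> use -> rotate -> expiry and return the observable results."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ApiKeyStore(max_age=timedelta(days=90))
    key1 = store.issue("alice@company.com", t0)
    tampered = key1[:-1] + ("A" if key1[-1] != "A" else "B")   # last secret char altered

    results = {
        "valid": store.authenticate(key1, t0),
        "wrong_secret": store.authenticate(tampered, t0),
        "unknown_id": store.authenticate("deadbeefdeadbeef.nothing", t0),
        "action_ok": store.perform(key1, "refresh VDB vdb-01", t0 + timedelta(days=1)),
    }
    key2 = store.rotate(key1, t0 + timedelta(days=30))
    results["old_after_rotate"] = store.authenticate(key1, t0 + timedelta(days=30))
    results["new_after_rotate"] = store.authenticate(key2, t0 + timedelta(days=30))
    results["new_expired"] = store.authenticate(key2, t0 + timedelta(days=121))
    results["expired_cannot_rotate"] = store.rotate(key2, t0 + timedelta(days=121))
    results["actors"] = {email for _, email, _ in store.audit_log}
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two points worth taking from the model are that the server never stores the secret half of the key, so a database leak does not yield working credentials, and that rotation and expiry are enforced at verification time, so an old key is dead the moment it is rotated and every audit entry still resolves to the human email that created the key.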

Authorization

After determining whether a user has the ability to access Data Control Tower and/or a Delphix Engine, the next control most InfoSec teams focus on is authorization: what a specific user can do once they’ve been authenticated. Data Control Tower provides a critical set of functionality to determine Virtualization and Masking object access and permissions by establishing global groups, and policies tied to those groups, that drive authorization across a large-scale distribution of Delphix.

Data Control Tower admins can now set global user groups with granular access across all objects from Data Control Tower-connected engines.

For Virtualization, this takes the form of global data-access groups in which a Data Control Tower admin creates a group, assigns members to that group, and determines what objects (irrespective of engine location) the group has access to, with granular permissions. For Masking, the group membership model is the same; only the objects and permissions shift to masking environments and masking-specific permissions. For more detail on Virtualization, Masking, Self-Service, and administrative access groups, please see the User Groups page of the Data Control Tower documentation.

Enterprise Directory Service Support - As a special note, Data Control Tower supports enterprise directory services (e.g. LDAP, Active Directory) by way of attributes federated via the customer’s IdP and tied to a user’s email address. This allows LDAP or Active Directory to determine user membership in all Data Control Tower User Groups. For more information, please see the IdP Attribute Mapping section under the Users and Groups page of the Data Control Tower documentation.
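The following is an added example written for this page, not Delphix code or configuration, illustrating the IdP attribute mapping described here and in the Users and Groups passage above: directory group attributes federated in a SAML assertion are mapped to global access groups, with the user's email as the only identity. The attribute names (email, memberOf), the directory DNs, the group names and the mapping table are constructed for the example. It also handles two things the description leaves implicit: a directory group the mapping does not list grants nothing, and membership is replaced on each login rather than accumulated, so a user removed from a directory group loses the matching access group.

```python
"""Resolve global access-group membership from IdP-federated directory attributes.

Added example for this page, not Delphix code: the attribute names (email,
memberOf), the directory DNs, the group names and the mapping table are all
constructed to illustrate IdP attribute mapping.
"""
from typing import Dict, List, Mapping, Set, Tuple, Union

AttrValue = Union[str, List[str], None]

# Assumed mapping table: directory group DN -> global access group.
# Anything not listed is ignored, so an unexpected directory group grants nothing.
GROUP_MAP: Dict[str, str] = {
    "CN=App-A,OU=Groups,DC=company,DC=com": "App Team A",
    "CN=Compliance,OU=Groups,DC=company,DC=com": "Compliance",
}


def _as_list(value: AttrValue) -> List[str]:
    """Normalise an attribute: some IdPs send a single value as a bare string."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [v for v in value if isinstance(v, str)]


def resolve(attributes: Mapping[str, AttrValue],
            group_map: Mapping[str, str] = GROUP_MAP,
            email_attr: str = "email",
            groups_attr: str = "memberOf") -> Tuple[str, Set[str]]:
    """Return (email identity, set of access groups) for one SAML assertion.

    Raises ValueError when the assertion does not carry exactly one email,
    because email is the only identity the application accepts.
    """
    emails = _as_list(attributes.get(email_attr))
    if len(emails) != 1 or "@" not in emails[0]:
        raise ValueError("assertion must carry exactly one email address")
    email = emails[0].strip().lower()
    # Directory DNs are case-insensitive, so compare them case-folded.
    folded = {dn.lower(): group for dn, group in group_map.items()}
    groups = {folded[dn.lower()] for dn in _as_list(attributes.get(groups_attr))
              if dn.lower() in folded}
    return email, groups


def reconcile(email: str, groups: Set[str],
              membership: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Make the stored membership equal the freshly resolved one.

    Membership is replaced, not accumulated: a user removed from a directory
    group loses the matching access group on the next login instead of
    keeping it forever. Returns (added, removed) for the audit trail.
    """
    before = membership.get(email, set())
    membership[email] = set(groups)
    return groups - before, before - groups


def demo() -> dict:
    """Two logins for one user with a directory change in between (constructed data)."""
    membership: Dict[str, Set[str]] = {}
    first = {  # constructed SAML attributes for John's first login
        "email": ["John.Smith@company.com"],
        "memberOf": [
            "CN=App-A,OU=Groups,DC=company,DC=com",
            "CN=Compliance,OU=Groups,DC=company,DC=com",
            "CN=Printer-Admins,OU=Groups,DC=company,DC=com",   # unmapped, ignored
        ],
    }
    email, groups = resolve(first)
    added1, removed1 = reconcile(email, groups, membership)

    second = {  # after AD removes John from Compliance; memberOf arrives single-valued
        "email": "john.smith@company.com",
        "memberOf": "cn=app-a,ou=groups,dc=company,dc=com",
    }
    email2, groups2 = resolve(second)
    added2, removed2 = reconcile(email2, groups2, membership)

    try:  # an assertion with no email must be rejected, not mapped to nothing
        resolve({"memberOf": ["CN=App-A,OU=Groups,DC=company,DC=com"]})
        missing_email_rejected = False
    except ValueError:
        missing_email_rejected = True

    return {
        "email": email, "same_identity": email == email2,
        "first": groups, "added1": added1, "removed1": removed1,
        "added2": added2, "removed2": removed2,
        "final": membership[email],
        "missing_email_rejected": missing_email_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Resolving membership from scratch on every login, rather than adding groups as they appear, is what makes a directory change "automatically reflected": revocation is as immediate as a grant, and the (added, removed) diff gives the audit log a record of each change.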

Accountability

Data Control Tower introduces multiple levers that provide additional means of driving accountability based on an individual’s identity. First, all actions within Data Control Tower are viewable and exportable via the Data Control Tower audit log. Second, Data Control Tower drives accountability for API interaction across all Delphix products by associating user email addresses with API keys.

Data Control Tower records all user interactions, which are viewable via the audit log.