phData Managed Services
Virtual Cleanroom

Play Video

At phData, the threat of data product instability or downtime is what keeps us up at night. All aspects of phData’s services are designed to ensure that our customer’s data platforms and data products are available and performant, 24×7. To this end, we must ensure that phData’s worldwide teams of certified Solutions Architects and Engineers must have secure access to customer environments.

While phData supports multiple methods for secure access, the phData Virtual Cleanroom provides the best results. The phData Virtual Cleanroom provides a secure and fully-audited mechanism for phData to provision and maintain access to customer environments.

phData Team Network Access

Given the immense breadth of big data and machine learning technology, phData uses shared teams of 10 to 15 engineers to support a given customer. For our largest customers, that team can be even larger. It’s critical that each member of this team has prompt access to the customer’s environment prior to having SLA-bound support.

Teams of this size provide important benefits to our customers:

phData requires secure network access for each member of the managed services team to our customer’s environment in order to provide our managed services.
phData Virtual Cleanroom

Cleanroom Benefits

The phData Virtual Cleanroom provides a secure and fully-audited mechanism for phData to provision new users to support a customer environment. The phData Virtual Cleanroom provides the following benefits:

More secure

phData’s Virtual Cleanroom goes beyond the typical security and auditing provided in most customer-provisioned “named accounts”. Not only does the Cleanroom provide full authentication and authorization, but also aggressive auditing and screen capture of every activity.

Less risk

Some companies are slow to provision new accounts or balk at the number of accounts needed to support the environment 24×7. If the customer cannot provision accounts promptly or meet the required number of accounts, we cannot commit to SLA-bound support. The phData Virtual Cleanroom ensures that phData engineers have instant, secure access to customer environments so we can always allocate the right person to help.

Less effort for the customer

phData’s has extremely low employee turnover (<5%), but employees do switch teams and occasionally leave phData. Most customers do not want to be responsible for creating or maintaining phData named accounts. The phData Virtual Cleanroom uses automation to provision fully-secured accounts with alerting and notifications to our customers.

phData Virtual Cleanroom Overview

phData will work with customer’s Network and Security teams to establish a Site-to-Site VPN. phData will use customer’s IP space to setup the VPN. The VPN will only have access to Cloudera infrastructure and required administrative portals. phData maintains a Windows jump host that all phData access will be managed from. The host will have the highest security standards applied (patching, Anti-virus, video recording, named accounts, no internet access (provided through VPN)). The VPN network will only have this Windows host. Access to the host will be limited to only members of phData that have been communicated to work on your account. The list will be provided when anything changes. You can access for audits and video recordings of the jump host at any time.

Technical Details

phData Virtual Cleanroom

Access Alternatives

phData supports three approaches to secure network access for our customers:

  • phData Virtual Cleanroom
  • Customer Client VPN
  • Customer VDI

Of these approaches, we have found that the phData Virtual Cleanroom is most efficient at reducing cost, reducing the effort to maintain access, and better meets the security requirements of our customers.

For customers that still prefer that phData use customer “named accounts” or VDI access to their environment, we do support this method. However, customers should be aware that this requires significant coordination and time. In addition, some companies are slow to provision new accounts or balk at the number of accounts needed to support the environment 24×7. For this reason, “named account” access does incur a price premium and we strongly recommend and prefer the phData Cleanroom.

FAQ

We believe it’s our customer’s best interest to be supported by a larger team. Having a larger support team means more skill breadth. This means our customers are able to draw on a broad base of skills to drive faster results and lower risk. Our reporting shows that, in the course of a year, 72% of our team will work on a typical customer environment at some point. Having more people access to the customer environment also gives us the ability to seamlessly scale up as the workload increases, or if there is a critical issue where we need more senior hands. In addition, this also insures us and you from any unfortunate turnover in the team.

phData will work with customer’s Network and Security teams to establish a Site-to-Site VPN. phData will use customer’s IP space to setup the VPN. The VPN will only have access to Cloudera infrastructure and required administrative portals. phData maintains a Windows jump host that all phData access will be managed from. The host will have the highest security standards applied (patching, Anti-virus, video recording, named accounts, no internet access (provided through VPN)). The VPN network will only have this Windows host. Access to the host will be limited to only members of phData that have been communicated to work on your account. The list will be provided when anything changes. You can access for audits and video recordings of the jump host at any time.

phData is using non-publicly-routed public-address space to connect to the Jumpbox. We use this non-publicly-routed public-address ensure we don’t conflict with address space provided by the customer. Customers can provide us with public address space or RFC1918 private address space for our side of the VPN.

phData will used named accounts on the Jump Host but then use a service account to administer the cluster. The service account usage will only be used during incidents and maintenance items. It will not have access to any data. Auditing of who is using the service account can be obtained from video recordings of the jump host.
Every year, phData employees take security, privacy, GDPR, accepted use and data classification training. Proof of training can be obtained by request.
phData can still meet the customer-specific training using this method. Our engineers due go through general security training as part of onboarding and on a yearly basis, many customer-specific training requirements may already be fulfilled as part of our standard training. For customers who require industry-specific training, we have the option of integrating those into our internal learning management system and ensuring our engineers undergo training.
  • Site-to-Site VPN from a phData Managed Virtual Private Cloud (VPC) to the customer environment.
  • phData Managed VPC is limited to accessing only nodes managed by phData and does not have any other network access including the internet.
  • phData Managed VPC contains a phData managed jumpbox and nothing else.
  • Access to the Jumpbox is restricted to named accounts who need access to the environment.
  • Jumpbox authentication follows all standard security mechanisms including strong passwords, rotating passwords, and named accounts.
  • Everything phData employees do will be recorded and the recording will be encrypted and accessible only to our General Counsel and Chief Technology Officer. Customers can request recordings at any time.

Ready to learn more phData Virtual Cleanroom? Let's chat.