Enterprise Security
Comprehensive security configuration for enterprise FAOS deployments. This guide covers authentication, authorization, encryption, compliance, and security best practices.
Authentication & Authorization
Single Sign-On (SSO)
SAML 2.0 Configuration
```yaml
# config/saml.yaml
saml:
  enabled: true
  entity_id: "https://faos.yourcompany.com"
  idp:
    metadata_url: "https://idp.yourcompany.com/metadata"
    sso_url: "https://idp.yourcompany.com/sso"
    slo_url: "https://idp.yourcompany.com/slo"
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWgAwIBAgIJ...
      -----END CERTIFICATE-----
  sp:
    private_key_file: /etc/faos/saml/sp-key.pem
    certificate_file: /etc/faos/saml/sp-cert.pem
    assertion_consumer_service_url: "https://faos.yourcompany.com/saml/acs"
    single_logout_service_url: "https://faos.yourcompany.com/saml/sls"
  attributes:
    email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    first_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    last_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    groups: "http://schemas.xmlsoap.org/claims/Group"
  settings:
    name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    authn_context: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    want_assertions_signed: true
    want_messages_signed: true
```

Keep `want_assertions_signed: true`: the SP must verify the assertion signature against the pinned IdP `certificate` before reading any attribute, and reject unsigned assertions or assertions signed by any other key. The inline certificate stays the trust anchor even when `metadata_url` is set. Restrict `/etc/faos/saml/sp-key.pem` to the FAOS service user (mode 0600).
OAuth 2.0 / OpenID Connect
```yaml
# config/oidc.yaml
oidc:
  enabled: true
  provider: okta # or azure, google, custom
  client_id: "your-client-id"
  client_secret: "${OIDC_CLIENT_SECRET}"
  issuer: "https://yourcompany.okta.com"
  authorization_endpoint: "https://yourcompany.okta.com/oauth2/v1/authorize"
  token_endpoint: "https://yourcompany.okta.com/oauth2/v1/token"
  userinfo_endpoint: "https://yourcompany.okta.com/oauth2/v1/userinfo"
  jwks_uri: "https://yourcompany.okta.com/oauth2/v1/keys"
  scopes:
    - openid
    - email
    - profile
    - groups
  claims:
    user_id: sub
    email: email
    name: name
    groups: groups
```

`client_secret` is read from the environment; never commit it to the config file. When endpoints are hand-configured as above, all of them must belong to the configured `issuer`, ID-token signatures must be checked against keys from `jwks_uri`, and the `iss` claim of every token must equal `issuer`. Mapping `user_id` to `sub` rather than `email` is deliberate: `sub` is the stable identifier, while an email address can be reassigned.
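The relying-party side of the authorization-code flow that this configuration drives, as an added example (not FAOS code and not from the original page): PKCE per RFC 7636, `state` and `nonce` generation, callback binding, and the ID-token claim checks. The session dict shape, `CLOCK_SKEW`, `LOGIN_TTL` and the function names are assumptions; signature verification against `jwks_uri` is assumed to be done by a JOSE library before the decoded claims reach `validate_id_token()`.

```python
"""Authorization-code flow hygiene for config/oidc.yaml (added example, not FAOS code)."""
import base64
import hashlib
import secrets
import time
from typing import List, Optional

ISSUER = "https://yourcompany.okta.com"  # issuer from config/oidc.yaml
CLIENT_ID = "your-client-id"             # client_id from config/oidc.yaml
CLOCK_SKEW = 60                          # tolerated clock drift in seconds (assumption)
LOGIN_TTL = 600                          # abandon logins older than 10 minutes (assumption)


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and RFC 7636 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(now: Optional[int] = None) -> dict:
    """Per-login secrets the RP stores server-side before redirecting to authorization_endpoint."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range of RFC 7636
    return {
        "state": secrets.token_urlsafe(32),      # ties the callback to this browser session (anti-CSRF)
        "nonce": secrets.token_urlsafe(32),      # ties the ID token to this login (anti-replay)
        "code_verifier": verifier,               # sent only to token_endpoint, never to the browser
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "started_at": int(time.time()) if now is None else now,
    }


def check_callback(session: dict, callback_state: str, now: Optional[int] = None) -> bool:
    """Accept the callback only if state matches (constant-time) and the login is still fresh."""
    now = int(time.time()) if now is None else now
    if now - session["started_at"] > LOGIN_TTL:
        return False
    return secrets.compare_digest(session["state"].encode(), callback_state.encode())


def validate_id_token(claims: dict, session: dict, now: Optional[int] = None) -> List[str]:
    """Return the problems found in the decoded ID-token claims; an empty list means accept."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match configured issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("aud does not contain client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences but azp is not client_id")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW:
        problems.append("exp missing or token expired")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        problems.append("iat missing or in the future")
    if not secrets.compare_digest(str(claims.get("nonce", "")).encode(), session["nonce"].encode()):
        problems.append("nonce does not match this login")
    if not claims.get("sub"):
        problems.append("sub missing")  # sub, not email, is the stable user_id per the claims map
    return problems
```

`begin_login()` runs before the redirect, `check_callback()` on the `/callback` request, and `validate_id_token()` after the token response has been signature-checked; a non-empty problem list must abort the login rather than fall back to `userinfo`.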
Multi-Factor Authentication (MFA)
```yaml
# config/mfa.yaml
mfa:
  enabled: true
  required_for_roles:
    - admin
    - developer
    - auditor
  methods:
    totp:
      enabled: true
      issuer: "FAOS - Your Company"
      algorithm: SHA256
      digits: 6
      period: 30
    webauthn:
      enabled: true
      rp_name: "FAOS Platform"
      rp_id: "faos.yourcompany.com"
      attestation: "direct"
      user_verification: "required"
    sms:
      enabled: false # Not recommended for enterprise
  settings:
    remember_device_days: 30
    max_failed_attempts: 3
    lockout_duration_minutes: 15
```

Two caveats on these values. `algorithm: SHA256` is handled correctly by RFC 6238 libraries, but some widely used authenticator apps ignore the `algorithm` parameter in the provisioning URI and compute SHA-1 codes regardless, so test enrolment with the apps your users actually carry before moving off SHA1. `attestation: "direct"` only adds value if the server validates attestation statements (for example against the FIDO Metadata Service) and enforces an authenticator allowlist; without that, `"none"` is simpler and avoids collecting device identifiers.
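What the TOTP settings above mean in code, as an added example that is not FAOS's implementation: RFC 6238 generation with the configured digits, period and algorithm, the `otpauth://` enrolment URI, and the server-side checks the `settings` block implies (one step of drift, replay rejection, lockout after `max_failed_attempts`). `TotpVerifier`, `provisioning_uri` and their signatures are illustrative names, not FAOS APIs.

```python
"""TOTP generation and verification for config/mfa.yaml (added example, not FAOS code)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha256") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha256") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits, algorithm)


def provisioning_uri(secret: bytes, account: str, issuer: str = "FAOS - Your Company",
                     algorithm: str = "sha256", digits: int = 6, period: int = 30) -> str:
    """otpauth:// URI for the enrolment QR code; the secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm={algorithm.upper()}&digits={digits}&period={period}")


class TotpVerifier:
    """Per-user verifier: accepts one step of drift either way, rejects reuse of any
    step already consumed, and locks out after max_failed wrong codes (illustrative)."""

    def __init__(self, secret: bytes, algorithm: str = "sha256", digits: int = 6, period: int = 30,
                 max_failed: int = 3, lockout_seconds: int = 15 * 60):
        self.secret, self.algorithm, self.digits, self.period = secret, algorithm, digits, period
        self.max_failed, self.lockout_seconds = max_failed, lockout_seconds
        self.last_used_step = -1   # highest counter accepted so far; persist this per user
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if now < self.locked_until:
            return False                      # locked out: do not evaluate the code at all
        step = now // self.period
        for candidate in (step - 1, step, step + 1):
            if candidate <= self.last_used_step:
                continue                      # already consumed: a valid code cannot be replayed
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failed:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False
```

The `last_used_step` and lockout state must live in the user record (or a shared store), not in process memory, or a second API replica will happily accept the replayed code.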
Role-Based Access Control (RBAC)
```yaml
# config/rbac.yaml
roles:
  - name: admin
    description: "Full system access"
    permissions:
      - "agents:*"
      - "workflows:*"
      - "users:*"
      - "settings:*"
      - "audit:read"
  - name: developer
    description: "Agent and workflow management"
    permissions:
      - "agents:read"
      - "agents:create"
      - "agents:update"
      - "workflows:read"
      - "workflows:create"
      - "workflows:update"
      - "integrations:read"
  - name: operator
    description: "Monitor and operate agents"
    permissions:
      - "agents:read"
      - "workflows:read"
      - "workflows:execute"
      - "analytics:read"
  - name: auditor
    description: "Read-only access with audit logs"
    permissions:
      - "agents:read"
      - "workflows:read"
      - "users:read"
      - "audit:read"
      - "analytics:read"
groups:
  - name: "IT-Admins"
    roles:
      - admin
  - name: "AI-Team"
    roles:
      - developer
  - name: "Operations"
    roles:
      - operator
```

Permissions are allow-only and the default is deny: a user whose IdP groups match none of the `groups` entries gets nothing. Note that `admin` is granted `audit:read` rather than `audit:*`, which keeps the audit trail append-only even for administrators; keep it that way. The `groups` names must match the group attribute delivered by SAML (`attributes.groups`) or the OIDC `groups` claim exactly.
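Resolving an IdP group list to a yes/no decision against this RBAC file, as an added example that is not FAOS's authorization code. The `RBAC` dict is a constructed copy of the roles and groups above, embedded so the example runs offline (in production it would come from `yaml.safe_load` of `config/rbac.yaml`); `Authorizer`, its method names and the `resource:verb` parsing rule are assumptions about how FAOS evaluates permissions.

```python
"""Deny-by-default permission resolution for config/rbac.yaml (added example, not FAOS code)."""
from typing import Iterable, Set

# Constructed copy of the page's roles and groups so the example runs offline.
RBAC = {
    "roles": [
        {"name": "admin", "permissions": ["agents:*", "workflows:*", "users:*", "settings:*", "audit:read"]},
        {"name": "developer", "permissions": ["agents:read", "agents:create", "agents:update",
                                              "workflows:read", "workflows:create", "workflows:update",
                                              "integrations:read"]},
        {"name": "operator", "permissions": ["agents:read", "workflows:read", "workflows:execute",
                                             "analytics:read"]},
        {"name": "auditor", "permissions": ["agents:read", "workflows:read", "users:read",
                                            "audit:read", "analytics:read"]},
    ],
    "groups": [
        {"name": "IT-Admins", "roles": ["admin"]},
        {"name": "AI-Team", "roles": ["developer"]},
        {"name": "Operations", "roles": ["operator"]},
    ],
}


class Authorizer:
    """groups -> roles -> permissions, with 'resource:*' wildcards on the permission side only."""

    def __init__(self, config: dict):
        self.role_perms = {r["name"]: set(r["permissions"]) for r in config["roles"]}
        self.group_roles = {g["name"]: list(g["roles"]) for g in config["groups"]}
        # Fail closed at load time: a group that references an undefined role is a config bug,
        # and silently granting nothing would hide it until someone is locked out.
        for group, roles in self.group_roles.items():
            unknown = set(roles) - self.role_perms.keys()
            if unknown:
                raise ValueError(f"group {group!r} references undefined roles {sorted(unknown)}")

    def permissions_for(self, groups: Iterable[str]) -> Set[str]:
        """Union of permissions over every role mapped from the user's groups."""
        perms: Set[str] = set()
        for group in groups:
            for role in self.group_roles.get(group, []):   # unknown IdP groups grant nothing
                perms |= self.role_perms[role]
        return perms

    def is_allowed(self, groups: Iterable[str], action: str) -> bool:
        """action is 'resource:verb'; malformed or wildcard requests are never granted."""
        resource, _, verb = action.partition(":")
        if not resource or not verb or "*" in action:
            return False
        for perm in self.permissions_for(groups):
            p_res, _, p_verb = perm.partition(":")
            if p_res == resource and p_verb in ("*", verb):
                return True
        return False
```

Call `is_allowed(user_groups, "workflows:execute")` at every API entry point; the wildcard is honoured only in the stored permission, so a caller cannot ask for `agents:*` and match an `agents:read` grant.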
Data Encryption
Encryption at Rest
```yaml
# config/encryption.yaml
encryption:
  at_rest:
    enabled: true
    provider: aws-kms # or azure-keyvault, gcp-kms, vault
    database:
      enabled: true
      algorithm: AES-256-GCM
      key_id: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    files:
      enabled: true
      algorithm: AES-256-GCM
      key_id: "arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321"
    backups:
      enabled: true
      algorithm: AES-256-GCM
      key_id: "arn:aws:kms:us-east-1:123456789012:key/abcdefab-1234-5678-9012-abcdefabcdef"
  key_rotation:
    enabled: true
    schedule: "0 0 1 * *" # Monthly on the 1st
    retain_old_keys_days: 90
```

A separate KMS key per data class, as above, limits the blast radius of one over-broad `kms:Decrypt` grant; scope each key policy to the FAOS service role only. On the rotation settings: AWS KMS keeps every previous version of a key's material for as long as the key exists, so older ciphertext stays decryptable regardless of `retain_old_keys_days`. That 90-day cut-off is only meaningful if FAOS actually re-wraps existing data keys under the new key version; confirm that re-wrap job runs before treating old key versions as retired.
Encryption in Transit
```yaml
# config/tls.yaml
tls:
  enabled: true
  min_version: "1.3" # TLS 1.3
  certificate:
    provider: cert-manager # or custom, acme
    issuer: letsencrypt-prod
    auto_renew: true
    renewal_days_before: 30
  mutual_tls:
    enabled: true # For API clients
    require_client_cert: true
    trusted_ca_file: /etc/faos/tls/ca-bundle.pem
  cipher_suites:
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
```

The three suites listed are the TLS 1.3 AEAD suites, which is consistent with `min_version: "1.3"`; if you must lower the minimum to 1.2 for legacy clients, add only ECDHE AEAD suites (no CBC, no RSA key exchange). `require_client_cert: true` must apply to the API listener only: browsers completing SSO cannot present a client certificate, so serve the UI and the mTLS API on separate listeners or hostnames. Keep `trusted_ca_file` to your own client CA, not a public bundle, or any public-CA certificate becomes a valid API credential.
Secrets Management
```yaml
# config/secrets.yaml
secrets:
  provider: vault # or aws-secrets-manager, azure-keyvault
  vault:
    address: "https://vault.yourcompany.com:8200"
    namespace: "faos"
    auth:
      method: kubernetes
      role: faos-production
      service_account: faos-api
    paths:
      database: "secret/data/faos/database"
      redis: "secret/data/faos/redis"
      llm_api_keys: "secret/data/faos/llm"
      integrations: "secret/data/faos/integrations"
  rotation:
    enabled: true
    schedule: "0 0 * * 0" # Weekly on Sunday
    notify_before_days: 7
```

On the Vault side, bind the `faos-production` Kubernetes auth role to exactly the `faos-api` service account in the production namespace (`bound_service_account_names` and `bound_service_account_namespaces`) and attach a policy that grants `read` on only the four paths above. Weekly rotation is only effective if the application re-reads secrets (or receives new leases) instead of caching them for the life of the process.
Network Security
Network Policies
```yaml
# network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: faos-network-policy
  namespace: faos-production
spec:
  podSelector:
    matchLabels:
      app: faos-api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow traffic from the ingress controller
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
    # Allow scrapes from monitoring
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - protocol: TCP
          port: 9090 # Metrics port
  egress:
    # Allow DNS (UDP and TCP; large responses fall back to TCP)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns # label used by the default CoreDNS deployment
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow database
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Allow Redis
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    # Allow HTTPS egress to the internet (LLM APIs). A namespaceSelector only
    # matches pods inside the cluster; external destinations need an ipBlock.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16 # link-local, including the cloud metadata endpoint
      ports:
        - protocol: TCP
          port: 443
```

Two things in this policy are easy to get wrong. First, an egress `to` entry of `namespaceSelector: {}` selects every pod in every namespace and nothing else; it never covers endpoints outside the cluster, so with an enforcing CNI the LLM API calls that rule was meant to allow would simply be dropped. Internet egress needs an `ipBlock`, and the `except` list keeps the rule from doubling as a path to private ranges and the instance metadata service. Second, selectors such as `name: kube-system` only work if someone has applied that label; `kubernetes.io/metadata.name` is set by the API server on every namespace since Kubernetes 1.21 and is the reliable choice. NetworkPolicy is enforced by the CNI, so verify with `kubectl get networkpolicy -n faos-production` and a test pod that the policy actually takes effect on your cluster.
Firewall Rules
```yaml
# Ingress firewall rules
ingress_rules:
  # HTTPS only
  - protocol: tcp
    port: 443
    source: 0.0.0.0/0
    description: "HTTPS from internet"
  # SSH (restricted to bastion)
  - protocol: tcp
    port: 22
    source: 10.0.1.0/24
    description: "SSH from bastion"
  # Kubernetes API (VPN only)
  - protocol: tcp
    port: 6443
    source: 10.0.0.0/16
    description: "K8s API from VPN"

# Egress firewall rules
egress_rules:
  # LLM APIs
  - protocol: tcp
    port: 443
    destination:
      - api.openai.com
      - api.anthropic.com
    description: "LLM API calls"
  # Allow internal
  - protocol: tcp
    port: "*"
    destination: 10.0.0.0/8
    description: "Internal traffic"
  # Block everything else
  - protocol: "*"
    port: "*"
    destination: 0.0.0.0/0
    action: deny
    description: "Default deny"
```

The LLM rule is keyed on hostnames, which a plain L3/L4 firewall cannot match and whose IP ranges change without notice; implement it with a firewall that supports FQDN rules or, better, an egress proxy that the agents must use, which also gives you a log of every outbound call. Assuming first-match evaluation, the `Default deny` rule must stay last.
Compliance & Auditing
Audit Logging
```yaml
# config/audit.yaml
audit:
  enabled: true
  events:
    # Authentication events
    - user.login.success
    - user.login.failure
    - user.logout
    - user.mfa.enabled
    - user.mfa.disabled
    # Authorization events
    - access.granted
    - access.denied
    - role.assigned
    - role.removed
    # Agent events
    - agent.created
    - agent.updated
    - agent.deleted
    - agent.executed
    # Data events
    - data.access
    - data.export
    - data.delete
    # System events
    - config.changed
    - backup.created
    - backup.restored
    - secret.rotated
  storage:
    backend: elasticsearch # or splunk, cloudwatch
    endpoint: "https://es.yourcompany.com:9200"
    index_prefix: "faos-audit"
    retention_days: 2555 # 7 years
  format:
    timestamp: iso8601
    include_request_body: true
    include_response_body: false
    include_ip_address: true
    include_user_agent: true
  alerts:
    - event: "user.login.failure"
      threshold: 5
      window: "5m"
      action: "lock_account"
    - event: "access.denied"
      threshold: 10
      window: "1h"
      action: "alert_security_team"
    - event: "data.export"
      threshold: 1
      window: "1m"
      action: "notify_dpo"
```

`include_request_body: true` copies credentials, prompts and any PHI or PII passing through the API into a store that is kept for seven years; redact authentication endpoints and PHI-bearing fields before enabling it. The `lock_account` action also lets anyone who knows a username lock that user out with five bad passwords, so prefer the temporary lockout from `mfa.yaml` (15 minutes) plus per-source rate limiting over a hard lock, and enforce it in the authentication service itself: a log pipeline lags, and an attacker gets free attempts while the alert is in flight.
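The sliding-window logic behind the `alerts` block, run over constructed sample events, as an added example that is not FAOS's alerting code. The JSON record layout (`timestamp`, `event`, `actor`, `ip`) and the choice to count per actor rather than globally are assumptions about the audit format; the three rules are the ones in the config above.

```python
"""Sliding-window threshold alerting for config/audit.yaml (added example, not FAOS code)."""
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# The alert rules from config/audit.yaml; counted per actor (assumption).
ALERT_RULES = [
    {"event": "user.login.failure", "threshold": 5, "window": "5m", "action": "lock_account"},
    {"event": "access.denied", "threshold": 10, "window": "1h", "action": "alert_security_team"},
    {"event": "data.export", "threshold": 1, "window": "1m", "action": "notify_dpo"},
]


def parse_window(spec: str) -> int:
    """'5m' -> 300 seconds; accepts s, m, h, d suffixes."""
    return int(spec[:-1]) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[spec[-1]]


def parse_ts(iso: str) -> float:
    """ISO 8601 with a trailing Z, matching `timestamp: iso8601` above."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()


class Detector:
    def __init__(self, rules: List[dict]):
        self.rules = [dict(r, window_s=parse_window(r["window"])) for r in rules]
        self.windows: Dict[Tuple[int, str], deque] = defaultdict(deque)  # (rule idx, actor) -> timestamps

    def feed(self, line: str) -> List[dict]:
        """Consume one JSON audit line; return the alerts it triggers (usually none)."""
        ev = json.loads(line)
        ts = parse_ts(ev["timestamp"])
        fired = []
        for i, rule in enumerate(self.rules):
            if ev.get("event") != rule["event"]:
                continue
            actor = ev.get("actor", "unknown")
            q = self.windows[(i, actor)]
            q.append(ts)
            while q and ts - q[0] > rule["window_s"]:
                q.popleft()                      # drop events that fell out of the window
            if len(q) >= rule["threshold"]:
                fired.append({"action": rule["action"], "event": rule["event"],
                              "actor": actor, "count": len(q), "ip": ev.get("ip")})
                q.clear()                        # one alert per burst, then start counting again
        return fired


# Constructed sample audit lines: alice fails five times within 90 s, bob twice,
# carol exports data once, and alice fails once more well outside the window.
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T10:00:00Z","event":"user.login.failure","actor":"alice","ip":"203.0.113.10"}
{"timestamp":"2024-05-01T10:00:20Z","event":"user.login.failure","actor":"alice","ip":"203.0.113.10"}
{"timestamp":"2024-05-01T10:00:40Z","event":"user.login.failure","actor":"alice","ip":"203.0.113.10"}
{"timestamp":"2024-05-01T10:01:00Z","event":"user.login.failure","actor":"bob","ip":"198.51.100.7"}
{"timestamp":"2024-05-01T10:01:05Z","event":"user.login.failure","actor":"alice","ip":"203.0.113.10"}
{"timestamp":"2024-05-01T10:01:20Z","event":"user.login.failure","actor":"bob","ip":"198.51.100.7"}
{"timestamp":"2024-05-01T10:01:30Z","event":"user.login.failure","actor":"alice","ip":"203.0.113.10"}
{"timestamp":"2024-05-01T10:02:00Z","event":"data.export","actor":"carol","ip":"192.0.2.44"}
{"timestamp":"2024-05-01T10:15:00Z","event":"user.login.failure","actor":"alice","ip":"203.0.113.10"}
"""


def run(log: str = SAMPLE_LOG) -> List[dict]:
    """Replay a log and collect every alert in order."""
    det = Detector(ALERT_RULES)
    alerts: List[dict] = []
    for line in log.splitlines():
        if line.strip():
            alerts.extend(det.feed(line))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two alerts come out of the sample: `lock_account` for alice on her fifth failure and `notify_dpo` for carol's export; bob stays under threshold and alice's later failure starts a fresh count. In production the same detector would sit on the Elasticsearch or Splunk stream, and the `ip` field in the alert is what lets a responder tell a credential-stuffing source from a user who forgot a password.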
Compliance Standards
SOC 2 Type II
```yaml
# config/compliance/soc2.yaml
soc2:
  enabled: true
  controls:
    cc1_1: # Control environment
      name: "Integrity and ethical values"
      implemented: true
      evidence:
        - code_of_conduct.pdf
        - security_policy.pdf
    cc6_1: # Logical access
      name: "Access control"
      implemented: true
      controls:
        - SSO with MFA
        - RBAC
        - Session timeout (30 min)
        - Password complexity requirements
    cc7_2: # System monitoring
      name: "Security monitoring"
      implemented: true
      controls:
        - Real-time alerting
        - SIEM integration
        - Anomaly detection
  evidence_collection:
    enabled: true
    retention_days: 2555
    storage: s3://compliance-evidence/soc2
```
HIPAA
```yaml
# config/compliance/hipaa.yaml
hipaa:
  enabled: true
  safeguards:
    administrative:
      - security_management_process
      - workforce_security
      - information_access_management
      - security_awareness_training
      - contingency_plan
    physical:
      - facility_access_controls
      - workstation_use
      - workstation_security
      - device_media_controls
    technical:
      - access_control
      - audit_controls
      - integrity_controls
      - transmission_security
  phi_protection:
    encryption_at_rest: true
    encryption_in_transit: true
    access_logging: true
    automatic_logoff: 900 # 15 minutes
  business_associate_agreements:
    required: true
    storage: /etc/faos/compliance/baa
```

`automatic_logoff: 900` (15 minutes) is stricter than the 30-minute session timeout listed under SOC 2 CC6.1; where PHI is handled, the shorter value is the one the session layer must enforce.
GDPR
```yaml
# config/compliance/gdpr.yaml
gdpr:
  enabled: true
  data_protection:
    dpo_email: "dpo@yourcompany.com"
    lawful_basis:
      - consent
      - contract
      - legal_obligation
    data_minimization: true
    purpose_limitation: true
    storage_limitation: true
  privacy_by_design:
    default_encryption: true
    pseudonymization: true
    data_masking: true
  subject_rights:
    right_to_access:
      enabled: true
      response_time_days: 30
    right_to_erasure:
      enabled: true
      soft_delete: true
      hard_delete_after_days: 90
    right_to_portability:
      enabled: true
      export_format: json
    right_to_rectification:
      enabled: true
  breach_notification:
    enabled: true
    notification_time_hours: 72
    recipients:
      - dpo@yourcompany.com
      - legal@yourcompany.com
```
Security Monitoring
Intrusion Detection
```yaml
# config/ids.yaml
intrusion_detection:
  enabled: true
  waf:
    enabled: true
    provider: cloudflare # or aws-waf, azure-waf
    rules:
      - owasp_top_10
      - sql_injection
      - xss_protection
      - rate_limiting
      - geo_blocking
    custom_rules:
      - name: "Block suspicious user agents"
        condition: "user_agent matches 'bot|crawler|scraper'"
        action: block
      - name: "Rate limit API endpoints"
        condition: "path starts_with '/api/'"
        action: rate_limit
        limit: 100
        period: 60
  ids:
    enabled: true
    provider: suricata
    signatures:
      - emerging_threats
      - custom_rules
    alerts:
      - type: port_scan
        severity: medium
        action: alert
      - type: brute_force
        severity: high
        action: block
      - type: malware_detected
        severity: critical
        action: block_and_alert
```

The user-agent rule is a signal, not a control: the header is chosen by the client, so any real attacker sends a browser string, while the regex does block legitimate uptime checkers and indexing clients. Treat the rate limit and the managed OWASP rule set as the enforced layer.
Vulnerability Scanning
```yaml
# config/vulnerability-scanning.yaml
vulnerability_scanning:
  enabled: true
  container_scanning:
    provider: trivy
    scan_on_push: true
    block_on_critical: true
    severity_thresholds:
      critical: 0 # Block if any critical
      high: 5 # Block if more than 5 high
      medium: 20
  dependency_scanning:
    provider: snyk
    schedule: "0 2 * * *" # Daily at 2 AM
    auto_remediate: true
  penetration_testing:
    provider: external
    frequency: quarterly
    scope:
      - api_endpoints
      - authentication
      - authorization
      - data_protection
```
Incident Response
Security Incident Plan
```yaml
# config/incident-response.yaml
incident_response:
  enabled: true
  severity_levels:
    critical:
      description: "Data breach, system compromise"
      response_time_minutes: 15
      escalation:
        - security_team
        - ciso
        - ceo
    high:
      description: "Failed authentication attempts, DoS"
      response_time_minutes: 60
      escalation:
        - security_team
        - ciso
    medium:
      description: "Policy violations"
      response_time_hours: 4
      escalation:
        - security_team
  playbooks:
    data_breach:
      steps:
        - isolate_affected_systems
        - preserve_evidence
        - notify_stakeholders
        - engage_legal
        - notify_authorities (within 72h)
        - remediate_vulnerability
        - document_incident
    ransomware:
      steps:
        - isolate_infected_systems
        - identify_malware_variant
        - restore_from_backup
        - patch_vulnerability
        - notify_law_enforcement
  communication:
    internal:
      - security@yourcompany.com
      - incident-response@yourcompany.com
    external:
      - customers (if data breach)
      - regulators (if compliance breach)
      - law_enforcement (if criminal)
```
Security Best Practices
Secure Configuration Checklist
- Authentication
  - [ ] SSO enabled
  - [ ] MFA required for admins
  - [ ] Password complexity enforced
  - [ ] Session timeout configured
  - [ ] Account lockout after failed attempts
- Authorization
  - [ ] RBAC implemented
  - [ ] Least privilege principle
  - [ ] Regular access reviews
  - [ ] Service account restrictions
- Encryption
  - [ ] TLS 1.3 enforced
  - [ ] Data at rest encrypted
  - [ ] Database encrypted
  - [ ] Backups encrypted
  - [ ] Key rotation enabled
- Network
  - [ ] Network policies configured
  - [ ] Firewall rules implemented
  - [ ] VPN for administrative access
  - [ ] DDoS protection enabled
- Monitoring
  - [ ] Audit logging enabled
  - [ ] Security alerts configured
  - [ ] SIEM integration active
  - [ ] Vulnerability scanning scheduled
- Compliance
  - [ ] Required standards identified
  - [ ] Controls implemented
  - [ ] Evidence collection automated
  - [ ] Regular audits scheduled
Next Steps
- Enterprise Integrations - Connect securely to enterprise systems
- Partner Deployment - Multi-tenant security
- API Reference - API security configuration
Security is not a feature, it's a requirement. Protect your AI agents and data with enterprise-grade security.