Skip to content

Latest commit

 

History

History
68 lines (48 loc) · 4.02 KB

README.md

File metadata and controls

68 lines (48 loc) · 4.02 KB

Sombra

Deploy Sombra with Terraform

Self-host Sombra to encrypt user data before it leaves your firewall.

Built by security engineers with a healthy sense of paranoia.

Sombra Terraform Module
View on the Terraform Module Registry


Motivation

Sombra provides the same security guarantees as going completely on-premise, but with a simple, lightweight gateway that performs cryptographic operations. By hosting Sombra on-prem, you don't have to trust Transcend. Sombra verifies that any incoming webhooks from Transcend were consented to by the user and verified by a trusted identity provider. It passes on the verified webhooks to any destination server or script inside the company firewall. When it's time to upload data to Transcend's cloud, Sombra encrypts the data before it leaves the firewall with a key that is only known to Sombra. Since Transcend doesn't have the decryption keys, Transcend employees have no means of seeing the data.

Difference between a normal API and an API with Sombra in the middle

External Application

This is a logically separated application with an open port on the internet that is only accessible by Transcend. Performing any operation on the data subject's personal data requires authorization (or consent) from an authenticated data subject.

The external application is responsible for receiving all communications from Transcend. Any webhook comes through here as well as operations related to the data subject's data download step.

Internal Application

This is a logically separated application with one open port on the company private network. Only internal clients can use these ports (when var.use_private_load_balancer is set to true). There is also the option to add an internal password to prevent accidental or unauthorized access from clients in the private network.

Using Sombra in a Separate VPC

You need to be able to communicate with Sombra's internal load balancer and port from your backend. There are two options:

  1. You can leave var.use_private_load_balancer set to false, which will allow you to talk to sombra over TCP. If you go this route, make sure to set var.incoming_cidr_ranges to the public DNS CIDR blocks for your backend.
  2. You can communicate through a VPC Peering Connection. This way, all of your communication with the internal ALB can happen over private DNS. To accomplish this, you'll need to:
  • Set up VPC peering. I'd recommend checking out https://registry.terraform.io/modules/cloudposse/vpc-peering/aws/0.3.0
  • Set var.use_private_load_balancer to true on this module
  • Make sure your backends security group can communicate to private subnet CIDR blocks from the VPC containing this module
  • Set var.incoming_cidr_ranges to be the private CIDR blocks from your backend's VPC
  • Add your backend's VPC to the private hosted zone association, with something like:
resource "aws_route53_zone_association" "private_sombra_zone" {
  zone_id = module.sombra.private_zone_id
  vpc_id  = module.your_peered_vpc.vpc_id
}

After that, you can reference the internal_url output from your backend over HTTPS.


Copyright © 2020 Transcend Inc.

Examples

We have two examples of deploying soombra in the ./examples folder, one for using HTTP and one for HTTPS.

Releases

To release a new version of the module to the Terraform Module registry, simply create a new Github release here. CI will automatically pick up this release & publish to registry.terraform.io