Security Architecture
Zero-trust, pull-based security model with full deployment isolation
Security is foundational to LaserData Cloud. The architecture is designed so that the control plane cannot push commands to your infrastructure, there are no inbound connections to your nodes, and the blast radius of any credential compromise is minimal.
Security Model
(Security model diagram) Thick arrows = pull (Warden initiates outbound). Dashed arrows = push (outbound telemetry). No inbound connections exist.
Stream UI is embedded directly in the Warden process on each node. It provides a web interface for browsing streams, topics, and messages - your data is accessed locally and never leaves your infrastructure. Access is controlled through Access Rules.
Pull-Based Architecture
The Warden agent on each node initiates all communication with the control plane. The control plane never connects inbound to your infrastructure.
| Data Flow | Direction | Description |
|---|---|---|
| Config, tasks, certificates | Pulled by Warden | Warden polls the control plane over HTTPS |
| Heartbeats, metrics | Pushed by Warden | Warden reports node health outbound |
| Inbound connections | None | No SSH, no SSM, no open ports |
This means:
- Even if the control plane is fully compromised, an attacker cannot push commands to your VMs
- Your firewall only needs to allow outbound HTTPS - no inbound rules required
- No SSH keys, no management agents, no bastion hosts
Network Isolation
| Property | Managed | BYOC | On-Premise |
|---|---|---|---|
| Control plane can push commands | No | No | No |
| SSH access | None | None | None |
| SSM access | None | None | None |
| Inbound ports to agent | None | None | None |
| Customer data leaves infrastructure | N/A | No | No |
| LaserData has network access to endpoints | No | No | No |
Every deployment starts fully isolated by default. No traffic reaches your endpoints until you explicitly create Access Rules. This includes LaserData - our control plane orchestrates infrastructure but has no network access to your deployment data or endpoints.
Encryption
| What | How |
|---|---|
| In transit | TLS on all connections - Warden to control plane, client to Iggy |
| NVMe SSD at rest | Encrypted at the hardware level by the cloud provider |
| Network disks at rest | Encryption always enabled (EBS on AWS, Persistent Disk on GCP) |
| Custom key encryption | Optional per-deployment encryption with a custom key on top of disk encryption |
| Certificate lifecycle | Automated issuance and rotation - no manual intervention |
| Audit data | Encrypted at rest, including actor names and event payloads |
Binary Integrity
All binaries deployed to nodes (Warden, Iggy server, Connectors) are cryptographically signed. Before executing any downloaded binary, Warden verifies the signature against the LaserData public key and rejects the binary if verification fails.
This prevents supply chain attacks - even if the download channel is compromised, unsigned binaries cannot be executed.
Task Signing
Every operational task sent to Warden is signed with Ed25519. Warden verifies the signature before execution, ensuring tasks originate from the legitimate control plane and cannot be tampered with in transit.
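The verify-before-execute step described under Binary Integrity and Task Signing, as an added Go illustration built on the standard library's crypto/ed25519 (this is not Warden's own code: the Task envelope, its field names and the JSON canonicalisation are assumptions, and the key pair is generated on the spot to stand in for the pinned control-plane public key):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Task is a hypothetical task envelope; the page does not document the real wire format.
type Task struct {
	ID     string `json:"id"`
	NodeID string `json:"node_id"`
	Action string `json:"action"`
}

// SignedTask carries the exact bytes that were signed plus the Ed25519 signature over them.
type SignedTask struct {
	Payload   []byte
	Signature []byte
}

// SignTask is the control-plane side: serialise deterministically, then sign those bytes.
func SignTask(priv ed25519.PrivateKey, t Task) SignedTask {
	payload, _ := json.Marshal(t) // cannot fail for plain strings; field order is fixed
	return SignedTask{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyTask is the Warden side: check the signature over the received bytes before decoding
// or acting on them. Altered bytes, or a signature by any key other than the pinned key, fail.
func VerifyTask(pub ed25519.PublicKey, st SignedTask) (Task, error) {
	var t Task
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a malformed key
		return t, fmt.Errorf("pinned public key has bad length %d", len(pub))
	}
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return t, fmt.Errorf("task signature invalid: refusing to execute")
	}
	err := json.Unmarshal(st.Payload, &t)
	return t, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for the pinned key
	st := SignTask(priv, Task{ID: "t-1", NodeID: "node-a", Action: "restart-iggy"})
	_, okErr := VerifyTask(pub, st)
	st.Payload = []byte(`{"id":"t-1","node_id":"node-b","action":"restart-iggy"}`) // altered in transit
	_, badErr := VerifyTask(pub, st)
	fmt.Println("genuine accepted:", okErr == nil, "| tampered rejected:", badErr != nil)
}
```

The same pattern applies to a downloaded binary: verify the signature over the raw bytes against the pinned public key first, and only then hand the bytes to anything that interprets or runs them.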
Credential Scope
Warden Tokens
Each Warden agent authenticates with an Ed25519-signed token scoped to a single node. If a token is compromised, the attacker can only observe telemetry for that one node - no data access, no command execution, no lateral movement. See Warden Agent for details.
Provisioning Credentials
BYOC Deployments
LaserData uses scoped credentials for provisioning only:
AWS - assumes a scoped IAM role in your account:
| Permission Scope | Purpose |
|---|---|
| EC2 lifecycle | Provisioning and maintenance |
| Networking | VPC, subnets, security groups, NLB |
| EBS | Storage management |
Not included: No S3, no Secrets Manager, no CloudWatch, no SSM.
GCP - impersonates a service account in your project:
| Permission Scope | Purpose |
|---|---|
| Compute instances | Provisioning and maintenance |
| Networking | VPC, subnets, firewall rules, routes |
| IAM | Service account binding to instances |
Not included: No Cloud Storage, no Secret Manager, no Cloud Logging.
LaserData has no access to your application data on either cloud provider.
Managed Deployments
Nodes run with minimal cloud credentials. Warden authenticates using pre-provisioned credentials - no broad cloud API access from the nodes.
Multi-Cloud Consistency
The pull-based architecture is cloud-agnostic. Warden works on any infrastructure - cloud or bare metal. Because Warden pulls everything over HTTPS, there is no dependency on cloud-specific management agents.