Tecton Shared Responsibility Model
note
This Shared Responsibility Model applies only to the Virtual Private Tecton deployment model.
Introduction​
Overview of the Shared Responsibility Concept​
Shared responsibility defines the division of security and operational tasks between Tecton and our customers. This model ensures clarity in managing infrastructure, security, and workflows, fostering a secure and efficient feature engineering lifecycle.
Importance of Security and Operational Responsibilities​
Understanding these responsibilities is critical to maintaining data integrity, availability, and compliance. Clearly defined roles help mitigate risks, streamline operations, and ensure best practices in feature engineering.
Notes on Responsibilities​
- Tecton controls the Control Plane, which includes platform-level infrastructure, container images, application code, monitoring, logging, and incident response within Tecton's AWS accounts.
- Customer controls the Data Plane in their own AWS environment, bearing responsibility for configuring and monitoring any infrastructure, security policies, data encryption, and code executed there.
- Cloud Provider (e.g., AWS) underpins both planes, offering data center security, hardware-level protection, and the baseline services upon which both Tecton's and the customer's environments run.
| Responsibility Category | Tecton | Customer | Cloud Provider |
|---|---|---|---|
| Platform Security | Manages and secures Tecton Control Plane infrastructure, including vulnerability scanning, patching, and configuration hardening. Maintains, updates, and secures container images and worker nodes. | Secures any customer-managed infrastructure in the Data Plane (e.g., virtual private clouds, on-prem integrations). Implements required security controls within their AWS account (or other environment) for data and workflows. | Provides secure and compliant physical infrastructure (e.g., data centers, underlying hardware). Delivers core compute and storage resources with baseline security, firmware updates, and relevant cloud services. |
| Network Security | Ensures secure networking for Tecton Control Plane, including configuring access controls, firewalls, and network policies in Tecton-managed AWS accounts. Monitors for unauthorized network activity in Tecton-managed environments. | Implements and maintains secure network configurations in the Data Plane, such as VPC setups, routing rules, and firewall settings. Monitors and secures network traffic for any data sources and endpoints under the customer’s control. | Provides core networking infrastructure (e.g., AWS VPC, subnets, gateways). Ensures the availability and reliability of network backbone and services. |
| Data Security | Encrypts data at rest and in transit within the Tecton Control Plane. Manages secure configuration of Tecton-controlled services and storage (e.g., containerized apps, databases). | Maintains encryption configurations in the customer's Data Plane (e.g., enabling AWS encryption, managing their own keys when applicable). Implements data governance policies, including data classification and retention. | Provides and secures the foundational data storage services, encryption at rest, and underlying KMS/HSM components. |
| IAM | Enforces least-privilege access within Tecton Control Plane (e.g., limiting Tecton personnel access). Enforces least-privilege access from Tecton Control Plane to Tecton Data Plane. Audits Tecton-side access permissions for platform and infrastructure. | Integrates and manages user authentication and policies via their own IdP (SSO, MFA, RBAC). Performs periodic access reviews, enforces joiner-mover-leaver processes, and maintains internal governance on user permissions. | Maintains underlying Identity and Access Management infrastructure (e.g., AWS IAM). Ensures reliability and security of the IAM services used by Tecton and customers. |
| Compliance | Maintains compliance with applicable industry standards (e.g., SOC 2, ISO 27001, GDPR) within the Tecton Control Plane. Undergoes periodic assessments and audits. Ensures the Data Plane and customer's overall environment align with any regulatory or internal compliance obligations (e.g., HIPAA, PCI-DSS) specific to their use case. | Ensures the Data Plane and customer's overall environment align with any regulatory or internal compliance obligations (e.g., HIPAA, PCI-DSS) specific to their use case. Maintains required documentation, records, and audit trails. | Demonstrates compliance of the physical infrastructure, data centers, and cloud services (e.g., AWS’ own certifications and attestations). |
| High Availability and Business Continuity | Designs and operates Tecton Control Plane for resilience and minimal downtime. Implements and disaster recovery for Tecton-managed components and ensures the Control Plane meets uptime commitments. | Develops and executes backup, restore, and DR strategies for Data Plane resources in their own AWS account. Maintains operational continuity for data pipelines, custom integrations, and processes leveraging Tecton. | Provides physical infrastructure redundancy (multiple availability zones, power, network paths). Operates regional or global data center facilities supporting high availability. |
| Security Best Practices | Follows industry standards (e.g., secure coding, vulnerability management, patching) and monitors Tecton infrastructure for threats. Provides configuration guidance and platform features that help customers achieve best practices. Implements secure coding and best practices in Tecton’s application source code. Coordinates regular third party penetration testing. | Implements their own organizational security controls, including endpoint protection, secure coding for any custom jobs, and compliance with internal IT/security policies. Regularly reviews logs and alerts in the Data Plane. | Offers baseline security features (like AWS GuardDuty, security groups, etc.) that customers and Tecton may leverage. Addresses known vulnerabilities at the virtualization, hypervisor, or hardware level. |
| Code Execution and Jobs | Maintains a secure environment for Tecton-managed code, container images, and worker nodes in the Control Plane. Monitors for malicious activity or compromise in Tecton’s platform-level code or processes. | Owns the security of any code or jobs run in the Data Plane (e.g., user-defined transformations, custom pipelines). Ensures proper CI/CD processes, including vulnerability scanning of code used within Tecton workflows. | Provides the compute infrastructure layer used by containers or serverless jobs. Addresses host or hypervisor-level security patches and updates in alignment with the cloud provider's shared responsibility model. |
| Feature Engineering and Serving | Releases new SDK versions. Provides tools to monitor serving capacity and performance. | Defines, tests, and deploys features. Upgrades repositories to remain compatible with Tecton SDK versions. Data source configuration and access. Scales feature serving capacity. | Provides highly available compute, network, and storage infrastructure for feature pipelines and serving.> |
| Monitoring | Monitors Feature Server health. Monitors Orchestration health. Monitors serving latency from the application load balancer. | Monitors Feature Server connectivity and capacity on the Client and Server side. Monitors Materialization Job health, alerting for event age, input rate, and capacity. Monitors latency from the client. | Provides monitoring capabilities. |