Skip to main content

Home

Unravel SaaS FAQ

General

  • What is Unravel's primary purpose?

    Unravel is an observability platform designed to optimize and manage complex data environments. It provides comprehensive monitoring, troubleshooting, and performance management for big data applications and infrastructures.

  • Can Unravel be deployed on-premises or in the cloud?

    Yes, Unravel supports both deployment options. It can be deployed on-premises or in various cloud environments, including AWS, Azure, and Google Cloud.

Privacy

  • What types of data do you collect?

    We only collect metadata and performance data from the data application jobs themselves. Unravel does not have access to the data stored in your data lake or other databases, and that data is not and cannot be shared with Unravel.

  • Does Unravel send data back to my data lake and other databases?

    No, Unravel only collects metadata from jobs and pipelines run against your data lake and other databases as read-only and does not send anything back to you.

  • How much egress is estimated?

    Based on our metrics, we estimate 1 GiB of data egress for every 1,000 running jobs per day.

  • Where is the account hosted?

    Unravel is hosted on Azure, AWS and Google Cloud Platforms (GCP) but can be hosted on other cloud platforms by request.

Unravel SaaS Security FAQs

Authentication
  • Does the application support SSO for authentication? Is Single Sign-On (SSO) to be used?

    SaaS is supported via SAML2.0 and OAuth.

  • Does the application use cookie-based session management or token-based session management such as JWT, OAuth, SAML, and API keys?

    The application uses token-based session management. We support JWT (JSON Web Tokens) for stateless authentication, OAuth for delegated access control, and SAML for single sign-on (SSO). API keys are also used to secure API endpoints. Cookie-based session management is not utilized.

  • How does Unravel handle LDAP authentication?

    For LDAP, we take the password from the user once and store it in the unravel.properties file for initial authentication to the LDAP server. This password is encrypted and input into the property to ensure it remains secure at rest.

  • Does Unravel store credentials for AAD (Microsoft Entra ID) authentication?

    No credentials are stored on the Unravel side for AAD (now called Microsoft Entra ID).

  • Do stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks?

    Yes, the stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks.

  • Is the secure flag or HttpOnly set for session cookies?

    No, the secure flag or HttpOnly is not set for session cookies, as the application does not use cookie-based session management.

  • Is the application using custom authentication? If 'Yes', where are the user credentials stored? Will authentication be facilitated via integration?

    Yes, custom authentication is supported. The user credentials are stored in the database in hashed form. We only support Unravel’s native authentication with username and password.

  • Do any credentials need to be hard-coded in scripts, files, etc.?

    No.

  • Is this application integrated with other applications?

    Yes, it has many integrations. Some include CI/CD pipeline, Slack, email, SSO, etc.

  • Does the application enforce Two-Factor Authentication (2FA)? Is MFA implemented in the application?

    No.

  • Are any Forgot password/Password reset features implemented in the application?

    No.

  • Is account lockout enabled for multiple incorrect login attempts?

    The SSO service provides the account lockout functionality. This functionality is enabled if you are using an SSO service.

  • Does the application enforce step-up authentication for sensitive transactions?

    No.

  • What are the password policies being applied? What controls are in place for password strength? i.e., Length, Numbers, Symbols, uppercase, minimum lifetime, and use of previous passwords. Required to keep passwords confidential, use complex passwords, and change passwords at periodic intervals?

    Password policies are managed by SSO service.

Network and Server Security
  • How is the database accessed from the application? Through direct SQL queries or parameterized queries?

    Parameterized queries.

  • Is the database shared with other applications?

    No.

  • Does the application pass unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to an OS system shell?

    No.

Identity and Access
  • Is authorization based on roles? If so, describe the users in terms of roles and the capabilities of each role.

    Yes, authentication is based on roles. For more details see here.

  • How are any temporary files protected from unauthorized disclosure, alteration, and destruction?

    Temporary files are written to <unravel-install-location>/tmp which is owned by and restricted to the user running Unravel.

  • What is the process of obtaining a user account?

    SSO typically manages this; however, if you are using Unravel's built-in authentication, please contact Unravel support.

Compliance
  • Which compliance standards does Unravel adhere to?

    Unravel is compliant with several major standards, including SOC 2, GDPR, and HIPAA. This ensures that the platform meets stringent security, privacy, and data protection requirements. See here for more information.

  • How does Unravel assist in regulatory compliance and reporting?

    Unravel provides detailed logs and audit trails that help organizations maintain compliance with regulatory requirements. It also offers reporting tools that can generate compliance-related reports on-demand.

Data Security
  • How does Unravel ensure data is secured when sending to Unravel Cloud?

    We use TLS encryption, which is the same standard secure websites use to secure data in transit.

  • How does Unravel handle data encryption at rest and in transit?

    Unravel uses industry-standard encryption protocols to secure data both at rest and in transit. Data at rest is encrypted using AES-256, while data in transit is protected using TLS 1.2 or higher.

  • Does Unravel support role-based access control (RBAC)?

    Yes, Unravel supports RBAC, allowing for granular control over user access and permissions based on their roles within the organization.

  • What ports do I need to open?

    Port - 443.

  • Is the user input validated for special characters like '<> to prevent attacks like XSS, SQL Injection, etc.?

    Yes, it is validated. We also do it after receiving any vulnerability report from internal security or penetration tests from a third-party vendor.

  • What measures are in place to protect against insider threats?

    Unravel implements strict access controls, audit logs, and real-time monitoring to detect and mitigate any potential insider threats. It also supports integration with SIEM systems for enhanced security management.

  • How frequently are security updates and patches applied to Unravel?

    Unravel follows a proactive approach to security updates. Critical patches are applied as soon as they are available, and regular updates are scheduled quarterly to ensure the platform remains secure and up-to-date.

  • Do input validation routines consider equivalent (canonicalization) names such as Unicode or URL-encoded equivalents? File paths and URLs are particularly prone to canonicalization issues, and many well-known exploits directly result from canonicalization bugs.

    Yes, our input validation routines consider equivalent names such as Unicode or URL-encoded equivalents. This helps prevent canonicalization issues which can lead to exploits. We perform these validations as part of our security measures, incorporating them into our regular internal security tests and third-party penetration tests.

  • Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?

    Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

  • Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?

    Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

  • Does the server rely on JavaScript or other client-side means for validation?

    Yes.

  • Is untrusted data encoded before it is reflected back to the output stream?

    We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.

  • Does this application have file upload functionality? Is there a file upload or download component to the system? For example, can a user upload a file from their desktop/laptop to the application? What data elements are expected to be uploaded–e.g., email addresses, full names, etc.? What is the classification of this data?

    Yes. With the app store feature, a user can upload a file from their laptop to the application. The data element expected to be uploaded is a micro-app given by Unravel for customized reports. File download is also supported for certain functionalities. CSV file download is used to download tabular data of jobs, users, clusters, queries, etc.

  • Where are the files stored? Database or file system?

    File system.

  • What events are logged and audited?

    Our system logs and audits a variety of events to ensure security and operational oversight. These include errors, exceptions, Spark workload statuses, configuration calls, Unravel CLI commands, and failed and successful login attempts.

Integration and Interoperability
  • What types of data sources and platforms does Unravel support?

    Unravel supports a wide range of data sources and platforms, including Hadoop, Spark, Kubernetes, and various cloud-native data services. It integrates seamlessly with popular databases and data warehouses such as PostgreSQL, MySQL, and Snowflake.

Secure Configuration
  • Is a commercial-off-the-shelf (COTS) product being used? If yes, have all default passwords been de-activated?

    We do not use commercial off the-shelf product

  • What is the sensitivity of the information assets that the software will store and process?

    We process mainly the usage metrics and information exposed by the data platform at the runtime of these SQL and Spark jobs.

  • Is any sensitive information/token going to be included as a part of the GET request?

    No. No sensitive info is included in the GET request.

  • Are unused methods like TRACE, PUT, DELETE, etc., disabled?

    Yes, they are disabled.

  • Is the communication between the components, such as between the application server and database server, encrypted?

    No.

  • How are exceptions handled in the application? Are there any custom error pages designed?

    We use standard Java error packages. We do not have a custom error page.

Deployment

  • What other ways can I try Unravel?

    Unravel supports AWS, Microsoft Azure, Snowflake, and Google Bigquery.

  • Where can I get access to the deploy guides and user guides?

    All of our documentation is available at https://docs.unraveldata.com

Features

  • Is there someone I can speak to for support?

    Feel free to reach out to or your dedicated assistant for your new account.

  • Can I connect multiple platforms to Unravel as part of the new account?

    Yes, access to multiple platforms from your account is available upon request. Get in touch with the dedicated assistant for your account or email us .

  • What happens after my new account is created?

    You will receive a verification email to confirm your email address, followed by a welcome email and login credentials.

  • Where can I sign up for Unravel SaaS for free?

    Signup for Unravel SaaS here.

  • I have more questions; how can I get in touch with you?

    Live chat with us here.

    Email us: