The GBDX platform leverages Amazon Web Services (AWS) and other state-of-the-art technologies to create a scalable infrastructure for accessing DigitalGlobe's vast imagery archive and performing analytical compute to answer business questions. At the core of its infrastructure is a group of RESTful APIs that allow users to search DigitalGlobe and third-party imagery holdings, order imagery products, bring custom algorithms to the platform, and run a series of algorithms in a workflow. Imagery and customer assets are stored in protected AWS S3 locations with access control.
GBDX uses AWS’s EC2 service (Elastic Compute Cloud) to run algorithms on imagery data. More information about EC2 can be found here.
This architectural diagram shows the components and technologies that govern data access and compute on the GBDX platform.
This diagram provides an overview of the GBDX platform architecture.
The GBDX platform includes the following components:
| Component | Description | More information |
|---|---|---|
| Authentication System | The GBDX authentication system generates an access token that must be included with any API request. | Authentication Course |
| Authorization System | The GBDX Authorization system restricts access to data and assets by policy and license. | See Authorization below. |
| Catalog API | Search for imagery or get the metadata for a specific catalog record. | Catalog V2 API Course |
| Orders API | Order DigitalGlobe imagery by catalog ID. | Ordering Course v2 |
| Workflow API | Register a task, or submit a workflow to run a series of tasks. | Workflow API Course |
| S3 Storage Service | Generate temporary AWS credentials to access the GBDX S3 customer location. | S3 Storage Service Course |
This diagram shows the main user interactions with the individual components of GBDX.
GBDX dataflow diagram.
The GBDX platform was architected from the start with system and data security in mind. The GBDX team continues to track and implement security improvements using industry standards and best practices.
Some highlights of the GBDX platform security architecture include:
- GBDX participates in the AWS Shared Responsibility Model and adheres to the best practices described in this model.
- GBDX follows AWS best practices for Distributed Denial of Service (DDoS) attack mitigation.
- GBDX services are served from AWS Route53 scalable DNS.
- GBDX leverages Elastic Load Balanced AWS services such as Elastic Beanstalk and Lambda.
- REST API endpoints are located in private subnets of Amazon Virtual Private Clouds (VPCs). These VPCs are protected with strict security groups and network access control lists.
- All Internet traffic coming to GBDX systems goes through a Web Application Firewall (WAF).
- All data is stored in secured AWS S3 locations with strict policies for access.
- Comprehensive monitoring of platform resources is performed via dashboards, automated alarms, and issue management.
User credentials and an access token are both required to use GBDX platform components.
Users must have credentials to access applications that run on GBDX such as the GBDX Dashboard, GBDX Notebooks, and the python-based tools suite, "gbdxtools." User credentials are also required to request a user access token. Access tokens grant access to GBDX APIs.
There are two ways to create GBDX user credentials:
Sign up for an account: When a user fills out the signup form, they submit personally identifiable information such as first and last name, business name, and phone number. They also submit their email address and set a password. Email address and password are the customer's user credentials.
An account administrator can invite a user to their account. The user will receive an invitation by email. The email contains an authenticated link that allows the user to continue the signup process. A user cannot log in to the platform until the email has been verified. The same email verification system is also used when a customer requests to reset their password.
The GBDX Platform uses the industry-standard Auth0 service to perform OAuth2 authentication. These services provide robust sign-in services, user management, and sophisticated "brute force" protections that will block users if attempts to guess passwords are made.
To access GBDX APIs, an access token is required. Users can request a token with their user credentials. Tokens expire after a specified period of time. Tokens are required to access GBDX APIs and to generate temporary S3 credentials.
The GBDX Authorization system restricts access to customer data, API usage, and algorithms by user policy and license. The Authorization system determines who can access specific data and assets, based on a set of business rules, including but not limited to account tiers and user roles.
The GBDX platform uses “accounts” to manage and protect data and assets. All GBDX users are associated with an account. Accounts are considered the owner of the client’s resources. Because ownership is at the account level, users and personnel can change without losing access to and control of resources.
To understand how account level access control works, it's helpful to understand what we mean by "accounts" and "users."
| Term | Definition |
|---|---|
| Account | An account has identifying information about the business, such as business name, address, phone number, and contract tier. When a user signs up for GBDX using an online tool, an account is automatically created, with that user as the account administrator. The account administrator can invite users to join the account. |
| User | Users must be associated with an account. User data includes name, email address, and password. |
The following rules apply to accounts and users.
- An account can have multiple users.
- A user can only be associated with one account.
- Users can only access data and assets stored within the account they are associated with.
- Algorithms registered on the GBDX platform are associated with an account. Algorithms registered as “private” (the default setting) can only be seen and run by users within the account.
GBDX uses the concept of roles to manage account and user level data. All users are assigned roles.
| Role | Description | Permitted actions |
|---|---|---|
| User | The user role can view all data within the account they are associated with. Users can update their own usernames and passwords. | Update username, Update password |
| Account Admin | The account administrator is responsible for adding users to the account using the GBDX account management user interface. | Invite a user to the account, Remove a user from the account, Assign or change roles to users, Update account profile data |
All user and account information is stored in secured databases. Authorization controls are in place to verify that only account owners and administrators can see or edit information for their account and for their users.
Information that could be used to make a personal identification is considered Personally Identifiable Information (PII). This information is associated with an account or a user, and only accessible with allowed user credentials.
PII includes, but is not limited to:
- First and last name
- Phone numbers
- Any other metadata associated with the user’s account
User-generated content is any content created on or uploaded to the GBDX platform for the purposes of compute. Examples are shapefiles and Digital Elevation Models (DEMs) that a user uploads to be used as inputs to an algorithm. Output files generated from a task are also considered user-generated content.
The user-generated content and assets are stored in a protected S3 location that is secured by two layers: AWS access control and a token acquired from the GBDX Authentication system. The S3 location and the content stored within are only accessible by members of the associated account.
Running a workflow on the GBDX platform produces an output file. Output files can be saved to the GBDX customer S3 location (recommended), or to a personal location. This operation requires the user to have AWS credentials to the personal S3 location.
For more information on saving task outputs, see How to Save Task Outputs.
Accessing files in the GBDX customer S3 location requires both a token and temporary AWS credentials. The GBDX S3 Storage Service provides temporary credentials that can be used to list or download data from the customer's data location. The GBDX customer S3 location and the content stored within are restricted to users of the associated account.
See S3 Storage Service Course for more information.
Users can delete data using temporary credentials acquired from the GBDX S3 Storage Service. DigitalGlobe reserves the right to delete customer data in the following circumstances:
- The stored contents violate either GBDX or AWS Terms of Service
- The storage capacity allowed for in the customer’s subscription contract has been exceeded
- The GBDX subscription is terminated or reaches its end date without extension
The GBDX platform is designed to allow users to bring their own algorithms to the platform. Publishing a task on GBDX requires the task to be "Dockerized" and registered in the GBDX task registry. When a task is registered, the Docker image is migrated to an AWS Container accessible by the GBDX platform.
Registering a task is accomplished by submitting a JSON task definition to the Workflow API. Registering a task triggers migration of the associated Docker image.
When a task is registered, it is associated with the account ID of the user that submitted the registration. New algorithms are registered as "private" by default. Algorithms can be made "public" by a member of the GBDX Operations and Support team by request.
| Task type | Availability |
|---|---|
| Private Task | A private task is only available to users of the account the task was registered with. |
| Public Task | A public task is available for use by any GBDX user. |
| Custom Authorization | It is possible to share a task with users outside of the account by adding individuals as authorized users of that task. At this time, this can only be done by submitting a request to the GBDX Support team. |
For more information about Dockerizing and registering a task, see Creating a Custom Task.
User-produced algorithms are accessed from the user-controlled Docker Hub repositories. Before registering a task in the GBDX task registry, the user must allow “read” access to a specific Docker Hub user under DigitalGlobe control. The task owner may remove this user's permissions at any time; however, removing the DG user may make the task unavailable on the GBDX platform.
When the user submits the task to the platform, the Docker images are migrated to reside within AWS Containers that are designed to store and execute code. AWS provides dedicated access to these containers for GBDX platform resources. No direct access to the container, or its underlying executable, is provided to any user at any time.
To update or version a task, the user must be a member of the account the task was registered with. Only users of that account can perform the following operations for an existing task:
- Update the contents of the task definition
- Update the version number for a task
- Delete a task from the task registry
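The task visibility rules (private, public, custom authorization) and the account-only update rules above can be read as two separate access decisions. The following is an added example, not GBDX code: the class names, field names and sample accounts are hypothetical and only model the rules as this page states them.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    user_id: str
    account_id: str            # a user is associated with exactly one account

@dataclass
class Task:
    name: str
    owner_account_id: str      # account of the user who registered the task
    public: bool = False       # new tasks are registered as private by default
    authorized_users: set = field(default_factory=set)  # custom authorization

def can_run(user: User, task: Task) -> bool:
    """See/run decision: public task, same account, or individually authorized."""
    if task.public:
        return True
    if user.account_id == task.owner_account_id:
        return True
    return user.user_id in task.authorized_users

def can_modify(user: User, task: Task) -> bool:
    """Update definition, update version, delete: owning account only.
    Public visibility and custom authorization never grant write access."""
    return user.account_id == task.owner_account_id

def decision_matrix(users, tasks):
    """Return (user, task, can_run, can_modify) for every pair, for review."""
    return [(u.user_id, t.name, can_run(u, t), can_modify(u, t))
            for u in users for t in tasks]

# Constructed sample data (hypothetical accounts, users and task names).
alice = User("alice", "acct-A")
bob = User("bob", "acct-B")
carol = User("carol", "acct-B")
private_task = Task("ndvi-private", "acct-A")
shared_task = Task("ndvi-shared", "acct-A", authorized_users={"bob"})
public_task = Task("ndvi-public", "acct-A", public=True)

if __name__ == "__main__":
    for row in decision_matrix([alice, bob, carol],
                               [private_task, shared_task, public_task]):
        print(row)
```

Keeping the run decision and the modify decision in separate functions makes it visible that sharing a task widens who can use it without widening who can change or delete it.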
A "workflow" is a series of tasks chained together to perform a series of operations and produce an output. Workflows are associated with accounts. Only a user from the associated account can see information about the workflow. This includes the workflow definition and workflow status and events.
If you have questions about GBDX Security, please contact GBDX Support.