Security Compliance¶
This guide maps Quine Enterprise security features to NIST SP 800-53 Rev. 5 controls. Use this as a reference when completing security assessments or compliance documentation.
For cryptographic requirements, Quine Enterprise supports FIPS 140-3 validated modules when deployed on FIPS-enabled operating systems (see Cryptographic Controls).
Quine Enterprise requires an OpenID Connect (OIDC)-compliant identity provider for authentication. If your organization does not have an existing provider, Keycloak is an open-source option that integrates well with Quine Enterprise.
Control Mapping¶
Access Control (AC)¶
| Control | Description | Quine Enterprise Feature | Documentation |
|---|---|---|---|
| AC-3 | Access Enforcement | Role-based access control (RBAC) with configurable roles | OIDC/RBAC Setup |
| AC-4 | Information Flow Enforcement | Namespaces for data separation | Namespaces |
| AC-6(4) | Separate Processing Domains | Namespaces isolation | Namespaces |
| AC-7 | Unsuccessful Logon Attempts | Delegated to identity provider (IdP) | OIDC/RBAC Setup |
| AC-9(1) | Previous Logon Notification | Delegated to identity provider (IdP) | OIDC/RBAC Setup |
| AC-12 | Session Termination | Configurable session timeout | OIDC/RBAC Setup |
| AC-17 | Remote Access | HTTPS with TLS 1.2+ | TLS Configuration |
| AC-17(2) | Encryption of Remote Access | Encrypted communications via TLS | TLS Configuration |
Identification and Authentication (IA)¶
| Control | Description | Quine Enterprise Feature | Documentation |
|---|---|---|---|
| IA-3 | Device Identification | mTLS for cluster communication | Cluster TLS |
| IA-3(1) | Cryptographic Authentication | Certificate-based mutual TLS | Cluster TLS |
Audit and Accountability (AU)¶
| Control | Description | Quine Enterprise Feature | Documentation |
|---|---|---|---|
| AU-3 | Content of Audit Records | Structured audit logs with user, action, timestamp | Audit Logging |
| AU-3(3) | Limit PII in Audit Records | Safe logging with configurable redaction | Log Redaction |
| AU-8 | Time Stamps | ISO 8601 timestamps in audit records | Audit Logging |
| AU-10 | Non-repudiation | Authenticated user identity in audit records | Audit Logging |
| AU-12 | Audit Record Generation | Automatic audit logging for API operations | Audit Logging |
System and Communications Protection (SC)¶
| Control | Description | Quine Enterprise Feature | Documentation |
|---|---|---|---|
| SC-8 | Transmission Confidentiality and Integrity | TLS 1.2+ for all HTTP communications | TLS Configuration |
| SC-13 | Cryptographic Protection | FIPS 140-3 validated modules (on FIPS-enabled OS) | Cryptographic Controls |
| SC-18 | Mobile Code | JavaScript-based web UI | Mobile Code |
| SC-23 | Session Authenticity | Signed session tokens with secure cookies | OIDC/RBAC Setup |
| SC-28 | Protection of Information at Rest | Persistence layer encryption | Encryption at Rest |
| SC-28(1) | Cryptographic Protection at Rest | Disk/volume encryption for data stores | Encryption at Rest |
| SC-32 | System Partitioning | Namespaces separation | Namespaces |
| SC-38 | Operations Security | Safe logging and operational monitoring | Log Redaction, Metrics, Executable Integrity |
System and Information Integrity (SI)¶
| Control | Description | Quine Enterprise Feature | Documentation |
|---|---|---|---|
| SI-4 | System Monitoring | Audit logging, metrics endpoints | Audit Logging, Metrics |
| SI-7 | Software Integrity | Tamper detection and code protection | Executable Integrity |
| SI-10 | Information Input Validation | Query parameter validation | Input Validation |
| SI-10(6) | Injection Prevention | Parameterized Cypher queries | Input Validation |
| SI-11 | Error Handling | Sanitized error messages | REST API Reference |
Configuration Management (CM)¶
| Control | Description | Quine Enterprise Feature | Documentation |
|---|---|---|---|
| CM-7 | Least Functionality | File ingest restricted to whitelisted directories | File Ingest Security |
| CM-8 | System Component Inventory | Software Bill of Materials (SBOM) | Component Inventory |
| CM-10 | Software Usage Restrictions | License inventory | Component Inventory |
Implementation Details¶
TLS Configuration (External)¶
Quine Enterprise supports TLS 1.2 and TLS 1.3 for external HTTP interfaces (REST API, web UI). TLS can be enabled using environment variables or JVM system properties.
Using environment variables:
export SSL_KEYSTORE_PATH="/path/to/keystore.jks"
export SSL_KEYSTORE_PASSWORD="your-keystore-password"
java -jar quine-enterprise.jar
Using JVM system properties:
java -Djavax.net.ssl.keyStore=/path/to/keystore.jks \
-Djavax.net.ssl.keyStorePassword=your-keystore-password \
-jar quine-enterprise.jar
Using configuration file:
quine.webserver {
use-tls = yes
}
When use-tls is enabled, the keystore must be configured via environment variables or JVM system properties as shown above. We recommend using a reverse proxy for TLS termination instead, as it provides more flexibility and better performance.
For cipher suite customization, use JVM system properties:
java -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 \
-Dhttps.cipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256 \
-jar quine-enterprise.jar
For FIPS-compliant deployments, see Cryptographic Controls.
Cluster TLS (Internal)¶
For cluster deployments, enable mutual TLS (mTLS) for internal node-to-node communication using Pekko's TLS configuration:
pekko.remote.artery {
transport = tls-tcp
canonical.hostname = "node1.example.com"
canonical.port = 17750
ssl.config-ssl-engine {
key-store = "/path/to/keystore.jks"
key-store-password = ${KEYSTORE_PASSWORD}
trust-store = "/path/to/truststore.jks"
trust-store-password = ${TRUSTSTORE_PASSWORD}
protocol = "TLSv1.3"
}
}
See Apache Pekko TLS documentation for complete options.
Cryptographic Controls¶
Quine Enterprise uses the JVM's cryptographic providers. For FIPS 140-3 compliance:
- Deploy on a FIPS-enabled operating system (e.g., RHEL 9 with FIPS mode enabled)
- Use a FIPS-validated JVM (e.g., Red Hat build of OpenJDK with FIPS provider)
- The JVM automatically uses FIPS-validated cryptographic modules when the OS is in FIPS mode
No application-level configuration is required—Quine Enterprise inherits FIPS compliance from the underlying platform.
Encryption at Rest¶
For Cassandra persistence, enable encryption at the storage layer:
- Cassandra Transparent Data Encryption (TDE): Enable in
cassandra.yaml - Disk/volume encryption: Use LUKS, dm-crypt, or cloud provider encryption (AWS EBS, GCP PD)
- Recommended: 3+ node cluster with replication factor 3 for durability
For RocksDB persistence, use filesystem or volume encryption on the data directory.
See Configuration Reference for persistence configuration options.
Log Redaction¶
Configure log redaction to limit sensitive information in logs:
quine.log-config {
# Hide potentially sensitive information (e.g., values from ingested records)
show-unsafe = no
# Control exception logging (may contain sensitive data or verbose stacktraces)
show-exceptions = no
# Redaction method: replaces sensitive information with "**REDACTED**"
redactor {
type = redact-hide
}
}
When show-unsafe = no (the default), potentially sensitive values are replaced with **REDACTED** in log output. This includes values derived from ingested data that could contain PII.
See Configuration Reference for additional logging options.
File Ingest Security¶
Quine Enterprise restricts file-based data ingestion to whitelisted directories:
quine.file-ingest {
# Whitelist of allowed directories for file ingests
# Empty list = no file ingests allowed (except from recipes)
allowed-directories = ["file_ingests"]
# File resolution mode:
# - "static": Only files present at startup are allowed
# - "dynamic": Any file in allowed directories is allowed
resolution-mode = "static"
}
This prevents unauthorized file access and limits the attack surface for file-based ingestion.
See Configuration Reference for additional file ingest options.
Mobile Code¶
Quine Enterprise provides a web-based user interface that uses JavaScript. Organizations with policies governing mobile code (SC-18) should evaluate this against their requirements. The JavaScript is served directly from the Quine Enterprise application and does not load external scripts.
Input Validation¶
Quine Enterprise validates all API inputs and query parameters. To prevent query injection:
- Use parameterized queries: Pass user input as parameters (
$param), not string concatenation - Avoid
cypher.doIt: Do not pass unsanitized input to dynamic query execution procedures - Validate at ingestion: Sanitize data before it enters the graph
See Configuration Reference for detailed security recommendations.
Executable Integrity¶
Quine Enterprise binaries include built-in protections against tampering and reverse engineering. These protections are applied during the build process and require no user configuration.
Component Inventory¶
Software Bill of Materials (SBOM) and license inventory are available upon request. Contact support@thatdot.com to obtain these documents for your deployment.