Foundry Technical Onboarding - Copyright 2021 Palantir Technologies, Inc. All Rights Reserved

 
Intro to Palantir

Palantir enables organizations to solve their hardest problems using data.

      Headquarters: Denver, CO
      Founded: 2004
      Employees: 2,400
      Offices worldwide: 20+

SOME OF OUR PARTNERS

      U.S. DEPARTMENT OF DEFENSE

INDUSTRIES WE WORK WITH

      Defense, Energy, Media
      Intelligence, Law Enforcement, Automotive
      Disaster Response, Aviation, Humanitarian Aid
      Manufacturing, Healthcare, Telecom
      Finance, Regulatory, Cybersecurity
      Shipping, Logistics, Insurance
      Pharma, CPG, Tech

Copyright © 2021 Palantir Technologies Inc. and/or affiliates (“Palantir”). All rights reserved.
The content provided herein is provided for informational purposes only and shall not create a warranty of any kind.
Foundry is Palantir’s managed SaaS for deriving decisions from data

Foundry unifies organizations around their central mission, enabling them to become fully digital “connected organizations”:

      Integrated data operations
      Git-style branching & collaboration
      Full data & logic lineage
      Automatic propagating security & governance
      Operational application suite of tools

Foundry is Palantir’s managed SaaS

Foundry includes industry-standard and advanced backing platform features.

Autoscaling Infrastructure
      Foundry incorporates an autoscaling infrastructure that scales based on your immediate compute needs

Microservice Architecture
      Modular software development without user downtime or broader impact

Continuous Delivery & Automated Upgrades
      Rapid online upgrades and patching without system-wide effects

Encryption in-transit & at rest
      Data, applications, and communications are encrypted throughout Foundry

Managed SaaS
      Palantir Cloud Operations Infrastructure alerting, monitoring & support to ensure performance

24/7/365 Monitoring & Support
      Palantir Cloud Operations Monitoring & Support

High Availability & Disaster Recovery
      Designed and deployed with High-Availability & Disaster Recovery in the case of critical failures

Single-Sign On and Access Control
      Control access into & within Foundry through existing Single Sign-On identity providers

Foundry gives customers best-in-class security controls

Foundry has a robust set of operational security primitives natively built into the platform, giving you the necessary tools to enforce proper control over your data.

      Permission by users and nest-able groups
      Role-based access controls
      Propagating security model
      Granular Permissions / Row-level Security
      Admin Permissions View

Foundry integrates seamlessly with your existing Identity Manager/Provider, enabling full end-to-end access administration and management in your existing system.

Foundry’s environment is secured and monitored

Foundry operates with a robust security-focused infrastructure, leveraging state-of-the-art security practices and protocols.

Encryption in transit and at rest
      Communication between services occurs over TLS 1.2+, only encrypted HTTPS endpoints are exposed, and strict Ingress/Egress rules are enforced for the platform.
      All storage layers, including object stores, block storage, and disk volumes, are secured with server-side encryption.

Vulnerability management
      Palantir’s Information Security team performs continuous internal penetration testing and security reviews, as well as annual third-party penetration tests that cover white, gray, and black box testing of user interfaces and back-end APIs.

Audit logs
      Application audit logs can be made available for the customer to ingest into their existing SIEM for further analysis and monitoring of user actions within Foundry.

Certifications and Attestations

Palantir maintains rigorous, externally verified infrastructure and operations standards.

Foundry is externally certified for the following baselines:
      1. SOC 2 Type II
      2. ISO 27001, ISO 27017 and 27018
      3. FedRAMP Moderate (Foundry for US Government)
      4. US DoD Impact Level 5 (Foundry for US DoD)

On top of those certifications, we are aligned with the controls and policies of:
      1. NIST 800-53 and 800-171
      2. ISO 27002, 27003
      3. ISO Business Continuity and Risk Management Standards

In addition, Palantir has extensive experience helping customers meet specific regulatory and industry requirements, including:
      1. EU General Data Protection Regulation (GDPR)
      2. US Health Insurance Portability and Accountability Act (HIPAA)
      3. California Consumer Privacy Act (CCPA)
      4. Federal Information Security Modernization Act (FISMA)

Sign-up steps

There are six steps to complete in signing up to Foundry.

      1. Select your region → Choose the region for your Foundry.
      2. Select your domain → Palantir can either generate a domain for you, or we can have Foundry accessible through a subdomain with your chosen customer domain.
      3. Configure the Data Connector → Configure either the on-premise or cloud Data Connector to connect Foundry to your sources.
      4. Set-up Single-Sign On → Confirm attributes and send your organization’s SSO identity provider metadata for easy access to Foundry from your existing SAML system.
      5. Share your users’ country locations → This is for us to ensure that they can access Foundry.
      6. Review our standard security assessments → Upon request, we will provide comprehensive documentation required for standard security reviews.

1. Select your region

Available regions for your Foundry’s data residency:

      United States
      Canada
      European Union
      United Kingdom
      Japan
      Australia
      Brazil

2. Select your domain

There are two possible options for your Foundry domain.

      1. Customer-defined with Palantir domain
           You choose a subdomain, and Palantir creates a unique domain for you with that subdomain, such as
           https://.palantirfoundry.com

      2. Palantir-generated domain
           Palantir generates a unique domain code name for you, such as
           https://.palantirfoundry.com

3. Configure the Data Connector

      Users schedule and execute data syncs through an intuitive and access-controlled UI
      Depending on the location of your sources, we have an On-Premise Data Connector we can deploy and a Cloud-based Data Connector for your cloud-based source systems

3. Configure the Data Connector | Option A: On-premise Data Connector

      The cloud-based Coordinator configures and executes jobs that tell the Data Connector how to migrate new data
      The Data Connector communicates with your on-premise sources to fetch data
      The on-premise connector communicates with the Coordinator via encrypted outbound-only HTTPS requests.

[Diagram: inside "Your Network", the Sources (HDFS, Shared Drive, RDBMS, etc.) connect to a Linux Server running the Data Connector, labelled "Fetches Data". The Data Connector is the on-premise agent importing data into Foundry over HTTPS (Port 443). Its link to the Data Connector Coordinator in Foundry is labelled "Fetches Configuration & Pushes Data", ENCRYPTED, HTTPS (Port 443, TLS 1.2+), Outbound only.]

3. Configure the Data Connector | Option A: On-premise Data Connector

Common points of contact for on-premise installation:

      Networking/Infrastructure
           Provisions server for Data Connection in appropriate location, as well as remote access
           Allowlist the Foundry IP addresses to the provisioned server

      Data Source Owners
           Help identify data source for ingestion, as well as supporting materials such as data dictionaries
           Obtain any required approvals for data and/or source system access

Customer server provision — Provision a server for the Data Connector with appropriate user accounts created and at least the following specs:
      [4 Physical Cores] - [16 GB RAM] - [500 GB Hard disk] - [64-bit Unix-based operating system]

Palantir provides IPs — Palantir will provide the qualified domain name and IP addresses for Foundry

Customer allowlist — Customer will allowlist the Foundry IPs in order to allow outbound connections from the server to Foundry

Customer source networking access — Customer will enable open connections between the Data Connector server and relevant Source Systems

Customer source connection information — Customer will share configuration options (e.g. private IPs, ports, credentials) for the Data Connector to source system connection
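
Added example (not Palantir's code): a check a network team could run over the Data Connector server's firewall rules to confirm they match the model above, meaning outbound-only HTTPS on port 443 to the Palantir-provided Foundry IPs plus the agreed source-system connections. The rule format, the Foundry range and the source systems are constructed placeholders; IPv4 is assumed throughout.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: documentation ranges, not real Foundry addresses.
FOUNDRY_CIDRS = ["203.0.113.0/28"]
# Constructed source systems the connector must reach, as (network, port).
SOURCE_SYSTEMS = [("10.20.0.15/32", 5432), ("10.20.4.0/24", 8020)]


@dataclass(frozen=True)
class Rule:
    """Hypothetical, vendor-neutral firewall rule for the connector host."""
    direction: str        # "in" or "out"
    action: str           # "allow" or "deny"
    cidr: str             # remote network
    port: Optional[int]   # destination port (out) or local port (in); None = any


def _subnet_of(a, b):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return a.version == b.version and a.subnet_of(b)


def audit(rules, foundry_cidrs, source_systems):
    """Return (code, detail) findings where the ruleset departs from the
    outbound-only, port-443 connectivity model."""
    foundry = [ipaddress.ip_network(c) for c in foundry_cidrs]
    sources = [(ipaddress.ip_network(c), p) for c, p in source_systems]
    findings, covered = [], set()

    for r in rules:
        if r.action != "allow":
            continue
        net = ipaddress.ip_network(r.cidr)

        if r.direction == "in":
            # The connector only dials out, so Foundry never needs a way in.
            # Other inbound rules (e.g. admin access) are out of scope here.
            if any(net.overlaps(f) for f in foundry):
                findings.append(("inbound-from-foundry",
                                 f"inbound allow from {net} reaches Foundry range"))
            continue

        if any(_subnet_of(net, f) for f in foundry):
            if r.port == 443:
                covered.update(f for f in foundry if _subnet_of(f, net))
            else:
                findings.append(("foundry-non-443",
                                 f"outbound to {net} on port {r.port}, expected 443"))
        elif any(_subnet_of(net, s) and r.port == p for s, p in sources):
            continue  # agreed connector-to-source connection
        else:
            findings.append(("unexpected-egress",
                             f"outbound allow to {net} port {r.port} is not "
                             "a Foundry range or a listed source system"))

    # The allowlist step is incomplete if a provided range has no 443 rule.
    for f in foundry:
        if f not in covered:
            findings.append(("foundry-443-missing",
                             f"no outbound allow for {f} on tcp/443"))
    return findings


# Constructed sample ruleset with three deliberate deviations.
SAMPLE_RULES = [
    Rule("out", "allow", "203.0.113.0/28", 443),
    Rule("out", "allow", "10.20.0.15/32", 5432),
    Rule("out", "allow", "0.0.0.0/0", 443),       # any-destination egress
    Rule("in", "allow", "203.0.113.0/28", 443),   # inbound path not required
    Rule("out", "allow", "203.0.113.0/28", 22),   # wrong port towards Foundry
]

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_RULES, FOUNDRY_CIDRS, SOURCE_SYSTEMS):
        print(f"{code}: {detail}")
```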

3. Configure the Data Connector | Option B: Cloud-based Data Connector

The Cloud-based Data Connector can connect to a wide range of cloud data sources, including:

   Amazon S3
   AWS Redshift
   Azure Data Lake Storage
   Azure Blob Storage
   Box Drive
   Google BigQuery
   Google Cloud Storage
   Oracle File Storage
   Salesforce

4. Set-up Single Sign-On

Foundry easily integrates with your existing Single Sign-On provider.

Foundry has a native Multi-Factor Authentication service, so if MFA is not enabled at your organization, we can enable this service for an additional level of protection.

Foundry supports any SAML 2.0 identity provider (IdP), including the following:

      Azure AD
      ADFS
      Okta
      PingFederate
      Shibboleth
      KeyCloak
      Hennge One
      GEOAxIS
      DISA GCDS

5. Share your users’ country locations

Please let us know your users’ country for us to ensure that they can access the platform.

Summary of Sign-up steps

1. Select your region
      [United States] - [Canada] - [European Union] - [United Kingdom] - [Japan] - [Australia] - [Brazil]

2. Select your domain
      Selecting a custom subdomain within a Palantir domain
      Utilizing a Palantir randomly-generated domain

3. Configure the Data Connector
   Depending on the sources, pursue an on-premise option or cloud option for data connection:
      On-premise
           Customer provisions the Linux Server
           Customer allowlists Palantir-provided Foundry IPs
           Customer shares source system configuration
           Palantir and customer perform installation
      Cloud
           Customer shares source system configuration

4. Configure Single Sign-On
   Confirm the use of MFA in your SSO and:
      Generate the appropriate SAML IdP metadata
      Confirm the SAML attributes that will be passed
      Upload SP metadata to your SSO once provided by Palantir

5. Share your users’ country locations
   We will allowlist access to Foundry to the IPs from these countries.

6. Fulfill any security assessments or SaaS vendor evaluation forms
   We can respond to any questionnaires your organization requires to host data in the Foundry environment.

Customer-owned domain

If your organization has specific domain-name requirements or if the customer requires DNSSEC, your Foundry can be configured to be accessible with a customer-owned domain.

To set up, create an appropriate record in your DNS management panel with your chosen domain, pointing to the Palantir-provided domain and/or IP addresses.

Example: customer creates a record in their domain, https://foundry.customerdomain.gov and points it to the Palantir-provided domain https://.palantirfoundry.com

Audit logging

Application audit logs can be made available for the customer to ingest into their existing SIEM for further analysis and monitoring of user actions within Foundry.

Customers can be provided read-only access to Application Audit Logs via a cloud object store. The Application Audit Logs can then be ingested into a customer-owned and customer-maintained SIEM.

Palantir’s Application Audit Logging event coverage and content follows industry best practices and meets the requirements for standards such as NIST 800-53, ISO 27001/17/18, and SOC2.

SETUP STEPS

      I. Customer shares IPs — Customer provides IP range/CIDR from which they will be reading the logs.
      II. Palantir allowlists IPs — Palantir allows the IP range/CIDR to the Palantir Platform.
      III. Palantir provides access — Palantir provides Customer with a read-only access key pair to the cloud storage containing the logs.

Private connectivity to Foundry

Palantir Foundry supports additional networking options.

      1. Restricted IP space
           We restrict front-door access to Foundry to your specific corporate IP range/CIDR so only users and systems within your network can access Foundry

      2. Connect via private IP space
           We support PrivateLink private connectivity between your systems and Foundry

      3. Dedicated network links to your systems
           For dedicated bandwidth or consistent low bandwidth, we support deploying DirectConnect between your on-premise systems and Foundry.

Customer Key Management Options

Palantir Foundry enables the customer to manage the keys for the Foundry Filesystem.

      1. Enterprise Key Management (EKM)
           Palantir grants the customer a unique user to directly monitor, disable, or delete the underlying master key that encrypts their data in the Foundry Filesystem. Once the master key is deleted, the data stored in the Foundry Filesystem is unrecoverable, effectively functioning as a “kill switch”.

      2. Bring-your-own-Key (BYOK)
           The customer creates a new key in a customer-owned account. All encryption and decryption for the Foundry Filesystem calls are routed through the customer key.

Foundry Platform – On-Prem Appliance

The Palantir Foundry Appliance provides the capabilities of the Foundry platform pre-installed and ready to use in an on-premise environment. It is offered for customers for which the Foundry SaaS Platform is not an option.

The Palantir Foundry Appliance is designed as an all-contained appliance. The appliance is shipped and installed by Palantir in the customer’s data center, and is managed remotely 24/7/365 via Apollo, Palantir’s continuous delivery system.

[Diagram: ON-PREM side shows Customer Sources, Apps/SIEM and Users connected to Foundry, with links marked ENCRYPTED. CLOUD side shows Apollo Infra Management, connected to Foundry over a link marked ENCRYPTED, providing Upgrades and Patches, Infrastructure Health Checks, and Error Prevention and Remediation.]

Foundry Platform – Hosting Value Comparison

Cloud
  Operations Speed
    Time-to-Launch: Hours
    Use Case Onboarding: Instantaneous onboarding
  Customer Costs
    Capital Investment: No Capital Investment. Dynamic billing based on controlled autoscaling infrastructure
    Resource Demands: None
  Platform Infrastructure Features
    Infrastructure Features: Standard Enterprise License
    Resiliency & Disaster Recovery: Default High Availability across three Availability Zones. Multi-site by default

On-Prem Appliance
  Operations Speed
    Time-to-Launch: 3-6 months before environment readiness**
    Use Case Onboarding: Subject to capacity planning lead-time. Constrained by static appliance hardware constraints
  Customer Costs
    Capital Investment: Up-front investment to meet minimum hardware. Over-provisioning to account for growth
    Resource Demands: Space & resources in Data Center. On-Call Engineers & Management. Network & Infrastructure teams
  Platform Infrastructure Features
    Infrastructure Features: Restricted platform feature-set (streaming, ephemeral infra, & autoscaling unavailable)
    Resiliency & Disaster Recovery: Restricted by customer infrastructure. Constrained by customer data center bandwidth, latency, and physical space

** Based on experience working with government and financial services institutions

Foundry in US Government

For US Government clients, we offer two options for Foundry

FOUNDRY IN US GOVERNMENT

•    FedRAMP Moderate Baseline. All controls required for the FedRAMP Moderate baseline are met and documented per the SSP and attachments found in OMB Max.

•    Agency sponsorship through HHS. The Palantir Federal Cloud Service (PFCS) SaaS holds a FedRAMP Agency Authorization from HHS, which manages all ongoing Continuous Monitoring requirements. Agencies may choose to leverage HHS’s ATO or issue a new ATO which fully inherits the existing controls and assessment from the PFCS FedRAMP Authorization.

FOUNDRY IN US DOD

•    Impact Level 5 baseline. This certifies the environment to hold Controlled Unclassified Information and host mission critical National Security Systems.

•    Built on AWS GovCloud. AWS GovCloud meets the IL5 baseline for IaaS.

•    Operations teams staffed with US Persons. This ensures that all aspects of the environment and the environment’s configuration are accessible only to USP who are approved and onboarded to the environment.

•    All connections secured via the DISA BCAP from NIPRNet. Cloud Computing SRG requirements are already implemented in the architecture.
Sign-up steps

There are six steps to complete in signing up to Foundry.

1. Review FedRAMP package and verify compliance with customer responsibility matrix
   Review FedRAMP package, found in OMB Max, and clarify any inherited controls your organization requires to host data in Foundry. These include enabling DNSSEC, providing a SAML IDP with MFA, and providing a FIPS-validated CAP.

2. Set-up your Foundry domain
   Foundry will be configured to be accessible through a subdomain from your organization’s domain.

3. Configure the Data Connector
   Configure either the on-premise or cloud Data Connector to connect Foundry to your sources.

4. Set-up Single-Sign On
   Confirm attributes and send your organization’s SSO identity provider metadata for easy access to Foundry from your existing SAML system.

5. Share your network’s egress IPs
   We will allow access to Foundry from these IPs.

1. Review FedRAMP package and verify compliance with customer responsibility matrix

You can access the FedRAMP package from OMB Max following the instructions outlined in the Package Access Request Form

Customer responsibility compliance requirements include:

•   Customer IDP provides SAML 2.0 protocol, MFA, any organizationally required token auth, and meets FedRAMP parameters for account management (CRM 1-5)

•   Foundry Data Connector hosts provisioned and maintained according to organizational requirements, configured for data access (CRM 14)

•   Cloud Access Point (CAP) ensures FIPS 140-2 validated cryptography for all connections across system boundary (CRM 10)

•   Application Audit Log reviewers have procedures for reviewing Palantir Platform audit, have configured system to read provided audit logs (CRM 6)

•   Certificates and DNS provisioned and configured for DNSSEC (CRM 17)

•   Organization roles and policies specified and communicated to Palantir (CRM 7-9,11-13,15,16)
2. Set-up your Foundry domain

Foundry is configured to be accessible with your domain

To set up, create an appropriate record in your DNS management panel with your chosen domain, pointing to the Palantir-provided domain and/or IP addresses.

Example: customer creates a record in their domain, https://foundry.customerdomain.gov and points it to the Palantir-provided domain https://.palantirfoundry.com

5. Share your network’s egress IPs for Foundry allowlist

Please provide your organization’s corporate IP range/CIDR block for Palantir to allow connections to Foundry

If the On-premise Data Connection server has an IP address outside of the provided IP range/CIDR block, please provide it for Palantir to allowlist as well.

[Diagram: Customer Network (Sources, Apps/SIEM, Users) connected to Foundry with Ingress IP Allowlisting; ENCRYPTED (HTTPS TLS 1.2+ Outbound Only)]
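A pre-submission check for the allowlist request described above, added here as an illustration and not taken from Palantir's material. The function name, parameter names and sample addresses are hypothetical, and rejecting RFC 1918 ranges is an assumption that Foundry only ever sees your network's outward-facing source addresses.

```python
import ipaddress

# Assumption: RFC 1918 space is internal and never the source address Foundry sees.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prepare_allowlist(corporate_ranges, connector_ip):
    """Return (entries_to_submit, warnings) for the egress allowlist request."""
    warnings, nets = [], []
    for text in corporate_ranges:
        try:
            # strict=True rejects a prefix with host bits set, e.g. 203.0.113.9/24
            net = ipaddress.ip_network(text.strip(), strict=True)
        except ValueError as exc:
            warnings.append(f"rejected {text!r}: {exc}")
            continue
        if net.version == 4 and any(net.overlaps(p) for p in RFC1918):
            warnings.append(f"rejected {net}: internal RFC 1918 space, not an egress range")
            continue
        nets.append(net)

    # Merge duplicates and adjacent blocks; collapse_addresses takes one IP version at a time.
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))

    connector = ipaddress.ip_address(connector_ip)
    entries = [str(n) for n in merged]
    if not any(connector.version == n.version and connector in n for n in merged):
        # Step 5: a Data Connection server outside the corporate range is listed as well.
        host = ipaddress.ip_network(str(connector))  # becomes a /32 or /128 entry
        entries.append(str(host))
        warnings.append(f"connector {connector} is outside the submitted ranges; added {host}")
    return entries, warnings


# Constructed sample input (RFC 5737 documentation addresses plus one internal range).
SAMPLE_RANGES = ["198.51.100.0/25", "198.51.100.128/25", "10.20.0.0/16", "203.0.113.9/24"]
SAMPLE_CONNECTOR = "192.0.2.44"

if __name__ == "__main__":
    entries, warnings = prepare_allowlist(SAMPLE_RANGES, SAMPLE_CONNECTOR)
    print("submit:", entries)
    for w in warnings:
        print("warning:", w)
```

Submitting the narrowest merged ranges keeps the allowlist from granting access to address space your organization does not actually egress from.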

Summary of Sign-up steps

1. Review FedRAMP package and verify compliance with customer responsibility matrix
Review FedRAMP package, found in OMB Max, and clarify any inherited controls your organization requires to host data in Foundry. These include enabling DNSSEC, providing a SAML IDP with MFA, and providing a FIPS-validated CAP.

2. Set-up your Foundry domain
Foundry will be accessible through a subdomain from your organization’s domain.

3. Configure the Data Connector
Depending on the sources, pursue an on-premise option or cloud option for data connection:

On-premise
•    Customer provisions the Linux Server
•    Customer allowlists Palantir-provided Foundry IPs
•    Customer shares source system configuration
•    Palantir and customer perform installation

Cloud
•    Customer shares source system configuration

4. Configure Single Sign-On
Confirm the use of MFA in your SSO and:
•    Generate the appropriate SAML IdP metadata
•    Confirm the SAML attributes that will be passed
•    Upload SP metadata to your SSO once provided by Palantir

5. Share your network’s egress IPs
We will allow access to Foundry from these IPs.
