Architecture

This section collects architectural properties of Governor.

  • Enterprise-grade security

Synthesized supports industry-standard security protocols including Secure Sockets Layer (SSL), JWT Tokens and Bcrypt cryptography. Governor can be installed in isolated security zones so the data transformation process takes place locally and no data is exposed outside of its home jurisdiction. Synthesized requires no server or outside connection. It is designed to work without network access and within air-gapped deployment environments.

  • Inactivity timeouts

Appropriate timeouts are implemented, based on risk considerations.

  • Cryptographic systems

The list of enabled protocols and ciphers, and approved exceptions (or ORIs) for any non-approved protocols or ciphers.

  • Date format

The usual format as described in ISO8601-01:2019 is YYYY-MM-DD"T"hh:mm:ss, where the time zone descriptor may be "Z" for UTC, or a positive or negative number as offset to UTC, e.g. 2020-08-06T15:48:15Z or 2020-08-06T16:48:15+01.
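A validator for this timestamp format, useful when correlating audit entries from several sources. This is an added example, not Governor's own code: the function names and sample log lines are constructed, and accepting an offset written as hh:mm (in addition to the hh form shown above) is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# YYYY-MM-DD"T"hh:mm:ss followed by a mandatory zone descriptor:
# "Z" for UTC, or a signed offset written as hh or hh:mm.
_TS = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(Z|[+-]\d{2}(?::\d{2})?)"
)

SAMPLE = [  # constructed log lines, not produced by the product
    "2020-08-06T16:48:15+01 login ok user=alice",
    "2020-08-06T15:48:15Z config read",
    "2020-08-06T15:48:15 logging level changed",  # no zone descriptor
    "2020-08-06T10:47:00-05:00 login failed user=bob",
]

def parse_timestamp(text):
    """Return the instant as an aware UTC datetime, or raise ValueError."""
    m = _TS.fullmatch(text)
    if m is None:
        raise ValueError(f"not in the documented format: {text!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    zone = m.group(7)
    if zone == "Z":
        offset = timedelta(0)
    else:
        off_h = int(zone[1:3])
        off_m = int(zone[4:6] or 0)  # "+01" carries no minutes part
        if off_h > 23 or off_m > 59:
            raise ValueError(f"offset out of range: {text!r}")
        offset = timedelta(hours=off_h, minutes=off_m)
        if zone[0] == "-":
            offset = -offset
    # datetime() rejects impossible values such as month 13 or 30 February.
    local = datetime(year, month, day, hour, minute, second, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)

def order_entries(lines):
    """Sort entries by UTC instant; collect lines whose timestamp is unusable."""
    ok, rejected = [], []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            ok.append((parse_timestamp(stamp), rest))
        except ValueError:
            rejected.append(line)  # zone-less times are ambiguous, keep them apart
    ok.sort(key=lambda entry: entry[0])
    return ok, rejected
```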

  • Logging must not be disabled

The component either doesn’t allow logging to be disabled, or disabling it must trigger a security event on the logging stream. Disabling logging then triggers a security event, which shows up as an entry in the component’s log stream.

  • Auditing

The format of the log entries which are produced by the component.

  • Identification of users prior to granting access

Authentication and access control are usually enforced either both on OS level (e.g. using Active Directory), or with authentication on OS level and access control on application level. Which one applies depends on the needed granularity of the access control, which is coarse on OS level.

  • Application of authentication techniques

Documentation of which authentication service is used.

  • Disabling of built-in accounts

Built-in accounts should be “disabled”, which means either deleted (seldom feasible), or configured so that they are not usable interactively, e.g. by denying login, or by not having a shell (i.e. CLI). Typically, built-in accounts are used to own running processes, which is fine. But using a built-in account interactively must not be possible, because it does not allow activities to be traced back to whoever triggered them.