Remote Sharing Concepts
Overview
Organizations with Istari installations can share models through direct communication between the Istari installations at each organization. This type of sharing is called 'remote sharing', and must be configured in the Istari installations of both 'upstream' model owners and 'downstream' model consumers. There is no limit placed on the number of remote sharing relationships (upstream or downstream) that any one organization may participate in.
The key concepts behind remote sharing include:
- For Model Owners: Data sovereignty, with controlled and auditable remote sharing between Istari installations
- Secure, auditable, Istari control plane to control plane communication
- Secure, isolated, downstream caching of models from upstream owners, revocable by upstream model owners
- Control tags applied to models in the upstream installation are shared with downstream consumers, and provide an additional access check (see 'Control Tag Considerations', below)
Terminology
Upstream Model Owner: Organizations that have models in their Istari data plane and wish to share those models with other organizations having Istari installations are called 'upstream model owners'.
Downstream Model Consumer: Organizations that have an Istari installation and wish to configure it to view models shared with them by upstream model owners are called 'downstream model consumers'.
Upstream shared model cache or 'read-through cache': A read-through cache is mutated by the downstream Istari control plane, and read by downstream Istari end users in order to enable model sharing between upstream and downstream organizations. End users do not write directly to the cache. The cache location and configuration are the responsibility of the upstream model owner.
Shared Responsibility Model: For organizations that enable remote model sharing, the Shared Responsibility Model defines the responsibilities of the upstream model owners, downstream model consumers, and Istari. See Remote Sharing - Shared Responsibility Model for more information.
Considerations
Understand Your Organization's Policies for External Sharing
Upstream owners who wish to share models with downstream organizations through direct communication between the Istari installations at each organization should understand and comply with their organization's security and data isolation policies. Istari provides the mechanisms for sharing models with other organizations that have Istari installations, and relies on a Shared Responsibility Model to ensure that models and sensitive information are handled appropriately.
Please review the Remote Sharing - Shared Responsibility Model section to understand the responsibilities of Istari, Upstream Model Owners, and Downstream Model Consumers who participate in remote model sharing.
Control Tag Considerations
Models shared by upstream owners may be associated with one or more control tags, which support an additional layer of access control in any Istari installation. When models that have control tags are shared with downstream Istari installations, the control tags are carried to the downstream control plane as follows, providing an additional access check in the downstream organization.
- In the downstream control plane, upstream control tags are 'prefixed' by the name of the sharing relationship configured by the downstream (for example, 'ACME:UNCLASSIFIED')
- Prefixed control tags are automatically granted to the downstream users who administer the sharing relationship
- Prefixed control tags must be explicitly granted to any other downstream users; otherwise, upstream models associated with upstream control tags cannot be viewed by other downstream users
- As with other control tags in any Istari control plane, Customer Administrators (in the downstream control plane) are responsible for granting control tags to Istari users
- Istari Customer Administrators cannot modify or delete control tags shared from upstream installations via a remote sharing relationship
- If the upstream owner of a model adds or removes control tags from a model shared with a downstream consumer, the changes are synchronized to the downstream control plane on the next sync. This can change access to that model on the downstream installation for regular, non-privileged users who do not administer the sharing relationship
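The rules above can be traced with a small model of the downstream tag check. This is an added illustration, not Istari code or its API: the class, method, user, model and tag names are hypothetical, and it assumes a user must hold every prefixed tag on a model in order to view it.

```python
from dataclasses import dataclass, field


def prefix_tags(relationship: str, upstream_tags: set) -> set:
    """Namespace upstream control tags with the sharing relationship name."""
    return {f"{relationship}:{tag}" for tag in upstream_tags}


@dataclass
class DownstreamPlane:
    relationship: str            # hypothetical relationship name, e.g. "ACME"
    sharing_admins: set          # users who administer the sharing relationship
    grants: dict = field(default_factory=dict)      # user -> granted tags
    model_tags: dict = field(default_factory=dict)  # model -> prefixed tags

    def sync(self, upstream_models: dict) -> None:
        """Mirror upstream tag state; downstream never edits these tags."""
        self.model_tags = {m: prefix_tags(self.relationship, tags)
                           for m, tags in upstream_models.items()}
        every_tag = set().union(*self.model_tags.values())
        for admin in self.sharing_admins:   # automatic grant to sharing admins
            self.grants.setdefault(admin, set()).update(every_tag)

    def grant(self, user: str, tag: str) -> None:
        """Explicit grant, as performed by a downstream Customer Administrator."""
        self.grants.setdefault(user, set()).add(tag)

    def can_view(self, user: str, model: str) -> bool:
        # Assumption: the user must hold every prefixed tag on the model.
        required = self.model_tags.get(model)
        return required is not None and required <= self.grants.get(user, set())


def demo() -> list:
    """Constructed scenario: upstream adds a tag between two syncs."""
    plane = DownstreamPlane("ACME", {"alice"})
    plane.sync({"wing-model": {"UNCLASSIFIED"}})
    before_grant = plane.can_view("bob", "wing-model")
    plane.grant("bob", "ACME:UNCLASSIFIED")
    after_grant = plane.can_view("bob", "wing-model")
    plane.sync({"wing-model": {"UNCLASSIFIED", "EXPORT-REVIEW"}})
    after_sync = plane.can_view("bob", "wing-model")
    return [before_grant, after_grant, after_sync, plane.can_view("alice", "wing-model")]


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario, the non-privileged user loses access after the second sync because the new upstream tag has not been granted to them, while the sharing administrator keeps access through the automatic grant.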
Security and Network Considerations
Both upstream model owners and downstream model consumers have a security perimeter in which their Istari installations reside. Configuring two Istari systems for remote sharing involves:
1. Creating a dedicated identity and access token in the upstream organization that must be securely provided to the downstream organization, to enable communication between the Istari systems.
2. Enabling direct network access for specific API calls between the two Istari control planes, via secure HTTP.
3. Creating a shared read-through cache that is controlled by the upstream model owner. This cache is not necessarily expected to reside in either organization's Istari security perimeter, however:
   - The choice of shared cache location is the responsibility of the upstream model owner. See Configure Shared Cache for Upstream Models, and Remote Sharing - Shared Responsibility Model for additional details.
   - The shared read-through cache of an upstream organization can be envisioned as a 'screened subnet' or 'DMZ' that is controlled by the upstream and specifically configured for remote sharing between Istari organizations.
   - Considerations for the shared cache include network distance (for example, the upstream may wish to create the shared cache in a region that is close to downstream viewers), and high availability.
4. Allowing both installations' Istari control planes to write to the upstream owners' shared model cache, to enable a pull model for read access to cached models.
5. Allowing the downstream installations' Istari users to view the contents of the shared model cache.
6. Configuring the downstream Istari control plane to communicate directly with the upstream installation's API endpoints using the secure identity and access token (#1, above).
7. Allowing the downstream Istari control plane to communicate through one-time links, acting as a client with the upstream Istari installation's main object store.
Instructions for these steps are provided in the following sections. The Additional Network Security Considerations section provides references to approaches that could be considered for shared model cache provisioning and the relationship of the shared model cache to the primary security perimeters of the Istari installation.
Assumptions
This guide assumes that you understand your organization's security policies and Istari network perimeter, and that you have authorization to configure the Istari installation for remote model sharing as an upstream model owner, a downstream model consumer, or both.
Expected Skills and Authorization
- Authorization to handle and configure sensitive data, including secrets/tokens
- Authorization to configure the Istari installation for remote sharing with other internal or external Istari installations
- Knowledge of your Istari network configuration and perimeter, including VPC and firewall configuration
- Knowledge of AWS S3 or Azure storage configuration and storage access control options