Security Architecture
Zero-trust, pull-based security model with full deployment isolation
Security is foundational to LaserData Cloud. The architecture is designed so that the control plane cannot push commands to your infrastructure, there are no inbound connections to your nodes, and the blast radius of any credential compromise is minimal.
Pull-Based Architecture
The Warden agent on each node initiates all communication with the control plane. The control plane never connects inbound to your infrastructure.
| Data Flow | Direction | Description |
|---|---|---|
| Config, tasks, certificates | Pulled by Warden | Warden polls the control plane over HTTPS |
| Heartbeats, metrics | Pushed by Warden | Warden reports node health outbound |
| Inbound connections | None | No SSH, no SSM, no open ports |
This means:
- Even if the control plane is fully compromised, an attacker cannot push commands to your VMs
- Your firewall only needs to allow outbound HTTPS — no inbound rules required
- No SSH keys, no management agents, no bastion hosts
Network Isolation
| Property | Managed | BYOC | On-Premise |
|---|---|---|---|
| Control plane can push commands | No | No | No |
| SSH access | None | None | None |
| SSM access | None | None | None |
| Inbound ports to agent | None | None | None |
| Customer data leaves infrastructure | N/A | No | No |
| LaserData has network access to endpoints | No | No | No |
Every deployment starts fully isolated by default. No traffic reaches your endpoints until you explicitly create Access Rules. This includes LaserData — our control plane orchestrates infrastructure but has no network access to your deployment data or endpoints.
Encryption
| What | How |
|---|---|
| Data in transit | TLS on all connections — Warden to control plane, client to Iggy |
| Data at rest | AES encryption for all sensitive data |
| Certificate lifecycle | Automated issuance and rotation — no manual intervention |
| Audit data | Encrypted at rest, including actor names and event payloads |
Binary Integrity
All binaries deployed to nodes (Warden, Iggy server, Connectors) are cryptographically signed. Before executing any downloaded binary, Warden verifies the signature against the LaserData public key and rejects the binary if verification fails.
This prevents supply chain attacks — even if the download channel is compromised, unsigned binaries cannot be executed.
Task Signing
Every operational task sent to Warden is signed with Ed25519. Warden verifies the signature before execution, ensuring tasks originate from the legitimate control plane and cannot be tampered with in transit.
Credential Scope
Warden Tokens
Each Warden agent authenticates with an Ed25519-signed token scoped to a single node. If a token is compromised, the attacker can only observe telemetry for that one node — no data access, no command execution, no lateral movement. See Warden Agent for details.
IAM Model (AWS)
BYOC Deployments
LaserData assumes a scoped IAM role in your account for provisioning only:
| Permission Scope | Purpose |
|---|---|
| EC2 lifecycle | Provisioning and maintenance |
| Networking | VPC, subnets, security groups, NLB |
| EBS | Storage management |
Not included: No S3, no Secrets Manager, no CloudWatch, no SSM. LaserData has no access to your application data.
Managed Deployments
Nodes run with no IAM instance profile (standalone clusters). Warden authenticates using pre-provisioned credentials — no AWS API access from the nodes.
Multi-Cloud Consistency
The pull-based architecture is cloud-agnostic. Warden works on any infrastructure — cloud or bare metal. Because Warden pulls everything over HTTPS, there is no dependency on cloud-specific management agents.