Security Considerations

Describes the Cloudera security measures for Workload XM.

Workload XM security involves establishing secure connections, secure access authentication, and protecting customer and user data.


Cloudera Manager's Telemetry Publisher collects and sends diagnostic information about job and query processes to Workload XM. Because this diagnostic data may contain sensitive information, it is important to mask the data on your Workload cluster in Cloudera Manager before Telemetry Publisher sends it to Workload XM. For more information on redaction, see the related links below.

Data in Motion

Workload XM and its services run on a secure Cloudera Workload XM framework. The transfer of diagnostic data to Workload XM from your Workload cluster is completed using the Hypertext Transfer Protocol Secure (HTTPS) and the Transport Layer Security (TLS) protocols and an authentication process. Access to Workload XM requires that each Workload cluster is configured with the Altus access and private keys in Cloudera Manager, which are used by Telemetry Publisher to authenticate the connection and identify the owner of the data. The access key identifies the user making the API call, and the request is signed by the key, using public key encryption. The signature is verified by the service and then the request is processed. You create your Telemetry Publisher access keys in Workload XM, and add, delete, and disable them from Cloudera Manager on your Workload Cluster. For more information on creating Telemetry Publisher access keys, see the related link below.
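
The sign-then-verify exchange described above, as an added example that is not Cloudera's code. The signature algorithm (Ed25519), the canonical string layout, and every name and value in it (`Request`, `KeyRecord`, `key-1`, `account-a`, `/upload`) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// Request is a constructed stand-in for one Telemetry Publisher API call.
type Request struct{ AccessKeyID, Method, Path, Date, Signature string }

// KeyRecord is what the hypothetical service stores for each access key.
type KeyRecord struct {
	Public   ed25519.PublicKey
	Owner    string // customer account that owns data sent with this key
	Disabled bool   // a disabled key must stop authenticating immediately
}

// canonical builds the bytes both sides sign and verify (assumed layout).
func canonical(r Request) []byte {
	return []byte(r.Method + "\n" + r.Path + "\n" + r.Date + "\n" + r.AccessKeyID)
}

// Sign is the cluster side: the private key never leaves the cluster.
func Sign(r Request, priv ed25519.PrivateKey) Request {
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(r)))
	return r
}

// Verify is the service side: it returns the owning account only if the key is active and the signature is valid.
func Verify(r Request, keys map[string]KeyRecord) (string, error) {
	rec, ok := keys[r.AccessKeyID]
	if !ok || rec.Disabled {
		return "", errors.New("unknown or disabled access key")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(rec.Public, canonical(r), sig) {
		return "", errors.New("signature mismatch")
	}
	return rec.Owner, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	keys := map[string]KeyRecord{"key-1": {Public: pub, Owner: "account-a"}}
	req := Sign(Request{AccessKeyID: "key-1", Method: "POST", Path: "/upload", Date: "2024-01-01T00:00:00Z"}, priv)
	fmt.Println(Verify(req, keys))
}
```

Because the access key ID is part of the signed bytes, a request cannot be replayed under a different key ID, and changing any signed field after signing makes verification fail.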

Data at Rest

Your diagnostic data goes through several transformation processes before it is stored in the Workload XM S3 bucket. The Workload XM microservices are granted access to the Workload XM S3 bucket through the Amazon Web Services (AWS) Identity and Access Management (IAM) service, which securely controls access to AWS resources and is managed by you.

Furthermore, AWS S3 server-side encryption is used to encrypt your data at the object level. A dedicated AWS Key Management Service (KMS) key is used for the encryption, and only the Workload XM microservices are allowed to access the key.

Data Isolation

Workload XM isolates data access at the customer account level, where each customer account has its own dedicated storage database that contains all the data owned by the account, including the account's clusters. This ensures that each account's data is viewable across that account's clusters but not across accounts.

All read access requests to Workload XM use authentication, which identifies the customer account of the user before directing the user's queries to the database associated with the account.

User Access

Workload XM supports resource access roles and privilege types that define who is entitled to access your Workload XM Workload clusters and who is entitled to both access and administer them. The user's identity and Workload XM access rights, such as the existence of a user account, the correct password, and the correct user role and access credentials, are validated each time a user logs in to the Workload XM UI. For more information, see the related link below.