Before users leverage Coiled for productivity, IT and security teams need to review Coiled to ensure everything meets corporate standards, and doesn't introduce undue operational risk.
This document aids this review by providing the following:
But first, three frequently asked questions:
Coiled avoids access to your data and your systems. We serve as a broker between you and your cloud, setting up infrastructure so that you can have a productive and secure experience without relying on Coiled as an intermediary.
When a user asks for a cluster, Coiled …
Coiled is not present during the conversation when you and your cloud resources access your data. Your data never leaves your internal cloud network.
Coiled’s client software (which runs on your machines) ships with functionality to forward your local credentials to your cloud resources after Coiled’s control plane (which runs on our machines) has left the conversation.
In this way, users have full access to their data on cloud resources without sending credentials through Coiled’s network.
However, Coiled does track substantial information about the health of your cluster and computation. This metadata includes information like the following:
Some of this metadata is required (like instance health), other metadata is optional (like code snippets), and still other metadata (logs, hardware utilization) can be configured to live entirely within your own cloud.
By default Coiled collects as much metadata as it can. This helps Coiled staff debug and optimize user workflows, which provides substantial cost savings. We understand that metadata collection is not always acceptable, and so Coiled’s metadata collection is highly configurable.
Coiled is maintained by professional cloud infrastructure engineers and follows best practices. Network communications are secured end-to-end. Sensitive data is encrypted at rest. Access is limited to a few individuals using secure passwords under frequent rotation, multi-factor authentication, and so on.
Coiled Computing, Inc. is SOC 2 Type II and ISO 27001 compliant. To see evidence of our security certifications, reach out to email@example.com.
OK, but exactly what permissions do you need and exactly what metadata do you collect?
Let’s discuss precise IAM roles and metadata. We’ll use AWS terms for things in this document. Please see AWS Setup and GCP Setup for more details.
To operate, you provide Coiled with an IAM role that has the permissions below.
During setup, Coiled needs additional one-time permissions. These are listed below:
See https://docs.coiled.io/user_guide/aws_configure.html for more information.
Some of these permissions are optional if you are comfortable turning off certain features. For example:
Coiled collects metadata about your resources and computations. Some of this is critical, some is optional. We describe that metadata below:
We need this information to track and control distributed cloud resources. This operational metadata includes the following:
We get this information using the granted IAM roles. These cannot be turned off; they are required for operation.
Performance metadata helps us debug and optimize workflows with users. Some entries are optional (✅). Others can be moved inside your cloud boundary (➡️) with mild effort on your part.
This data is collected both with Prometheus metrics and with periodic check-ins with the Coiled control plane over secured web traffic.
By default Coiled sets everything up for you and tracks metadata within its own database. Optionally, you can deploy Coiled in more custom cloud environments and attach metadata storage to your own databases (➡️ above). Common configuration choices include the following:
Like any technology, Coiled introduces operational risk. The approach above is designed to minimize risk while providing an easy, rich, and productive experience for users.
Our experience is that users will take whatever path is easiest, even if that path is insecure and unsanctioned. Coiled crafts an easy and attractive path for all users that is also highly secure and configurable.
Get started for free – it’s fast and easy.