Security
Security in IIOS is architectural, not bolted on. Every request — from a person, a service, or an agent — passes through one policy engine, is encrypted in transit and at rest, and is recorded to an immutable ledger.
Defense in depth
The platform layers independent controls so no single failure is catastrophic: federated identity, a central policy engine, encryption everywhere, network isolation per sovereignty boundary, and continuous audit. The control plane is the spine that ties them together.
Core controls
| Control | Mechanism | Scope |
|---|---|---|
| Encryption in transit | TLS 1.3 / mTLS | All service + client traffic |
| Encryption at rest | AES-256, BYOK / HSM | Graph, events, evidence, backups |
| Authorization | Central RBAC + ABAC policy engine | Every request, no bypass |
| Audit | Append-only immutable ledger | Reads, writes, agent actions |
| Isolation | Per-boundary network + tenancy | Deployment sovereignty domain |
Policy as code
Access rules are declarative, versioned, and reviewed like any other code. The engine evaluates role and attribute conditions together, and the default is always deny.
# Policy is declarative and versioned. Deny is the default.
policy "north-plant-operators" {
effect = "allow"
actions = ["graph:read", "reason:invoke"]
resources = ["plant:north/*"]
condition {
principal.classification >= resource.classification
request.topology in ["dedicated", "on-prem"]
}
}Assurance & compliance
The platform is built to map cleanly onto the controls enterprise programs already require:
- SSO/SCIM against your IdP — no parallel identity store
- Customer-managed keys (BYOK/HSM) in dedicated and on-prem topologies
- Immutable, exportable audit evidence for every access decision
- Data residency and isolation enforced by the sovereignty boundary
- Least-privilege, short-lived tokens for humans, services, and agents
Security patterns
Single enforcement point
One policy engine for all principals means one place to reason about, test, and audit access.
Encrypt everything, own the keys
Data is encrypted end to end, and regulated customers hold their own key material.
Prove it later
The immutable ledger turns "who saw what, when" into a query, not an investigation.
Assume breach
Short-lived tokens, deny-by-default, and isolation limit blast radius when something does go wrong.
