
Security Model

Enterprise-grade security architecture designed for zero trust environments

Architecture Overview

TigerIdentity is built on a zero-trust security architecture with defense-in-depth principles. Every request is authenticated, authorized, and audited - regardless of source or network location.

Security Layers

  • Transport Security: TLS 1.3 for all connections
  • Authentication: Mutual TLS, OAuth 2.0, API keys with rotation
  • Authorization: Attribute-based access control (ABAC) for all APIs
  • Data Protection: Encryption at rest (AES-256) and in transit
  • Network Isolation: VPC peering, private endpoints, firewall rules

Data Encryption

Encryption in Transit

All network traffic uses TLS 1.3 with perfect forward secrecy. We support only strong cipher suites and disable legacy protocols.

# Supported Cipher Suites
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

# Certificate Requirements
- RSA 2048+ or ECDSA P-256+
- SHA-256 or stronger
- Valid certificate chain
- OCSP stapling enabled

Encryption at Rest

All sensitive data is encrypted at rest using AES-256-GCM with envelope encryption. Each tenant has isolated encryption keys.

What's Encrypted

  • Identity attributes
  • Policy definitions
  • Session tokens
  • Audit logs
  • Database backups
  • Connector credentials

Authentication

TigerIdentity supports multiple authentication methods for different use cases.

API Keys

Used for service-to-service communication. Keys support automatic rotation and scope-based permissions.

Authorization: Bearer ti_prod_a1b2c3d4e5f6...

OAuth 2.0 / OIDC

Used for user authentication and delegated access. Supports the PKCE flow for single-page applications (SPAs).

grant_type=authorization_code&code=abc123&code_verifier=xyz789

Mutual TLS (mTLS)

Used for high-security environments. Client certificates are issued per service.

X-Client-Certificate-Verified: SUCCESS

Authorization

All API requests are subject to attribute-based access control. Permissions are evaluated in real time based on:

Principal Attributes

  • Identity type (user, service, agent)
  • Department and role
  • Security clearance level
  • Authentication method used

Context Attributes

  • Source IP and geolocation
  • Time of day and day of week
  • Device posture and trust level
  • Recent authentication events
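As an added illustration (not TigerIdentity's own policy engine or policy language), the following Python sketch evaluates a request against rules whose conditions draw on the principal and context attributes listed above, with deny-overrides combining and deny by default. The clearance labels, attribute names, rule names and sample policy are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # assumed labels

@dataclass
class Request:
    principal: dict  # identity type, role, clearance, auth_method
    context: dict    # source_ip, time (ISO 8601), device_trust
    action: str
    resource: dict   # classification label of the target

@dataclass
class Rule:
    name: str
    actions: set
    effect: str = "allow"                           # "allow" or "deny"
    conditions: list = field(default_factory=list)  # predicates over a Request

def from_network(cidr):
    return lambda r: ipaddress.ip_address(r.context["source_ip"]) in ipaddress.ip_network(cidr)

def cleared_for_resource(r):
    return CLEARANCE[r.principal["clearance"]] >= CLEARANCE[r.resource["classification"]]

def business_hours(r, start=8, end=18):
    t = datetime.fromisoformat(r.context["time"])
    return t.weekday() < 5 and start <= t.hour < end

def device_trust_below(level):
    return lambda r: r.context.get("device_trust", 0) < level

def evaluate(rules, req):
    """Deny-overrides: a matching deny wins; else any fully satisfied allow; else deny."""
    decision, matched = "deny", []
    for rule in rules:
        if req.action in rule.actions and all(c(req) for c in rule.conditions):
            matched.append(rule.name)
            if rule.effect == "deny":
                return "deny", matched
            decision = "allow"
    return decision, matched

POLICY = [  # constructed sample policy
    Rule("block-untrusted-device", {"read", "write"}, "deny", [device_trust_below(2)]),
    Rule("corp-read", {"read"}, "allow", [from_network("10.0.0.0/8"), cleared_for_resource, business_hours]),
    Rule("service-mtls-write", {"write"}, "allow",
         [lambda r: r.principal["type"] == "service" and r.principal["auth_method"] == "mtls"]),
]
```

Note that a request lacking a device posture attribute defaults to trust 0 and is therefore denied, which is the safe failure mode for a missing context attribute.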

Network Security

Private Networking

Deploy TigerIdentity within your VPC using AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. No public internet exposure required.

DDoS Protection

Built-in rate limiting, WAF integration, and cloud provider DDoS shields protect against volumetric attacks.

IP Allowlisting

Configure per-tenant IP allowlists for administrative access and API calls.

Tenant Isolation

TigerIdentity uses a hybrid isolation model to balance security and efficiency:

  • Data Isolation: Logical separation via tenant_id with row-level security policies. Enterprise tier supports dedicated databases.
  • Encryption Keys: Per-tenant encryption keys managed via AWS KMS, Azure Key Vault, or Google Cloud KMS.
  • Compute Isolation: Kubernetes namespaces with network policies. Dedicated clusters available for Enterprise.
  • Access Isolation: Service accounts scoped to single tenant. No cross-tenant API access possible.

Key Management

TigerIdentity uses cloud-native KMS for centralized key management with FIPS 140-2 Level 3 validated HSMs.

# Example: AWS KMS Configuration
encryption:
  provider: aws-kms
  key_id: arn:aws:kms:us-east-1:123456789:key/abc-def
  rotation_enabled: true
  rotation_period_days: 90

# Customer-Managed Keys (CMK) supported
customer_managed_keys:
  enabled: true
  bring_your_own_key: true

Key Rotation

Encryption keys are automatically rotated every 90 days. Old keys are retained for decryption only. Manual rotation is available via API.

Security Compliance

TigerIdentity maintains industry-leading security certifications and undergoes regular third-party audits.

SOC 2 Type II

Audited annually for security, availability, and confidentiality

ISO 27001

Information security management system certification

Security Best Practices

For Customers

  1. Enable MFA for all administrative accounts
  2. Rotate API keys every 90 days or less
  3. Use service accounts with minimal scopes for integrations
  4. Configure IP allowlists for production environments
  5. Enable audit log streaming to your SIEM
  6. Review access grants and sessions weekly
  7. Test incident response procedures quarterly

Questions About Security?

Our security team is available to discuss your specific requirements