Controlling data residencies for user data storage
Due to regulatory and compliance concerns you might need to restrict the data residency of your users' data to one ore more regions. Authress supports this out of the box.
Data Residencies are configured at an Identity Connection level. When a user logs in with an identity connection, their data will automatically be stored in the region configured in that Identity Connection. This allows you to meet your requirements for each and every one of your customers.
Authress Account setupโ
During Authress account creation you will be asked to select a Primary Region from a list of a few different regions. This is the region where Authress stores your account information, but not your users' data. The Primary Region is made up of multiple different local regions enabling Disaster Recovery as well has the high reliability that Authress commits to, for your account.
User Data by default will be replicated Globally depending on where that user logs in from, how they log in, and specific backup and restore purposes. This is the default, however not every business wants to enable global operation and some prefer the storage of their employees' and users' data in specific data residencies.
When configuring SSO for one of your customers, you will create an Identity Connection. This identity connection allows you to control how their users will log in and how their data will be saved.
Identity Provider Configurationโ
On the advanced tab of the identity provider configuration screen, you'll be able to select which region user data for that connection should be persisted in.
Regional data persistence architectureโ
User-related data is composed of two pieces:
- Authress Secure Identity
- User Profile Data
The Authress Secure Identity is the data that Authress uses to securely identify the user, such as their userId, revelant session identifiers, as well as audit information. This information is replicated globaly in every Authress Primary Location to ensure that in the case of a data incident your users can still log in. This data does not include any Personal Identifiable Information (PII).
The User Profile Data is everything else including PII, their email address, profile picture, name, and so forth.
When a data residency other than global is selected the User Profile Data for users authenticating with this connection will be stored in a local encryption format in that region. This ensures that only access from that region can provide a transparent version of that data. This data is linked to the Authress Secure Identity use strong hashing and encryption when necessary. Normally, that data would be replicated to other regions, however with a restricted data residency that means that data only is persisted in that Local Data Residency.
Data Incident and Disaster Recoveryโ
In the case of a Data Incident in that region, the User Profile Data will be temporarily unaccessible until that user logs in. With a more restricted localization of data, the likelihood of data loss is higher. This is an important trade-off. When your users use Authress, they will always be able to log in irrespective of any data incidents that might be in progress, and Authress provides a five-9s SLA (99.999%) on the durability and reliability of authentication, but parts of their data might be unaccessible at that time.