As you plan your PingDataGovernance deployment, review the components to install as well as the potential deployment methods, architectures, and environments.
Seeing PingDataGovernance in action
To quickly see PingDataGovernance in action, see Getting started with PingDataGovernance (tutorials).
Components
- Policy Administration GUI
- Powered by Symphonic®, the PingDataGovernance Policy Administration GUI gives policy administrators the ability to develop and test data-access policies.
- PingDataGovernance Server
- Enforces policies to control fine-grained access to data. REST APIs access data through PingDataGovernance Server, which applies the data-access policies to allow, block, filter, or modify data resources and data attributes.
Deployment methods
To deploy PingDataGovernance, your options include the following methods.
Deployment method | Recommended for |
---|---|
Docker | Server administrators familiar with Docker and want to use orchestration to manage their environments. |
Manual | Server administrators familiar with their operating systems and want to tweak and maintain their environments themselves |
Deployment architectures
PingDataGovernance Server supports the following options of deployment architectures for enforcing fine-grained access to data:
- System for Cross-domain Identity Management (SCIM) API to datastores
- API Security Gateway as reverse proxy
- API Security Gateway in Sideband configuration
The following sections describe these deployment architectures in more detail.
SCIM API to datastores
API Security Gateway as reverse proxy
PingDataGovernance Server's API security gateway can be deployed as a reverse proxy to an existing JSON-based REST API. In this configuration, PingDataGovernance Server acts as an intermediary between clients and existing API services. The policy is enforced by the API security gateway.
API Security Gateway in Sideband configuration
PingDataGovernance Server's API security gateway can be deployed as an extension to an existing API Lifecycle Management Gateway, which is commonly known as a sideband configuration. In this configuration, the API Lifecycle Management Gateway functions as the intermediary between clients and existing API services. However, API request and response data still flows through PingDataGovernance Server to enforce policy.
Deployment environments
- Development environment
- PingDataGovernance Server and the Policy Administration GUI are used together during the development of policies.
- Other pre-production and production environments
- After policies are developed, they are tested in other pre-production environments and eventually put into production.
The following sections describe these deployment environments in more detail.
Development environment
To allow teams to test data-access policies during their development, PingDataGovernance Server is configured to obtain policy decisions from the Policy Administration GUI. The development environment supports all deployment architectures. In this configuration, the Policy Decision Service is set to External mode.
The following image shows PingDataGovernance Server configured in the Reverse Proxy architecture.
As test API requests are proxied through PingDataGovernance Server's API security gateway, policy decisions are obtained from the Policy Administration GUI and are enforced by the API security gateway.
Other pre-production and production environments
The Policy Administration GUI is not a part of so-called "higher" environments. Instead, the policy is exported from the Policy Administration GUI and is imported into PingDataGovernance Server.
In the following configuration, the Policy Decision Service is set to Embedded mode.