K2 Cloud Secure Data Access (SDA) enables you to access your traditional, on-premises line-of-business systems from K2 Cloud applications without the need to open access within the firewall, place systems outside the firewall, or create VPN connections. Connections to your K2 Cloud tenancy originate from a network appliance deployed within your private network and are secured by an SSL-based, encrypted and exclusive connection between your on-premises environment and your tenancy.
Traditional approaches to connecting on-premises and cloud platforms require complex VPN structures, expensive dedicated circuits, or solutions that require publicly exposing certain network communication ports. These solutions create larger surface areas for data leakage and security breaches in your organization.
K2 SDA utilizes a patented, reverse-access technology that does not require a VPN, DMZ, publicly-accessible ports or other network infrastructure changes in your on-premises environment.
K2 SDA provides integration with the following on-premises line-of-business systems compatible with K2 Cloud. For the latest compatibility information, see Product Compatibility, Integration and Support.
You connect your on-premises systems to your K2 Cloud tenancy using a web-based administration portal that is part of the SDA Access Controller (the “controller”). This provides the ability to expose line-of-business systems, configure the ports that traffic flows through, and more.
K2 SDA is deployed as a matched pair of nodes: a Controller node, and a Gateway node. You deploy the Controller node in your on-premises environment as a virtual machine hosting the SDA administration site, while the Gateway node is deployed by K2 Operations in your K2 Cloud tenant environment.
Once you pair the nodes, an encrypted and exclusive tunnel is used between the nodes that allow traffic to flow from on-premises systems into your K2 Cloud tenant. The SDA Controller ensures that requests to on-premises systems can only be received and fulfilled by the SDA appliance if that request originated from within the paired node in your K2 Cloud tenant.
Gateway (K2 Cloud environment node)
Located in the organization’s K2 Cloud tenant, the role of the gateway SDA node is to act as a front-end to all applications and users within K2 Cloud. It operates without the need to open any ports in your firewall and ensures that only legitimate session data can pass through into your internal network.
This component runs as a windows service on a K2 Cloud environment. It accepts inbound tcp connections from K2 and queues the requests for access to on-premises LOB systems.
Controller (On-Premises node)
The role of the controller SDA node is to:
If the session is legitimate, the data request is passed to the destination application server for processing and then returns to the K2 Cloud tenant.
The SDA Access Controller establishes a persistent outbound tcp connection with the SDA Gateway and pulls the queued requests for access to on-premises LOB systems down, eliminating the need to open incoming ports on the private network firewall. The SDA Access Controller node then brokers the connection to the on premises LOB system and pushes the response back out to the SDA Gateway, then ultimately to the K2 server and end user.
The controller is platform-agnostic and supports Windows Server and Linux distributions, and you can deploy it on your network using a virtual server infrastructure.
The diagram below illustrates how communication is initiated and flows in an SDA implementation. In this example, we are using SQL Server as the on-premises LOB system.
K2 SDA isolates applications and APIs from external attackers, effectively making internal data invisible on the internet while providing the ability to build K2 Cloud apps to integrate with your on-premises line-of-business systems. To protect your on-premises environment, K2 Cloud SDA provides the following layers of security protection:
For more information about K2 SDA, see Overview, Installation, and Configuration of K2 Cloud Secure Data Access