Analytics Service — Security Model
Status: populated
Owner: Platform Engineering + Security
Last updated: 2026-04-18
Companion: 13 Security
1. Authentication
No public-facing API. All callers are internal cluster services.
- Service mesh mTLS enforced on port 3030 (Istio/Linkerd PeerAuthentication: STRICT). AuthorizationPolicy permits ingress only from the admin-dashboard and customer-portal namespaces.
- No Kong route → no JWT validation required.
2. Authorization
| Endpoint | Permitted callers |
|---|---|
| /v1/internal/analytics/summary | admin-dashboard |
| /v1/internal/analytics/operators/:id/performance | admin-dashboard |
| /v1/internal/analytics/accounts/:id/usage | customer-portal, admin-dashboard |
| /v1/internal/analytics/throughput | admin-dashboard |
| /v1/internal/analytics/delivery-breakdown | admin-dashboard |
Account-scoped endpoint: /analytics/accounts/:id/usage — the service validates that the accountId in the path matches the X-Account-Id header (set by customer-portal from the authenticated session). admin-dashboard can query any account.
3. Data Sensitivity
| Data class | Present in analytics? | Notes |
|---|---|---|
| MSISDN (destination phone) | No | Never stored; DLR events carry messageId, not to |
| Message body | No | Not included in billing or DLR events |
| Cost / billing amounts | Yes | Aggregated only; individual transaction not exposed |
| Account identity | Yes | accountId in per-account queries |
| Operator identity | Yes | operatorId in per-operator queries |
No PII in any analytics table. A GDPR erasure request has no effect on analytics tables (no personal data is stored).
4. Encryption
| Class | Mechanism |
|---|---|
| In-flight | mTLS (service mesh) |
| At rest (PG) | Transparent disk encryption |
| Secrets | Vault-injected env vars at pod start |
5. Threat Model
| Threat | Control |
|---|---|
| Unauthorized account data access | accountId scope validated in GetAccountUsageUseCase; caller cannot query another account |
| Data inflation via event replay | processed_events dedup table prevents double-counting |
| Backfill abuse (replay old events to inflate metrics) | Only ops team can seek durable consumer; requires cluster access |
| PG injection via date params | Parameterized queries (Prisma); date params strictly parsed as ISO 8601 |
| ClickHouse exfiltration | ClickHouse not network-accessible from outside cluster; accessed only by anlyt-etl job |