Architecture overview

The architecture of SCIEX Cloud follows the microservices pattern, in which the system is built of small, independently deployable modular services with each service running in its own segregated unique environment. This allows for better modularity, continuous delivery, scalability and an evolutionary design of the system.

Reactive design principles are applied to help ensure the system is:

• Responsive
• Resilient
• Elastic
• Message-driven

The web UI is built as a single-page application (SPA) to provide a responsive and fluid user experience.

Long-running jobs are scheduled through a message queue that provides load balancing and high reliability while auto-scaling services provision compute capacity as required based on the load.

Infrastructure provisioning and software deployment are done through automated scripts to ensure security, stability, fault tolerance and business continuity.

Data center security

SCIEX Cloud runs on Amazon Web Services (AWS) within the supported AWS regions. Please visit the Amazon website for additional information on AWS security.

Instrument data and results files are stored in encrypted format on AWS S3 in a separate data center located in the US with SOC 1 and 2 compliance and ISO 27001 registration. For additional information and a security overview, please submit a request to SCIEX technical support.

Network / perimeter security

AWS security features and best practices are utilized to control access to the instances within the infrastructure of SCIEX Cloud. Perimeter firewalls, IP address restrictions for non-public services and secure bastion access for maintenance all combine to provide a secure environment.

Segregation is provided via AWS virtual private clouds. Authentication services are provided by industry-standard platforms and secured using comprehensive best practices.

External network traffic is encrypted via Transport Layer Security (TLS) 1.3 and must pass through the infrastructure firewall before reaching SCIEX Cloud.

Secret management is managed with a secure store, and access keys are rotated on a best practices basis.

User authentication

Users authenticate within the application with a valid username and password, which are encrypted in transit via TLS. Users are required to select strong passwords. All passwords that are stored are hashed using the latest algorithms.

Individual data folders within SCIEX Cloud can be shared with other SCIEX Cloud users by invite-only mode. Access is limited to that single folder for that specified sharing account and all security controls are maintained.

Data encryption

All external communication in transit via the application is encrypted with TLS. Customer data is encrypted at rest using the standard 256- bit Advanced Encryption Standard (AES).

All servers are hosted on the world-class Amazon infrastructure, which offers over 99.99% uptime. All customer data storage is hosted on AWS S3, where AWS offers 99.9% uptime as well as 99.999999999% durability guarantees.

Monitoring

AWS platform and server logs are monitored via Amazon CloudWatch and a commercial third-party service. Administrators are alerted when there are modifications to the AWS Identity and Access Management (IAM) resources, when thresholds are exceeded (e.g., failed access attempts, excessive connection attempts, etc.) and when there are other platform-related events.

Vulnerability scanning

OneOmics suite on SCIEX Cloud performs periodic third-party penetration tests and vulnerability scans. Our comprehensive quality management system requires immediate mitigation of all threats that are medium level or higher, while low-level threats are added to our development plan for near-future mitigation.

Data storage

OneOmics suite supports the use of SCIEX Cloud and Illumina BaseSpace as storage solutions. For the security features of BaseSpace, please refer to the whitepaper on the Illumina website.

SCIEX and affiliates are not responsible for unauthorized access to your account.