Credential propagation solution for enterprise customers in regulated industries
Domino | 2024-11-27 | 4 min read
Organizations in regulated industries face strict compliance standards around data security and user impersonation. For data science teams within these enterprises, it is essential to build, iterate, and share ML applications that access sensitive data while ensuring only authorized users can query and view it. This balance of security and usability is crucial to meet regulatory requirements.
The challenge lies in making sure that data accessed through these ML applications reflects the credentials of individual users consuming the app. Below, we explore the problem, Domino’s innovative solution, and how it helps enterprises stay compliant and secure.
The problem: Preventing user impersonation in shared app environments
In most enterprises, data scientists build and share applications that query data from sources like AWS S3 or other databases, passing the results into models for further analysis. However, the existing model in Domino allowed only the credentials of the app launcher to be used for data access, even when other users interacted with the app.
This creates a major security risk. Using the app's embedded credentials for all access leads to user impersonation, which violates compliance policies under regulators and regulations such as the SEC, GDPR, and HIPAA. As organizations transition to more modern identity management systems (such as Okta and Okera), they need a better solution to ensure individual accountability for data access.
Domino’s solution: Propagating user credentials into apps
Domino offers a secure credential propagation solution that embeds the active user’s credentials into the app environment through HTTP headers. This ensures that data access is authorized based on the identity of the individual user interacting with the app, not the developer or the person who launched it.
How the solution works
- Credential propagation via HTTP headers:
  - When a user opens an app, Domino injects the user’s temporary Domino credentials into the HTTP headers of the app environment.
  - The app developer can now build experiences by retrieving these credentials and using them either to perform secure queries to S3 or other resources, or to reject access to the application.
- Temporary, non-renewable tokens:
  - Domino passes only temporary credentials that are not renewable. If a token expires, the app must notify the user, who will need to re-authenticate in Domino to refresh the credentials.
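One way an app could handle the propagated credential on each request, shown as an added example that is not Domino's own code. The header name `X-User-Token`, the HS256-signed token with `sub` and `exp` claims, and the demo key are assumptions made for illustration; the page does not specify the header or the token format.

```python
import base64, hashlib, hmac, json, time

TOKEN_HEADER = "X-User-Token"        # hypothetical header name, not from the page
DEMO_KEY = b"constructed-demo-key"   # constructed; stands in for the platform's verification key

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(sub, exp, key=DEMO_KEY):
    """Build a constructed HS256 token so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authorize_request(headers, now=None, key=DEMO_KEY):
    """Decide one request from its own headers: returns (status, user, message).

    The credential is read per request and there is no fallback to the
    app launcher's credentials, so a missing or bad token means rejection.
    """
    now = time.time() if now is None else now
    token = {k.lower(): v for k, v in headers.items()}.get(TOKEN_HEADER.lower())
    if not token:
        return 401, None, "no propagated credential; access rejected"
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64d(body))
        sub, exp = claims["sub"], float(claims["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return 401, None, "invalid credential; access rejected"
    if exp <= now:
        # Temporary and non-renewable: the app cannot refresh, it can only notify.
        return 401, None, "credential expired; re-authenticate in Domino"
    return 200, sub, "query runs as the requesting user"
```

The returned user is what a downstream S3 or database query would run as, so audit records point at the person who used the app rather than the person who launched it.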
Why this matters: Security and compliance in regulated industries
This solution aligns with regulatory requirements by preventing unauthorized data access and tracing queries back to the correct individual user. It ensures that enterprise customers in industries such as finance and life sciences can meet the demands of compliance frameworks like SEC, GDPR, HIPAA, and SOX.
As enterprises adopt modern identity management systems such as Okta-Okera, Domino’s credential propagation solution provides a seamless, future-proof integration that meets both security and usability requirements.
Takeaway: Secure credential management for enterprise apps
With Domino’s credential propagation framework, enterprise customers can confidently share apps that access sensitive data without compromising on security or compliance. By ensuring that each user’s temporary credentials are passed to the app, organizations can avoid user impersonation risks while maintaining accountability and traceability.
Domino’s solution provides a scalable, compliant approach that empowers developers to manage access effectively and gives users transparency and control over their credentials. For enterprises operating in regulated industries, this approach ensures they can innovate with confidence, knowing their compliance and security policies are enforced at every step. Contact the Domino team to learn more about this topic, or check out the documentation page for additional details.