The Secure Data Connector (SDC) is a mechanism whose aim is to allow Google Apps services to access enterprise data that lies behind a firewall, in a controlled way. "Controlled" here means that only users duly authorized to access this data will be able to benefit from the SDC. The SDC is an application that runs on a server in the company IS.
There are three Google Apps services that can take advantage of the SDC. We will briefly indicate for each of them how an invocation of the SDC is performed:
The five steps of a call to the SDC services are shown in the following figure. The following list describes the role of each system:
- One of the three Google Apps services mentioned previously sends a request to the tunnel servers that are in charge of encrypting the data.
- One of the tunnel servers checks that the user has been granted the right to access the requested resource. Filters can be set up at this stage to limit access to the IS through the SDC, depending on which Google Apps service or application is making the request. The tunnel servers are permanently connected to the SDC using an encrypted channel. The SDC is a process that runs on a server within the company's IS. Usually, this server lies behind a firewall and this is the reason why an encrypted tunnel is necessary.
- The tunnel protocol allows the SDC to be permanently connected to the tunnel servers, to authenticate the incoming data and, in turn, to encode the data returning from the enterprise IS.
- The SDC uses resource rules to validate that a user has the appropriate rights to request a particular resource.
- The SDC sends a request to the service, which answers. The SDC then encodes this response and sends it back through the encrypted tunnel to the Google Apps that made the request in the first place.
The Secure Data Connector makes enterprise data, lying behind an enterprise firewall, accessible to Google Apps
To summarize, the SDC has three roles: it decodes the encrypted data from the tunnel servers that encoded the data from the Google Apps, it routes the requests to the appropriate service, and eventually, sends back the resource in encoded form.
Th
e SDC must be enabled in the Google Apps console as shown in the following screenshot. The username for accessing the SDC is the following fixed string secure-data-connector-user. The password, on the other hand, has to be specified by the administrator. This username and the password should both be entered in the localCondiguration.xml file of the SDC.
Activation of the SDC and entering the password in the console
Configuration of the SDC uses two XML files.
The first, named localConfiguration.xml, contains all parameters that are needed to establish communication with the Google Apps from a specific domain. The most important parameters are the following:
- The domain name where the SDC will be installed
- The username (a fixed string, see above) and the password such as defined in the Google Apps console
An agent ID, agentId, which will be referred to in the configuration file that specifies the access rules.
The second one, named resourceRules.xml, defines which users are authorized to access local resources. More precisely, this file lists rules. A number is associated to each rule which specifies its priority level.
Among the important parameters for each rule, you'll find:
- A reference to the agent through the
agentIdparameter in thelocalConfiguration.xmlthat we mentioned above - A URL that localizes the resource we want to make accessible within the IS
- Another URL that should be used in the Google Apps domain to access the resource identified by the first URL
- A number that specifies the priority of the rule
- A list of the email addresses of the users allowed accessing the resource