Executive Summary
Scispot Agent follows established industry patterns as a leading lab middleware solution. The agent runs as a background service on customer-controlled infrastructure with outbound-only connectivity to Scispot cloud and, optionally, to customer-owned AWS S3, requiring no unsolicited inbound internet access.
1. Network Architecture & Firewall Controls
Outbound-Only Connectivity Model
Scispot Agent operates on a zero-inbound-access architecture, consistent with modern lab middleware security practices:
• Required outbound connections:
- Scispot cloud endpoints (HTTPS/443)
- AWS S3 endpoints (HTTPS/443) — only if custom S3 upload is enabled
• No inbound internet access required — The agent initiates all connections; no ports need to be exposed to the internet.
• Optional internal-only services (not internet-exposed):
- Local FTP server (default port 2121) for instrument file transfer
- Local ASTM protocol server (configurable port) for clinical analyzer connectivity
- Both services should be restricted to instrument VLAN/subnet only
Recommended Firewall Configuration
Egress rules (outbound from agent host):
- ALLOW: Agent host → Scispot cloud endpoints (*.scispot.io) : TCP/443
- ALLOW: Agent host → AWS S3 endpoints : TCP/443 [only if custom S3 upload is enabled]
- DENY: All other outbound traffic from agent host [optional, for high-security environments]
Ingress rules (inbound to agent host):
- ALLOW: Instrument IPs (specific subnet/VLAN) → Agent host : TCP/2121 (FTP, if enabled), TCP/<ASTM port> (ASTM, if enabled)
- DENY: Internet → Agent host : ALL PORTS
- DENY: User workstation subnets → Agent host : TCP/2121, TCP/<ASTM port> [recommended]
Network segmentation best practices:
• Place agent host in a dedicated instrument connectivity VLAN or DMZ-like segment
• Isolate from general user workstations and administrative networks
• Apply micro-segmentation to limit lateral movement in case of compromise
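The egress and ingress rules above expressed as a checkable policy, as an added example that is not Scispot's own code or tooling: the subnets, the ASTM port, the api.scispot.io hostname and the S3 flag are assumed placeholders to replace with your site's values.

```python
import ipaddress
from fnmatch import fnmatch

# Assumed site values (placeholders, not from Scispot documentation)
INSTRUMENT_SUBNET = ipaddress.ip_network("10.20.5.0/24")   # instrument VLAN holding the agent host
WORKSTATION_SUBNET = ipaddress.ip_network("10.50.0.0/16")  # general user workstations
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # anything outside these is "internet"
FTP_PORT, ASTM_PORT = 2121, 5100                           # FTP default; ASTM port is configurable
S3_ENABLED = False                                         # custom S3 upload feature
EGRESS_ALLOW = ["*.scispot.io"] + (["*.amazonaws.com"] if S3_ENABLED else [])

def egress_allowed(dst_host, dst_port, strict=True):
    """Outbound from the agent host: only the cloud endpoints on TCP/443.
    strict=True models the optional 'deny all other outbound' rule."""
    if dst_port == 443 and any(fnmatch(dst_host, pat) for pat in EGRESS_ALLOW):
        return True
    return not strict

def ingress_allowed(src_ip, dst_port):
    """Inbound to the agent host: denies first, then the single instrument allow."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in INTERNAL_NETWORKS):
        return False                      # DENY: Internet -> agent host, all ports
    if src in WORKSTATION_SUBNET and dst_port in (FTP_PORT, ASTM_PORT):
        return False                      # DENY: workstation subnets -> FTP/ASTM ports
    if src in INSTRUMENT_SUBNET and dst_port in (FTP_PORT, ASTM_PORT):
        return True                       # ALLOW: instrument VLAN -> FTP/ASTM
    return False                          # default deny: no other inbound service exists

def blocked_flows(flows):
    """Given (direction, peer, port) tuples from a planned rollout, return the ones
    the policy would block so they can be reviewed before the agent goes live."""
    out = []
    for direction, peer, port in flows:
        ok = egress_allowed(peer, port) if direction == "out" else ingress_allowed(peer, port)
        if not ok:
            out.append((direction, peer, port))
    return out
```

A wildcard such as *.scispot.io only works on an FQDN-aware firewall or egress proxy; on an IP-based firewall, resolve the specific endpoints the agent uses and re-check them when they change.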
2. Host Hardening & Access Control
Service-Level Security
The Scispot Agent runs as a Java-based background service:
• Monitoring mechanism: Uses Java WatchService API to detect ENTRY_CREATE and ENTRY_MODIFY events in configured directories with debounce logic
• Service isolation: Runs continuously in the background with no interactive UI requirements
• Process containment: Service should run under a dedicated, non-privileged OS account
Recommended Host-Level Controls
Security Control | Implementation
-----------------|-----------------
Service account | Create dedicated low-privilege account (e.g., 'scispot-agent') with read/write access only to monitored folders and agent installation directory
File system permissions | Restrict monitored folder to agent service account + instrument users only; block other users/groups
Configuration protection | Secure agent configuration files (containing API keys, AWS credentials) with permissions 600 (owner read/write only)
Java Runtime Environment | Install JRE 11 as required; keep updated with latest security patches
Operating system hardening | Apply CIS benchmarks or organizational baseline; disable unnecessary services; enable OS firewall
Anti-malware/EDR | Deploy endpoint protection with exceptions for agent executable/folders to prevent false positives
Patch management | Establish regular patching cadence for OS and Java runtime
Logging & monitoring | Enable OS-level process monitoring and file access auditing for agent activities
3. Authentication & Credential Management
API Key Security
• Scispot API key acts as the primary authentication credential for cloud communication
• Storage: Never store API keys in plaintext in code or configuration; use OS credential stores or secrets management where possible
• Rotation: Establish API key rotation policy (recommended: 90-day rotation)
• Monitoring: Track API key usage via Scispot Glue agent dashboard; revoke compromised keys immediately.
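A pre-flight audit covering the configuration-protection control in the table above (mode 600, owned by the service account) and the rule that API keys are never stored in plaintext, as an added example (not Scispot's code): it assumes a Java-style .properties file, a ${env:...} / ${secret:...} reference syntax for secret values, the placeholder account name scispot-agent, and POSIX file permissions.

```python
import os
import pwd
import re
import stat
import tempfile

SERVICE_ACCOUNT = "scispot-agent"  # dedicated low-privilege account (placeholder name)
# Keys whose values must be references to a secret store, never literal secrets
SECRET_KEY = re.compile(r"(api[._-]?key|secret|password|token)", re.I)
# Assumed indirection syntax, e.g. ${env:SCISPOT_API_KEY}; not Scispot's own format
SECRET_REF = re.compile(r"^\$\{(env|secret):[A-Za-z0-9_./-]+\}$")

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:          # uid without a passwd entry (common in containers)
        return str(uid)

def current_user():
    return owner_name(os.getuid())

def audit_config(path, service_account=SERVICE_ACCOUNT):
    """Return findings for a .properties-style config file; [] means it passes."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append(f"mode {oct(mode)} is not 0600")
    if owner_name(st.st_uid) != service_account:
        findings.append(f"owner {owner_name(st.st_uid)} is not {service_account}")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            if SECRET_KEY.search(key) and not SECRET_REF.match(value.strip()):
                findings.append(f"line {lineno}: {key.strip()} holds a plaintext secret")
    return findings

def write_sample_config(mode, api_key_value):
    """Write a constructed config (sample data only, no real credentials); return its path."""
    body = ("# constructed sample for the audit above\n"
            "watch.dir=/var/lib/scispot-agent/inbox\n"
            f"scispot.api.key={api_key_value}\n"
            "aws.secret.access.key=${secret:aws/agent-writer}\n")
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path
```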
4. Data Flow Security & Cloud Integration
Standard Data Flow (Default)
Instrument → Local folder → Agent (WatchService) → Outbound HTTPS → Scispot Cloud
• Files detected in monitored folder are uploaded via encrypted HTTPS (TLS 1.2+)
• Agent can be configured to automatically delete local files after successful upload (disabled by default to prevent data loss)
• Before enabling auto-deletion: Verify data retention in Scispot cloud or S3; implement backup strategy
Optional S3 Direct Upload Flow
Instrument → Local folder → Agent → Customer AWS S3 Bucket + Scispot Cloud (metadata/logs)
• Dual-upload pattern: Raw files to customer S3, metadata/events to Scispot cloud
• S3 bucket security:
- Enable S3 bucket encryption at rest (SSE-S3 or SSE-KMS)
- Enable S3 versioning for data recovery
- Apply bucket policies to restrict access to authorized IAM roles only
- Enable S3 access logging for audit trail
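A bucket policy implementing the "authorized IAM roles only" rule above, as an added example (not Scispot's or AWS's code); the bucket name and role ARNs are placeholders. Default encryption, versioning and access logging are bucket settings applied separately and are not policy statements.

```python
def agent_bucket_policy(bucket, agent_role_arn, admin_role_arns):
    """Policy for the customer bucket that receives raw instrument files: the agent
    role may only upload, every other principal is denied except the named admin
    roles (keep at least one, or you lock yourselves out), and plain HTTP is refused."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    trusted = [agent_role_arn, *admin_role_arns]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # least privilege for the agent: write objects, no read/delete/list
                "Sid": "AgentWriteOnly",
                "Effect": "Allow",
                "Principal": {"AWS": agent_role_arn},
                "Action": ["s3:PutObject"],
                "Resource": objects_arn,
            },
            {   # explicit deny for any principal that is not the agent or an admin role
                "Sid": "DenyUntrustedPrincipals",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": trusted}},
            },
            {   # encryption in transit: refuse any request not made over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }

def allowed_principals(policy):
    """Principal ARNs granted anything by Allow statements; review before applying."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            aws = stmt["Principal"].get("AWS", [])
            out.update([aws] if isinstance(aws, str) else aws)
    return out
```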
5. Monitoring, Logging & Incident Response
Agent Health Monitoring
Scispot provides a centralized agent dashboard in Glue to monitor agent status:
• Real-time connectivity status
• Last-seen timestamp
• File upload success/failure rates
• Remote agent configuration updates
Your security team should:
• Integrate agent status into SIEM or monitoring platform via API (if available)
• Set up alerts for agent disconnection >15 minutes
• Monitor for unusual upload volumes or file patterns
Logging Strategy
Agent-side logging:
• Enable verbose agent logging (if available in configuration)
• Rotate logs regularly to prevent disk exhaustion
• Forward logs to centralized log management (Splunk, ELK, etc.)
Cloud-side logging:
• Review Scispot cloud audit logs for agent API activity
• If using S3: Enable CloudTrail data events and S3 access logs
• Retain logs per organizational policy (typically 1-3 years for regulated environments)
Key events to monitor:
• Agent authentication failures or API key rejections
• Unusual outbound connection attempts
• File upload failures or repeated retries
• FTP/ASTM server authentication failures
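The key events above and the 15-minute disconnection threshold turned into detection rules run over constructed agent log lines, as an added example (not Scispot's code); the log layout and message wording are assumed and must be adapted to the real agent log.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log layout "<ISO-8601 UTC timestamp> <LEVEL> <message>"; adapt to the real agent log
LINE = re.compile(r"^(\S+) (\w+) (.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
DISCONNECT_LIMIT = timedelta(minutes=15)   # alert threshold from the monitoring guidance
RETRY_LIMIT = 3                            # "repeated retries" for a single file

SAMPLE_LOG = """\
2024-05-01T08:00:00Z INFO heartbeat ok
2024-05-01T08:00:05Z INFO upload ok file=run42.csv
2024-05-01T08:01:00Z WARN upload retry file=run43.csv attempt=1
2024-05-01T08:01:30Z WARN upload retry file=run43.csv attempt=2
2024-05-01T08:02:00Z WARN upload retry file=run43.csv attempt=3
2024-05-01T08:02:10Z ERROR api auth failed status=401
2024-05-01T08:03:00Z WARN ftp login failed user=instr01 src=10.50.1.9
2024-05-01T08:04:00Z INFO heartbeat ok
"""  # constructed sample lines, not real agent output

def parse(text):
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FORMAT), m.group(2), m.group(3)

def detect(text, now):
    """Return (rule, detail) alerts for the log text, evaluated as of 'now'."""
    alerts, retries, last_heartbeat = [], Counter(), None
    for ts, _level, msg in parse(text):
        if msg.startswith("heartbeat ok"):
            last_heartbeat = ts
        elif "auth failed" in msg or "status=401" in msg:
            alerts.append(("api_auth_failure", msg))            # key rejected by the cloud
        elif "ftp login failed" in msg or "astm auth failed" in msg:
            alerts.append(("local_service_auth_failure", msg))  # FTP/ASTM server side
        elif "upload retry" in msg:
            name = re.search(r"file=(\S+)", msg).group(1)
            retries[name] += 1
            if retries[name] == RETRY_LIMIT:                     # fire once per file
                alerts.append(("repeated_upload_retry", name))
    if last_heartbeat is None or now - last_heartbeat > DISCONNECT_LIMIT:
        alerts.append(("agent_disconnected", str(last_heartbeat)))
    return alerts

def run_sample(now_iso):
    """Run the rules over SAMPLE_LOG as of the given ISO timestamp."""
    return detect(SAMPLE_LOG, datetime.strptime(now_iso, TS_FORMAT))
```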
6. Regulatory & Compliance Considerations
Validation & Change Control
Following FDA 21 CFR Part 11, EU Annex 11, and ISO 17025 practices:
• Installation Qualification (IQ): Document agent installation, configuration, and network setup
• Operational Qualification (OQ): Test file upload, FTP/ASTM connectivity, S3 integration
• Performance Qualification (PQ): Verify end-to-end data flow with representative instrument files
• Change control: Scispot agents support remote updates via Glue; establish change control process for agent version upgrades; test in non-production environment first
Audit Trail
• Scispot cloud maintains audit logs of agent activity (uploads, configuration changes)
7. Security Review Checklist for IT/Security Teams
Before deploying Scispot Agent, your security team should:
☐ Validate network architecture: Confirm outbound-only connectivity; document firewall rules
☐ Review credential management: Approve API key and AWS IAM credential storage/rotation policies
☐ Define network segmentation: Place agent in instrument VLAN; restrict lateral movement
☐ Establish logging & monitoring: Configure SIEM integration and alert thresholds
☐ Create incident response plan: Document procedures for API key compromise and host breach
☐ Validate change control: Test agent update process in non-production environment
☐ Document system validation: Complete IQ/OQ/PQ for regulated environments