Securing Your Data in Matillion's Data Productivity Cloud

As businesses increasingly rely on cloud technology for data operations, ensuring the security of data in transit is more important than ever. Matillion's Data Productivity Cloud (DPC) offers robust services for extracting, loading, and transforming data, and securing these processes is crucial. This guide will show you how to protect your data using cloud security best practices during deployment and processing.

What is Matillion's Data Productivity Cloud?

Matillion DPC consists of two primary components:

  • Control Plane (Matillion Designer): This is the interface where you design and control your ETL jobs, acting as the command center for managing data workflows.
  • Data Plane (Designer Agent): This component executes your data processing tasks. It utilizes Docker technology to enhance efficiency and scalability.

Data Productivity Cloud Architecture

Options for Deploying DPC Agents

Matillion’s DPC, allows the flexibility to choose between two deployment options for your DPC agents, each catering to different security and control needs:

  • Matillion Hosted Agents: These agents are fully managed by Matillion DPC, offering a straightforward, maintenance-free solution ideal for businesses looking to minimize administrative overhead. While these hosted agents provide a secure environment and infrastructure, the data they integrate with is transferred over the internet, albeit encrypted when supported. This setup is suitable for many scenarios but may conflict with organizational requirements for data sovereignty or industry-specific data governance restrictions.
  • Customer-Hosted Agents: If your needs include stringent security controls and the ability to access resources within a private network, customer-hosted agents are the optimal choice. By managing agents yourself, you can tightly control their configuration, security, and the data they access. This option is particularly beneficial for enterprises that require access to private resources, such as internal databases and applications not exposed to the public internet.

Data & Control Plan Options

Security Best Practices for Customer-Hosted Agents in Matillion DPC

To ensure the highest level of security for your customer-hosted agents in Matillion DPC, consider implementing the following best practices:

Secure Networking for Agents

Goal: The primary goal is to protect your data and operations from unauthorized external access and control outbound traffic to prevent sensitive data from leaving your network without proper authorization.

Benefits: Secure networks and managed outbound traffic help prevent cyber threats and attacks. They ensure secure communication, maintain compliance with data protection regulations, and enforce internal security policies.


  • Deploy agents in a private subnet: Make your agents inaccessible from the internet by deploying them in private subnets within your cloud network. They will need a NAT gateway to connect to the internet – essential for keeping the Control and Data planes connected.
  • Use Routing Tables, ACLs, and Security Groups: Configure these with minimal required ingress and egress rules to restrict access. Agents need outbound access to the control plane and source systems, but no open inbound connections.
  • Control Outbound Traffic: Use network security groups and ACLs to enforce outbound traffic policies by defining rules that specify allowable destinations, protocols, and ports. Implement egress filtering and deep packet inspection to examine outbound traffic for any signs of malicious activity or data breach attempts.
  • Implement Additional Firewalls: Define and enforce security policies that restrict access via additional firewall servers and services as appropriate, maintaining the integrity and confidentiality of your operations.
  • Employ Logging and Continuous Monitoring: Detect and respond to unauthorized attempts to access external networks through comprehensive logging and monitoring.
Encrypting Data in Matillion DPC

Goal: Protect sensitive data from unauthorized access during transit and while stored, ensuring compliance with data protection regulations.


  • Ensures data is unreadable by unauthorized parties.
  • Helps meet compliance requirements for data security.
  • Reduces the risk of data breaches and data theft.


In Transit:

  • Use TLS for all data transmissions to ensure secure and encrypted data flows.
  • Establish VPN tunnels for added security in sensitive or highly regulated data transfers.

At Rest:

  • Enable default encryption on all storage solutions.
  • Use AES-256 for strong, resilient data protection.

Key Management:

  • Utilize managed services like AWS KMS or Azure Key Vault for key management.
  • Regularly rotate keys and restrict key access to authorized personnel only.


  • Implement access logging and conduct regular security audits to maintain and improve encryption practices.
Managing Secrets in Matillion DPC

Matillion DPC agents are specifically engineered to ensure secure data interactions without storing sensitive information such as passwords, SSH keys, or other credentials internally. Instead, they utilize a method to access secrets that are securely managed and stored in your cloud platform's dedicated secrets manager. This approach minimizes the risk of exposure and enhances overall security.

By leveraging cloud-native secrets managers, Matillion DPC agents maintain a high level of security by accessing only encrypted and managed secrets when needed. This method effectively reduces the attack surface by not storing sensitive data on the agents themselves.

Recommendations: Implement secrets managers such as AWS Secrets Manager, Azure Key Vault, or Google Cloud's Secret Manager to handle credentials and other sensitive data. Configure these managers to automatically rotate secrets to further reduce potential vulnerabilities. Ensure that access policies and permissions are strictly controlled to allow only authorized agents and services to retrieve these secrets.

Regular Updates

Your agents are automatically kept up to date with the latest security patches and software updates, to protect against new vulnerabilities and enhance functionalityPlease take a look at this comprehensive guidance on Matillion DPC agent version tracks


Ensuring cloud data security is crucial. Matillion provides robust security for MHA's hosted within its cloud infrastructure, establishing a strong foundation for data management. However, by adopting customer-hosted agents and additional security practices, you can further enhance data protection within Matillion DPC. Remember to always stay vigilant and proactive in safeguarding your valuable data, and consider all available options to ensure your data is sufficiently secured.

James Kosterman
James Kosterman

DevOps Sales Solutions Consultant