# Security overview

> Security white paper for the deployment of Unity Asset Manager in a private cloud

## Executive summary

The deployment of Unity Asset Manager in a private cloud gives enterprises a comprehensive platform for managing their digital assets. This solution meets strict requirements in terms of security, data sovereignty, and intellectual property (IP).

Unlike the public SaaS offering, this solution is deployed entirely within a private cloud that you own, on Amazon Web Services (AWS) or Microsoft Azure.

You retain exclusive control over your security posture while using all Unity tools to manage, transform, and collaborate on assets. The platform runs on Kubernetes for orchestration. Unity can't access your data or infrastructure.

## Deployment models

To meet diverse enterprise needs, Asset Manager supports the Unity Virtual Private Cloud deployment configuration. You deploy this solution within the dedicated cloud tenant of your choice, on either of these managed Kubernetes services:

* Azure Kubernetes Service (AKS)
* Amazon Elastic Kubernetes Service (Amazon EKS)

This model benefits from cloud scalability through the autoscaling of nodes and GPUs while keeping data within the customer's private cloud or virtual network (VNet).

## Shared-responsibility model

Unity and the customer share responsibilities for security, with clear lines of demarcation.

### Unity responsibilities: application security

Unity is responsible for the security of applications, including these areas:

* Delivering secure application blueprints and Helm charts
* Hardening container images, including minimal base images and non-root operation
* Ensuring the security of the software supply chain, including SBOMs, image signing, and vulnerability scanning
* Providing patches and updates for application services

### Customer and partner responsibilities: infrastructure security

The customer and their partners are responsible for the security of the underlying infrastructure, including these areas:

* Host infrastructure: managing the physical security, the host OS, and the Kubernetes cluster configuration (EKS/AKS)
* Network: configuring firewalls, peering between Virtual Private Cloud and the VNet, and network policies
* Identity: managing the enterprise Identity Provider (IdP) and user credentials
* Data recovery: defining backup and disaster recovery policies

## Identity and access management (IAM)

To support fully isolated environments, Asset Manager replaces Unity's public identity system (Unity ID) with a self-contained, local identity subsystem that is deployed directly in your cluster.

### Single sign-on

Asset Manager supports single sign-on (SSO) through these features:

* Decoupled authentication: the solution includes a dedicated instance of Keycloak to handle identity federation and token management locally. The solution doesn't connect to Unity's public authentication servers.
* Enterprise federation (SSO): supports integration with your existing enterprise IdP – such as Microsoft Entra ID, Okta, or Active Directory – via OpenID Connect (OIDC) or SAML 2.0.
* No local storage of passwords: if you use SSO, only your enterprise IdP manages your user credentials. Asset Manager never stores or accesses passwords.

### Granular role-based access control

Authorization is enforced by Mini-USF, a custom Unity component that sits alongside Keycloak and enforces strict access control without external dependencies.

Granular role-based access control (RBAC) is implemented with these features:

* Role hierarchy: permissions are applied at the organization level and at the project level.
* Defined roles:
  * Owner: this role has full administrative control, including user management.
  * Other roles: admin, contributor, consumer, viewer. These granular roles dictate who can read, write, or download assets.
* Service accounts: automated processes use secure service accounts to interact with the system, so that pipelines and bots are authenticated without human credentials. Service accounts are authenticated via API keys managed locally.

## Infrastructure and network security

### Container security

We use these best practices for container security:

* Hardened base images: where possible, we use minimal, hardened base images, such as Distroless or Alpine Linux, to drastically reduce the attack surface. Non-essential tools, such as shells and package managers, are removed to prevent living-off-the-land (LOTL) attacks.
* Non-root operation: all microservices run as non-root users with a user identifier (UID) higher than 1000, enforced through Kubernetes security contexts, to prevent container escape and privilege escalation.
* Immutable infrastructure: containers are replaced rather than patched live.
* Image signing: Docker images are cryptographically signed. This process ensures that the code that runs in your cluster is exactly what Unity published, which mitigates supply chain attacks.
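The non-root and immutable-container rules above, expressed as a Kubernetes Deployment. This is an added example, not a manifest from the Asset Manager Helm chart; the namespace, image reference and port are assumptions for illustration.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: assets-api
  namespace: asset-manager          # assumed namespace
spec:
  replicas: 2
  selector:
    matchLabels:
      app: assets-api
  template:
    metadata:
      labels:
        app: assets-api
    spec:
      automountServiceAccountToken: false   # no API token unless the service needs one
      securityContext:                      # pod-level defaults for every container
        runAsNonRoot: true                  # kubelet refuses to start the pod as UID 0
        runAsUser: 10001                    # above 1000, as the hardening rule requires
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault              # runtime's default syscall filter
      containers:
        - name: api
          image: registry.example.com/asset-manager/assets-api:1.0.0   # assumed signed image
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false # blocks setuid binaries from gaining privileges
            readOnlyRootFilesystem: true    # nothing is patched in place inside the container
            capabilities:
              drop: ["ALL"]                 # no Linux capabilities at all
          volumeMounts:
            - name: tmp
              mountPath: /tmp               # the only writable path
      volumes:
        - name: tmp
          emptyDir: {}
```

To enforce these rules cluster-wide rather than per manifest, label the namespace with `pod-security.kubernetes.io/enforce=restricted`; the Pod Security Admission controller then rejects any pod that runs as root, allows privilege escalation, or requests capabilities.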

### Network isolation

The solution ensures complete network isolation with these features:

* Zero-trust architecture: the deployment supports network policies that allow only the necessary east-west traffic between microservices. For example, only the API gateway can communicate with the database. The default policy is `Deny All`.
* API gateway (Traefik): Traefik manages all ingress traffic with strict TLS termination and ForwardAuth middleware. This configuration ensures that every request is authenticated and authorized before reaching any upstream service.
* Private network: you deploy the solution in a private, corporate network. You don't need to expose the solution to the public internet.
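The default-deny policy, the single gateway-to-database allow rule, and a Traefik ForwardAuth middleware in front of an upstream service, written out as Kubernetes manifests. This is an added example rather than the solution's own chart; pod labels, the database port, the authentication endpoint and the upstream service name are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}                 # empty selector: applies to every pod in the namespace
  policyTypes: [Ingress, Egress]  # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-to-database
spec:
  podSelector:
    matchLabels:
      app: database               # assumed label on the database pods
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api-gateway    # assumed label on the Traefik pods
      ports:
        - protocol: TCP
          port: 5432              # assumed database port
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
spec:
  forwardAuth:
    # assumed endpoint: the request is proxied upstream only if this returns 2xx
    address: http://auth-service.asset-manager.svc:8080/verify
    authResponseHeaders: [X-Forwarded-User]
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: assets-api
spec:
  entryPoints: [websecure]        # TLS-terminating entry point
  routes:
    - match: PathPrefix(`/api/assets`)
      kind: Rule
      middlewares:
        - name: forward-auth      # runs before the upstream service sees the request
      services:
        - name: assets-api        # assumed upstream Service
          port: 8080
  tls: {}                         # terminate TLS at the gateway
```

Apply these into the Asset Manager namespace, and note two caveats: a deny-all egress policy also blocks DNS, so a companion policy allowing port 53 to the cluster DNS service is needed in practice, and NetworkPolicy objects are only enforced when the cluster's CNI supports them.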

## Data protection

### Data sovereignty

The solution ensures data sovereignty with these features:

* 100% customer control: assets, metadata, and user data never leave your configured environment. Data can be locked to specific geographic locations to comply with General Data Protection Regulation (GDPR) and data residency laws.
* No telemetry: no usage data or IP is sent back to Unity Cloud.

### Encryption

The solution provides encryption with these features:

* Encryption in transit: all data in transit uses TLS 1.2 or 1.3. Internal service-to-service communication uses mTLS where applicable.
* Encryption at rest: in Virtual Private Cloud, data stored in object storage (for example, AWS S3 or Azure Blob) and in databases is encrypted with AES-256.
* Management of secrets: critical secrets, such as database passwords and TLS certificates, are never hardcoded. This information is managed via Azure Key Vault, AWS Secrets Manager or Kubernetes Secrets and injected at runtime.

## Software supply chain and secure software development life cycle

Unity employs a rigorous secure software development life cycle (SSDLC) to ensure the integrity of the software deliverables:

* Vulnerability scanning: the code is continuously scanned for vulnerabilities using Cycode and static analysis during development.
* Software bill of materials (SBOM): to ensure transparency regarding third-party code risks, we provide, for each release, a comprehensive SBOM that details all open-source libraries and dependencies.
* Offline licensing: licensing is handled by a standalone offline mechanism, which removes the need for periodic call-home checks.

## Auditing and compliance

To support auditing and compliance requirements, the solution includes these features:

* Audit logging: comprehensive logs capture all user activities, including logins, asset downloads, and permission changes.
* Security information and event management (SIEM) integration: logs are written as structured JSON to the stdout and stderr streams. Enterprise SIEM tools such as Splunk, Datadog, and ELK can ingest these logs for monitoring and threat detection.
* Compliance roadmap:
  * **SOC2 Type 1**: remediation complete for Unity Cloud Services. See [trust.unity.com](https://trust.unity.com).

## Conclusion

Enterprises use this solution to manage high-value 3D content without compromising security. By combining local identity management and immutable infrastructure, the solution allows organizations to unlock the value of their content while keeping their most valuable intellectual property protected within their own secure perimeter.
