Well Architected
Trimble Well Architected Criteria
Purpose
In order to guarantee the security and integrity of the Platform, and when enabling advanced Platform features, the following architecture rules will be enforced for Trimble Applications looking to be Trimble Platform certified. These requirements will ensure that applications adhere to best practices in cloud architecture, secure development, and proper data access management.
Trimble Applications that become Trimble Platform certified may be granted advanced Platform features, such as Trimble ID’s Subject Delegation grant type.
Requirements
- Web Applications must meet Trimble Platform basic operational standards. Applications must provide their evidence submissions and their audit board results so that they can be compared against the Trimble Platform standards.
- Application’s client secret MUST be rotated every 6 months. For certified Applications, TID will sunset secrets automatically on expiration.
- Applications must use TID and not accept any other access tokens.
- If the Application offers APIs, those APIs must be behind Trimble’s API Cloud.
- A JWT’s AUD claim must be validated on every request.
- Applications must submit their telemetry information to Trimble’s telemetry solution. The APIs called by the Application must be behind API Cloud unless they are internal to the Application itself.
- Applications must use Enterprise objects and definitions from IAM.
- If the Authorization Code flow is used, it must use PKCE for end-user authentication.
- Encryption at Rest and in Transit MUST be used at all times.
- Access tokens MUST be scoped as narrowly as possible.
- Every API interaction MUST be authenticated and authorized independently for each context in which it occurs.
- Applications must reside in regions supported by the Platform. Platform regions are deployed after Sector VP approves in accordance with the official policy.
- When possible, actions must be performed on behalf of the Identity starting the action as opposed to the Application performing the action.
- Applications must go through AWS and/or Azure well architected review and present the results for review. The Trimble Platform team must review results and may participate during the process.
- Critical Trimble Cybersecurity requirements must be followed.
- Critical Trimble xOps controls must be implemented. In particular: Change Management, Access Management, and Reliability.
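The AUD-claim rule above is the one most often implemented incompletely, so the following added example (not Trimble's or TID's own code) shows a per-request token check that verifies the signature before trusting any claim and accepts the aud claim both as a single string and as an array, as RFC 7519 allows. It uses HS256 with a constructed shared secret so it runs offline; the issuer and audience values are placeholders, and a real deployment would instead verify against the identity provider's published signing keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for an offline demo; a real deployment verifies
# signatures with the identity provider's published signing keys.
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_AUDIENCE = "https://example-app.invalid/api"   # placeholder API identifier
EXPECTED_ISSUER = "https://issuer.example.invalid"      # placeholder issuer


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT from constructed claims (demo issuer side only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Verify signature, expiry, issuer and audience; raise ValueError on any failure."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token must not choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))  # only now are the claims trusted
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # aud may be a single string or an array; this API must appear in it
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token not intended for this API")
    return claims
```

A token minted for a different Application (a different aud) is rejected even though it is correctly signed by the same issuer, which is the case the rule is there to catch.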
Logging & Monitoring
Logging and monitoring of token usage MUST be implemented to allow for audit and alerting of suspicious or anomalous behavior (e.g., unexpected token usage locations, abnormal patterns of access).
Enforcement & Governance
Future advanced Platform features, such as TID’s Subject Delegation grant type, are subject to the Trimble Platform team’s approval and may be revoked for any Application that fails to comply with the above requirements. Trimble will regularly monitor certified Applications for compliance.