Security in IT is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Hello everyone.
After trying to run Python methods in the intersystemsdc/irishealth-community Docker container, which no longer allows any Python methods to be executed, I decided to abandon this version and start working with containers.intersystems.com/intersystems/iris-community.
In this environment, the Python methods work, which was a significant improvement.
I'm trying to import my libraries with pip install -r requirements.txt
What logging and auditing strategies are commonly recommended for InterSystems IRIS environments?
I’m interested in learning about best practices for tracking user activity, troubleshooting issues, monitoring integrations, and maintaining compliance in enterprise or healthcare systems.
Are there built-in tools or external integrations that work especially well for this purpose?
I’m currently working with REST APIs in InterSystems IRIS and would like to better understand the recommended security practices for production environments.
I’m especially interested in:
I would also appreciate learning about common mistakes to avoid when deploying APIs publicly or integrating with external systems.
What approaches or tools have worked best in your environments?
In v2026.1 we introduced support for a more robust and real-life secure authorization for your FHIR endpoints.
This is achieved by using SMART on FHIR v2 fine-grained scopes.
Data privacy regulations such as GDPR, LGPD, and HIPAA demand that organizations know exactly where Personally Identifiable Information (PII) lives inside their databases. Yet in practice, most teams rely on manual inventories, tribal knowledge, or external scanning tools that require data to leave the database engine — a process that itself creates privacy and security risks.
This article presents an MVP that takes a different approach: it runs PII detection inside InterSystems IRIS using Embedded Python, analyzing data where it lives and never exporting it to an external process.
As an experiment in agentic coding in ObjectScript I'm using VS Code to try and create an implementation of an SFTP server.
SFTP is built on top of SSH, so the first phase involves implementing an SSH server. While working on the KEX part of that the agent (using GPT-5.3-Codex) reported:
It then offered these options:
In v2026.2 (currently available as a Developer Preview), we are adding a feature that can help in a FHIR Endpoint SMART/OAuth authorization - more out-of-the-box flexibility in audience value validation.
. . . you are not alone.
Help is available.
This took me a while to figure out, and I assume there may be others struggling too. I made my way through all the Entra stuff to set up a client credentials workflow to send email through a Microsoft 365 account. I was able to successfully retrieve my token, but I couldn't ever get it to authenticate with the SMTP server using the %Net.SMTP class. There were two parts to fixing this.
First, the authenticator's access token needs to be more than JUST the access token. It has to be formatted as:
set smtp.authenticator.AccessToken = "user="_emailaddress_$C(1)_"auth=Bearer "_token_$C(1,1)A very important feature for HL7 FHIR has been introduced with the release of v2026.1 - the support for SMART on FHIR v2 fine-grained granular Scopes.
This enables you to be much stricter and more accurate in the access you provide to the data in your FHIR repository.
Part of this new support is to refuse requests that don't match the scopes, but an even more interesting ability is to filter the results according to the provided scopes.
This article reflects my recent experiences at trying to connect an IRIS Business Operation to a secure Kafka Server, using SSL tunnels to encrypt the communications and using SASL (Simple Authentication and Security Layer) password hashing with SCRAM-SHA-512.
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Resilience by Design - Business Continuity Through Secure Backup @ Ready 2025
Hi folks!
Is there an easy setting, e.g., to merge.cpf so that it will disable the management portal on a deployed IRIS container?
The idea is to let only one of my particular web apps be available and everything else not even accessible on IRIS.
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Operationalizing Cybersecurity - Making it Real and Relevant @ Ready 2025
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Data on the Move - Securing InterSystems IRIS Connections with TLS @ Ready 2025
Hi Community,
Enjoy the new video on InterSystems Developers YouTube:
⏯ Ahead of the Threats - The Future of Secure Systems @ Ready 2025
Hello Community!
We're pleased to invite you to the upcoming webinar in Hebrew:
👉Getting Started with OAuth 2.0 on InterSystems👈
📅 Date & time: March 25th, 3:00 PM IDT
SQL injection remains one of the most critical vulnerabilities in database-driven applications, allowing attackers to manipulate queries and potentially access or compromise sensitive data. In InterSystems IRIS, developers have access to both Dynamic SQL and Embedded SQL, each with distinct characteristics. Understanding how to use them securely is essential for preventing SQL injection.
Dynamic SQL constructs queries as strings at runtime. While this offers flexibility, it also creates a vulnerability if user input is not handled correctly.
With the release of InterSystems IRIS Cloud SQL, we're getting more frequent questions about how to establish secure connections over JDBC and other driver technologies. While we have nice summary and detailed documentation on the driver technologies themselves, our documentation does not go as far to describe individual client tools, such as our personal favourite DBeaver. In this article, we'll describe the steps to create a secure connection from DBeaver to your Cloud SQL deployment.
.png)
IRIS makes SIEM systems integration simple with Structured Logging and Pipes!
IRIS can use a KMS (Key Managment Service) as of release 2023.3. Intersystems documentation is a good resource on KMS implementation but does not go into details of the KMS set up on the system, nor provide an easily followable example of how one might set this up for basic testing.
The purpose of this article is to supplement the docs with a brief explanation of KMS, an example of its use in IRIS, and notes for setup of a testing system on AWS EC2 RedHat Linux system using the AWS KMS. It is assumed in this document that the reader/implementor already has access/knowledge to set up an AWS EC2 Linux system running IRIS (2023.3 or later), and that they have proper authority to access the AWS KMS and AWS IAM (for creating roles and polices), or that they will be able to get this access either on their own or via their organizations Security contact in charge of their AWS access.
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.
A JWT is typically composed of three parts:
1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature
These parts are encoded in Base64Url format and concatenated with dots (.) separating them.
Hi, Community!
Do you need a way to securely manage your passwords, API keys, and other credentials? See how the Secure Wallet in InterSystems IRIS® data platform can help:
There is a Master Table within IRIS that I am populating from Epic but want to share it with our Enterprise Application Development Team (Web). As a test I was able to use _SYSTEM from postman to execute the following.
POST /api/atelier/v1/xxxx/action/query HTTP/1.1
Host: xxxxxxxx
Content-Type: application/json
Authorization: ••••••
Cookie: CSPSESSIONID-SP-443-UP-api-atelier-=00f0000000000AKyLjBfUvU$MpFD8UT8y$EoNKNw1ixZeXN4_Q; CSPWSERVERID=hzZAT5rb
Content-Length: 86
{"query": "SELECT * FROM osuwmc_Epic_Clarity.DepartmentMaster WHERE ID = '300000000'"}Also in previous versions you could define your FHIR Server to accept requests via OAuth 2.0 (e.g. for a SMART on FHIR client) but nowadays with v2024.3, which was released a while ago, there is a new feature, that enables doing this more easily - the OAuth FHIR Client QuickStart.
.png)
It was encouraging to see more people building VS Code extensions for the recent contest. However I noticed that of of the three extensions requiring credentials with which to make their connections only mine, gj :: dataLoader, leverages the long-established and officially-supported InterSystems Server Manager extension to obtain the connection definitions and to handle credentials securely.
Introduction
In today's rapidly evolving threat landscape, organizations deploying mission-critical applications must implement robust security architectures that protect sensitive data while maintaining high availability and performance. This is especially crucial for enterprises utilizing advanced database management systems like InterSystems IRIS, which often powers applications handling highly sensitive healthcare, financial, or personal data.
Auditing is a critical capability ensuring the security of your server, and for quite a while ago we have included the ability to audit SQL statements run on the server.
With v2024.3 out already we're providing finer-grained options for defining these events to audit.
InterSystems IRIS provides extensive configurable security options, yet many developers primarily use roles and resources to secure entire tables or routines. Today, we will delve deeper. We can also secure individual columns and rows separately, but these two mechanisms operate very differently. Let's begin with the columns.
Column Security
For testing and demonstration, we will keep our table structure concise and straightforward. We have a table called "Person" in the USER namespace that contains an ID column, a date of birth column (DOB), first name, and last name.
Security is fundamental to enterprise application development. InterSystems IRIS provides a comprehensive security framework that protects data, controls access, and ensures compliance. This guide introduces essential security features for developers new to IRIS, covering authentication, authorization, encryption, and practical implementation strategies.
Throughout this guide, we'll use Docker containers to demonstrate security configurations in a practical, reproducible environment.