Connector Security
Advanced protection for your connector credentials through encryption and IDHub's best practices. Our approach guarantees that your data remains secure at every stage. We continuously update our security measures to adapt to emerging threats and ensure the highest level of protection.
Overview
At IDHub, we prioritize the security of your connector credentials, implementing rigorous measures to safeguard them. These credentials are securely stored, with their values encrypted to prevent unauthorized access. We utilize advanced encryption techniques and follow industry best practices to ensure that your data remains protected. Our security approach also includes regular updates and assessments to address emerging threats and vulnerabilities.
Encryption Methodology
We employ Encryptors.stronger to create a BytesEncryptor with the following specifications: See Spring Security Crypto Module :: Spring Security for more details.
Encryption Algorithm
256-bit AES in Galois Counter Mode (GCM)
Key Derivation
PBKDF2 (Password-Based Key Derivation Function #2)
Initialization Vector(IV)
A 16-byte random value applied to ensure uniqueness
Encryption and Decryption Process
Encryption
- The encryption key is derived using the 256-bit AES encryption with GCM algorithm.
- The sensitive value is encrypted using this key and a randomly generated IV.
- The encrypted value is securely stored within the application's file system.
Decryption
- The encrypted value is retrieved from secure storage.
- It is decrypted using the 256-bit AES encryption with GCM algorithm and the passphrase.
- This process ensures that only authorized parties with the correct passphrase can access the original sensitive data.
Encryption in Transit
To protect sensitive data during network transmission, we implement HTTPS using the SSL/TLS protocol:
- SSL/TLS Protocol:
HTTPS encrypts data in transit, preventing eavesdropping and tampering.
- Certificate Management:
We use SSL/TLS certificates issued by trusted Certificate Authorities (CAs) to establish secure connections, regularly updating them to maintain security.
Securing Credential/Secrets
Service Accounts
Workloads utilize the least-privileged service accounts necessary for their tasks.
Network Policies
We define network policies to control traffic flow between different services and external resources.
Audit Logging
Audit logging is enabled to track all actions performed, aiding in security monitoring and incident response.
Securing Data in Containers
- Volume Abstraction:
Containers use volumes to manage persistent data storage, allowing for better control, encryption, backup, and restoration independently of the container.
- Network Isolation:
Containers are isolated at the network level, preventing unauthorized access and lateral movement within the environment.
- Image Scanning and Vulnerability Management:
We proactively scan container images for known vulnerabilities before deploying them to production environments.
Security Considerations
- Passphrase Security: The passphrase used for encryption is kept secure and not shared.
- Salt Security: The salt is essential for preventing dictionary attacks. We ensure that the salt is generated randomly and kept secure.
Conclusion
By leveraging 256-bit AES encryption with Galois Counter Mode (GCM), we provide a high level of security for storing and managing sensitive data within our containers. This approach, combined with secure network transmission using HTTPS, ensures the protection of confidential information against unauthorized access and potential breaches.
Learn more...
IDHub Extras
The Cost Of IAM
Learn why IAM is so expensive and how the benefits outweigh the initial price tag in our blog post: Why is Identity Management so expensive?