How is the Directory-as-a-Service® platform secured?
It’s a reasonable question for a client to ask of a cloud-hosted, SaaS directory service. There are two ways to answer this question, and both are significant:
- How we secure the platform itself
- The features we provide to help you secure your data in the system
Both of these are critical to Directory-as-a-Service security and both enable organizations to make smart decisions about the platforms they use.
Cloud Directory Security
The cloud directory services category is one of the hottest sectors of identity management. As more organizations move to the cloud, a key question for IT organizations is, “How do we control user access to cloud resources?”
Further, the migration from Microsoft® Windows® to Mac® and Linux® platforms disrupts control of users and systems. Couple that with the shift to web applications and infrastructure-as-a-service platforms such as AWS® and there is a lot of change going on with connecting users to their IT resources. The ability to centralize user management across a variety of platforms, protocols, providers, and locations is key for organizations moving to Directory-as-a-Service.
Security is also a major win for those who decide that a unified cloud directory is right for them. Security infrastructure is expensive to implement, time consuming to manage, and difficult to staff. And, nowhere is security more critical than in protecting identities, which are the number one cause of data breaches. SaaS providers spend a good deal of their time and budget on securing the data of their customers.
With respect to Directory-as-a-Service, here are some core methods we use to secure the platform:
We harden our infrastructure to ensure that only the proper traffic can reach us, and only the requisite servers and ports are publicly reachable. We use network segmentation, VPNs, hardened server platforms, and more. We employ monitoring tools to detect issues as well. Our infrastructure is locked down as a critical part of the approach to the service.
One-way Hashing And Salting
Passwords are one-way hashed and salted, which is a vital part of our security program. Passwords should not be reversible; a salted one-way hash accomplishes that task.
All of the inter-service communication is secured by mutual TLS. This is crucial because it increases security between our components, ensuring that an attacker is not able to pose as one of our services. Connections across the Internet, or even within our data center, need to be secured. We chose mutual TLS to accomplish that task.
While not a security “technology”, we regularly train our team on security and ensure that it is top of mind for all of our team, not just the engineers. We know that our team is a target, so we work hard to protect ourselves by talking about security, implementing internal security features such as MFA, and practicing secure coding habits and processes.
Platform Security is the Foundation
We use a variety of other important security mechanisms, and are regularly audited so that we can continually improve. These are critical ingredients to ensuring that the Directory-as-a-Service platform is secure.
Another part of our identity management security program involves enabling our clients to secure their credentials and user access. Of course, the platform itself is a core part of their security approach. Controlling who has access to what resources is essential when it comes to network security. By definition, JumpCloud’s centralized user management is a part of that. However, that’s not where it stops. JumpCloud has a number of features that help support security:
JumpCloud’s cloud identity service allows IT organizations to create standards for user passwords. These password complexity settings include minimum length, required character types, reuse of previous passwords, and rotation intervals.
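The two mechanisms described above, salted one-way password hashing and a password policy covering length, character types, reuse, and rotation, are illustrated together in the following added example. It is not JumpCloud’s code and does not reflect how the service stores passwords; the hash function (PBKDF2-HMAC-SHA256), the iteration count, the policy values, and the function names are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed parameters for the one-way hash. PBKDF2-HMAC-SHA256 is used here
# for illustration only; the page does not say which function the service uses.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a salted, one-way hash record for `password`.

    A fresh random salt per password means two users with the same password
    get different digests, and a precomputed lookup table cannot be reused
    across accounts. The salt is not secret; it is stored beside the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The stored digest never needs to be reversed; verification only ever
    goes forward through the hash.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


# Constructed example policy values, not the service's defaults.
POLICY = {
    "min_length": 12,
    "require_classes": 3,   # of: lowercase, uppercase, digit, symbol
    "history_depth": 5,     # previous hashes a new password may not match
    "max_age_days": 90,     # rotation interval
}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_policy(candidate: str, history: list, policy: dict = POLICY) -> list:
    """Return the list of policy rules `candidate` violates (empty if it passes).

    `history` is a list of hash records (oldest first) for the user's previous
    passwords; reuse is detected by verifying the candidate against each stored
    record, so plaintext history is never kept.
    """
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too_short")
    classes = sum(bool(re.search(p, candidate)) for p in CHARACTER_CLASSES)
    if classes < policy["require_classes"]:
        problems.append("too_few_character_classes")
    for old_record in history[-policy["history_depth"]:]:
        if verify_password(candidate, old_record):
            problems.append("reused")
            break
    return problems


def rotation_due(days_since_change: int, policy: dict = POLICY) -> bool:
    """True when the password is older than the policy's rotation interval."""
    return days_since_change > policy["max_age_days"]


if __name__ == "__main__":
    previous = [hash_password("OldPassw0rd!!")]
    print(check_policy("OldPassw0rd!!", previous))     # ['reused']
    print(check_policy("Tr0ub4dor&3xtra", previous))   # []
    print(rotation_due(91), rotation_due(30))           # True False
```

The reuse check deliberately runs the full hash against each stored record rather than comparing plaintexts, so a password-history store is no more sensitive than the current credential store; the cost of that check scales with the history depth, which is one reason policies keep that depth small.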
Access to the JumpCloud console where your application access may live can be protected via MFA / 2FA. Windows, Linux, and Mac systems can also be protected with multi-factor auth. Access to your VPN can be protected via 2FA. As many security experts state, adding MFA to your platforms is the single best security step-up you can take.
A common way to access servers is via SSH key-based authentication. It is simply a more secure method. JumpCloud supports access control via SSH keys. But it’s important to note that JumpCloud does not create your private keys or ask you to store them with us. That is a significant “no-no” in the security world. Users should always maintain control over private keys. Furthermore, keys should only be generated on a trustworthy and clean system.
Phishing is one of the most common ways that identities are compromised. Attackers send an email asking you to log in to a service on the web or change a password. Once the task is completed, the attackers have your credentials and subsequently use them to access other services. Instead, JumpCloud has you update your core identity locally on your Mac or Windows system.
JumpCloud’s device management capabilities help you reduce the risk of a security breach. With hundreds of policies across your Windows, Mac, and Linux systems, IT admins can lock down their fleet of machines. From enabling and managing full disk encryption to screen saver lock to disabling guest accounts, IT admins can create and execute policies across their system fleet.
Auditing / Logging
A full log of all user access events, user changes to their identity, and admin changes is provided via our premium feature Directory Insights™. IT admins can get visibility into user authentication and login events for audit purposes, security investigations, and troubleshooting. Knowing who is doing what, when, and where is critical to protecting your organization, and with Directory Insights, you have that visibility.
Unlock The Power of Directory-as-a-Service Security
These features are just a few of the security-focused capabilities that our cloud-based directory service can provide to clients. Directory-as-a-Service plays a core role in any network security initiative.
To take JumpCloud’s DaaS for a test drive, we offer the first ten users and systems for free. In addition, we provide 10 days of 24×7 premium in-app chat support to answer any questions and get you going quickly.
To better understand how DaaS can support your security efforts, just drop us a note. Our staff is always happy to discuss identity management security efforts and compliance activities.