By Rajat Bhargava Posted July 12, 2016
We are commonly asked, how is your Directory-as-a-Service® platform secured?
That’s a good and pretty reasonable question for a client to ask of a cloud-hosted, SaaS-based directory service. There are two ways to answer this question, and both are significant:
- How we secure the platform itself
- The features we provide to help you secure your data in the system
Both of these are critical to Directory-as-a-Service security and enable organizations to make smart decisions about the platforms that they use.
Cloud Directory Security
The cloud-based directory services category has recently emerged as one of the hottest sectors of identity management. As more organizations move to the cloud, a key question for IT organizations has become, “How do we control user access to those services?”
Further, the migration from Microsoft Windows to Mac and Linux platforms is causing disruption over control of users and systems. The ability to centralize user management across a variety of platforms, protocols, and locations is a key selling point for organizations in moving to Directory-as-a-Service.
Security is also a major win for those who decide that a unified cloud directory is right for them. Security infrastructure is expensive to implement, time consuming to manage, and difficult to staff. Third-party SaaS providers spend a good deal of their time and budget on securing the data of their customers.
With respect to Directory-as-a-Service, here are some core methods that we use to secure the platform:
We greatly invest in hardening our infrastructure, making sure that only the proper traffic can reach us, and only the requisite servers and ports are available to the public Internet. We heavily leverage network segmentation, VPNs, hardened server platforms, and more. Ensuring that our infrastructure is locked down is a critical part of the approach to the service.
One-way Hashing And Salting
Passwords are one-way hashed and salted, which is a vital part of our security program. Passwords should not be reversible; a one-way hash with a per-password salt accomplishes that task.
All of the inter-service communication is secured by mutual TLS. This is crucial because it increases security between our components, ensuring that a hacker is not able to pose as our service. Connections across the Internet, or even within our data center, need to be secured. We have chosen mutual TLS as the way to accomplish that task.
Platform Security is the Foundation
We use a wide variety of other important security mechanisms, and we spend time training the JumpCloud® staff on security practices. All of these are important ingredients in guaranteeing that the Directory-as-a-Service platform is secure.
The other part of our identity management security program is to enable our clients to help secure their credentials and user access. Of course, the platform itself can be considered a core part of their security approach. Controlling who has access to what resources is essential when it comes to network security. By definition, JumpCloud’s centralized user management is a part of that. However, that’s not where it stops. JumpCloud has a number of features that help support security:
Password Complexity And Rotation
JumpCloud’s virtual identity service allows IT organizations to create standards for user passwords. These password complexity settings include length, characters, reuse, and rotation.
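The two password controls described above (one-way salted hashing, and complexity and reuse rules) fit together in a short piece of code. The following is an added example written for this post, not JumpCloud's own implementation: the hash function (PBKDF2-HMAC-SHA256), iteration count, salt size, history depth and the complexity thresholds are all assumptions chosen for illustration, not the platform's actual settings. The reuse check shows why the salt must be stored with the hash: a candidate password can only be compared against an old one by re-hashing it under that old salt.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Parameters below are assumptions for this example, not JumpCloud's settings.
PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16               # random per-password salt
HISTORY_DEPTH = 5             # previous hashes kept to block reuse


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """One-way hash with a random per-password salt; the salt is stored alongside the hash."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    """Re-hash under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def check_complexity(password: str, min_length: int = 12, min_classes: int = 3) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, policy needs {min_classes}")
    return problems


def is_reused(password: str, history: List[Dict[str, bytes]]) -> bool:
    """Reuse check: the candidate is re-hashed under each stored salt in the recent history."""
    return any(verify_password(password, old) for old in history[-HISTORY_DEPTH:])


def rotate_password(new_password: str, history: List[Dict[str, bytes]]) -> List[Dict[str, bytes]]:
    """Enforce complexity and reuse policy, then append the new salted hash to the history."""
    problems = check_complexity(new_password)
    if is_reused(new_password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        raise ValueError("; ".join(problems))
    return history + [hash_password(new_password)]


if __name__ == "__main__":
    history: List[Dict[str, bytes]] = []
    history = rotate_password("Correct-Horse-42!", history)
    print("verify:", verify_password("Correct-Horse-42!", history[-1]))
    try:
        rotate_password("Correct-Horse-42!", history)   # rotation to the same password is refused
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the stored record never contains the password itself, only the salt and the derived hash, so a copy of the record cannot be turned back into the password; an attacker holding it can only guess, and the iteration count sets the cost of each guess.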
Access to the JumpCloud console can be protected via MFA / 2FA. Linux and Mac systems can also be protected with multi-factor auth. As many security experts state, adding MFA to your platforms is, perhaps, the single best security step-up you can take.
A common way to access servers is via SSH key-based authentication. It is simply a more secure method. JumpCloud supports access control via SSH keys. But it’s important to note that JumpCloud does not create your private keys or ask you to store them with us. That is a significant “no-no” in the security world. Users should always maintain control over private keys. Furthermore, keys should only be generated on a trustworthy and clean system.
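Because the directory only ever handles the public half of an SSH key pair, the useful control on the server side is validating what users submit before it is pushed out to systems. The following added example (not JumpCloud's code) parses an authorized_keys line, confirms the base64 blob really encodes the declared key type, and rejects RSA keys below a minimum size; the accepted key types and the 2048-bit floor are assumptions for this example, and the sample keys are constructed dummies built by the helper functions, not real keys.

```python
import base64
import struct
from typing import Tuple

# Policy values are assumptions for this example, not JumpCloud settings.
MIN_RSA_BITS = 2048
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa",
                  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH wire-format mpint; the extra byte keeps the sign bit clear for positive values."""
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def assess_authorized_key(line: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one authorized_keys line, options prefix allowed."""
    fields = line.split()
    positions = [i for i, f in enumerate(fields) if f.startswith("ssh-") or f.startswith("ecdsa-")]
    if not positions:
        return False, "no recognised key type field"
    i = positions[0]
    key_type = fields[i]
    if key_type not in ACCEPTED_TYPES:
        return False, f"key type {key_type} not accepted"
    if i + 1 >= len(fields):
        return False, "missing key data"
    try:
        blob = base64.b64decode(fields[i + 1], validate=True)
        inner, pos = _read_string(blob, 0)
        if inner.decode("ascii", "replace") != key_type:
            return False, "key type field does not match encoded key"
        if key_type == "ssh-rsa":
            _exponent, pos = _read_string(blob, pos)
            modulus, pos = _read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"ssh-rsa key is only {bits} bits (minimum {MIN_RSA_BITS})"
            return True, f"ssh-rsa {bits} bits"
        if key_type == "ssh-ed25519":
            public_key, pos = _read_string(blob, pos)
            if len(public_key) != 32:
                return False, "malformed ssh-ed25519 key"
            return True, "ssh-ed25519"
        return True, key_type
    except (ValueError, struct.error) as exc:
        return False, f"undecodable key: {exc}"


def make_rsa_line(modulus_bits: int) -> str:
    """Constructed sample: a syntactically valid ssh-rsa blob with a dummy modulus (not a real key)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " user@laptop"


def make_ed25519_line() -> str:
    """Constructed sample with an options prefix and a dummy 32-byte key (not a real key)."""
    blob = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
    return 'command="/usr/bin/true" ssh-ed25519 ' + base64.b64encode(blob).decode("ascii") + " user@laptop"


if __name__ == "__main__":
    for sample in (make_rsa_line(2048), make_rsa_line(1024), make_ed25519_line(), "ssh-dss AAAA user"):
        print(assess_authorized_key(sample))
```

Checking the encoded type against the declared type matters because the declared field is what administrators read while the blob is what sshd actually uses; a mismatch is a sign of a mangled or tampered entry and is worth rejecting outright.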
Auditing / Logging
A full log of all access to the console and systems is a part of the JumpCloud Directory-as-a-Service platform. Understanding who is logging into your systems, and if those are the right people, is valuable and critical to any security program.
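Collecting the log is only half of the value; the other half is reading it for the cases the paragraph names, logins by people who should not be there. The following added example is not JumpCloud's code and the event format is an assumption: it runs two simple detections over a few constructed JSON login events, flagging a successful login by an account that is not in the directory's active user set, and a success that follows a run of failures from the same source address.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample events; the field names are assumptions, not JumpCloud's log schema.
SAMPLE_LOG = """
{"ts": "2016-07-12T08:01:10Z", "event": "login_success", "user": "alice",   "src_ip": "10.0.0.5",     "system": "web-01"}
{"ts": "2016-07-12T08:02:00Z", "event": "login_failure", "user": "bob",     "src_ip": "203.0.113.9",  "system": "web-01"}
{"ts": "2016-07-12T08:02:03Z", "event": "login_failure", "user": "bob",     "src_ip": "203.0.113.9",  "system": "web-01"}
{"ts": "2016-07-12T08:02:06Z", "event": "login_failure", "user": "bob",     "src_ip": "203.0.113.9",  "system": "web-01"}
{"ts": "2016-07-12T08:02:09Z", "event": "login_failure", "user": "bob",     "src_ip": "203.0.113.9",  "system": "web-01"}
{"ts": "2016-07-12T08:02:12Z", "event": "login_failure", "user": "bob",     "src_ip": "203.0.113.9",  "system": "web-01"}
{"ts": "2016-07-12T08:02:15Z", "event": "login_success", "user": "bob",     "src_ip": "203.0.113.9",  "system": "web-01"}
{"ts": "2016-07-12T08:05:30Z", "event": "login_failure", "user": "carol",   "src_ip": "10.0.0.8",     "system": "db-01"}
{"ts": "2016-07-12T08:05:40Z", "event": "login_success", "user": "carol",   "src_ip": "10.0.0.8",     "system": "db-01"}
{"ts": "2016-07-12T08:09:00Z", "event": "login_success", "user": "mallory", "src_ip": "198.51.100.7", "system": "db-01"}
"""

ACTIVE_USERS: Set[str] = {"alice", "bob", "carol"}   # what the directory says should exist
FAILURE_THRESHOLD = 5                                # consecutive failures before a success is suspicious


def parse_events(text: str) -> List[Dict[str, str]]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_anomalies(events: List[Dict[str, str]], active_users: Set[str] = ACTIVE_USERS,
                   threshold: int = FAILURE_THRESHOLD) -> List[str]:
    """Return human-readable findings for unknown-account logins and failure-then-success runs."""
    findings: List[str] = []
    failures: Dict[tuple, int] = defaultdict(int)   # (user, src_ip) -> consecutive failures
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if ev["event"] == "login_failure":
            failures[key] += 1
        elif ev["event"] == "login_success":
            if ev["user"] not in active_users:
                findings.append(f"{ev['ts']} unknown account '{ev['user']}' logged into "
                                f"{ev['system']} from {ev['src_ip']}")
            if failures[key] >= threshold:
                findings.append(f"{ev['ts']} '{ev['user']}' succeeded from {ev['src_ip']} after "
                                f"{failures[key]} failures (possible password guessing)")
            failures[key] = 0   # a success resets the run for that user/source pair
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_events(SAMPLE_LOG)):
        print(finding)
```

Carol's single failed attempt before a success is below the threshold and is not reported, which is the point of keeping a per-source counter rather than alerting on every failure.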
Unlock The Power of Directory-as-a-Service Security
These features are just a few of the security-focused capabilities that our cloud-based directory service can provide to clients. Directory-as-a-Service can play a core role in any network security initiative.
If you want to take JumpCloud’s DaaS for a test drive, we offer the first ten users for free.
If you still have questions and want to better understand how DaaS can support your security efforts, just drop us a note. Our staff is always happy to discuss identity management security efforts and compliance activities.