The VaultOne Connector is a critical component of the VaultOne solution, responsible for brokering remote sessions and auditing privileged access. This connector is typically installed on a Linux server within the customer’s infrastructure (it can also be hosted by JumpCloud through a service contract). When the server is provisioned in your own environment, VaultOne does not have visibility or control over its hardware maintenance and security.
To maximize protection and resilience, follow these best practices for securely configuring your VaultOne Connector server.
Basic Security Requirements
Before configuring the server, ensure it meets the minimum requirements outlined in the VaultOne Connector Server Requirements.
We also recommend:
- Verify hardware or virtual environment compliance: Ensure your server meets the minimum specifications described in the official documentation
- Apply strict access controls: Limit server access to only authorized personnel and restrict unnecessary permissions
- Set strong passwords: Use complex passwords for server access (at least 15 characters, including uppercase and lowercase letters, numbers, and special characters)
- Isolate the server: Place the server in a secure network segment to prevent unnecessary exposure to public networks or unauthorized external access
While VaultOne hardens its system by default, customers are responsible for securing the infrastructure where the connector is installed, including network policies, access controls, and ongoing monitoring.
Secure Access Control
Minimize risk by restricting unnecessary access and following access management best practices.
- User and access management:
  - Avoid direct access to the VaultOne Connector server unless required for maintenance
  - Create dedicated administrative user accounts; avoid using generic or shared accounts
  - Restrict administrative access to authorized users only, and ensure all access is performed through VaultOne whenever possible
- Disable direct root login:
  - Access should be performed using a regular user with elevated privileges via sudo
  - To disable direct root login via SSH, edit the SSH configuration file:
    sudo nano /etc/ssh/sshd_config
  - Set the following line:
    PermitRootLogin no
  - Then restart the SSH service:
    sudo systemctl restart sshd
- Use SSH keys for remote access:
  - For increased security, disable password authentication and enable SSH key authentication. In /etc/ssh/sshd_config, set:
    PasswordAuthentication no
    PubkeyAuthentication yes
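The root-login and key-authentication steps above are usually applied by hand in an editor. The script below is an added example, not part of the VaultOne documentation, that applies the same three directives idempotently and reads them back the way sshd would (first uncommented occurrence wins). It assumes the config path is passed as an argument (defaulting to /etc/ssh/sshd_config), does not handle directives inside Match blocks, and uses the service name sshd as the article does; the sample configuration it runs against is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the VaultOne documentation): enforce the sshd_config
# directives named above in an idempotent, verifiable way instead of hand-editing.
# Assumptions: the target file path is passed as an argument (defaults to
# /etc/ssh/sshd_config); directives inside "Match" blocks are not handled; the
# service name is "sshd" as in the article (some distributions use "ssh").
set -eu

# set_directive FILE KEY VALUE
# Rewrite every existing occurrence of KEY, including commented-out defaults such
# as "#PermitRootLogin prohibit-password", to "KEY VALUE"; append it if absent.
set_directive() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" > "${file}.tmp"
    mv "${file}.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_directive FILE KEY
# Print the effective value: sshd honours the first uncommented occurrence of a
# keyword, which the awk "exit" reproduces. Prints "unset" if the key is absent.
get_directive() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; found = 1; exit }
                 END { if (!found) print "unset" }' "$1"
}

# harden_sshd [FILE]: apply the three settings from the article.
harden_sshd() {
  file="${1:-/etc/ssh/sshd_config}"
  set_directive "$file" PermitRootLogin no
  set_directive "$file" PasswordAuthentication no
  set_directive "$file" PubkeyAuthentication yes
}

# verify_sshd [FILE]: succeed only when all three directives read back as expected.
verify_sshd() {
  file="${1:-/etc/ssh/sshd_config}"
  [ "$(get_directive "$file" PermitRootLogin)" = no ] &&
  [ "$(get_directive "$file" PasswordAuthentication)" = no ] &&
  [ "$(get_directive "$file" PubkeyAuthentication)" = yes ]
}

# apply_live: harden the real file, keep a backup, and restart sshd only after
# "sshd -t" accepts the new configuration. Run as root; not called below.
apply_live() {
  cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  harden_sshd /etc/ssh/sshd_config
  sshd -t && systemctl restart sshd
}

# Demonstration on a constructed config (not a real server file).
demo="$(mktemp)"
cat > "$demo" <<'EOF'
# constructed sample: distribution default commented out, one weak explicit setting
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Port 22
EOF
harden_sshd "$demo"
verify_sshd "$demo" && echo "hardened: $(grep -E '^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication)' "$demo" | tr '\n' ';')"
rm -f "$demo"
```

Before running apply_live on a live server, make sure an authorized key is already installed for the administrative account and keep the current session open until a second key-based login succeeds; the sshd -t check catches syntax errors but not a missing key.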
Firewall Configuration and Network Isolation
- Enable the firewall:
  - Allow only the necessary ports required for VaultOne Connector operation
  - Use your organization’s firewall to block unauthorized access
- Network segmentation:
  - Place the VaultOne Connector in an isolated network segment, limiting its access to only what is necessary
- Monitor connections:
  - Enable detailed firewall logging to track and respond to unauthorized access attempts
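The three points above (allow only the required ports, restrict management access, log what is dropped) can be expressed as one host firewall ruleset plus a small review step for its logs. The following is an added example, not VaultOne's own tooling: it generates a default-deny nftables ruleset and summarizes the drop log lines it produces. The port list, the management network and the log lines are constructed placeholders; the real ports come from the VaultOne Connector Server Requirements.

```bash
#!/usr/bin/env bash
# Added example (not VaultOne's own tooling): a default-deny nftables ruleset that
# admits only the connector's ports and logs what it drops, plus a summarizer for
# the resulting kernel log lines. The port list, the management network and the
# sample log lines are constructed placeholders; take the real ports from the
# VaultOne Connector Server Requirements.
set -eu

# gen_ruleset "PORT PORT ..." MGMT_CIDR
# Print a ruleset for /etc/nftables.conf: drop by default, accept only the listed
# TCP ports, allow SSH solely from the management segment, and log every drop with
# a fixed prefix so the lines are easy to pick out of the kernel log.
gen_ruleset() {
  ports="$1"; mgmt="$2"
  portset="$(printf '%s' "$ports" | tr ' ' ',')"
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ct state invalid drop
    ip saddr ${mgmt} tcp dport 22 accept comment "SSH from the management segment only"
    tcp dport { ${portset} } accept comment "VaultOne Connector ports (placeholder list)"
    log prefix "vaultone-drop: " flags all counter drop
  }
}
EOF
}

# sample_log: constructed kernel log lines in the shape the "log" statement above
# yields through journald/rsyslog; 203.0.113.7 is hitting several closed ports.
sample_log() {
  cat <<'EOF'
Mar 03 10:15:01 connector kernel: vaultone-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN
Mar 03 10:15:02 connector kernel: vaultone-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51235 DPT=3389 SYN
Mar 03 10:15:02 connector kernel: vaultone-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=40001 DPT=8080 SYN
Mar 03 10:15:03 connector kernel: vaultone-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51236 DPT=445 SYN
Mar 03 10:15:04 connector systemd[1]: Started Session 42 of user admin.
Mar 03 10:15:05 connector kernel: vaultone-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51237 DPT=22 SYN
EOF
}

# summarize_drops LOGFILE [THRESHOLD]
# Print "SRC count" for every source whose dropped packets reach THRESHOLD
# (default 3), most frequent first: a short review list for whoever is on call.
summarize_drops() {
  logfile="$1"; threshold="${2:-3}"
  grep 'vaultone-drop: ' "$logfile" |
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# dropped_ports LOGFILE: which destination ports are being rejected, with counts.
dropped_ports() {
  grep 'vaultone-drop: ' "$1" |
    sed -n 's/.*DPT=\([0-9]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

# Demonstration on the constructed sample.
log="$(mktemp)"
sample_log > "$log"
echo "sources at or above threshold:"; summarize_drops "$log" 3
echo "rejected destination ports:"; dropped_ports "$log"
rm -f "$log"
```

Load the generated ruleset with nft -f after reviewing it, and feed the drop lines (journalctl -k or your syslog pipeline) into the same monitoring platform that covers the rest of the segment, so a source that trips the threshold raises the same alert as any other unauthorized access attempt.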
Maintenance and Updates
- Apply patches and updates:
  - Regularly update the server and VaultOne Connector to ensure the latest security patches are applied
- Continuous monitoring:
  - Include the VaultOne Connector server in your organization’s monitoring and observability strategy to detect and respond to potential issues promptly
The VaultOne Connector is essential for securing privileged access. Protecting the server where it is installed is crucial to prevent vulnerabilities and maintain a secure environment.
By following these best practices, your organization will reduce risks and strengthen the security of its infrastructure.