Security is an important aspect to consider when choosing the location DataBridge reads your data from. Not all storage connectors offer the same level of security, and the security of any given connector also depends on how you configure it.

...

Note

All of the security measures mentioned below have weaknesses, but together they drastically reduce the number of viable attacks and should be implemented wherever possible.

Secure protocol

Most storage connectors support communication through a secure protocol, namely SSL/TLS or SSH. These protocols encrypt your data before it leaves one server for another, so it remains confidential even if it is intercepted on the way. They also let DataBridge authenticate the server it talks to (by its certificate for TLS, by its host key for SSH); that authentication, not the encryption alone, is what defeats a man-in-the-middle attack.

FTP

Standard FTP does not use encryption, so you should enable FTPS (FTP over TLS) on your FTP server and disable plain FTP. Alternatively, you can opt for an SFTP server: despite the name, SFTP is the SSH File Transfer Protocol, a different protocol that runs over SSH rather than FTP wrapped in TLS. Let DataBridge know which protocol your server uses in the advanced settings of the FTP connector.

  • FTPS

    • Protocol = FTP

    • Encryption mode = Explicit (the connection starts in clear on the FTP port and is upgraded with AUTH TLS) or Implicit (TLS from the first byte, conventionally on port 990), matching your server's configuration

  • SFTP

    • Protocol = SFTP

    • Encryption mode -> not relevant for this protocol (SSH encrypts the whole session)
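As an added example (not DataBridge's code, nor anything from this page), the following Python script opens an explicit FTPS session the way a client should: certificate verification on, TLS 1.2 or newer, AUTH TLS before any credential is sent, and PROT P so that file transfers are encrypted too. The host, user and password are placeholders passed on the command line.

```python
import ftplib
import ssl
import sys


def build_tls_context() -> ssl.SSLContext:
    """Client-side TLS context that actually verifies the server.

    ssl.create_default_context() loads the platform CA store, sets
    verify_mode=CERT_REQUIRED and enables hostname checking; on top of
    that we refuse anything older than TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter when reviewing a context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def connect_explicit_ftps(host: str, user: str, password: str,
                          port: int = 21, timeout: float = 30.0) -> ftplib.FTP_TLS:
    """Explicit FTPS: plain TCP to port 21, AUTH TLS *before* any credential
    is sent, then PROT P so the data channel is encrypted as well.

    A server whose certificate is self-signed or does not match `host`
    makes auth() raise ssl.SSLCertVerificationError; that is the desired
    fail-closed behaviour, not something to work around.
    """
    ftp = ftplib.FTP_TLS(context=build_tls_context(), timeout=timeout)
    ftp.connect(host, port)
    ftp.auth()                 # AUTH TLS: upgrade the control connection
    ftp.login(user, password)  # USER/PASS now travel only inside TLS
    ftp.prot_p()               # PBSZ 0 + PROT P: encrypt LIST/RETR/STOR too
    return ftp


if __name__ == "__main__":
    # Usage: python ftps_check.py HOST USER PASSWORD  (all three are placeholders)
    host, user, password = sys.argv[1:4]
    try:
        client = connect_explicit_ftps(host, user, password)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"certificate for {host} not trusted: {exc}")
    print("TLS", client.sock.version(), "cipher", client.sock.cipher()[0])
    print(client.nlst())
    client.quit()
```

Implicit FTPS (port 990) is not handled by ftplib.FTP_TLS out of the box, because the socket has to be wrapped in TLS before the server greeting; if your server only offers implicit mode, set DataBridge's Encryption mode accordingly. The step most often forgotten is prot_p(): after AUTH TLS alone the control channel is protected, but file contents still cross the network in clear.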

Email

Emails that contain the file to be read by DataBridge travel three times:

...

DataBridge retrieves emails using a TLS connection for both the IMAP and Office 365 connectors. For the IMAP connector, if you disable “Use SSL” in the settings, DataBridge will still try to upgrade the connection to TLS if the email server supports it. Keep in mind that such an opportunistic upgrade is only as strong as the server's offer to perform it: an attacker on the path who strips that offer can cause the session to fall back to clear text. You should therefore turn the setting off only if the email provider does not support SSL/TLS at all, that is, only in a setup that is already insecure.
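As an added example, not DataBridge's own code, here is how a Python IMAP client can be written to fail closed instead of falling back to clear text: with use_ssl=True it uses IMAPS on port 993; otherwise it inspects the server's CAPABILITY response and refuses to send a LOGIN unless STARTTLS is offered. The parse_capabilities helper runs on constructed sample responses; connect_imap needs a real server, and host, user and password are placeholders.

```python
import imaplib
import re
import ssl


def parse_capabilities(line: bytes) -> set:
    """Extract capability tokens from either form a server may send:
       * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready
       * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN
    Tokens are upper-cased so comparisons are case-insensitive."""
    text = line.decode("ascii", errors="replace")
    match = re.search(r"CAPABILITY\s+([^\]\r\n]*)", text, re.IGNORECASE)
    if not match:
        return set()
    return {tok.upper() for tok in match.group(1).split()}


def decide(caps) -> str:
    """Policy for a connection that started in clear on port 143:
    'starttls' if the server offers the upgrade, 'refuse' otherwise.
    An on-path attacker who strips STARTTLS from the capability list
    therefore gets a refused login, not a clear-text password."""
    return "starttls" if "STARTTLS" in caps else "refuse"


def connect_imap(host: str, user: str, password: str,
                 use_ssl: bool = True, timeout: float = 30.0) -> imaplib.IMAP4:
    """Log in over TLS or not at all. host, user and password are placeholders."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    if use_ssl:
        # Implicit TLS (IMAPS): encrypted from the first byte, port 993.
        imap = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=timeout)
    else:
        # Explicit TLS: plain 143, then STARTTLS before any credential.
        imap = imaplib.IMAP4(host, 143, timeout=timeout)
        # imaplib has already parsed the greeting/CAPABILITY into a tuple of str.
        if decide(imap.capabilities) != "starttls":
            imap.logout()
            raise RuntimeError(f"{host} offers no STARTTLS; refusing to send credentials in clear")
        imap.starttls(ssl_context=ctx)
    imap.login(user, password)
    return imap


if __name__ == "__main__":
    import sys
    # Usage: python imap_check.py HOST USER PASSWORD [--starttls]
    host, user, password = sys.argv[1:4]
    client = connect_imap(host, user, password, use_ssl="--starttls" not in sys.argv)
    print(client.select("INBOX", readonly=True))
    client.logout()
```

The constructed sample `* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN] ready` is typical of a server that advertises LOGINDISABLED until the session is upgraded; a client that ignores the capability list and sends LOGIN anyway is exactly the client a downgrade attack targets.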

Microsoft SQL Server

In DataBridge, communication with Microsoft SQL Server and Microsoft Azure SQL is encrypted. It is not possible to connect to a database where SSL/TLS is disabled, and for defence in depth you should also force encryption on the SQL Server instance itself (the Force Encryption option), so that no client, DataBridge or otherwise, can connect without TLS.

If your SQL Server instance uses a certificate that was not issued by a public certificate authority, DataBridge cannot validate the certificate issuer and the connection will fail, unless you enable the advanced setting “Trust Server Certificate” in DataBridge. With that setting on, your data is still encrypted in transit, but DataBridge skips the trust validation, so any host on the network path can present its own certificate and impersonate your database: a man-in-the-middle attack. Therefore, use a certificate issued by a trusted certificate authority and leave “Trust Server Certificate” disabled.
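As an added example (not DataBridge's or Microsoft's code), here is a small Python checker for the two connection-string keywords that govern this, Encrypt and TrustServerCertificate, as spelled in the Microsoft ODBC and ADO.NET drivers; the connection strings are constructed placeholders. The same review can be applied to any connection string kept in a secrets manager or deployment config.

```python
"""Audit SQL Server connection strings for the two transport settings that
matter: Encrypt (is TLS requested) and TrustServerCertificate (is the
certificate chain validated). Keyword names are those of the Microsoft
ODBC and ADO.NET drivers."""

# Values the drivers accept as "on" / "off" (ODBC also knows strict/mandatory/optional).
ON = {"yes", "true", "1", "mandatory", "strict"}
OFF = {"no", "false", "0", "optional"}


def parse_connection_string(conn: str) -> dict:
    """'Key=Value;Key=Value' -> {'key': 'Value'} with lower-cased keys.
    Simplification: values containing ';' (which the real drivers allow
    inside {braces}) are not supported by this parser."""
    out = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def audit(conn: str) -> list:
    """Return a list of findings; an empty list means both settings are safe."""
    kv = parse_connection_string(conn)
    findings = []
    if kv.get("encrypt", "").lower() not in ON:
        findings.append(
            "Encrypt is not explicitly enabled: whether traffic is encrypted then "
            "depends on the driver default or on the server forcing it; set Encrypt=yes")
    if kv.get("trustservercertificate", "").lower() in ON:
        findings.append(
            "TrustServerCertificate is on: the certificate chain is not validated, "
            "so any host on the path can impersonate the server")
    return findings


# Constructed examples (hostname, database, user and password are placeholders).
WEAK = ("Server=tcp:sql.example.internal,1433;Database=bridge;"
        "User Id=databridge;Password=REDACTED;Encrypt=yes;TrustServerCertificate=yes")
HARDENED = ("Server=tcp:sql.example.internal,1433;Database=bridge;"
            "User Id=databridge;Password=REDACTED;Encrypt=yes;TrustServerCertificate=no")

if __name__ == "__main__":
    for name, conn in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conn) or ["ok"])
```

The weak string is the one people reach for when a self-signed certificate makes the first connection fail; the hardened string differs by a single keyword, and the fix on the server side is to install a certificate issued by a trusted authority rather than to flip that keyword.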

Other

All the other connectors are based on web APIs exposed on HTTPS endpoints, so their traffic is protected by TLS in the same way: encrypted in transit, with the endpoint authenticated by its certificate.

Firewall

With firewall rules, you can restrict access to your data to a small set of IP addresses, including the IP addresses DataBridge uses to communicate with external systems. Not all storage connectors offer the possibility to configure a firewall.

...

IP filtering options vary by email provider, but keep in mind that these (pseudo-)firewall rules usually aim at blocking incoming emails. DataBridge's IMAP connector does not send emails to the configured inbox (otherwise it would be an SMTP connector); it retrieves emails from it. Make sure the rules your email provider lets you set also apply to IMAP access, not only to mail delivery.

OAuth

Each storage connector uses one of these two ways to authenticate a user:

...

A note about password rotation policies: there is an ongoing debate about whether a password rotation policy should be enforced. In DataBridge, using an OAuth-based or a basic-authentication-based storage connector makes no difference regarding password rotation: every time a password expires you will need to enter it again in DataBridge, whether directly in the portal or via the “connect” button.

Delete

If an attacker does manage to access your storage account, you want the amount of data stored there to be minimal. The best way to ensure that is to delete files as soon as a DataBridge job has processed them. DataBridge can delete the file right after the job completes successfully, except, at the moment, for Google Drive.

For Dropbox and Microsoft 365 (Outlook, OneDrive, SharePoint), files are merely soft deleted. They are permanently deleted automatically after a certain number of days, which depends on your subscription plan; until then, the data remains recoverable by anyone with access to the account.

Comparison

This table summarizes the differences between storage connectors.

...