How can I securely transfer my data to DataBridge?
Security is an important aspect to take into consideration when choosing a location DataBridge can read your data from. Not all storage connectors offer the same level of security, and the level of security of each storage connector can vary depending on how you configure it.
In this article, we explain briefly which security criteria you should examine in order to select a storage provider. Please refer to your IT security officer to study these criteria more in depth before making a decision.
All of the security measures mentioned below have their weaknesses, but they still drastically reduce the number of potential attacks and should be implemented when possible.
Overview
Secure transport protocol: make sure the connector communicates using a TLS or SSH connection.
Authentication method: preferably choose a connector based on OAuth rather than basic authentication.
IP filtering: consider enabling firewall(-like) rules on your connector, when supported.
File deletion: configure DataBridge to delete the files it just processed, when supported.
Secure transport protocol
Most storage connectors support communication through a secure protocol, namely either TLS 1.2 or SSH. These protocols ensure your data is encrypted before it is sent from one server to another, so it remains confidential even if it gets intercepted on the way.
FTP
Standard FTP does not use encryption, so you should enable FTPS (FTP over TLS) on your FTP server and disable standard FTP. Alternatively, you can opt for an SFTP (file transfer over SSH) server. Let DataBridge know which protocol your server uses in the advanced settings of the FTP connector.
FTPS
Protocol = FTP
Encryption mode = Explicit or Implicit
SFTP
Protocol = SFTP
Encryption mode -> not relevant for this protocol
Email
Emails that contain the file to be read by DataBridge travel three times:
From the sender’s email client to the sender’s email provider server
From the sender’s email provider server to the recipient’s email provider server
From the recipient’s email provider server to DataBridge
In order to make sure your data transits in an entirely secure way, you have to check that both email providers support TLS, as well as the sender’s email client.
DataBridge retrieves emails using a TLS connection for both the IMAP and Office 365 connectors. For the IMAP connector, if you disable “Use SSL” in the settings, then DataBridge will still try to use a TLS connection if the email server supports it. You would need to turn off this setting only if the email provider does not support TLS, thus only in a non-secure setup.
Microsoft SQL Server
In DataBridge, communication with Microsoft SQL Server and Microsoft Azure SQL is encrypted. It is not possible to connect to a database where TLS is disabled, and for better security you should also force encryption on your SQL Server instance.
If your SQL Server instance uses a certificate that was not issued by a public certificate authority, then DataBridge will not be able to validate the certificate issuer. Communication with your database won’t work unless you enable the advanced setting “Trust Server Certificate” in DataBridge. In that case, your data is still encrypted while in transit, but DataBridge bypasses trust validation, which leaves the connection vulnerable to a man-in-the-middle attack. Therefore, it is recommended that you use a certificate issued by a trusted certificate authority and leave the “Trust Server Certificate” option disabled.
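The “Trust Server Certificate” trade-off described above can be audited in the connection strings used to reach your instance. This is an added example, not DataBridge code: it assumes the standard SQL Server connection-string keywords Encrypt and TrustServerCertificate, and the sample strings are constructed.

```python
"""Flag SQL Server connection strings that weaken transport security.

Added example: the keywords Encrypt and TrustServerCertificate are the
standard ADO.NET/ODBC connection-string keywords, not DataBridge settings.
"""

# Values that drivers accept as "on" for Encrypt (Mandatory/Strict are the
# newer Microsoft.Data.SqlClient spellings).
TRUE_VALUES = {"true", "yes", "1", "mandatory", "strict"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    settings = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_connection_string(conn: str) -> list:
    """Return findings; an empty list means encryption is forced and the
    server certificate is validated against a trusted authority."""
    settings = parse_connection_string(conn)
    findings = []
    # Require Encrypt explicitly: the default depends on the driver version.
    if settings.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append("Encrypt is not enabled: data may travel in clear text")
    if settings.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate=True: certificate chain is not "
                        "validated, exposing the connection to a MITM attack")
    return findings


# Constructed sample strings (placeholder host and redacted password).
WEAK = ("Server=sql.example.invalid;Database=Orders;Encrypt=True;"
        "TrustServerCertificate=True;User Id=databridge;Password=<redacted>;")
HARDENED = ("Server=sql.example.invalid;Database=Orders;Encrypt=True;"
            "TrustServerCertificate=False;User Id=databridge;Password=<redacted>;")

if __name__ == "__main__":
    for label, conn in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_connection_string(conn) or ["OK"])
```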
Other
All the other connectors are based on a web API exposed on HTTPS endpoints, so their traffic is always TLS-encrypted.
Authentication method
Each storage connector uses one of these two ways to authenticate a user:
Basic authentication: you need to enter your username and password directly in DataBridge.
OAuth 2.0: you need to click a “connect” button in DataBridge that redirects you to the login page of the storage provider.
With basic authentication, DataBridge stores your credentials in its database, whereas with OAuth it stores a token. In both cases, DataBridge encrypts them according to industry standards. The difference lies in the fact that the token is short-lived, which limits the timespan over which an attacker would be able to use it.
Another benefit of OAuth is that you can enable two-factor authentication (2FA) on your storage provider. With 2FA, knowing your credentials is not enough to log in to your account; an attacker would also need the one-time password that is sent to your device at every login attempt. DataBridge back-end services cannot enter a one-time password on your behalf, therefore you need to disable two-factor authentication for connectors that use basic authentication. With OAuth, delegated access always works, whether you enable 2FA or not. It is highly recommended to enable 2FA.
A note about password rotation policies: there is a controversy about whether a password rotation policy should be enforced or not. In DataBridge, using either an OAuth-based or a basic authentication-based storage connector makes no difference regarding password rotation policies, because every time a password expires you will need to enter it again in DataBridge, whether directly in the portal or using the “connect” button.
IP filtering
With IP filtering, you can restrict the access to your data to a small set of IP addresses, among which the IP addresses DataBridge uses to communicate with external systems.
When the server hosting your data is located on your premises (or at least you have access to the server’s configuration) then you can set up a firewall to regulate network traffic. It should be the case for your FTP server, your Microsoft SQL Server instance, or your self-hosted email provider.
When your data is hosted in the cloud, it is protected by the firewall of the storage provider, and on top of that you can sometimes add extra IP filtering rules to whitelist only a small set of IP addresses. This feature is only offered by some subscription plans, usually intended for businesses. A Google Drive needs to belong to a Google Workspace, where IP lock can be configured, and OneDrive, Sharepoint and Outlook need to belong to a Microsoft 365 Business plan. You will need to explicitly configure the IPs you want to whitelist, since no filtering is configured by default. By contrast, Microsoft Azure SQL, which is also hosted in the cloud, comes with a default firewall rule that allows only one IP address. DevOps engineers can then add more firewall rules. As for Dropbox, none of its subscription plans offer any kind of IP filtering.
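Whatever the provider, the allow-list you end up with should cover every DataBridge egress address and nothing much else. The check below is an added example, not DataBridge or vendor code; it accepts both CIDR rules and the start-end ranges used by Azure SQL firewall rules, and the egress addresses are constructed placeholders (use the addresses your vendor publishes).

```python
"""Audit a storage firewall allow-list against the expected egress IPs.

Added example. DATABRIDGE_EGRESS_IPS are constructed placeholders from the
documentation range 203.0.113.0/24, not DataBridge's real addresses.
"""
import ipaddress

DATABRIDGE_EGRESS_IPS = ["203.0.113.10", "203.0.113.11"]  # constructed


def parse_rule(rule: str) -> list:
    """Turn one rule into IP networks.

    Accepts 'a.b.c.d/nn', a bare address, or 'start-end' (the form Azure SQL
    firewall rules use).
    """
    rule = rule.strip()
    if "-" in rule:
        start, end = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(rule, strict=False)]


def audit_allow_list(rules, required_ips=DATABRIDGE_EGRESS_IPS,
                     max_hosts_per_rule=256) -> dict:
    """Return the required IPs the rules fail to cover ('missing') and the
    rules wide enough to defeat the purpose of filtering ('too_broad')."""
    networks = [net for rule in rules for net in parse_rule(rule)]
    too_broad = [str(net) for net in networks
                 if net.num_addresses > max_hosts_per_rule]
    missing = [ip for ip in required_ips
               if not any(ipaddress.ip_address(ip) in net for net in networks)]
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    # One exact rule per egress address: the expected state.
    print(audit_allow_list(["203.0.113.10/32", "203.0.113.11"]))
    # A forgotten address plus an "allow everything" range.
    print(audit_allow_list(["203.0.113.10", "0.0.0.0-255.255.255.255"]))
```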
IP filtering options can vary depending on the email provider, but keep in mind that these (pseudo-)firewall rules usually aim at blocking incoming emails. The IMAP connector of DataBridge does not send emails to the configured inbox (otherwise it would be an SMTP connector), it rather retrieves emails from it. You should make sure that the rules your email provider lets you set also apply for the IMAP protocol.
File deletion
If somehow an attacker manages to access your storage account, you probably want the amount of data stored there to be minimal. The best way to make sure of that is to delete the files as soon as they have been processed by a DataBridge job. DataBridge offers the possibility to delete the file right after the job completes successfully, except, at the moment, for Google Drive.
For Dropbox and Microsoft 365 (Outlook, OneDrive, Sharepoint), files are merely soft deleted. They will be permanently deleted automatically after a certain number of days, which depends on your subscription plan.
Comparison
This table summarizes the differences between storage connectors. Please read carefully the explanations above to get more details about the limitations of each security measure.
Storage connector | Secure transport | OAuth | IP filtering | File deletion
---|---|---|---|---
FTP | No | No | Yes | Yes
FTPS | Yes | No | Yes | Yes
SFTP | Yes | No | Yes | Yes
Google Drive | Yes | Yes | Yes* | No
OneDrive / Sharepoint | Yes | Yes | Yes* | Yes**
Dropbox | Yes | Yes | No | Yes**
Email (Office 365) | Yes* | Yes | Yes* | Yes**
Email (IMAP) | Yes* | No | Yes* | Yes
Microsoft Azure SQL & Microsoft SQL Server | Yes | No | Yes | Yes
* Not always; it depends on your provider.
** Deletion is not immediately permanent.