COMPLAUD. Customer’s data security is our top priority!
We fully realize that the most important part of the “to use or not to use the cloud” question is data security. Many fear that administrators of the cloud system, or intruders who obtained the data through a leak, could use the credentials (logins / passwords / private keys / passphrases) to access the scanned servers and network devices.
To dispel any doubts about the security of sensitive data, we will show how customers’ security credentials are protected in COMPLAUD.
In addition to well-known information security mechanisms, such as cryptographic encryption algorithms and the use of secure connections only, the RCNTEC team has developed a simple but reliable solution for the way its COMPLAUD system works with the credentials of the scanned objects. This solution completely excludes the possibility of anyone except the customer using the credentials of the scanned servers and network devices.
How it works:
All credentials exist in the clear on the customer’s side only:
• In the web browser, when a user types his/her credentials
• In the memory of an agent while it scans a server. The agent is a program written in Python for host scanning; it is located in the customer’s IT infrastructure, on the customer’s servers
A user types credentials into a web browser. The web browser encrypts the credentials with the agent’s public key and sends the encrypted credentials to the cloud. The web interface is open source and can be inspected for backdoors by anyone.
An agent working in the customer’s infrastructure receives the encrypted credentials from the cloud and decrypts them using its private key. The source code of the agent is open too and is available for research.
And now to some details.
Each agent uses its own unique private key issued by the customer and a certificate issued by the customer’s Certificate Authority (CA).
Only agents that have received CA-issued certificates can work with the customer’s data. This is enforced by both the web interface and the agent itself.
All credential encryption/decryption operations are performed only in COMPLAUD components that are located in the customer’s infrastructure and controlled by the customer.
Asymmetric encryption is used for agent authentication. An agent encrypts certain information using its private key, and the COMPLAUD core decrypts it. Successful decryption means that the agent is authenticated.
To protect security credentials, symmetric (AES-256-CBC) and asymmetric (RSA-4096) encryption algorithms are used.
The data entered by a user is encrypted with the symmetric algorithm; the symmetric encryption key is then encrypted with the public key of an agent whose certificate carries the CA signature.
After that, the encrypted credentials and the encrypted symmetric key are sent to the COMPLAUD core.
Encryption of the symmetric key for each of the other agents is performed automatically in the background.
To scan a host, an agent receives the encrypted host credentials and the symmetric key encrypted with its own public key. It decrypts the key with its own private key and then uses the decrypted symmetric key to decrypt the host credentials.
A symmetric key can only be decrypted with the private key of the agent for which it was encrypted.
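The flow above (credentials under a one-time AES-256-CBC key, that key wrapped with each agent’s RSA public key, each agent unwrapping only its own copy) as an added example in Go using only the standard library; this is not the COMPLAUD browser or Python agent code. The names Envelope, Seal and Open are made up for the example, and RSA-OAEP padding and PKCS#7 padding are assumptions, since the text names only the algorithms; the CA certificate check and agent authentication are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope is what the browser sends to the cloud: AES-256-CBC ciphertext plus the AES key wrapped once per agent.
type Envelope struct {
	IV, Ciphertext []byte
	WrappedKeys    map[string][]byte // agent name -> AES key encrypted with that agent's RSA public key
}
// Seal (browser side): fresh random AES-256 key, CBC with PKCS#7 padding, key wrapped with RSA-OAEP per agent.
func Seal(creds []byte, agents map[string]*rsa.PublicKey) (*Envelope, error) {
	kiv := make([]byte, 32+aes.BlockSize) // 32-byte AES key followed by a 16-byte IV
	rand.Read(kiv)                        // crypto/rand always fills the buffer completely
	key, iv := kiv[:32], kiv[32:]
	block, _ := aes.NewCipher(key) // key length is fixed at 32 bytes, so this cannot fail
	n := aes.BlockSize - len(creds)%aes.BlockSize
	padded := append(append([]byte{}, creds...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // encrypt in place
	env := &Envelope{IV: iv, Ciphertext: padded, WrappedKeys: map[string][]byte{}}
	for name, pub := range agents { // the same AES key is wrapped separately for every agent
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wk
	}
	return env, nil
}
// Open (agent side): unwrap this agent's copy of the key with its private key, then decrypt the credentials.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKeys[name], nil)
	if err != nil || len(key) != 32 { // another agent's key, or no copy for this agent, fails here
		return nil, errors.New("cannot unwrap the credentials key for this agent")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length; verify every pad byte
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

Nothing the cloud stores (IV, ciphertext, wrapped keys) can be opened without one of the agents’ private keys, which is the property the text relies on.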
Thus, the security credentials used to access the objects of a customer’s IT infrastructure are encrypted on the customer’s side and can only be decrypted using the private keys of the agents deployed in the customer’s infrastructure. This completely eliminates any possibility of the security credentials leaking from the cloud or being used without authorization.
Have questions? Feel free to ask!
We’ll be glad to answer.
Press Center, RCNTEC
+ (495) 009 87 87,