EIGHT-WIRE CONDUCTOR

Security White Paper
AUDIENCE
This white paper covers all aspects of security related to Conductor and
how it stores and moves data. This document is intended for a technical
audience who will have experience with databases, file systems and
networking.
Overview
Broadly speaking, the following diagram represents the major
components that could participate in any point-to-point ETL process
through Conductor, including on-premise and cloud-based data stores.
It is only one of many possible scenarios, shown for illustration
purposes:
[Diagram labels: Customer Network; Agent; Conductor; Cloud Providers;
Databases (SQL Azure, Amazon Redshift, etc); Documents (Cloudant,
MongoDB, etc)]
Eight-Wire’s Conductor is a data provisioning management application
that automates the movement, management, and control of business data.
It was built to minimise the pain that customers typically experience
with managing data day-to-day. This is accomplished through automating
the majority of the work behind the scenes so it doesn’t need to be
built manually by developers.
Data Store to Agent Communications
The agent can connect to database and file resources on the local
network where it is installed.
Database
The Conductor Agent makes use of industry standard communication
protocols when communicating with databases (data stores), such as
OLEDB and ODBC, and also supports Microsoft SQL Native Client. The
agent relies on existing drivers on the server it is running on and does
not provide any native functionality to support these protocols or
drivers. The user provides a connection string through the Conductor
website, which is used to make a connection between the agent and
database. All encryption, or lack thereof, is the result of the connection
between the user-installed or OS-provided driver and the user’s
database and is out of Eight Wire’s control. If your driver natively
supports encryption then your connection is probably encrypted; if it
needs to be enabled then you should do this in the connection string.
© 2015 Eight Wire Ltd | eight-wire.com
Remember, no data has left or entered your network as part of this link between a
database and an agent, provided the database is within your network.
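The following is an added example, not part of the original white paper and not Eight Wire code: a small auditor that reports what a connection string asks the driver to do about encryption before it is entered on the Conductor website. It assumes SQL Server style keywords (Encrypt, TrustServerCertificate, and the OLE DB long forms); the function names and the sample strings are constructed for illustration.

```python
# Added example (not Eight Wire code): classify what a connection string asks
# the driver to do about transport encryption. Keywords are the SQL Server
# ODBC / ADO.NET names and their OLE DB long forms; other drivers differ.
TRUTHY = {"yes", "true", "mandatory", "strict"}
ENCRYPT_KEYS = ("encrypt", "use encryption for data")
TRUST_KEYS = ("trustservercertificate", "trust server certificate")


def parse_connection_string(conn_str):
    """Parse 'key=value;...' into a dict with lower-cased keys. ODBC values may
    be quoted as {...}: ';' and '=' inside are data and '}}' is a literal '}'."""
    pairs, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip(" ;").lower()
        if conn_str[eq + 1:eq + 2] == "{":
            end = eq + 2
            while end < n and not (conn_str[end] == "}" and conn_str[end + 1:end + 2] != "}"):
                end += 2 if conn_str[end] == "}" else 1
            value = conn_str[eq + 2:end].replace("}}", "}")
        else:
            end = conn_str.find(";", eq + 1)
            end = n if end == -1 else end
            value = conn_str[eq + 1:end].strip()
        pairs[key] = value
        i = end + 1
    return pairs


def audit(conn_str):
    """Return 'encrypted', 'encrypted-unverified' or 'not-requested'."""
    kv = parse_connection_string(conn_str)
    encrypt = any(kv.get(k, "").lower() in TRUTHY for k in ENCRYPT_KEYS)
    trust = any(kv.get(k, "").lower() in TRUTHY for k in TRUST_KEYS)
    if not encrypt:
        return "not-requested"  # the driver/server default decides
    # Trusting the server certificate blindly encrypts without authenticating
    # the server, so the link can still be intercepted.
    return "encrypted-unverified" if trust else "encrypted"


# Constructed sample strings; host, user and password are placeholders.
ODBC_OK = "Driver={SQL Server Native Client 11.0};Server=db01.example;Encrypt=yes;TrustServerCertificate=no"
OLEDB_BLIND = "Provider=SQLNCLI11;Data Source=db01.example;Use Encryption for Data=True;Trust Server Certificate=True"
BRACED_PWD = "Driver={SQL Server};Server=db01.example;UID=etl;PWD={a;Encrypt=yes;b}"
```

The third sample shows why the braces are parsed: a naive split on ';' would read the password fragment as an Encrypt=yes setting and report the link as encrypted.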
File System
For file-based data stores (folders), the agent will either load a file into memory from
disk or network drive, or write a file to disk or network drive from memory. The
security of this data as it travels between the agent and the file system is dependent
on the file system’s own encryption and security practices, but is usually fairly secure
and follows industry best practice. Again, no data has travelled outside of your
network to achieve this.
Security Context on Microsoft Windows
When an agent is installed on a Microsoft Windows computer it will run as a Windows
service under the NT AUTHORITY\SYSTEM account by default. You can configure
which account it runs under by configuring the Windows Service. You should ensure
that the account used has enough access to the database or file system to do the job
and nothing more. This account should also have the right to access the internet over
port 443 (HTTPS). By managing these access permissions you can dictate what can
and cannot be done through the agent.
The Conductor Agent currently supports Microsoft Windows XP and above. Both 32-bit
and 64-bit versions are available.
Agent to Conductor
When an agent receives data from a data store on your network, whether it is data
from a file or database, it compresses it, encrypts it and sends it over the internet to
Conductor servers. When it receives data from the Conductor server the same
process happens in reverse.
All communication over the internet happens using the industry standard HTTPS
protocol and encryption over TCP port 443. Our encryption certificate uses SHA1/RSA
(2048 bit) encryption.
All communication between agent and server is encrypted and obscure – aside from
the data itself, it does not contain references to accounts or users and cannot be
tracked back to individual customers using any information contained in the
metadata included in the data transfer.
The agent periodically calls out to Conductor servers, never the other way around.
There is usually no need to make any changes to existing firewalls and certainly no
need to allow in-bound communications of any sort. Instructions sent to the agent
initiating an upload or download are likewise encrypted and reasonably obscure. The
nature of this one-way communication makes it impossible to directly attack an agent
from outside the firewall by connecting to it as there is usually no way to make a
direct connection.
The agent supports the use of a standard proxy server and can be configured to use
one if required.
In building our security systems, a large number of potential attack scenarios were
considered—none provided a direct path to customer data. Multiple lines of defence
are present no matter which direction an attack originates, including multiple levels
of encryption, authentication, single-use keys and short timeouts to name a few. This
is a very difficult proposition for any hacker and there are usually perceived easier
routes to compromising a system. We are confident we have adopted secure
practices throughout our communication systems. Any abnormalities are
automatically reported back to us. We have never had a security breach.
Conductor Internal Processing
When Conductor servers receive information from an agent or other source, it is
stored temporarily (up to 24 hours) on our servers for reference purposes. All data
stored on our servers is encrypted using the AES cipher. Data is stored in an
encrypted and secured database on cloud servers behind multiple layers of firewall
and datacentre physical protection. No other information is stored with the data
other than an obscure single-use GUID relating to metadata stored in a different part
of the system – none of the metadata stored with the data can be linked directly to an
account or user. Although the risk of interception within our own internal networks is
next to nil, we still ensure all data is encrypted in memory before it is transmitted
internally or stored in any internal database.
All data held on our servers is deleted after 24 hours. No customer data is included in
any internal backups, ensuring that when it is deleted, it is truly gone.
All other sensitive information we hold, such as user passwords, file paths and
database connection strings, is encrypted and never stored in plain text.
Conductor to Cloud Providers
When Conductor receives data from a cloud provider it is treated with the same level
of security and stored as described above.
When Conductor sends data to a cloud provider we make use of that provider’s own
security mechanisms. For example, when we connect to SQL Azure, we use the
security implicit in the SQL Native Client; likewise, we use HTTPS when
communicating with the Cloudant API. For more information about the security
available from each provider please visit their websites. If you are not sure, contact us
at [email protected].
Conductor API
All Conductor functionality can be accessed through the Conductor API. All API
communication is over encrypted HTTPS and is REST-based. Conductor account
authentication is key-based. All Conductor keys can be regenerated by users at any
point through the Conductor website.