Central Server¶
Securden runs on a dedicated central server connected to a backend database. It is implemented as a fully access controlled and highly available cluster of application servers. While the server handles all the business logic, users connect to it using any standard web-browser. Every installation is secured with an automatically generated, unique random key. The key serves as the master key for various encryption operations in the product.
Data Storage¶
All sensitive data gets stored in an encrypted form inside the digital vault. Securden uses the AES-256 algorithm to do the encryption.
- The sensitive data provided as input to the Securden server is encrypted using the unique installation key. This happens at the application level.
- The encrypted data is securely stored in the database
Data Integrity¶
- The encryption key cannot be held together with the encrypted data.
- The encryption key is needed only for starting Securden. It has to be kept somewhere outside and made available to the Securden Endpoint Privilege Manager server during startup.
Even if the database gets into a malicious user's hands, sensitive data cannot be deciphered in plain-text without the installation key.
Database connections¶
The database accepts only secure connections. Clients can connect only from the same localhost. In high availability configuration, where the server and the database run on different servers, the database accepts connections only from specific IP addresses.
Design Highlights
- AES-256 encryption
- Encryption key