Security

DataZen implements security at multiple levels including DataZen Manager, DataSync Agents, and Change Logs. This section provides an overview of various security features available.

DataZen Manager

DataZen Manager does not store sensitive data directly. However, it provides management screens that display and send sensitive data to DataSync Agents. As a result, DataZen Manager offers a few security options to help keep sensitive data secure.

DataZen Manager communicates to an agent using an HTTP API exposed by the agent. Cloud-hosted agents use SSL automatically. Self-hosted agents are configured to listen on port 9559 by default, but the port can be changed. To encrypt self-hosted HTTP communication, you can bind an SSL certificate to port 9559, or change the listening port to 443. Even without SSL encryption, connection strings are transferred encrypted by DataZen. See the Connection Strings section below for more information.

Cloud Agents

Communication to cloud agents is always SSL encrypted. Access cloud agents through its API is not currently supported.

Multitenant Configuration

By default, cloud agents are created in a multitenant configuration. The multitenant design implies that jobs you create will execute alongside other customers' jobs. However, each cloud agent deployed has its dedicated database. This ensures that while the compute engine is shared, the storage of you settings and connection strings is dedicated.

When using cloud agents, you can optionally use a shared storage for your change logs as well. This setting is optional; you can use your personal cloud storage to store your change logs. When using cloud-based agents, it is recommended to encrypt and sign your change logs to ensure maximum privacy.

Self-Hosted Agents

Authentication & Authorization

DataZen Manager requires users to be authenticated on the local machine and as such implements a single sign-on mechanism with the local Windows operating system. However, DataZen Manager does not by itself provide any information or configuration settings that is sensitive in nature, so no additional authentication or authorization is implemented by DataZen Manager, until you register an agent. Accessing a DataSync Agent requires authentication and authorization.

Connection Strings

Most screens showing connection strings do not actually load secrets on the screen; instead, most screens display the Connection Key of the selected connection string. However, the Connection String management screens do display and save full connection string secrets. Anytime a connection string secret is read, or saved, the connection string is encrypted. This ensures that even if no SSL encryption is enabled on the DataSync Agent HTTP port connection secrets are encrypted on the wire.

Connection strings are encrypted using AES and are stored with a Vector (Salt). They can be accessed using the GET Connections operation if the Shared Access Keys are enabled for the Agent API.

DataSync Agent Configuration

SSL Encryption

Unless specifically configured to listen on a different port, agents listen on HTTP port 9559 on an unencrypted HTTP channel. To secure administrative traffic to your agent, you can install an SSL certificate and bind it to the listening port to enable HTTPS communication.

To bind EnzoDS.exe to port 443 on your local server, change the appSettings section of the settings file (EnzoDS.exe.Config) as follows:

<add key="listenerPort" value="443" />
<add key="listenerUrl" value="https://SERVERNAME" />

This section provides high level information on how to create and configure a self-signed SSL certificate on port 443, for a test environment. For production environments, it is recommended to use a public Certificate Authority to obtain a certificate for your server instead.

• Create a CA Certificate

  makecert -n "CN=datazen" -r -sv datazen.pvk datazen.cer

  Once created, add this certificate to your Trusted Root Certification Auhorities store.
• Create an SSL Certificate Replace YOURSERVERNAME below with you actual server name.

  makecert -sk DataZenSSL -iv datazen.pvk -n "CN=YOURSERVERNAME" -ic datazen.cer datazenssl2.cer -sr localmachine -ss My

  This command will generate an SSL certificate and add it to the My certificate store.
• Find the SSL Cert Thumbprint (MMC Snap-In) Using MMC (Certificate Snap-In) find the SSL certificate you just created in the Personal\Certificate store (My) and copy its Thumbprint in memory.
• Bind SSL to Port 443 (IPv4 and IPv6) Replace the certhash value with Thumbprint above

  netsh http add sslcert ipport=0.0.0.0:443 certhash=THUMBPRINT appid={0abc7514-3558-4142-b81b-79149673bf57} certstorename=MY usagecheck=disable
  netsh http add sslcert ipport=[::]:443 certhash=THUMBPRINT appid={0abc7514-3558-4142-b81b-79149673bf57} certstorename=MY usagecheck=disable

You should now be able to start the agent on your machine using https://SERVERNAME on port 443, and connect to is using DataZen Manager.

Auditing

DataZen stores a detailed log of actions taken on its API in the database. A summary of jobs that have been executed is stored in the jobexecutions table, while the details of each execution are stored in the executionauditlog table. In addition, it is possible to log all activities to disk. Enabling this feature is only recommended during testing for performance reasons. To enable the disk audit log, add an entry in the appSettings section of the EnzoDS.exe.Config file:

<add key="logFile" value="c:\tmp\enzodslog.txt" />