<h1 id="securityfeaturesofcloudberry">Security features of CloudBerry</h1>
<p>A brief description of the current security features in Managed Backup Service and the Backup agent.</p>
<hr />
<h2 id="mbsconsole">MBS Console</h2>
<h3 id="twofactorauthentication">Two-factor authentication</h3>
<p>To minimize penetration risk, we implemented 2FA. You can enable it in the General settings section.</p>
<p><img src="/content/images/7b29aeb4-6017-4d70-aeac-3b000cff2594.png" alt="MBS 2FA" /></p>
<p>The 2FA option is available for root accounts and sub-administrators.</p>
<h3 id="ssltls">SSL/TLS</h3>
<p>We use SSL within our environment. If you're concerned about overall server security, you can always check our servers from the outside with vulnerability assessment tools, such as SSL Labs by QualysGuard. Test results can be found at the following links:</p>
<p><a href="https://www.ssllabs.com/ssltest/analyze.html?d=mspbackups.com">https://www.ssllabs.com/ssltest/analyze.html?d=mspbackups.com</a></p>
<p><a href="https://www.ssllabs.com/ssltest/analyze.html?d=mbs.cloudberrylab.com">https://www.ssllabs.com/ssltest/analyze.html?d=mbs.cloudberrylab.com</a></p>
<hr />
<h2 id="backupagent">Backup agent</h2>
<h3 id="dataintransitencryption">Data in transit encryption</h3>
<p>During data transfers, we encrypt data with SSL/TLS protocols.
</p>
<h3 id="onsiteencrytion">On-site encryption</h3>
<p><strong>CloudBerry</strong> can encrypt data before sending it to the cloud, using the AES algorithm (key length 128-256).</p>
<p><img src="/content/images/c5349a9a-07f1-4f4d-a0e7-257d484c6929.png" alt="AES support for on-site encryption" /></p>
<p><strong>Server-side encryption</strong></p>
<p>The <strong>CloudBerry agent</strong> supports the AWS S3 encryption REST API.</p>
<p><img src="/content/images/25cf9f51-0773-44b5-8901-6db6e3c3fe43.png" alt="AWS REST API support" /></p>
<h3 id="temporarysecuritycredentials">Temporary security credentials</h3>
<p>Our software supports temporary security credentials using the AWS Security Token Service API. These credentials have a limited lifetime, which means that even in case of a security breach they can't be used for any valuable period of time.</p>
<h3 id="assumerole">Assume role</h3>
<p>Using AWS Assume Role, <strong>CloudBerry Backup</strong> gains the ability to access other accounts. Assuming a role lets a user keep one set of long-term credentials in one account and use temporary security credentials to access all the other accounts.</p>
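<p>The pattern from the two sections above, as an added example that is not CloudBerry's code: one STS client built from the long-term credentials hands out short-lived per-role credentials and renews them shortly before expiry. The class names, the session name, the role ARN and the stub client are hypothetical or constructed; <code>assume_role</code> and its parameters are the boto3 STS call.</p>

```python
from datetime import datetime, timedelta, timezone

class AssumedRoleCache:
    """Per-role cache of temporary credentials, renewed shortly before expiry."""

    def __init__(self, sts_client, duration_seconds=900,
                 refresh_margin=timedelta(minutes=5)):
        # In production: sts_client = boto3.client("sts"), built from the single
        # long-term key pair. 900 s is the shortest lifetime AssumeRole accepts.
        self._sts = sts_client
        self._duration = duration_seconds
        self._margin = refresh_margin
        self._cache = {}

    def credentials_for(self, role_arn, now=None):
        now = now or datetime.now(timezone.utc)
        cached = self._cache.get(role_arn)
        if cached and cached["Expiration"] - now > self._margin:
            return cached                      # still comfortably valid
        resp = self._sts.assume_role(RoleArn=role_arn,
                                     RoleSessionName="backup-agent",  # hypothetical name
                                     DurationSeconds=self._duration)
        self._cache[role_arn] = resp["Credentials"]
        return resp["Credentials"]

def as_boto3_kwargs(creds):
    """Map an STS Credentials dict onto boto3.client(...) keyword arguments."""
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}

class StubSTS:
    """Constructed offline stand-in for the STS client; records each call."""
    def __init__(self):
        self.calls, self.clock = [], datetime(2024, 1, 1, tzinfo=timezone.utc)

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls.append(RoleArn)
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{len(self.calls)}", "SecretAccessKey": "constructed",
            "SessionToken": "constructed-token",
            "Expiration": self.clock + timedelta(seconds=DurationSeconds)}}

if __name__ == "__main__":
    sts = StubSTS()
    cache = AssumedRoleCache(sts)
    arn = "arn:aws:iam::111111111111:role/BackupWriter"   # constructed ARN
    cache.credentials_for(arn, now=sts.clock)
    cache.credentials_for(arn, now=sts.clock + timedelta(minutes=5))   # cache hit
    sts.clock += timedelta(minutes=11)
    cache.credentials_for(arn, now=sts.clock)                          # renewed
    print(sts.calls)
```

<p>A leaked copy of any cached entry stops working at its <code>Expiration</code>, while the long-term key pair never leaves the account that owns it.</p>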