Security Architecture

    Article Summary

    At ControlUp we care about your security and are committed to the protection of your company’s infrastructure and data. ControlUp Edge DX has a robust security architecture comprising multiple security measures, designed to minimize the exposure of your company’s networks and systems to invasive or malicious activity.


    Secure Cloud Service

    Edge DX uses the Microsoft Azure Cloud Service.

    • There is a dedicated instance per customer – absolutely zero data is shared.
    • There is no direct access to the database or other components from the internet.

    Secure Data Storage in the Cloud

    Edge DX data is stored in the Edge DX database in Microsoft Azure. The data storage in the cloud is secured.

    • Access to the database is only possible through the API.
    • The data storage is encrypted, so that if an unauthorized entity gains access to the data storage, it is not possible to read any of the data off the disk.
    • API calls are authenticated as follows:
      • Device calls to the API for upload of data and retrieval of configurations require the device to use a Device Access Token, which is generated on device registration.
      • Administrator actions through the API require a User Access Token, which is generated following successful Multi-Factor Authentication.
      • Data can optionally be retrieved through the API with an apikey, which is created by an Administrator. There are no apikeys in the system by default.
    • The database and tenant nodes are in Azure US East by default for US customers. For European customers, tenants (including the database) can be placed in Azure datacenters in Europe. For example, if all the Edge DX agents and the tenant are inside the US, the data never leaves the US.

    Edge DX hosts in the following Azure locations:

    • US East (Virginia)
    • Central US (Iowa)
    • Canada Central (Toronto)
    • Germany North (Berlin)
    • West Europe (Amsterdam)
    • Sweden Central (Gävle)
    • France Central (Paris)
    • Switzerland North (Zurich)
    • UAE North (Dubai)
    • Central India (Pune)

    Secure Data Transmission

    Data transmission for Edge DX:

    • All data travels over port 443 on HTTPS using TLS 1.2 or higher.
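The page states that every Edge DX connection is outbound from the agent to port 443 using TLS 1.2 or higher. The script below is an added example, not ControlUp's code, that an endpoint administrator can run on a managed device to confirm the path to a given host really negotiates TLS 1.2+ with a certificate the system trusts. It is the check to run when a web proxy or TLS-inspection appliance sits between the agents and the cloud service. The host name in the `__main__` block is an assumed placeholder.

```python
"""Outbound TLS policy probe (added example, not ControlUp's code)."""
import socket
import ssl
from typing import Optional

# Protocol versions the page's policy accepts; anything older fails the check.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate below TLS 1.2 and verifies
    the server certificate against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def version_meets_policy(negotiated: Optional[str]) -> bool:
    """True when the negotiated protocol string is TLS 1.2 or higher."""
    return negotiated in ACCEPTED_VERSIONS


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open one outbound connection, complete the handshake and report what
    was negotiated. Returns a dict so the caller can log or alert on it."""
    ctx = make_client_context()
    result = {"host": host, "port": port, "ok": False,
              "version": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["version"] = tls.version()
                cipher = tls.cipher()
                result["cipher"] = cipher[0] if cipher else None
                result["ok"] = version_meets_policy(result["version"])
    except (ssl.SSLError, OSError) as exc:
        # A failed handshake under this context means the path cannot reach
        # the host with TLS 1.2+ and a trusted certificate, or is blocked.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Assumed placeholder; substitute the tenant or CDN host actually in use.
    print(probe_tls("example.invalid"))
```

Because the context sets `minimum_version` to TLS 1.2, a middlebox that only offers TLS 1.0 or 1.1, or presents an untrusted inspection certificate, shows up as a handshake error rather than a silently downgraded session.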

    Secure Communication between the Edge DX Agents and the Edge DX Backend in the Cloud

    Communication between the Edge DX agents and the Edge DX backend in the cloud is secured:

    • All communication is initiated outbound by the agent. The agent does not listen on any port.
    • The agent attempts to establish a WebSocket to the Edge DX Cloud Service. If this fails, it reverts to polling.
    • The (optional) Agent Manager auto-updates the agent from downloads.sip.controlup.com, which uses the Azure CDN.

    Data Retention

    Data retention is managed as follows:

    • Data is retained for each device for a minimum of 30 days.
    • Core performance metrics are gathered every 60 seconds.
    • If the connection between an endpoint and Edge DX is temporarily interrupted, data is cached locally in the file system while the endpoint is offline and uploaded as soon as the connection is restored. The only limit on the amount of data that can be stored locally is the available file system space, but the stored data typically amounts to only a few MB per week.

    Secure User Logons

    • The exchange of authentication and authorization data can be configured using a SAML provider.
    • The Edge DX console relies on ControlUp Solve for SSO to SAML providers. You can configure a SAML authentication provider in Solve and then you can use it to SSO into the Edge DX console.
    • Multi-Factor Authentication is employed to enhance the security of Edge DX. All administrators are required to change their password and register for MFA at first logon.

    Role-based Permissions in Edge DX

    Access to features within Edge DX is secured using role-based permissions. See Role-Based Access in Edge DX for further details.

    Edge DX Security Best Practices

    Adherence to the recommended security best practices minimizes the exposure of your company’s networks and systems to invasive or malicious activity.

    We recommend the following to optimize the security of your company’s networks and systems:

    Edge DX Agent Updates

    • For OS platforms that support it, we recommend distributing the Agent Manager which automatically updates the Agent with the versions that you set in your version control settings. Learn more about Agent version control.
    • If you opt not to use the Agent Manager to automatically update the Edge DX Agents, and instead manually update the Agent on each machine, update agents at least every 6 months to take advantage of fixes and new functionality.
