Edge DX Security Architecture

At ControlUp we care about your security and are committed to the protection of your company’s infrastructure and data.  ControlUp Edge DX has a robust security architecture comprising multiple security measures, designed to minimize the exposure of your company’s networks and systems to invasive or malicious activity.

[Figure: Edge DX Security Architecture]

Secure Cloud Service

Edge DX uses the Microsoft Azure Cloud Service.

  • There is a dedicated instance per customer – absolutely zero data is shared.
  • There is no direct access to the database or other components from the internet.

Secure Data Storage in the Cloud

Edge DX data is stored in the Edge DX database in Microsoft Azure. Cloud data storage is secured as follows:

  • Access to the database is only possible through the API.
  • The data storage is encrypted, so that if an unauthorized entity gains access to the data storage, it is not possible to read any of the data off the disk.
  • API calls to the interface:
    • Device calls to the API for upload of data and retrieval of configurations require the device to use a Device Access Token, which is generated on device registration.
    • Administrator actions through the API require a User Access Token, which is generated following successful Multi-Factor Authentication.
    • Data can be optionally retrieved through the API with an apikey, which is created by an Administrator. There are no apikeys in the system by default.
  • The database and tenant nodes are in Azure US East by default for US customers. For European customers, tenants (including the database) can be placed in Azure datacenters in Europe. For example, if all the Edge DX agents and the tenant are inside the US, the data never leaves the US.

Secure Data Transmission

Data transmission for Edge DX:

  • All data travels over port 443 on HTTPS using TLS 1.2 or higher.

Secure Communication between the Edge DX Agents and the Edge DX Backend in the Cloud

Communication between the Edge DX agents and the Edge DX backend in the cloud is secured:

  • All communication is initiated outbound by the agent. The agent does not listen on any port.
  • The agent attempts to establish a WebSocket connection to the Edge DX Cloud Service. If this fails, it falls back to polling.
  • The (optional) Agent Manager auto-updates the agent from downloads.sip.controlup.com, which uses the Azure CDN.
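
The outbound-only, port-443-only behavior described above can be checked on a Linux endpoint by auditing the socket table. The following is an added example, not ControlUp code: the process name `edgedx-agent` is a hypothetical placeholder (the page does not name the agent binary), and the `ss -H -tanp` output is a constructed sample using documentation IP ranges.

```python
import re

# Hypothetical process name: the page does not name the agent binary.
AGENT_PROCESS = "edgedx-agent"
ALLOWED_REMOTE_PORTS = {443}  # from the page: all data travels over port 443

# Constructed sample of `ss -H -tanp` output (documentation IP ranges).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
ESTAB 0 0 10.0.0.5:51234 203.0.113.10:443 users:(("edgedx-agent",pid=2044,fd=9))
ESTAB 0 0 10.0.0.5:51240 198.51.100.7:8080 users:(("edgedx-agent",pid=2044,fd=11))
LISTEN 0 16 [::]:9100 [::]:* users:(("edgedx-agent",pid=2044,fd=12))
ESTAB 0 0 10.0.0.5:40022 192.0.2.44:443 users:(("curl",pid=3100,fd=5))
"""

PROC_NAME_RE = re.compile(r'\("([^"]+)",pid=\d+')

def parse_ss(text):
    """Yield (state, local, peer, process_name) for each socket owner."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # header, blank line, or socket without process info
        # A socket can be shared by several processes; report each owner.
        for name in PROC_NAME_RE.findall(" ".join(fields[5:])):
            yield fields[0], fields[3], fields[4], name

def port_of(endpoint):
    """Return the numeric port of 'addr:port', or None for wildcard '*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def audit_agent_sockets(text, process=AGENT_PROCESS):
    """Return findings that contradict the outbound-only, 443-only model."""
    findings = []
    for state, local, peer, name in parse_ss(text):
        if name != process:
            continue
        if state == "LISTEN":
            findings.append(("listening", local))
        elif port_of(peer) not in ALLOWED_REMOTE_PORTS:
            findings.append(("unexpected-remote-port", peer))
    return findings

if __name__ == "__main__":
    for kind, endpoint in audit_agent_sockets(SAMPLE_SS_OUTPUT):
        print(f"{kind}: {endpoint}")
```

An empty result means the agent's sockets match the documented model; any finding is worth comparing against the host firewall's egress rules.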

Data Retention

Data retention is managed as follows:

  • Data is retained for each device for a minimum of 30 days.
  • Core performance metrics are gathered every 60 seconds.
  • If the connection between an endpoint and Edge DX is temporarily interrupted, data is cached locally in the file system while the endpoint is offline. The data is uploaded as soon as the connection is restored. The amount of data that can be stored locally is limited only by the file system, but the stored data typically amounts to only a few MB a week.

Secure User Logons

  • The exchange of authentication and authorization data can be configured using a SAML provider.
  • The Edge DX console relies on ControlUp Solve for SSO to SAML providers. You can configure a SAML authentication provider in Solve and then you can use it to SSO into the Edge DX console.
  • Multi-Factor Authentication is employed to enhance the security of Edge DX. All administrators are required to change their password and register for MFA at first logon.

Role-based Permissions in Edge DX 

Access to features within Edge DX is secured using roles and permissions:

  • The current (Oct 2021) release of Edge DX supports the use of two roles: Administrator and Viewer. The Administrator has full control of all settings, whereas a Viewer has access only to reporting and device information.
  • Features that should not be available to any role can be disabled for all users. These can include Remote Control, Remote Shell, and User Activity collection.
  • Administrator actions can be audited using the System Events log, which retains a log of Administrator logons and actions.
  • More granular custom roles, based on a list of permissions, are a security improvement that is currently being designed and is scheduled for release at the end of 2021.
  • A second phase of improvement will allow roles to be restricted to particular groups of devices. 

Edge DX Security Best Practices

Adherence to recommended security best practices minimizes the exposure of your company’s networks and systems to invasive or malicious activity.

We recommend the following to optimize the security of your company’s networks and systems:

Edge DX Agent Updates

  • We recommend distributing the Agent Manager with the Edge DX Agent so that each device is automatically upgraded to the latest version of the agent.
  • If you opt not to use the Agent Manager to automatically update the Edge DX Agents, and instead manually update the Agent on each machine, update agents at least every 6 months to take advantage of fixes and new functionality.