    Securing Credentials


    In order to ensure the highest security standards when handling clients' credentials, Dataddo employs secret management services such as Amazon Web Services Key Management Service (AWS KMS), Google's Cloud Key Management (Cloud KMS), and Microsoft Azure's KeyVault for encryption and decryption of secrets and credentials.

    These services manage customer secrets by replacing passwords and usernames with reference objects. Reference objects can be accessed only for specified purposes using tokens such as JSON Web Tokens (JWT), which have a set expiration time.

    Secret Encryption Workflow

    1. Client provides credentials to access their service account.
    2. The credentials are encrypted by one of the secret management services. Usernames, passwords, and other information are replaced with reference objects.
    3. A unique secret ID (UUID) is generated; this ID is used whenever a new extraction or write operation is triggered.
    4. The password is revealed using an access token only during the moment of connection to the target system.

    Access to Secrets

    1. Every user activity or cron job run has a JWT token with a corresponding customer ID reference.
    2. When an operation needs a password, the JWT token will be used for authorization.
    3. A secret management service then validates the token and allows access only to the secrets with the corresponding customer ID.
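    The access flow above, as an added illustration that is not Dataddo's own code: a `SecretStore` class models the secret management service boundary (secrets keyed by UUID and tagged with their owner's customer ID), and `reveal()` releases a secret only to a caller whose HS256 JWT is correctly signed, unexpired, and carries the matching customer ID. The signing key, class and function names are constructed for the example.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed signing key for the hypothetical token issuer (not a real key).
SIGNING_KEY = b"constructed-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(customer_id: str, ttl_seconds: int, now=None) -> str:
    """Mint an HS256 JWT carrying the customer ID reference and an expiry."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    claims = {"sub": customer_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_jwt(token: str, now=None) -> str:
    """Return the customer ID from a validly signed, unexpired token; raise otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):  # constant-time compare
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["sub"]

class SecretStore:
    """Model of the secret service boundary: a real KMS keeps entries encrypted, here they stay in-process."""
    def __init__(self):
        self._secrets = {}

    def store(self, customer_id: str, username: str, password: str) -> str:
        """Return a UUID reference object that replaces the raw credentials in the caller's records."""
        secret_id = str(uuid.uuid4())
        self._secrets[secret_id] = {"owner": customer_id, "username": username, "password": password}
        return secret_id

    def reveal(self, secret_id: str, token: str, now=None) -> dict:
        """Validate the token, then release only a secret owned by the token's customer ID."""
        caller = validate_jwt(token, now)
        entry = self._secrets.get(secret_id)
        if entry is None or entry["owner"] != caller:
            raise PermissionError("secret not found for this customer")  # same error for both cases
        return {"username": entry["username"], "password": entry["password"]}
```

Returning the same error for a missing secret and for a secret owned by another customer avoids confirming that a given UUID exists.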

    Automatic Keys Rotation

    Apart from secret encryption and decryption, AWS KMS and Google's Cloud Key Management (Cloud KMS) are also responsible for rotating the encryption keys for enhanced security.

    Military-Grade and Quantum-Safe Encryption Keys

    The default key spec, SYMMETRIC_DEFAULT, currently represents AES-256-GCM, a symmetric algorithm based on Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit keys which is an industry standard for secure encryption.

    For more information, refer to the official AWS KMS documentation.
