02: What data is stored in PolicyPak Cloud, and how is that data safely communicated and stored ?
What is stored:
As expected, some data from your organization is stored within PolicyPak Cloud after a computer “joins” PolicyPak cloud. However, there isn’t very much stored.
Note: At no times are any usernames, passwords, OUs, domain names, or anything else utilized or stored within PolicyPak Cloud.
Here is precisely what is stored within PolicyPak Cloud with regards to data about
- PolicyPak UUID: This is random, unique ID generated in the cloud at “join time.” It doesn't contain any computer-specific data, but it helps us to identify the computer when it checks in.
- Fingerprint: This is a SHA256 hash of hardware UUID and OS IDs. This is used as a unique computer ID in order to generate a unique license.
- MAC address: All physical network adapters MAC addresses are stored in PPCloud.
- BIOS UUID: This is a unique hardware ID assigned to every physical and virtual machine by the manufacturer. (For more information on BIOS UUID, see http://searchsoa.techtarget.com/definition/UUID)
- Last known public IP address: This is stored only for reporting and search on the website.
- OS version and build: This is stored only for reporting. (e.g. Microsoft Windows NT 6.2.9200.0 or Microsoft Windows NT 6.1.7601 Service Pack 1)
- Computer name: The FQDN computer name it has been assigned.
- Check in times: First check in date and time and Last check in date and time.
Other items which are stored in PolicyPak Cloud are:
- XML Data files (Policies) that you upload.
- Group Names you create.
- Reports that you create.
- Names and email addresses of other administrators you have granted rights to use PolicyPak cloud
- Current licensing status and number of computers licensed.
How is data is stored “at rest” with PolicyPak Cloud:
All communication to and from the client machines with PolicyPak Cloud is always encrypted as seen in the next section.
At rest, we store all the data in SQL Azure, and have Transparent Data Encryption option enabled.
More about TDE Azure option: https://msdn.microsoft.com/library/dn948096
More about TDE (in general): https://msdn.microsoft.com/en-us/library/bb934049
So.. from the second MS link:“Transparent Data Encryption(TDE) encrypts SQL Server and Azure SQL Database data files, known as encrypting data at rest. “
How is data communicated to and from PolicyPak Cloud:
All communication to and from the client machines with PolicyPak Cloud is always encrypted. Here is how the client attempts to communicate with PolicyPak Cloud:
- PolicyPak Cloud client tries HTTPS (secure HTTP) using port 443 first using an encrypted PolicyPak Cloud certificate the client received at “join” time.
- PolicyPak Cloud client then tries HTTP using port 80, but with a message-level algorithm suite that uses RSA15 as the key wrap algorithm, SHA256 for the signature digest, and 256-bit Basic as the message encryption algorithm. In HTTP mode the PolicyPak Cloud client verifies the identity of the server using a hardcoded certificate.