Security architecture and principles
In this topic, you will learn about the Portnox™ Cloud security principles and how they apply to every layer of the Portnox Cloud architecture.
Introduction
Portnox Cloud enables IT security personnel to discover, monitor, and manage endpoint security postures, threats, and vulnerabilities, and to make real-time access decisions (network and cloud), based on the determined endpoint risk.
Portnox Cloud risk assessment is built as an ongoing, continuous process of collecting and analyzing hundreds of different endpoint parameters and activities, which are used to determine an endpoint risk score.
To provide these capabilities, Portnox Cloud accesses, collects, and stores data from organizational devices that are enrolled in the Portnox Cloud system. Data is an organization’s most valuable and irreplaceable asset and as such, Portnox Cloud utilizes the most advanced security measures available on the market.
In this topic, we describe in depth Portnox Cloud’s security principles as they apply to every layer of the Portnox Cloud architecture:
- Data at rest – Describes how Portnox Cloud uses highly secure, encrypted Azure Storage and Azure Cosmos DB to store customer data.
- Data in transit – Describes the data and privacy protection measures employed when data travels between Portnox AgentP, the Portnox Active Directory Broker, external repositories, wireless controllers, Ethernet switches, VPN gateways, the local RADIUS, and admin browsers and the Portnox Cloud services in the Azure public cloud.
- Portnox Cloud administrators – securing privileged accounts – Describes the identity and authorization model used for administrators accessing the Portnox Cloud portal.
- Cloud service platform security and protection – Describes the security measures that protect the Portnox Cloud services.
Please note that since 1.1.2018 to date, the Portnox Cloud service is SOC 2 Type 2 certified and fully compliant with its security principles: security, availability, processing integrity, confidentiality, and privacy.
Data at rest
Cryptographic protection of data in the cloud
Portnox Cloud stores all of its customers’ data on the Azure Storage Service and Azure Cosmos DB in various formats (Big Data model). Azure Storage is known as a highly secure data store because it applies strong (256-bit AES) encryption to stored data, known as Azure Storage Service Encryption (SSE). Portnox Cloud utilizes SSE to protect and safeguard customers’ data and to meet customers’ security and compliance commitments. All collected data is automatically encrypted before it is persisted to storage and decrypted when it is retrieved.
Azure Cosmos DB provides encryption in transit (over the network) and at rest (nonvolatile storage), giving you end-to-end encryption. Data stored in Cosmos DB uses the same AES-256 encryption as Azure Storage, with keys managed by Microsoft (service-managed keys).
Data engineering security principles in Portnox Cloud
- Portnox AgentP saves collected data locally (on the endpoint device) only temporarily, for immediate or periodic transmission to the Portnox Cloud service, where it is processed and saved in Portnox Cloud storage in the cloud.
- Local RADIUS authentication cache and settings are stored in encrypted form, using 128-bit AES, to protect sensitive authentication data.
- Data in the cloud is always stored inside encrypted storage, with low coherence between records, so that it is hard to identify which organization or device owner the data belongs to.
- Portnox AgentP does not save any collected data locally on the endpoint device (except temporarily, during a connection outage). All collected data is processed and resides only in the endpoint device’s RAM and is sent immediately or periodically to the Portnox Cloud service, where it is saved in Portnox Cloud storage in the cloud.
- Portnox Cloud never collects any PII, to protect customer privacy.
Data in transit
Portnox Cloud protects all data traveling between the various Portnox Cloud components and the Portnox Cloud services, based on the following security principles:
With its 802.1X implementation, Portnox Cloud supports only secure EAP authentication methods: TLS/TTLS and PEAP-MSCHAPv2. When RadSec or a RADIUS proxy is implemented, all RADIUS communication goes inside an additional TLS-wrapped transport layer, which serves as the best protection against attacks such as MITM. Portnox Cloud services use an authorization model for allowing any access, data extraction, or data submission from any Portnox Cloud or third-party component (API calls). The authorization model is based on periodically rotated API tokens that the service caller presents in every request. There are no anonymous calls, no session management, no trusted-IP caches, and none of the other well-known techniques that jeopardize data-in-motion security; every data submission or fetch request from a Portnox Cloud component is re-authenticated and authorized anew.
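As an added illustration (not Portnox’s own code) of the token model just described, here is a minimal per-caller token authority in Python: tokens are rotated on a schedule, the replaced token is honoured only for a short grace window so that callers can pick up the new one, and every request is re-authenticated against the store with no session state, no trusted-IP cache and no anonymous path. The class name, the rotation and grace periods and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time


class TokenAuthority:
    """Per-caller API tokens, rotated on a schedule and verified on every call.

    Each request is authorized from scratch against the caller's current token
    (and, for a short grace window, the one it replaced). Nothing is cached per
    session or per source IP, and an empty token is never accepted.
    """

    def __init__(self, rotation_seconds, grace_seconds, now=time.time):
        self.rotation_seconds = rotation_seconds
        self.grace_seconds = grace_seconds
        self.now = now  # injectable clock (assumption) so behaviour is testable
        self._tokens = {}  # caller_id -> list of (sha256 hex of token, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is kept server-side: a copied token store is not a credential store.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, caller_id):
        """Mint a fresh token; any older token is retired once the grace window ends."""
        now = self.now()
        token = secrets.token_urlsafe(32)
        retired = [(d, min(exp, now + self.grace_seconds))
                   for d, exp in self._tokens.get(caller_id, [])]
        self._tokens[caller_id] = [(self._digest(token), now + self.rotation_seconds)] + retired
        return token

    def rotation_due(self, caller_id):
        """True when the caller's newest token has reached the end of its rotation period."""
        entries = self._tokens.get(caller_id)
        return not entries or self.now() >= entries[0][1]

    def authorize(self, caller_id, presented):
        """Authenticate one request: no anonymous calls, no sessions, no trusted-IP cache."""
        if not presented:
            return False
        now = self.now()
        live = [(d, exp) for d, exp in self._tokens.get(caller_id, []) if now < exp]
        self._tokens[caller_id] = live  # drop expired entries as we go
        candidate = self._digest(presented)
        # Constant-time comparison so response timing cannot leak digest prefixes.
        return any(hmac.compare_digest(candidate, d) for d, _ in live)
```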
Portnox Active Directory Broker
The Portnox Active Directory Broker is a software application that runs on-premises on the customer network and acts as a mediator between the Portnox Cloud services and the customer’s corporate directory services (Active Directory or OpenLDAP).
Since Active Directory users and groups are among an organization’s most valuable information, extra security measures are taken to safeguard that information:
- The Portnox Active Directory Broker must be installed on a domain member server running Windows Server 2008 or later (it can also be installed on the AD domain controller).
- The Portnox Active Directory Broker connects to the domain controller with a domain account that has read-only access to the organizational Active Directory.
- The Portnox Active Directory Broker can connect to the organizational Active Directory using the LDAP or SLDAP (Secure LDAP) protocol, according to the customer’s preference.
- The Portnox Active Directory Broker connects to the Portnox Cloud service using outbound TCP ports 8081 and 443. Cloud traffic is always initiated by the Portnox Active Directory Broker.
- The Portnox Active Directory Broker communicates with the Portnox Cloud services over TLS. All traffic between the Portnox Active Directory Broker and the Portnox Cloud services is encrypted.
- The Portnox Active Directory Broker updates the Portnox Cloud service only with directory users and groups. User authentication is performed using the MS-CHAP-V2 challenge/response protocol (the password does not travel within the TLS-encrypted tunnels, only the challenge/response hashes) or in plain-text form but within the TLS-encrypted tunnels (in the case of enrollment or a PAP RADIUS authentication attempt).
External repositories
Portnox Cloud supports several external repositories that are used to authenticate users to the network and to enroll AgentP (via Portnox Cloud or federated SSO): Azure, Google Workspace, and Okta.
Communication between Portnox Cloud, the user, and external repositories uses best security practices to provide full protection for user data:
- All inter-service communication uses TLS tunnels, so traffic between services is encrypted.
- In the case of Azure Directory Domain Services integration, the Portnox Active Directory Broker is installed inside the organization’s tenant, which gives the organization itself an additional security control.
- All requests to the user repository are made using read-only access, without any changes on the customer’s federation provider side.
- The federated enrollment or onboarding authentication process is fully handled by the identity provider, with all of its configured policies (such as MFA).
Wireless controllers and Ethernet switches
Wireless controllers and Ethernet switches send RADIUS authentication requests to the Portnox Cloud RADIUS server to validate and grant access to endpoint devices, whether they have Portnox AgentP installed or are agentless. The following security measures are taken to ensure secure communication between the organizational network equipment and the Portnox Cloud RADIUS in the cloud:
- All RADIUS packets use the shared secret as the key to encrypt sensitive data.
- RadSec is a new approach to RADIUS communication with the best level of security, as it works fully inside a TLS tunnel and uses the PEAP-MSCHAPv2, EAP-TLS, and EAP-TTLS protocols. The TLS tunnel is used only for sensitive data, such as passwords and hashes. All common RADIUS attributes, like Calling-Station-Id, are transferred outside of the TLS tunnel.
- In the case of MSCHAPv2, the end-user credentials never travel across the network. Instead, only the challenge/response hashes travel, enabling Portnox Cloud to reliably validate user credentials without knowing them, by using the organization’s authentication repository.
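The following added example (not part of the Portnox documentation) shows what "shared secret as the key" means at the RADIUS protocol level by implementing the RFC 2865 User-Password hiding that a NAS applies to a PAP password: the keystream is MD5 of the shared secret chained with the Request Authenticator, so the password’s confidentiality rests entirely on the secret’s strength and on the authenticator being fresh. That is the gap the TLS wrapper of RadSec and the challenge/response of MSCHAPv2 (where the password itself never travels) are meant to close. The shared secret, authenticator and password used in the test are constructed values.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks


def _keystream_block(shared_secret: bytes, chain: bytes) -> bytes:
    # b_i = MD5(shared_secret || previous ciphertext block); b_1 uses the Request Authenticator.
    return hashlib.md5(shared_secret + chain).digest()


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Build the User-Password attribute value as a NAS does for a PAP request (RFC 2865 5.2)."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL-pad to a block boundary
    hidden = bytearray()
    chain = request_authenticator
    for i in range(0, len(padded), BLOCK):
        block = _keystream_block(shared_secret, chain)
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], block))
        hidden += cipher
        chain = cipher  # the next keystream block is keyed on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Undo the hiding as the RADIUS server does; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    chain = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = _keystream_block(shared_secret, chain)
        chunk = hidden[i:i + BLOCK]
        plain += bytes(c ^ k for c, k in zip(chunk, block))
        chain = chunk
    return bytes(plain).rstrip(b"\x00")
```

Anyone holding the shared secret and observing the packet recovers the password with the same few lines the server uses, which is why the page treats PAP as protected only at the RADIUS level.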
Portnox Cloud guest management for wireless networks
With Portnox Cloud guest management for wireless networks, Portnox Cloud uses the built-in captive portal capabilities of each supported wireless controller vendor.
Portnox Cloud replaces the following vendor-specific components:
- Replaces the original vendor captive portal web page with the Portnox Cloud web pages
- Replaces the AAA server with the Portnox Cloud RADIUS
- Replaces the user repository with the Portnox Cloud guest management repository
The Portnox Cloud captive portal can be accessed only via HTTPS/SSL, unlike some vendor solutions that allow plain unencrypted HTTP access.
Guest credentials are sent to the wireless controller using SSL. The controller then authenticates them against the Portnox Cloud RADIUS.
With this architecture, traffic between the wireless controller and the Portnox Cloud RADIUS can be secured by different authentication protocols: RadSec (fully inside a TLS tunnel), PEAP-MSCHAPv2, or PEAP-CHAP, where only the credentials are placed inside the TLS tunnel.
VPN gateways
Portnox Cloud can be used to authenticate VPN users with two-factor authentication, the second factor being a strong factor. Portnox Cloud can also add an additional layer of security for users connecting remotely via VPN, with the VPN gateway using the cloud RADIUS service as its authentication authority.
The connection security type, tunnel encryption, and challenge/response protocol are determined exclusively by the VPN terminator itself.
The Portnox Cloud RADIUS service supports the strongest secure connection types available today from VPN terminator vendors: the PEAP protocol family, which uses a TLS tunnel for critical data with MS-CHAP-V2 or CHAP authentication inside, and also PAP, which is secured only at the RADIUS protocol level (shared secret).
Portnox local RADIUS
The Portnox local RADIUS is a software application that runs on-premises on the customer network and acts as a RADIUS service to perform authentication from on-premises. It also contains a cache of authentication data for the last 7 days, to authenticate devices when a connection to the Internet cannot be established.
Portnox Cloud local RADIUS provides the following methods to secure authentication data:
- The Portnox Cloud local RADIUS connects to the cloud service using outbound TCP port 443. Cloud traffic is always initiated by the local RADIUS.
- The Portnox Cloud local RADIUS communicates with the Portnox Cloud services over TLS. All traffic between the Portnox Cloud local RADIUS and the Portnox Cloud services is encrypted.
- Communication between the NAS and the Portnox Cloud local RADIUS is the same as for the cloud RADIUS but happens inside the on-premises network, so all data is additionally under the protection of the organization’s own security department.
Portnox Cloud administrators – securing privileged accounts
The process of securing privileged accounts should be ongoing, with continuous evaluation and adjustments to improve security as the business and threat landscape change.
Portnox Cloud utilizes the following methods to secure privileged admin accounts and to minimize exposure to attacks:
- Portnox Cloud enables configuration of two-factor authentication (a code sent in a text message to a pre-registered number) for any administrator, to use as an additional strong factor in admin access authorization.
- The failed authentication attempts policy starts with showing a CAPTCHA after a few failed attempts and progresses to locking the account after a number of subsequent failures.
- Admin password complexity enforcement is built into the product and cannot be turned off.
- The admin password expiration policy is built into the product and cannot be turned off.
- Portnox Cloud supports federated SSO for Portnox Cloud administrators with different levels of access. The organization can use Azure, Google Workspace, or Okta, with their protection policies, to authenticate administrators.
- Granular admin role management allows assigning a superset of permissions to each Portnox Cloud administrator.
- MSP admin role management allows controlling access to each organization with separate, specific permissions inside the MSP.
Cloud service platform security and protection
Portnox Cloud uses Microsoft Azure as its public cloud provider. One of the key factors in choosing Azure was its approach, implementation, and integration of all security aspects and measures at all platform levels.
Security and privacy are built into the Azure platform, beginning with the security development lifecycle (SDL). The SDL addresses security at every development phase, from initial planning to launch, and ensures that Azure is continually updated to make it even more secure. Operational security assurance (OSA) builds on SDL knowledge and processes to provide a framework that helps ensure secure operations throughout the lifecycle of cloud-based services.
The Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring.
For detailed information about Azure security, read the Microsoft Azure information pages.
To protect Portnox Cloud services from very aggressive authentication requests from evaluation organizations or specific devices, Portnox Cloud provides an anti-flood mechanism with a good level of visibility (notifications) and the ability to easily unblock an organization or device once the cause of the blocking has been fixed.
Portnox Cloud also provides a feature to restrict access to the cloud RADIUS service by allowing access only from specific IP addresses. All other IP addresses are denied access, so customers can be sure that only traffic from known IPs is processed.
In addition to inherited environmental security, Portnox Cloud takes the following measures to ensure security of cloud services:
- Portnox conducts periodic penetration tests with a third party that specializes in security testing of cloud services.
- The Portnox development team uses an automated code scanning tool to identify vulnerabilities in code, third-party components that are not up to date, and other security issues.
- The Portnox DevOps procedure ensures the periodic rotation of all relevant credentials and secrets, including TLS and encryption certificate rotation, as well as the secret keys and passwords used by the system and supporting personnel.