This article is intended primarily for small teams of up to 15 users who use the features provided by our Team edition.
To assist with selecting the appropriate data source, here is a set of concerns and the list of data sources that can serve in such a context.
When choosing a non-on-premises data source, it is important to account for the security of data both at rest and in transit. It is strongly recommended to further encrypt data using a master key for file-based solutions or a security provider for advanced data sources, ensuring that only authorized parties can access the data.
For enhanced security features such as encryption at rest and in transit, restricted database access, and zero-knowledge encryption, consider our enterprise data sources.
Concern | SQL Server | SQL Azure |
---|---|---|
Database inaccessible to end users | Note 1, Note 2 | Note 1 |
AD accounts used for authentication | | |
Data stored on-premises | | |
Activity logs | | |
Data accessible globally | Note 3 | |
Optional local cache of connections | | |
Notes
Note 1
Administrators can create end-user accounts without sharing passwords by importing a locked data source definition for each user. However, this process involves significant manual effort by the administrator.
Note 2
Integrated security is a Microsoft technology that allows access to a SQL Server instance without transmitting credentials, relying on the authentication token from the Windows environment. This allows users to connect directly to the database using other tools, but it should not be used if preventing direct database access is required.
Our SQL Server data source provides a third authentication option, Custom (Devolutions), which allows user impersonation without revealing the credentials used to connect to the database. For more information, refer to User management.
Note 3
It is possible to expose a database to the Internet, but SSL/TLS encryption is necessary to secure the traffic and mitigate risks like DDoS attacks. Cloud services, such as Azure, prioritize this concern. The default firewall settings should block all traffic initially, with exceptions and rules added as needed. Additionally, open only the essential ports, add them to the exception list, and filter incoming requests based on their origin.
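One way to check SQL Server connection strings against the concerns in Note 2 (integrated security permits direct database access) and Note 3 (traffic to an exposed database must be encrypted), as an added example that is not part of the original documentation or the product. It assumes ADO.NET-style `key=value;` connection strings; the finding labels, the `audit` and `parse` helpers, and the sample strings are constructed for illustration.

```python
import re

# Added example, not vendor code. Finding labels and SAMPLES are constructed.
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("[^"]*"|'[^']*'|[^;]*)""")
INTEGRATED = {"true", "yes", "sspi"}
YES = {"true", "yes"}
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}


def parse(conn_str):
    """Return {normalized keyword: value}; quoted values may contain ';'."""
    settings = {}
    for key, value in PAIR.findall(conn_str):
        key = re.sub(r"[\s_]", "", key.lower())  # "Trusted_Connection" -> "trustedconnection"
        settings[key] = value.strip().strip("\"'").lower()
    return settings


def audit(conn_str, forbid_direct_access=True, exposed=True):
    """List policy findings for one connection string."""
    s = parse(conn_str)
    findings = []
    integrated = (s.get("integratedsecurity") in INTEGRATED
                  or s.get("trustedconnection") in INTEGRATED)
    # Note 2: Windows-token logins let users open the database with other tools.
    if forbid_direct_access and integrated:
        findings.append("integrated-security")
    # Note 3: require encryption to be set explicitly, because driver defaults
    # differ between versions, and require certificate validation.
    if exposed:
        if s.get("encrypt") not in ENCRYPT_ON:
            findings.append("tls-not-enforced")
        elif s.get("trustservercertificate") in YES:
            findings.append("tls-cert-not-validated")
    return findings


SAMPLES = {  # constructed inputs
    "lan-integrated": "Server=sql01;Database=vault;Trusted_Connection=Yes;",
    "cloud-weak": "Data Source=tcp:db.example.com,1433;User ID=app;"
                  "Password='p;w';Encrypt=True;TrustServerCertificate=True",
    "cloud-ok": "Data Source=tcp:db.example.com,1433;User ID=app;"
                "Password=x;Encrypt=True;TrustServerCertificate=False",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit(conn) or "ok")
```

Pass `exposed=False` for a database reachable only on the internal network, and `forbid_direct_access=False` where direct database access by end users is acceptable.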