This topic is for teams that use the functionality offered by our Team Edition.
When choosing any data source type that is not on-premises, you need to think about the safety of the data both at rest and during transport. We strongly recommend that you further encrypt your data by applying a master key for file-based solutions or a Security Provider for Advanced Data Sources. This ensures only you can read the data.
To help you select a data source, here is a set of concerns and the data sources that can address each one.
|Devolutions Server||SQL SERVER||SQL AZURE|
|Database not accessible to end users||Note 1 and 2||Note 1|
|AD accounts used for authentication|
|AD group membership used to assign permissions|
|Data stored on-premises|
|Data accessible globally||Note 3||Note 4|
|Optional local cache of connections|
Administrators can create accounts for end users without divulging the passwords. A locked data source definition is imported for each end user. This requires a lot of manual operations by the administrator.
Integrated security is a Microsoft technology that allows access to an instance of SQL Server without sending credentials, using instead the token issued when you authenticate on your Windows computer. Users can therefore connect directly to the database using other tools. It should not be used if you need to prevent direct access to the database.
Our SQL Server data source offers a third authentication option, namely the Custom (Devolutions) user type. It allows the user to be impersonated, so the user is never made aware of the credentials used to connect to the database. Please consult User Management for details.
You should not expose a Devolutions Server instance to the Internet without being able to protect it from DDoS attacks. Strong passwords must be used as well as obscure account names that are not easily inferred using social data mining.
You can indeed expose a database to the Internet, but you must use SSL/TLS to encrypt traffic and also protect against DDoS attacks. Cloud services like Azure keep that concern at the forefront. The firewall should block everything by default, with exceptions and rules added afterwards. It is also necessary to open only the minimum number of required ports, add those port numbers to the exception list, and filter all future requests based on their origin.
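The TLS requirement above and the earlier warning about integrated security can be checked mechanically. The following is an added example, not Devolutions code: it audits SQL Server connection strings, using constructed samples with placeholder host, database and account names. The `TrustServerCertificate` check goes slightly beyond the text, since TLS without certificate validation does not authenticate the server.

```python
# Added example: audit SQL Server connection strings against the guidance above.
# Assumes simple "Key=Value;" pairs with no quoted semicolons inside values.

YES = {"true", "yes"}
ENCRYPT_ON = YES | {"mandatory", "strict"}  # values newer SqlClient drivers accept

# Constructed samples; hosts, database and account names are placeholders.
SAMPLES = [
    "Server=db.example.com;Database=RDM;Integrated Security=SSPI;",
    "Server=tcp:example.database.windows.net,1433;Database=RDM;"
    "User ID=rdm_app;Encrypt=True;TrustServerCertificate=False;",
    "Server=db.example.com;Database=RDM;User ID=rdm_app;"
    "Encrypt=True;TrustServerCertificate=True",
]

def parse(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with lowercased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit(conn_str, internet_facing=True, block_direct_access=True):
    """Return a list of findings for one connection string."""
    kv = parse(conn_str)
    findings = []
    if internet_facing and kv.get("encrypt", "").lower() not in ENCRYPT_ON:
        findings.append("traffic is not forced over TLS (Encrypt off or missing)")
    if kv.get("trustservercertificate", "").lower() in YES:
        findings.append("server certificate is not validated")
    # 'Trusted_Connection' is a synonym for 'Integrated Security'.
    integrated = kv.get("integrated security", kv.get("trusted_connection", ""))
    if block_direct_access and integrated.lower() in YES | {"sspi"}:
        findings.append("integrated security allows direct database access")
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for finding in audit(sample) or ["no findings"]:
            print("  -", finding)
```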