Hi sindbad,
If I got it correctly, then for access to rds.mydomain.com the user needs just username + password. Then he can get the token and apps.
How about a few things:
- first, if someone is about to steal a copy of your app, he will manage to do so, most probably. But you can make it a bit harder.
- full-disk encryption with additional decryption keys .. so a stolen NTB is useless without the encryption keys
- distribute tokens in advance so even access to rds is token protected
- access to rds from outside only via VPN, which again needs a token to auth
- so if the app handles some sensitive data from rds (whatever it is for you), then it needs to go through a tunnel, which is already token protected
- if authentication to the app only needs user+pass, then you can consider an additional token, or make the app auth against a centralized auth authority like FortiAuthenticator or that FortiGate, or anything talking RADIUS, for example
- if the app handles sensitive data, then encrypt it locally
- use crypto cards to auth so keys, for example even those for HDD full-encrypt, are on the card, so it's hard to get to the private keys, as most of the cards have self-destruct when tampered with and cannot export the private key out of the card
.. there are a lot of ways to make your environment at least a bit more secure.
Think as an attacker and you will find a way in, then patch that hole and start thinking again and again..
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
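The reply above suggests authenticating the app against "anything talking RADIUS". As an added example (not from the original post or from Fortinet), the following builds a RADIUS Access-Request as an app or VPN gateway would send it to a server such as FortiAuthenticator, and shows how the User-Password attribute is hidden per RFC 2865: the password is XORed with MD5(shared secret + Request Authenticator), chained block by block. The decode side is what the server does, and it makes the practical point visible: a weak or reused shared secret is all that protects PAP passwords on the wire, so that secret needs the same care as the tokens. Names, the shared secret and the credentials are constructed for the example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request (RFC 2865 section 4.1)
ATTR_USER_NAME = 1       # attribute type 1
ATTR_USER_PASSWORD = 2   # attribute type 2


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: zero-pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator exactly 16")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + cipher, cipher
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; strips the zero padding added by the client.
    Anyone holding the shared secret and a captured request can do exactly this."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], pad))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes.
    A fresh random Request Authenticator is used unless one is supplied (for testing)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value   # Type, Length, Value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
```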