Security Architecture
Security Architecture
Section titled “Security Architecture”Short Summary: How SSL-CLM protects your private keys and infrastructure using Zero Trust principles, strong encryption, and strict access controls.
Encryption Standards
Section titled “Encryption Standards”Data at Rest
Section titled “Data at Rest”All sensitive fields in the MongoDB database are encrypted using AES-256 GCM.
- Fields:
privateKey,password,apiKey,token. - Key Management: The Master Key is configured via
ENCRYPTION_KEYenv var or fetched from a Vault.
Data in Transit
Section titled “Data in Transit”- Agent ↔ Backend: TLS 1.3 enforced.
- UI ↔ Backend: TLS 1.3 enforced.
- Mutual TLS (mTLS): Configuration option to require Agents to present a client certificate.
Access Control (RBAC)
Section titled “Access Control (RBAC)”We implement a permission-based model.
| Role | Permissions |
|---|---|
| Viewer | Read-only access to inventory. No sensitive data access. |
| Operator | Can request/renew certificates. Can trigger scans. |
| Admin | Full system access. Can manage users and global settings. |
Network Security
Section titled “Network Security”Outbound-Only Model
Section titled “Outbound-Only Model”The Agent connects outbound to the Backend. This eliminates the need to open dangerous inbound ports (like SSH/WinRM) on your critical servers to a central management server.
Supply Chain Security
Section titled “Supply Chain Security”- Software Bill of Materials (SBOM): Provided with every release.
- Code Signing: All artifacts are signed by QCecuring.