strongDM Security Architecture

The strongDM application is a distributed system of clients and proxies, coordinated by a central API. The system achieves overall security via:

Device and User Identity

When end-users install a client locally, strongDM generates and records a forgery-resistant fingerprint of the device. Any attempt to access the session from another device will terminate all connections and force re-authentication.

Connections between Clients and Proxies

Each client and proxy instance have unique cryptographic identities, as distributed via the strongDM API. Once an end user authenticates and initiates a valid session using the strongDM client, a mutually-verified TLS 1.2 connection is established between the client and one or several proxies. All traffic between the local client and the destination is multiplexed via the encrypted connection regardless of the encryption status or capabilities of the underlying protocol.

API Security

All strongDM API traffic conforms to modern practices for preventing request interception, modification, or replay. Each call is signed using device and session keys unique to the caller’s installation and most recent authentication.

Database and Server Credential Handling

Because strongDM is a protocol-aware proxy, we are able to inject credentials during the “last mile” hop between the proxy and the target database or server. As a result, sensitive credentials are always inaccessible to users: they are never transferred to a client in any form.

Credentials are unlocked at runtime using a “dual key” system: only when a cryptographically valid proxy instance requests decryption on behalf of a cryptographically valid user session are they unlocked. Neither the user nor the proxy instance alone are sufficient to decrypt the credential.

Internally, the strongDM credential vault is implemented using the AWS Key Management System. The strongDM implementation fully leverages authenticated encryption with associated data (AEAD) via the KMS Encryption Context. All credential decryption events are written to a tamper-hardened audit log that is owned by a separate AWS account. You can read more about KMS at: (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf).

Activity and Audit Logging

Every action within the strongDM application is logged in a tamper-proof repository that is not accessible to account administrators. This includes every user authentication, query, ssh, and RDP command as well as administrator actions such as permission changes.

Logs are fully configurable so that you control what is passed to strongDM. You can choose to log with us or log locally. You can encrypt in the UI and/or encrypt locally. If you choose to do the latter, we provide a tool to decrypt the cryptext.

Additional Measures

Operational security is enhanced by additional monitoring and detection measures not explicitly detailed here.