Mitto is an extremely flexible and extensible platform with widely varied use cases. The overall security posture of a Mitto deployment depends upon the choices its users make; in every case, a secure option is available if the user chooses to use it.

Network security

Due to Mitto's single tenant architecture, each individual Mitto server can be hosted by Zuar or self-hosted by the customer (in the cloud or on-premise).

Zuar Hosted Mitto

Zuar hosts Mitto for customers in either AWS or Digital Ocean, so Mitto benefits from the security of each of these cloud platforms.

Mitto enforces two-factor authentication (2FA):

  • Network access is controlled through IP allow lists, so only specific, pre-defined users can reach the Mitto admin interface or Mitto's internal PostgreSQL database.
  • Admin and database authentication (see the Authentication section below).

Self-hosted Mitto

For self-hosted Mitto, either in the cloud or on-premise, Mitto can be deployed in any way the customer chooses to match their security requirements. Mitto simply becomes another component in a security setup that the user has developed.

SSL Certificates

In all cases, SSL is used to protect all web traffic between a user's browser and the Mitto user interface.

Authentication

Mitto Admin Interface

Mitto's admin interface supports basic authentication (username and password). Mitto includes a Zuar WAF and can therefore support other authentication mechanisms if needed. Following OWASP security best practices, Mitto stores only a one-way hash of the password, making it impossible to recover the clear-text password.

Database Authentication

Mitto's internal PostgreSQL database supports the authentication methods of Postgres. The standard is username and password. Users have admin access to Mitto's internal PostgreSQL database and can set up any database security requirements they need.

Mitto's API Authentication

Mitto's API uses a revocable API key for access.

Data security

How is data transmitted to and through Mitto?

Mitto is able to pipe data from external APIs, databases, and flat files.

  • APIs - REST- or SOAP-based APIs (e.g. Salesforce, NetSuite) are the most common, and they use standard SSL encryption for traffic.
  • Databases - When Mitto pipes data from or to an external database, Mitto leverages the security of the driver provided by the database vendor. Mitto can be configured to use SSL if the external database supports it.
  • Flat Files - Flat files can be transferred to Mitto in any number of ways (via HTTPS in the UI, via FTP/SFTP, rclone, etc.).

Contact Zuar for plugin specific questions.

How is data stored in Mitto?

Encryption of data stored internally covers two cases:

  • For all Mitto deployments, named credentials are encrypted at rest.
  • For self-hosted deployments, customers can deploy Mitto where all data is encrypted at rest.