Mitto is an extremely flexible and extensible platform with extremely varied use cases. The overall security standards of Mitto depend upon the choices users make. In every case, there is a secure option available for the user if they choose to use it.
Due to Mitto's single tenant architecture, each individual Mitto server can be hosted by Zuar or self-hosted by the customer (in the cloud or on-premise).
Zuar Hosted Mitto
Mitto enforces two-factor authentication (2FA):
- Network access is controlled through IP allow lists. Therefore, only specific, pre-defined users can access the Mitto admin interface or Mitto's internal PostgreSQL database.
- Admin and database authentication (see authentication section below)
For self-hosted Mitto, either in the cloud or on-premise, Mitto can be deployed in any way the customer chooses to match their security requirements. Mitto simply becomes another component in a security setup that the user has developed.
In all cases, SSL is used to protect all web traffic between a user's browser and the Mitto user interface.
Mitto Admin Interface
Mitto's admin interface supports basic authentication (username and password). Mitto includes a Zuar WAF and therefore can support other authentication mechanisms if needed. Following OWASP security best practices, Mitto uses a one-way hash of the password, making it impossible to recover the clear-text password.
Mitto's internal PostgreSQL database supports the authentication methods of Postgres. The standard is username and password. Users have admin access to Mitto's internal PostgreSQL database and can set up any database security requirements they need.
Mitto's API Authentication
Mitto's API uses a revocable API key for access.
How is data transmitted to and through Mitto?
Mitto is able to pipe data from external APIs, databases, and flat files.
- APIs - REST- or SOAP-based APIs are the most common, and they use standard SSL encryption for traffic (e.g. Salesforce, NetSuite, etc.).
- Databases - When Mitto pipes data from or to an external database, Mitto leverages the security of the driver provided by the database vendor. Mitto can be configured to use SSL if the external database supports it.
- Flat Files - Flat files can be transferred to Mitto in any number of ways (via HTTPS in the UI, via FTP/SFTP, rclone, etc.).
Contact Zuar for plugin-specific questions.
How is data stored in Mitto?
Data is stored internally in one of two cases:
- For all Mitto deployments, named credentials are encrypted at rest.
- For self-hosted deployments, customers can deploy Mitto where all data is encrypted at rest.