CloudReady utilizes Public Key Infrastructure (PKI) to provide additional security, authentication and authorization for communicating with its servers as well as for credential encryption for the sensors. This is layered on top of its SSL-based communications.
Public Key Encryption
CloudReady Monitor uses public-key encryption to securely store sensor credentials while still enabling customers to easily deploy, control and configure a large number of distributed sensors from one secure location in the cloud.
Installation and Key-pairs
Installation of the Private Sites requires a private-public key-pair. You can learn more about Public Key Infrastructure (PKI) here. CloudReady makes initializing PKI keys and certificates easy through the use of the Management Client and custom installers that securely join the Secure Service to the CloudReady servers.
The private key is stored on the machine where the sensors and Secure Service run. The private key is registered and configured during installation of the Secure Service. CloudReady records the public key part of the key-pair in its database for encrypting credentials and sensor configuration.
During sensor creation, configuration and assignment to a Private Site, the credentials are encrypted using the public key part of the key-pair. When each sensor is deployed to a location, only the Private Site with the matching private key part of the key-pair can decrypt the credentials specific to that sensor. This ensures that sensor credentials are securely encrypted, end-to-end, and that there is no way of retrieving the credentials without having the private key file that is registered and secured by the machine where the site is running.
Deploying a large number of sensors and sites requires deployment planning. Currently, to enable deploying the same sensor configurations to multiple locations, you must install the same private key file alongside each Secure Service location. This securely enables sensor configuration sharing across different Private Site locations. If the deployed sensor locations have different public-private key-pairs, then administrators will need to supply sensor credentials for each assignment of a sensor to a location.
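The key-pair behaviour described above, as an added illustration that is not CloudReady's own code: credentials encrypted to one site's public key can be decrypted by any location holding the same private key file, and by no other. It assumes RSA-OAEP with SHA-256 (the page does not name the algorithm); the `Site` type, the function names, the use of the sensor ID as a label and the sample password are all hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Site is a hypothetical stand-in for one Private Site location and its private key.
type Site struct {
	Name string
	key  *rsa.PrivateKey
}

// NewSite generates a fresh key-pair, as a first installation would.
func NewSite(name string) (*Site, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Site{Name: name, key: k}, nil
}

// WithSameKey models installing the same private key file at another location.
func (s *Site) WithSameKey(name string) *Site { return &Site{Name: name, key: s.key} }

// PublicKey is the only part the server side needs to record.
func (s *Site) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// EncryptCredential needs only the public key; the sensor ID is the OAEP label (assumption).
func EncryptCredential(pub *rsa.PublicKey, sensorID string, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, []byte(sensorID))
}

// DecryptCredential succeeds only with the matching private key and sensor ID.
func (s *Site) DecryptCredential(sensorID string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.key, ct, []byte(sensorID))
}

func main() {
	hq, _ := NewSite("hq")
	branch := hq.WithSameKey("branch") // shares hq's private key file
	other, _ := NewSite("other")       // installed with its own key-pair
	ct, _ := EncryptCredential(hq.PublicKey(), "sensor-1", []byte("constructed-password"))
	for _, s := range []*Site{hq, branch, other} {
		_, err := s.DecryptCredential("sensor-1", ct)
		fmt.Printf("%-6s can decrypt: %v\n", s.Name, err == nil)
	}
}
```

The site with its own key-pair fails to decrypt, which is why credentials must be supplied again when a sensor is assigned to a location with a different key-pair.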
Administrators who would like to use Electronic Software Deployment (ESD) tools such as SCCM to deploy the Private Site can use the bulk deployment page to retrieve a set of Join keys and download the Exoprise Secure Service installer.
The Secure Service installer is a standard .exe installer that can be packaged, supports silent installs and takes a number of command line arguments as defined here:
Join keys enable a secure initial registration during the installation of a Secure Service location. During installation, the service passes the join key to CloudReady and validates that the location is accurate for your account.