This documentation describes a release under development. Documentation for the latest release, 3.6.2, can be found here.

Security

Mitto is an extremely flexible and extensible platform with varied security use cases. The overall security standard of a Mitto deployment depends upon the choices its users make.

In every case, there is a secure option available for the user if they choose to use it.

The baseline security infrastructure for Zuar-hosted Mitto is 2FA consisting of:

  1. Individual IP allow list - Only designated IPs may log in to a particular customer tenant.

  2. Basic authentication - Standard usernames and passwords are enforced by the Zuar Web Application Firewall.

Network Security

Because the security of your data is critical, we prioritize the development and maintenance of a secure, trusted platform. We are committed to industry standard security best practices, policies, and procedures to protect your data.

Mitto is available via two hosting options:

  • Zuar-hosted: Zuar hosts and maintains the Mitto instance; the customer does not need to provide any hardware

  • Customer-hosted: Mitto resides on a customer server

Zuar-hosted Mitto

Zuar hosts Mitto for customers in either AWS or Digital Ocean. Mitto therefore benefits from the security of each of these cloud platforms.

Multi-factor Authentication

Zuar enforces two-factor authentication (2FA) for Zuar-hosted Mitto as follows:

  1. Network access is controlled through an IP address allow list. Only specific, pre-defined addresses can access the Mitto administration interface or the internal PostgreSQL database.

  2. Mitto administration and database authentication require separate usernames and passwords, in addition to the pre-authorized network access described above.
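The first of the two factors above is a network-level gate: a request is rejected before any credential is examined unless it originates from a pre-approved address. The following added example (not Zuar's or Mitto's own code, and not taken from the Mitto documentation) shows how such an allow list is typically evaluated: entries may be CIDR blocks or single addresses, IPv4-mapped IPv6 clients are normalised so they match an IPv4 range, and anything unparseable is denied rather than allowed. The addresses in ALLOW_LIST are constructed documentation ranges, not real customer values.

```python
import ipaddress
import logging

logger = logging.getLogger("allowlist")

# Constructed example allow list (documentation address ranges, not a real
# Zuar/Mitto configuration): one office /24, one bare IPv4 host, one IPv6 prefix.
ALLOW_LIST = ["203.0.113.0/24", "198.51.100.7", "2001:db8:1::/48"]


def parse_allow_list(entries):
    """Turn CIDR blocks and bare addresses into network objects.

    A bare address becomes a /32 (or /128) network. A malformed entry raises
    ValueError, so a typo in the list fails closed at startup instead of
    silently widening access.
    """
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


ALLOWED_NETWORKS = parse_allow_list(ALLOW_LIST)


def is_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """Return True only if client_ip lies inside one of the allowed networks.

    client_ip should be the transport-level peer address (or the address a
    trusted reverse proxy reports), never an unverified client-supplied header.
    Unparseable input is denied (fail closed).
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        logger.warning("denied: unparseable client address %r", client_ip)
        return False

    # A client behind a dual-stack listener can show up as ::ffff:a.b.c.d;
    # compare the embedded IPv4 address so an IPv4 range still matches it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    for net in networks:
        if addr in net:          # False automatically when IP versions differ
            return True

    logger.warning("denied: %s not in allow list", addr)
    return False


if __name__ == "__main__":
    for probe in ["203.0.113.42", "203.0.114.1", "::ffff:203.0.113.9", "bogus"]:
        print(f"{probe:>20} -> {'allow' if is_allowed(probe) else 'deny'}")
```

In a deployment the allow list is enforced by the firewall or WAF in front of the application, as the page describes; the value of having the same logic in code is that it can be unit-tested against the edge cases (bare hosts, mapped addresses, garbage input) that a hand-edited firewall rule is rarely tested for.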

Customer-hosted Mitto

Mitto can be deployed in accordance with your security requirements when hosting it within your IT infrastructure.

SSL Encryption

In both hosting scenarios, Secure Sockets Layer (SSL) encryption is used to protect all web traffic between clients and the Mitto instance.

Authentication

Mitto Admin Interface

Mitto’s admin interface supports basic authentication (username and password). Mitto includes a Zuar Web Application Firewall (WAF) and can therefore support other authentication mechanisms if needed. Following OWASP security best practices, Mitto stores only a one-way hash of each password, so the clear-text password cannot be recovered from it.

Database Authentication

Mitto’s internal PostgreSQL database supports the standard PostgreSQL authentication methods; the default is username and password. Users have admin access to Mitto’s internal PostgreSQL database and can configure any database security requirements they need.
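Because administrators hold full rights on the internal database, the usual place to tighten it is PostgreSQL's own client-authentication file, pg_hba.conf. The fragment below is an added example, not Mitto's shipped configuration: it applies the same two layers the page describes (an address allow list plus a password) at the database level, requires TLS for the application account, and rejects everything else explicitly. The database name mitto_db, the role mitto_app and the address range are assumptions chosen for the example.

```conf
# pg_hba.conf fragment (added example; database, role and addresses are
# placeholders). PostgreSQL takes the FIRST line that matches a connection,
# so the specific allow rules come before the catch-all rejects.
#
# TYPE     DATABASE   USER        ADDRESS            METHOD

# Local administration only via a Unix socket, identity taken from the OS user.
local      all        postgres                       peer

# Application role: TLS required (hostssl), only from the allow-listed range,
# password checked with SCRAM rather than md5 or cleartext.
hostssl    mitto_db   mitto_app   203.0.113.0/24     scram-sha-256

# Anything else, from any IPv4 or IPv6 address, is refused outright.
host       all        all         0.0.0.0/0          reject
host       all        all         ::/0               reject
```

For scram-sha-256 to be used for newly set passwords, postgresql.conf also needs `password_encryption = scram-sha-256`, and `ssl = on` with a server certificate is required before any hostssl line can match; after editing pg_hba.conf the server must reload its configuration (for example with `SELECT pg_reload_conf();`) for the rules to take effect.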

Mitto’s API Authentication

Mitto’s API uses a revocable API key for access.
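The two credential types on this page, admin passwords (stored only as a one-way hash, per the Mitto Admin Interface section above) and revocable API keys, are kept in different ways because they have different entropy. The example below is added here and is not Mitto's implementation: it uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user salt for passwords, and a plain SHA-256 digest plus a revocation flag for randomly generated API keys. The storage format, the `key_` prefix and the iteration count are choices made for this example; the iteration count follows the figure given in the OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import secrets

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 (assumption
# that this is an acceptable cost for the deployment; tune to the hardware).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh 16-byte salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time.

    Any malformed record is treated as a failed login rather than an error.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def _key_hash(key: str) -> str:
    # Keys are 256-bit random values, so an unsalted, unstretched hash already
    # makes the stored form useless to someone who reads the table.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory store of API key hashes with per-key revocation (example only)."""

    def __init__(self):
        self._records = {}   # sha256(key) -> {"owner": str, "revoked": bool}

    def issue(self, owner: str) -> str:
        key = "key_" + secrets.token_urlsafe(32)     # prefix is arbitrary here
        self._records[_key_hash(key)] = {"owner": owner, "revoked": False}
        return key          # shown to the caller once; never stored in clear

    def revoke(self, key: str) -> bool:
        """Mark a key unusable. Returns False if the key was never issued."""
        rec = self._records.get(_key_hash(key))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authenticate(self, key: str):
        """Return the owner for a live key, or None for unknown or revoked keys."""
        rec = self._records.get(_key_hash(key))
        if rec is None or rec["revoked"]:
            return None
        return rec["owner"]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored password record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))

    store = ApiKeyStore()
    key = store.issue("pipeline-runner")
    print("key authenticates as:", store.authenticate(key))
    store.revoke(key)
    print("after revocation:", store.authenticate(key))
```

The point the page makes about passwords carries over to both records: neither the password nor the API key can be recovered from what is stored, and because revocation only flips a flag on the hashed record, a leaked key can be disabled without rotating anything else.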

Data Security

How is data transmitted to and through Mitto?

Mitto is able to pipe data from external APIs, databases, and flat files.

  • APIs: REST- or SOAP-based APIs are the most common, and they use standard SSL encryption for traffic (e.g. Salesforce, NetSuite, etc.)

  • Databases: When Mitto pipes data from or to an external database, Mitto leverages the security of the driver provided by the database vendor. Mitto can be configured to use SSL if the external database supports it.

  • Flat Files: Flat files can be transferred to Mitto in any number of ways (via HTTPS in the UI, via FTP/SFTP, rclone, etc.)

Contact Zuar for plugin-specific questions.

How is data stored in Mitto?

Two cases apply to data stored internally:

  1. For all Mitto deployments, named credentials are encrypted at rest.

  2. For self-hosted deployments, customers can deploy Mitto where all data is encrypted at rest.