MID Server configuration file security

Sensitive MID Server configuration data can be protected using several different schemes, including internal and external data encryption and external data storage.

The MID Server provides the following built-in security options for content in the config.xml file:
  • Default security provider: Secures the data in the config.xml file by encryption. When the MID Server is restarted, any unencrypted data is encrypted and written to the config.xml file. The default security provider offers these encryption options:
    • Default encryptor: Default process for encrypting data in the MID Server config.xml file. See Encrypt MID Server login credentials for details.
    • Windows Data Protection API (DPAPI): The operating system performs the data encryption, rather than the MID Server. DPAPI encryption is based on the logged in user's account. When this scheme is used, the data can only be decrypted by the same user account. If the account changes, the data must be re-encrypted.
    • Custom encryption: Implement the IMidServerEncrypter interface to create your own custom encryption scheme to manage sensitive config.xml data.
  • CyberArk: Data security is provided by CyberArk's Privileged Account SecurityCyberArk's Privileged Account Security system, which moves sensitive data from the config.xml file to a secure CyberArk vault. This solution does not encrypt the data.
  • Custom external storage: Implement the ISecuredConfigProvider interface to create your own custom external storage system to manage sensitive config.xml data.
Figure 1. Secured content and encryption schemes
Secured content and encryption schemes