Security
All Macula editions have enhanced security aimed at data protection, which includes not only advanced permission management but also encryption wherever possible. Data protection for Macula encompasses database encryption, server-to-server and server-to-client connection encryption, password protection for the proprietary archive, as well as certain system settings and policies that increase the level of cybersecurity.
The system offers pre-configured security levels, each of which includes a certain preset of security-related features. Some of the security settings are system-wide, and some others can be adjusted for individual servers (e.g., archive encryption).
Cybersecurity Dashboard
You can access the cybersecurity dashboard via Macula Console main menu in the top right corner > Cyber security.
Four pre-defined security levels range from the lowest to the highest. You can choose any level as a basis and either leave it as it is or turn off individual security checks.
The security checks for the selected settings mean that these settings are monitored and you are warned when trying to assign an inappropriate value. Enabling a certain security level does NOT change any of the related configuration parameters!
Each security check means that the related setting is tracked and you are notified if it does not meet the security requirements. For example, if the automated backup location is on the same disk as the main configuration file, the backup directory setting in the Automated backup configuration dialog box will have a warning shield. Thus, the selected security level is a set of recommended security settings, and you are free to ignore the warnings or exclude individual checks from the security profile.

Security Levels
The cybersecurity dashboard displays the recommended setting values, accompanied by warnings if the current preference is lower than recommended. For some checks no warning can be shown in the dashboard, because the check is applied only at a particular moment. For example, this is true for the storage and device passwords: the server cannot validate an existing password, so password complexity is evaluated at the password creation step.

Cybersecurity levels:
None: no security checks at all
Low: only some password policies and server backup settings are tracked
Medium: more of these settings plus user- and device-related settings
High: all possible settings related to security are monitored for maximum system protection
If the security check concludes there are issues with the current configuration, you will be notified with an orange shield and offered to review the list of issues.
Click the Show active issues button to see the list of detected security issues and recommendations on how to resolve them.

From here, you can save the list of active cybersecurity issues into a CSV file.
Security Checks
The following security checks are available, with the recommended value for each security level (Low, Medium, High; the None level performs no checks). In the table, "+" means the check is enabled at that level and "-" means it is not performed; "N+" means N or more and "N-" means N or fewer.

Check | Low | Medium | High
Automated configuration backup | | |
Automated configuration backup mode | Enabled | Enabled | Enabled
Automated configuration backup interval | Every 5 days | Every 2 days | Every day
Number of config backup files to keep (max) | 1 or more | 15 or more | 30 or more
Backup directory is located on a different drive | - | + | +
Databases to be backed up | - | All | All
Server security policy | | |
Minimal user password length | 6+ characters | 8+ characters | 12+ characters
Minimum number of uppercase letters in the user password | 1+ | 2+ | 2+
Minimum number of lowercase letters in the user password | 1+ | 2+ | 2+
Number of previous passwords to remember | - | 1+ | 3+
Number of days between password changes | - | 90- | 30-
Max number of simultaneous connections using the same user account | - | 1 | 1
Max unsuccessful login attempts before blocking the user account | - | 5- | 3-
Minimum number of special symbols in the user password | - | - | 1+
Minimum number of digits in the user password | - | - | 2+
Server storage | | |
Check storage password complexity (upon setting the password) | - | + | +
Storage encryption is enabled | - | - | +
Audit policy | | |
All audit options related to security policy are enabled | - | + | -
Server connections | | |
Client-server connection encryption is enabled | - | - | +
HTTPS is enabled | - | - | +
Two-factor authentication (2FA) | | |
2FA is enabled | - | - | +
User account | | |
Check password complexity against server policy | - | + | +
Lock account after N unsuccessful login attempts ("never lock on bad password" option is disabled) | - | + | +
User password is valid for a limited time ("password never expires" option is disabled) | - | - | +
Device settings | | |
Verify password complexity (upon entering the password) | - | + | +
Some of the security options are hard-coded and cannot be disabled (e.g., database encryption); these are therefore not listed here.
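As an added illustration (not Macula's own code or interface), the Python model below shows how the dashboard described above evaluates a server configuration against the table: each level is a set of thresholds, a check absent at a level is not performed, individual checks can be excluded from the profile, and the active issues can be exported as CSV. The setting names and the sample configuration are assumptions; the per-user and per-device checks are left out.

```python
import csv, io

# Recommended values from the "Security Checks" table above, keyed by level.
# kind: "bool" = must be enabled; "min" = current >= recommended; "max" = current <= recommended.
# A level missing from a check means that check is not performed at that level ("-" in the table).
CHECKS = {
    "config_backup_enabled":         ("bool", {"Low": True, "Medium": True, "High": True}),
    "config_backup_interval_days":   ("max",  {"Low": 5, "Medium": 2, "High": 1}),
    "config_backup_files_kept":      ("min",  {"Low": 1, "Medium": 15, "High": 30}),
    "backup_on_different_drive":     ("bool", {"Medium": True, "High": True}),
    "min_password_length":           ("min",  {"Low": 6, "Medium": 8, "High": 12}),
    "min_uppercase":                 ("min",  {"Low": 1, "Medium": 2, "High": 2}),
    "min_lowercase":                 ("min",  {"Low": 1, "Medium": 2, "High": 2}),
    "passwords_remembered":          ("min",  {"Medium": 1, "High": 3}),
    "days_between_password_changes": ("max",  {"Medium": 90, "High": 30}),
    "max_simultaneous_connections":  ("max",  {"Medium": 1, "High": 1}),
    "max_failed_logins":             ("max",  {"Medium": 5, "High": 3}),
    "min_special_symbols":           ("min",  {"High": 1}),
    "min_digits":                    ("min",  {"High": 2}),
    "audit_security_options":        ("bool", {"Medium": True}),
}
for _name in ("storage_encryption", "client_server_encryption", "https_enabled", "two_factor_auth"):
    CHECKS[_name] = ("bool", {"High": True})  # High-only switches from the table

def active_issues(settings, level, excluded=()):
    """Return [(check, current, recommended)] for each check failing at `level`; None = not configured."""
    issues = []
    for name, (kind, per_level) in CHECKS.items():
        if name in excluded or level not in per_level:  # excluded check, or level "None"
            continue
        recommended, current = per_level[level], settings.get(name)
        if kind == "bool":
            ok = current is True
        else:
            ok = current is not None and (current >= recommended if kind == "min" else current <= recommended)
        if not ok:
            issues.append((name, current, recommended))
    return issues

def issues_csv(issues):
    """Serialise the issue list the way the dashboard's save-to-CSV action would."""
    buf = io.StringIO()
    csv.writer(buf).writerows([["check", "current", "recommended"], *issues])
    return buf.getvalue()

# Constructed sample server configuration (not taken from a real installation).
SAMPLE_SETTINGS = {"config_backup_enabled": True, "config_backup_interval_days": 3, "config_backup_files_kept": 20,
                   "backup_on_different_drive": False, "min_password_length": 8, "min_uppercase": 2,
                   "min_lowercase": 2, "passwords_remembered": 1, "days_between_password_changes": 60,
                   "max_simultaneous_connections": 1, "max_failed_logins": 5, "audit_security_options": True}
```

With the sample configuration, the Low profile reports nothing while Medium flags the backup interval and the backup drive, which mirrors the warning-shield behaviour described above.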
Database Encryption
Macula server uses several databases for storing the server configuration, audit logs and other software data, and all of them are encrypted by default. Once you install the software version that supports database encryption, all the databases are automatically converted to the encrypted format. There is no need to adjust any settings to enable this feature.
Connection Encryption
Traffic encryption is not enabled by default; it can be turned ON in the server settings, in the Connections tab. There are separate settings for TCP connection encryption and HTTPS.

Client-Server Connections
This setting affects all TCP traffic between servers and clients, including server-to-server communications in Macula Global.
The currently available encryption options:
None: no encryption
AES-128 or AES-256: choose the one you need
When configuring a Macula Global system that has remote servers and clients of version 1.7 or earlier, make sure to upgrade all remote components to the same version as Macula Global so that they support encrypted connections. As soon as it is done, you can safely enable encryption for TCP connections.
HTTPS
Connections from remote Web browser clients and mobile applications, as well as API connections, can also use a secure channel instead of plain HTTP.
To enable secure communications, enable HTTPS in the server settings, then specify the desired HTTPS ports (different from the HTTP ports) for local and internet connections, and then add the digital certificate you wish to use; you can either use your own certificate or generate a self-signed one right at this step.
If you are setting up a Macula Global system:
In addition to the setup in the central management server settings, HTTPS should be enabled for each Macula Recording Server separately, in the settings of the target server. The certificate, though, should be only added once, and then you just need to choose it from the list, when setting up HTTPS on the Macula Recording Server machines.
Archive Encryption
Each archive storage (local or network), as well as archive backups made through the Archive Backup Wizard, can be encrypted. You can provide a different password for every storage unit, and there is also an option to change the password at any time.
Regular Server Archive
To access the archive encryption settings in Macula Console, open the Configuration section, choose Servers on the left, then double-click the desired server to edit its settings. In the Storage tab, click the Open storage properties button.

Click the target storage in the list on the right or add a new local or network storage unit by using the +New button above the storage list: its properties will appear on the left. Mark the Enable encryption option and specify the password you want.
The currently available encryption options:
None: no encryption
AES-128 or AES-256: choose the one you need
To save the changes, hit the Apply button beneath the storage settings, then hit OK to close the storage configuration dialog box, and then click OK to finally save the storage settings together with the server configuration. Pressing Cancel on the last step will revoke the changes in the storage configuration.
There is no option to recover the password if you have forgotten it.
Starting from the moment you set the password, all footage recorded to the target storage becomes encrypted; retroactive encryption of the previously recorded archive is not supported. If you wish the already recorded data to be encrypted, you can use the replication feature in Macula Global, targeting the replicas to an encrypted storage.
When the storage password is changed, the new password is used for encryption from then on. If storage encryption is disabled for some time and then re-enabled, the part of the archive recorded in the meantime will remain unencrypted.
Adding an Encrypted Disk
If you wish to use a storage that contains an encrypted archive as a new storage unit and add it to the server configuration, you will be prompted for the password. You need to provide the password that was used to encrypt that disk. If you provided a password hint earlier, it will appear as a tooltip when hovering your mouse over the password field.
Do not modify the contents of encrypted disks manually: this may result in the corruption of the whole archive.
Archive Backups
The archive backup tool also provides an option to specify a password to encrypt the backup.

There is no difference if the backup is made from an encrypted or an unencrypted storage; the password provided at this step will be used in future for archive access, whether you read the disk contents using the Portable Player tool or add the disk as a new storage to some Macula server.
Encrypted Archive Access
When accessing an encrypted storage via Macula Monitor and Macula Mobile, the archive is decrypted automatically and provided for browsing according to the user permissions.
Should you want to access a directory that contains proprietary Macula archive or its part (backup) using Macula Portable Player tool, you will be prompted for the password.

If you have specified a hint at the point of setting the password, it will be displayed as text or as a hint when hovering your mouse over the password field.