Backup & Archive Security Overview
Overview
Flosum Backup & Archive is designed to deliver enterprise-grade security across both Flosum-hosted and customer-hosted environments. This article provides a comprehensive overview of its security architecture, covering encryption, infrastructure setup, identity management, and secure communication practices.
Key Security Features
Strong Encryption: Utilizes AES-256 and TLS 1.2+ to ensure robust data protection.
Secure Key Management: Encryption keys are protected by AWS KMS for enhanced security.
Controlled Access: Offers flexible identity provider options for tailored access control.
Compatibility: Integrates smoothly with Salesforce Shield and VPN solutions, ensuring comprehensive security.
These features ensure that Flosum Backup & Archive provides secure and reliable backup and archiving solutions for enterprise needs.
System Architecture Overview
Backup & Archive runs on a cloud-based virtual machine (VM) and supports two deployment models:
Flosum-Hosted
Flosum hosts the application on AWS infrastructure.
Customer-Hosted
The customer owns and manages the cloud instance and infrastructure.
Core Components
Cloud Virtual Machine:
Required specs: 32 GB RAM, 4 CPU, AWS r5n.xlarge or better
OS: Ubuntu x64
Domain Registration & SSL Certificate:
Required for secure access
Only TLS 1.2 or later supported (not SSL)
HTTPS traffic is managed using NGINX and SSL certs
NGINX Proxy:
Acts as a gateway to the Backup & Archive Docker container
Manages HTTPS and routing
MySQL Database:
Stores configuration data (e.g., access tokens, job logs, dataset info)
Does NOT store actual customer backup data
Storage Options:
SSD (gp2/gp3) or AWS S3 (for AWS deployments only)
Supports file compression for text/data files (up to 60%)
Binary files are not compressed
VPN Support:
Fully compatible
Anonymous access is not supported
Salesforce Shield Compatibility:
Fully supported; Backup & Archive works via API without conflict
Encryption & Data Security
Key Management
Encryption Keys:
Stored securely in the Backup & Archive database and protected by AWS KMS
Unique key per connected org
Keys are persistent across sandbox refreshes
Key Lifecycle:
Cannot be rotated automatically
To change a key, connect a new Salesforce org
Migrating Encryption Keys for Customer-Hosted
Generate 32-byte base64 key: openssl rand -base64 32
Add key to docker-compose: LOCAL_ORGANIZATION_ENCRYPTION_KEY=<key>
Upgrade the app to complete the migration
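One way to carry out the first two steps with a sanity check, as an added example that is not Flosum's own tooling: it generates the key with the command above, confirms that it decodes to exactly 32 bytes (the AES-256 key length), and writes the variable to an owner-only file. The file name `backup-archive.env` and loading it through Compose's `env_file` option are assumptions; the page only says to add the variable to docker-compose.

```shell
#!/bin/sh
# Added example, not Flosum tooling. Generates the migration key and refuses
# to write anything that is not 32 bytes of base64.

# Step 1 from the procedure: 32 random bytes, base64-encoded.
generate_key() {
  openssl rand -base64 32
}

# Return 0 only if $1 is base64 that decodes to exactly 32 bytes.
key_is_valid() {
  key=$1
  # 32 bytes always encode to 44 base64 characters.
  [ "${#key}" -eq 44 ] || return 1
  # Reject anything outside the standard base64 alphabet (catches pasted
  # quotes, spaces or a URL-safe variant).
  case $key in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  decoded_len=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
  [ "$decoded_len" -eq 32 ]
}

# Step 2: write the variable to an env file readable only by its owner.
# The file path is an assumption; point Compose at it with env_file.
write_key_env() {
  key=$1 file=$2
  if ! key_is_valid "$key"; then
    echo "refusing to write: key is not 32 bytes of base64" >&2
    return 1
  fi
  ( umask 077
    printf 'LOCAL_ORGANIZATION_ENCRYPTION_KEY=%s\n' "$key" > "$file" ) || return 1
  chmod 600 "$file"   # tighten the mode if the file already existed
}

# Usage: sh make-key.sh write backup-archive.env   (file name is hypothetical)
if [ "${1:-}" = "write" ] && [ -n "${2:-}" ]; then
  write_key_env "$(generate_key)" "$2"
fi
```

Keep the resulting file out of version control and backups of the compose directory, since it holds the key in plaintext.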
Encryption in Transit and at Rest
Transit:
All data is transmitted via HTTPS (SSL/TLS)
Bi-directional encryption between Salesforce and Backup & Archive
At Rest:
Data is encrypted using AES-256 in cloud storage
Remains encrypted even when viewed/exported
Decryption Process of Data for GUI Display
When the user requests encrypted data from the Backup & Archive storage, the following process occurs.
The encryption key is retrieved from the Backup & Archive database
Key is cached in VM RAM
Encrypted file is decompressed and decrypted in-memory
Data is shown to the user in the GUI
File in storage remains encrypted
Identity & Access Management
Backup & Archive supports multiple identity providers:
Username & Password
OAuth 2.0
Single Sign-On (SSO)
Flosum’s Global Settings app is used to manage access across hosted environments securely.
Licensing & Version Control
Backup & Archive and Flosum DevOps are separate products
Each has its own license and version number
Multi-org support:
A single license can manage multiple Salesforce orgs
Additional orgs increase required storage and may incur extra cost
Check the current release:
View the Release Notes section for the current version of Backup & Archive.