Backup & Archive Security Overview


Overview

Flosum Backup & Archive is designed to deliver enterprise-grade security across both Flosum-hosted and customer-hosted environments. This article provides a comprehensive overview of its security architecture, covering encryption, infrastructure setup, identity management, and secure communication practices.

Key Security Features

  • Strong Encryption: Utilizes AES-256 and TLS 1.2+ to ensure robust data protection.

  • Secure Key Management: Encryption keys are protected by AWS KMS for enhanced security.

  • Controlled Access: Offers flexible identity provider options for tailored access control.

  • Compatibility: Integrates smoothly with Salesforce Shield and VPN solutions, ensuring comprehensive security.

These features ensure that Flosum Backup & Archive provides secure and reliable backup and archiving solutions for enterprise needs.


System Architecture Overview

Backup & Archive runs on a cloud-based virtual machine (VM) and supports two deployment models:

Flosum-Hosted

Flosum hosts the application on AWS infrastructure.

Customer-Hosted

The customer owns and manages the cloud instance and infrastructure.

Core Components

  • Cloud Virtual Machine:

    • Required specs: 32 GB RAM, 4 CPU, AWS r5n.xlarge or better

    • OS: Ubuntu x64

  • Domain Registration & SSL Certificate:

    • Required for secure access

    • Only TLS 1.2 or later is supported (not SSL)

    • HTTPS traffic is managed using NGINX and SSL certs

  • NGINX Proxy:

    • Acts as a gateway to the Backup & Archive Docker container

    • Manages HTTPS and routing

  • MySQL Database:

    • Stores configuration data (e.g., access tokens, job logs, dataset info)

    • Does NOT store actual customer backup data

  • Storage Options:

    • SSD (gp2/gp3) or AWS S3 (for AWS deployments only)

    • Supports file compression for text/data files (up to 60%)

    • Binary files are not compressed

  • VPN Support:

    • Fully compatible

    • Anonymous access is not supported

  • Salesforce Shield Compatibility:

    • Fully supported; Backup & Archive works via API without conflict


Encryption & Data Security

Key Management

  • Encryption Keys:

    • Stored securely in the Backup & Archive database and protected by AWS KMS

    • Unique key per connected org

    • Keys are persistent across sandbox refreshes

  • Key Lifecycle:

    • Cannot be rotated automatically

    • To change a key, connect a new Salesforce org

Migrating Encryption Keys for Customer-Hosted

  • Generate a 32-byte, base64-encoded key: openssl rand -base64 32

  • Add the key to docker-compose: LOCAL_ORGANIZATION_ENCRYPTION_KEY=<key>

  • Upgrade the app to complete the migration
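
A pre-flight check for the migration steps above, added here as an example (it is not Flosum's own tooling): it generates the key with the openssl command from the first step, confirms the value is base64 that decodes to exactly 32 bytes, and writes the LOCAL_ORGANIZATION_ENCRYPTION_KEY line to an owner-only file. The function names and the use of a separate env file referenced from docker-compose are assumptions.

```shell
#!/bin/sh
# Added example: helper names and the env-file layout are assumptions,
# not part of the Backup & Archive distribution.

# Generate a key exactly as the migration step describes.
generate_key() {
  openssl rand -base64 32
}

# Succeed only if $1 is base64 text that decodes to exactly 32 bytes.
# 32 bytes always encode to 44 base64 characters.
validate_key() {
  case "$1" in
    ""|*[!A-Za-z0-9+/=]*) return 1 ;;   # empty, whitespace, quotes, etc.
  esac
  [ "${#1}" -eq 44 ] || return 1
  decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$decoded_len" -eq 32 ]
}

# Write the variable to $2 with owner-only permissions; refuse bad keys
# before any file is created.
write_key_env() {
  validate_key "$1" || return 1
  : > "$2" && chmod 600 "$2" || return 1
  printf 'LOCAL_ORGANIZATION_ENCRYPTION_KEY=%s\n' "$1" > "$2"
}

# Usage: sh migrate_key.sh /path/to/backup.env   (path is a placeholder)
if [ -n "${1:-}" ]; then
  key=$(generate_key) && write_key_env "$key" "$1" \
    && echo "key written to $1; reference it from docker-compose, then upgrade"
fi
```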

Encryption in Transit and at Rest

  • Transit:

    • All data is transmitted via HTTPS (SSL/TLS)

    • Bi-directional encryption between Salesforce and Backup & Archive

  • At Rest:

    • Data is encrypted using AES-256 in cloud storage

    • Remains encrypted even when viewed/exported

Decryption Process of Data for GUI Display

When the user requests encrypted data from the Backup & Archive storage, the following process occurs.

  1. The encryption key is retrieved from the Backup & Archive database

  2. The key is cached in VM RAM

  3. The encrypted file is decompressed and decrypted in memory

  4. The data is shown to the user in the GUI

  5. The file in storage remains encrypted


Identity & Access Management

Backup & Archive supports multiple identity providers:

  • Username & Password

  • OAuth 2.0

  • Single Sign-On (SSO)

Flosum’s Global Settings app is used to manage access across hosted environments securely.


Licensing & Version Control

  • Backup & Archive and Flosum DevOps are separate products

    • Each has its own license and version number

  • Multi-org support:

    • A single license can manage multiple Salesforce orgs

    • Additional orgs increase required storage and may incur extra cost

  • Check the current release:

    • View the Release Notes section for the current version of Backup & Archive