Security Hardening Guidelines for LucidLink Classic

LucidLink’s default settings provide a TPN Gold certified secure production environment, including AES256 encryption at rest, TLS encryption in flight and a zero-knowledge policy, but there are some optional steps you can take to maximize your security posture.

LucidLink follows the “shared responsibility” model, whereby end users assume responsibility for “security in the cloud” while LucidLink assumes responsibility for “security of the cloud”. These guidelines provide recommendations for hardening the security of your LucidLink environment, but teams also need to manage and secure the host systems they use to access LucidLink filespaces.

Technological Recommendations

  • Use SSO
    • Require MFA through an authenticator app.
  • Enable Audit Trail functionality
    • Set up an audit log ingest and query method of your choice.
    • Set up alerting based on the parameters relevant to you.
  • Adjust the snapshot schedule to meet business needs.
  • Implement a fully redundant disaster recovery / business continuity process, including planning for fail-over and fail-back.
  • Use LucidLink Classic Custom to enable your own S3 key rotation policies and bucket access policies.
  • If using LucidLink Classic Custom, after initialization, apply bucket policies that only allow the hub to perform "s3:DeleteObject" commands, to facilitate garbage collection. Note: with this technique, bucket access policies will need to be temporarily modified to enable key rotation.
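As an added illustration (not LucidLink’s own documentation), the pattern in the last bullet expressed as an S3 bucket policy: an explicit Deny of s3:DeleteObject on every object for every principal except the hub’s IAM identity. The bucket name and the hub’s IAM user ARN are placeholders; substitute the identity the hub actually authenticates with.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyHubToDeleteObjects",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::EXAMPLE-FILESPACE-BUCKET/*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:user/EXAMPLE-lucidlink-hub"
        }
      }
    }
  ]
}
```

Because the explicit Deny applies to every principal other than the one named, including account administrators and any replacement identity created during key rotation, the policy has to be edited to name the new identity before the old one is retired, which is the temporary modification the bullet above refers to.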

Procedural Recommendations

  • Store root user login credentials in a trusted secrets management tool.
    • Ensure multiple people know how to access them in case of staff changes.
  • Rotate keys on a regularly scheduled interval (Custom Filespaces only).
  • Minimize Admin roles to only those who absolutely need them.
  • Grant folder access on the “least privilege” principle.
  • Audit your user access and permissions on a regularly scheduled interval.
