- 26 Nov 2024
- 5 minute read
Types of sensitive data in transit
Different components within OneSpan Authentication Server environments exchange sensitive data via the network or via inter-process communication. In any case, the data exchange requires protection against unauthorized access or disclosure. Among the most sensitive data exchanges are:
- Replication data
- Data between the OneSpan Authentication Server service and the data store
- Data between the OneSpan Authentication Server service and the audit database
- Live audit data
- Data for SEAL/SOAP/RADIUS communicator modules
- Messages sent via Message Delivery Component (MDC)
- Configuration via Web Administration Service
If your organization is impacted by the General Data Protection Regulation (GDPR), ensure that the communicator interfaces are configured to use SSL. If a OneSpan Authentication Server component does not support SSL, the respective interface must be configured without SSL; in that case, to remain GDPR-compliant, it is advised to set up an encrypted VPN tunnel to secure the communication. Note that you should always set up an encrypted VPN tunnel to secure the communication between RADIUS clients and OneSpan Authentication Server.
For more information about GDPR, refer to the OneSpan Authentication Server General Data Protection Regulation Compliance Guide.
Replication data
Replication can be configured to allow multiple OneSpan Authentication Server instances to keep their data synchronized and ensure consistency. OneSpan Authentication Server replicates entire records, rather than individual record attributes. When multiple OneSpan Authentication Server instances use different ODBC databases as their data stores, replication ensures that each database is up to date with the latest data changes.
You can use SSL to protect replication connections. Enabling and configuring SSL for replication connections requires your server's SSL certificate, the password of its corresponding private key (if you set one), and the SEAL SSL certification authority (CA) file of the destination server.
If your organization is impacted by the General Data Protection Regulation (GDPR), be aware that when using replication, the data to be replicated is temporarily stored in a local SQLite database and then transferred via messages over the SEAL protocol to its destination. The data temporarily stored on disk is unencrypted. To be GDPR-compliant, we recommend encrypting either the folder containing the replication database or the hard disk, and setting up SSL encryption for replication connections between the OneSpan Authentication Server instances.
For more information about GDPR, refer to the OneSpan Authentication Server General Data Protection Regulation Compliance Guide.
Data between the OneSpan Authentication Server service and the data store
OneSpan Authentication Server connects to the ODBC data store using ODBC drivers. An SSL tunnel needs to be set up between the ODBC driver and the ODBC DBMS. For more information about configuring the ODBC drivers with the ODBC DBMS, refer to the product documentation of your DBMS.
Data between the OneSpan Authentication Server service and the audit database
Audit messages are primarily generated by OneSpan Authentication Server and include RADIUS accounting data. These messages may be recorded by a number of different methods. To protect audit messages in transit, SSL between the ODBC driver and the ODBC DBMS must be enabled. For information about configuring the ODBC drivers with the ODBC DBMS, refer to the product documentation of your DBMS.
Live audit data
Live auditing captures audit messages and passes them directly to the Audit Viewer application as a live feed.
You can use SSL to protect live audit connections. Enabling and configuring SSL for live audit connections requires your server's certificate, the password of its corresponding private key (if you set one), and a certification authority (CA) certificate file for (optional) client certificate verification.
Data sent and received via the SEAL/SOAP/RADIUS communicator modules
OneSpan Authentication Server provides a communicator module for each protocol for which it can receive and handle requests. Each communicator module can be enabled or disabled as required, subject to support in the server license.
You can use SSL to protect connections between the communicator modules and the communication end points. Enabling and configuring SSL for communicator module connections requires your server's certificate and the password of its corresponding private key (if you set one). Configuring the SEAL and SOAP communicator modules also requires a certification authority (CA) certificate file for (optional) client certificate verification.
Messages sent via Message Delivery Component (MDC)
The Message Delivery Component (MDC) service accepts one-time password (OTP) notifications and other messages from OneSpan Authentication Server. It interfaces with SMS, email, voice, or push notification gateways to relay those messages to a user's phone or email address. Push notifications can be forwarded via an on-prem DIGIPASS Gateway or OneSpan Notification Gateway.
You can use SSL to protect connections between OneSpan Authentication Server and MDC. This requires your server's certificate, the password of its corresponding private key (if you set one), and a certification authority (CA) certificate file for (optional) client certificate verification.
If your organization is impacted by the General Data Protection Regulation (GDPR), note that the SEAL protocol used for communication with OneSpan Authentication Server must be SSL enabled in the MDC Configuration Utility to be GDPR-compliant.
If the Email Delivery option is selected, ensure that the gateway server is configured to use SSL/TLS encryption.
For more information about GDPR, refer to the OneSpan Authentication Server General Data Protection Regulation Compliance Guide.
Configuration via the Web Administration Service
The Web Administration Service (Administration Web Interface) is a web-based administration application used to complete most of the administration tasks in the OneSpan Authentication Server environment.
You can use SSL to protect connections between the client browser and the Administration Web Interface and connections between the Administration Web Interface and the OneSpan Authentication Server service.
If you deploy the Administration Web Interface locally, the OneSpan Authentication Server Setup Utility deploys it with TLS/SSL enabled. A TLS/SSL certificate and a random password are generated for this purpose. You can configure these via the Apache Tomcat settings after installation.