Securing access to a synchronization sourceSecuring access to a synchronization source

For both of our supported synchronization methods we expect the customer to expose a data source to our environment over the internet.

There are a number of options to provide a defense in depth strategy to this potentially sensitive data source. Our recommendations are:

1. Only allow access from our outgoing IPs (see Hosting and installation, Outgoing IPs (NAT Gateways)) on the needed ports to the data source. Please note that these IP's are shared across all hosted customers in the region so this cannot be a stand-alone measure
2. Ensure encrypted communication
   1. For XML based solutions make sure to use TLS
   2. For database based solutions we recommend tunneling the traffic through an SSL tunnel (see SSH Tunnel from Pure server to Customer network) if the database doesn't natively support encrypted communications
3. Ensure that the data source requires authentication
   1. For XML based solutions we support Basic auth, Header based auth, and S3 credentials if hosted in AWS
   2. For database based solutions we support the normal database username/password authentication mechanism

Generally we recommend that customers consider partitioning the components and data so that only data needed for the Pure synchronization is included in the data source where access is provided. This would in particular mean not to expose a multi-tenant database in this manner.