Overview
This document provides recommended security practices for Vaultastic administrators and IT teams responsible for operating and securing Vaultastic environments.
Vaultastic is designed with multiple layers of security controls across infrastructure, platform, storage, movement, and access management. Effective security requires both Vaultastic platform controls and customer operational controls.
This guide defines those responsibilities and operational recommendations.
Security Shared Responsibility Model
Security in Vaultastic follows a shared responsibility model.
Vaultastic secures the platform, while customers secure access, configurations, governance, and operational usage.
Vaultastic Responsibilities
Vaultastic provides platform-level security controls including:
Platform Security
Encryption for data in transit and at rest
Disaster Recovery (DR) capabilities for Active, Open, Deep, and Live Stores
Authentication and authorization controls
Tenant isolation and partitioned data architecture
Rate controls and abuse protection
Secure APIs and open archive formats
Data Protection
Data residency controls
Integrity validation during automated movement of archived data
Protection against corruption during lifecycle transitions
Immutable archival capabilities where applicable
Operations & Compliance
Continuous monitoring through a Network Operations Center (NOC)
Vulnerability Assessment and Penetration Testing (VAPT)
Secure Software Development Lifecycle (Secure SDLC)
Regular platform security updates
Compliance-aligned controls and operational processes
Cloud infrastructure operated on AWS
Governance & Traceability
Audit trails
Security event logging
Access monitoring capabilities
Customer Responsibilities
Customers remain responsible for:
User access governance
Administrative access controls
Password and identity policies
Primary source credentials and API keys
Audit review
Data retention configuration
Private Store security
Internal compliance and approvals
The sections below define recommended customer controls.
1. Administrative Access Control
Administrative accounts are the highest-risk part of the attack surface and should be tightly controlled.
1.1 Use Named Administrative Access
Recommendation
Assign administrator privileges only to named individuals.
Best Practices
No shared administrator accounts
Separate operational and compliance administrators
Assign temporary elevation where possible
Remove admin access immediately after role changes
Review Frequency
Perform access review monthly.
Avoid
❌ Shared admin credentials
❌ Permanent elevated access
❌ Generic IT accounts
1.2 Enforce Strong Authentication
Recommendation
Configure organization authentication policies with strong identity controls.
Minimum Controls
Strong password requirements
Password expiration and rotation policies
Account lockout protection
Multi-factor authentication (2FA/MFA)
Recommended Baseline
| Control | Recommendation |
|---|---|
| Password length | ≥12 characters |
| Complexity | Enforced |
| Failed attempts | Account lockout |
| MFA | Required for administrators |
1.3 Enable CAPTCHA Protection
Recommendation
Enable CAPTCHA on authentication interfaces where supported.
Benefit
Reduces:
Credential stuffing
Automated login attempts
Password spray attacks
1.4 Never Share Credentials
Recommendation
Credentials must never be shared externally.
Important
Do not share:
Administrator passwords
Recovery codes
MFA tokens
API credentials
Including with:
Vendors
Contractors
Support personnel
Mithi teams
Support activities should be performed using approved support workflows.
1.5 Maintain Recovery and Notification Accounts
Recommendation
Review and maintain primary administrator email addresses.
Required Actions
Update postmaster/admin email when employees leave
Remove inactive contacts
Ensure mailbox continuity
Risk if Ignored
Loss of password recovery
Delayed security notifications
1.6 Apply Least Privilege
Recommendation
Grant only the permissions necessary to perform assigned tasks.
Examples
| Role | Recommended Capability |
|---|---|
| Junior Admin | Read + Operations |
| Compliance Admin | Search + Export |
| Platform Admin | Full administration |
| Auditor | Read-only |
Avoid
❌ Delete rights for junior administrators
❌ Universal application access
1.7 Advanced Deployment Isolation (Optional)
For customers with elevated security requirements:
Recommended Controls
VPC isolation
Restricted IP ranges
Private endpoints
Segmented administrative networks
Best suited for:
BFSI
Government
Healthcare
Regulated industries
2. End User Access Control
User access should follow need-to-know principles.
2.1 Enable Self-Service Carefully
Recommendation
Default self-service access should expose only user-owned archived data.
Users should not gain visibility into:
Other mailboxes
Shared archives
Administrative functions
2.2 Restrict Supervisor and Auditor Access
Recommendation
Grant scoped vault access.
Examples:
Department-only supervision
Case-based legal review
Audit-period access
Avoid broad archive visibility.
2.3 Use Time-Bound Access
Recommendation
Set up a process to revoke access after the prescribed time.
Typical scenarios:
Investigations
Legal review
Internal audits
Temporary supervision
Review access regularly.
3. Secure Keys and Access to Primary Data Sources
Vaultastic relies on secure integration with source systems.
Examples:
Microsoft 365
Google Workspace
Exchange
SharePoint
OneDrive
File systems
3.1 Manage Key Lifetime
Recommendation
Rotate credentials and tokens periodically.
Controls
Establish expiration windows
Remove unused keys
Monitor integration health
3.2 Apply Least Privilege on Source Systems
Recommendation
Integration accounts should default to:
✅ Read-only access
Only grant write permissions when operationally required.
Examples:
Backfill jobs
Migration workflows
Controlled remediation
Avoid broad administrative permissions.
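One way to check an inventory of integration credentials against sections 3.1 and 3.2, as an added example that is not Vaultastic code. The inventory fields, key names and the 90-day and 30-day thresholds are assumptions chosen for illustration; the guide sets no numbers.

```python
from datetime import date

# Assumed thresholds; the guide recommends expiration windows and removing
# unused keys but does not set values. Use the ones from your own policy.
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 30

# Constructed inventory of integration credentials (hypothetical names).
INVENTORY = [
    {"name": "m365-journal", "scope": "read", "created": date(2024, 4, 1),
     "last_used": date(2024, 5, 30), "justification": ""},
    {"name": "gws-drive", "scope": "read", "created": date(2023, 11, 15),
     "last_used": date(2024, 5, 31), "justification": ""},
    {"name": "exchange-legacy", "scope": "read", "created": date(2024, 3, 10),
     "last_used": None, "justification": ""},
    {"name": "sharepoint-backfill", "scope": "write", "created": date(2024, 5, 1),
     "last_used": date(2024, 5, 28), "justification": "Backfill job"},
    {"name": "fileshare-sync", "scope": "write", "created": date(2024, 5, 10),
     "last_used": date(2024, 5, 29), "justification": ""},
]

def audit_keys(inventory, today):
    """Map each key name to the actions it needs; compliant keys are omitted."""
    findings = {}
    for key in inventory:
        issues = []
        # 3.1: key is older than the expiration window.
        if (today - key["created"]).days > MAX_KEY_AGE_DAYS:
            issues.append("rotate: past expiration window")
        # 3.1: key was never used, or not used recently.
        last_used = key["last_used"]
        if last_used is None or (today - last_used).days > MAX_IDLE_DAYS:
            issues.append("remove: unused")
        # 3.2: anything beyond read-only needs a recorded operational reason.
        if key["scope"] != "read" and not key["justification"]:
            issues.append("reduce: write access without recorded need")
        if issues:
            findings[key["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_keys(INVENTORY, date(2024, 6, 1)).items():
        print(name, issues)
```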
4. Audit Trail Management
Audit data is effective only when reviewed.
4.1 Review Audit Logs Regularly
Recommendation
Review:
Login activity
Access changes
Export actions
Retrieval activity
Administrative operations
Suggested Frequency
| Activity | Frequency |
|---|---|
| Admin review | Monthly |
| Compliance review | Quarterly |
| Incident review | Immediate |
4.2 Export and Retain Audit Trails (Optional)
For advanced governance:
Recommendation
Download and retain audit logs externally.
Benefits:
Long-term investigation
Regulatory evidence
Cross-platform correlation
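A sketch of the section 4 review run over an externally retained audit export, as an added example that is not Vaultastic code. The CSV columns, event names, role names and thresholds are assumptions constructed for illustration and do not describe the product's export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column and event names are assumptions,
# not the Vaultastic audit log format.
SAMPLE_EXPORT = """timestamp,actor,role,event,source_ip,result
2024-05-06T02:10:05,user01,end_user,login,198.51.100.23,fail
2024-05-06T02:11:40,user02,end_user,login,198.51.100.23,fail
2024-05-06T02:13:02,user03,end_user,login,198.51.100.23,fail
2024-05-06T09:00:12,carol,compliance_admin,export,203.0.113.10,ok
2024-05-06T09:30:45,dave,junior_admin,export,203.0.113.11,ok
2024-05-06T10:05:00,erin,platform_admin,role_change,203.0.113.12,ok
2024-05-06T11:00:00,user01,end_user,login,203.0.113.50,fail
"""

# Roles whose capability in the section 1.6 table covers export.
EXPORT_ROLES = {"compliance_admin", "platform_admin"}
SPRAY_ACCOUNTS = 3                    # assumed: distinct accounts per address
SPRAY_WINDOW = timedelta(minutes=10)  # assumed window

def review(export_text):
    """Return (finding, subject) tuples for items a reviewer should open."""
    findings = []
    fails_by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.fromisoformat(row["timestamp"])
        if row["event"] == "login" and row["result"] == "fail":
            fails_by_ip[row["source_ip"]].append((when, row["actor"]))
        elif row["event"] == "export" and row["role"] not in EXPORT_ROLES:
            findings.append(("export_by_unexpected_role", row["actor"]))
        elif row["event"] == "role_change":
            findings.append(("access_change", row["actor"]))
    # Many accounts failing from one address in a short window suggests
    # password spraying rather than one user mistyping a password.
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            actors = {a for t, a in fails[i:] if t - start <= SPRAY_WINDOW}
            if len(actors) >= SPRAY_ACCOUNTS:
                findings.append(("password_spray_suspected", ip))
                break
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT):
        print(finding)
```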
5. Secure Private Stores
Private Stores extend customer responsibility.
5.1 Protect Store Access
Recommendation
Restrict storage access using:
IAM policies
RBAC
Network restrictions
Avoid public exposure.
5.2 Control Data Deletion
Recommendation
Implement approval workflows for:
Deletion
Purging
Retention exceptions
Prevent accidental archive loss.
5.3 Enforce Retention Policies
Recommendation
Configure:
Retention duration
Legal hold exceptions
Expiry workflows
Review annually.
5.4 Encrypt Customer-Controlled Storage
Recommendation
Enable encryption for:
Stored data
Backup copies
Replicated environments
Manage encryption keys securely.
Security Operations Checklist
Identity & Access
Named admin accounts
MFA enabled
Monthly access review
CAPTCHA enabled
Data Protection
Source keys rotated
Retention policies configured
Encryption validated
Monitoring
Audit review schedule
Incident process defined
Notifications configured
Private Stores
Access restricted
Deletion approvals implemented
Encryption enabled
Following these practices strengthens the security posture of Vaultastic deployments while reducing operational risk and improving governance readiness.