Virtual Staging Environment Security
The White List
When a virtual environment is created you need to specify a white list. The white list is used to restrict access to the environment to the set of IP addresses specified by an administrator. The video below provides an overview of setting up and using a white list.
Video: Setting up a white list
In the example below, we are creating a white list called "Launch team" and adding the IP address for the London office team, this might be an IP address that is specific to the set of team members involved in the project and accessed via a VPN, for example. We've also included the IP address for the ecommerce server used for the project. Any request to access an asset in "Launch environment" that originates from an IP address not included in the white list will be ignored.
IP addresses are specified using CIDR notation and in this case we are specifying that the exact IP address must be matched. For security reasons, by default you can only include specific IP addresses rather than a range of addresses.
Other security features
The white list is the primary way of restricting access to a virtual staging environment, but there are a number of other security measures that protect your content from unauthorised access.
Only an administrator has permission to create a virtual staging environment and grant read only access to the specified resources restricted by IP address. The administrator can edit the details of the environment, including the asset stores that can be accessed and the white list, or delete the environment, at any time.
When a virtual environment is created, we create a server side token and use this to store the security credentials that the administrator has defined for this environment. When an asset is requested using a staging URL, if the IP address making the request is on the whitelist, the staging service will look up the credentials on your behalf and load the asset based on the rules defined.
Asset stores have permissions attached to them, so that only specified users can view and upload content to them. In our example, access to the "launchassets" asset store would be restricted to authorised users within the launch team.
Only certain range of IP addresses can be specified by default, so the administrator cannot accidentally allow access and make assets public.
By providing access to users via a Virtual Private Network (VPN), that requires a user name and password or key based authentication, you can add a further layer of security to that provided by access control via a trusted IP address.