Security & Access Control
StacksAtlas is designed for high-security environments where data privacy and infrastructure integrity are paramount. Our security model focuses on Zero-Knowledge Architecture and Local-First persistence.
Data Sovereignty (The "Zero-Knowledge" Policy)
Unlike SaaS monitoring tools, StacksAtlas assumes your network data is sensitive and should never leave your premises.
- No Cloud Telemetry: The application does not collect usage statistics, anonymized crash reports, or device inventory metadata.
- Encrypted-at-Rest: The internal LiteDB database is encrypted using AES-256 (FIPS 140-2 compliant algorithms).
- License Isolation: The license validation service (api.lemonsqueezy.com) only receives your license key and a unique hardware ID. No technical details about your scanned subnets are included in this handshake.
Access Control (RBAC)
To support multi-user teams, StacksAtlas implements a granular Role-Based Access Control system.
| Role | Permissions | Use Case |
|---|---|---|
| Administrator | Full system control: global settings, user management, and license activation. | IT Manager / Owner |
| Standard User | Operational access: device names, location management, and alert acknowledgment. | Network Technician |
| Viewer | Read-only access: dashboard monitoring and report generation. | Management / Auditor |
| Alert Only | Notification access: receives email/webhook triggers (no dashboard access). | Emergency Contact |
Authentication & Cryptography
- PBKDF2 Hashing: User passwords are never stored in plain text. We utilize industry-standard Password-Based Key Derivation Function 2 (PBKDF2) with unique salts.
- JWT Architecture: All communication between the browser and the background service is secured via JSON Web Tokens (JWT), ensuring stateless and tamper-proof sessions.
- HTTPS Enforcement: By default, StacksAtlas binds to Port 5001 with a self-signed or user-provided certificate to ensure all traffic is encrypted in transit.
- Protocol Hygiene Warnings: The UI provides explicit warnings when using unencrypted Protocol Quick Links (Telnet/FTP), ensuring administrators are aware of the risks of clear-text credentials in the environment.
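
The PBKDF2 bullet above, as an added Python sketch of salted password storage and verification; it is not StacksAtlas code. The PRF (HMAC-SHA-256), iteration count, salt size, record format and function names are assumptions, since the page does not state them.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed parameters: the page does not state the PRF, iteration count or salt size.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
MAX_ITERATIONS = 10_000_000  # refuse records that would stall the verifier


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2-<prf>$<iterations>$<salt>$<key>."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, KEY_BYTES)
    return "$".join([
        f"pbkdf2-{ALGORITHM}",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> tuple[bool, bool]:
    """Return (password_matches, needs_rehash) for a stored record."""
    try:
        scheme, iter_text, salt_b64, key_b64 = record.split("$")
        iterations = int(iter_text)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return False, False  # malformed record: fail closed
    if (scheme != f"pbkdf2-{ALGORITHM}" or not expected
            or not 1 <= iterations <= MAX_ITERATIONS):
        return False, False
    actual = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                                 iterations, len(expected))
    matches = hmac.compare_digest(actual, expected)  # constant-time comparison
    # A correct password stored under a weaker work factor should be re-hashed.
    return matches, matches and iterations < ITERATIONS
```

Storing the parameters beside the hash lets the work factor be raised later: a successful login against an older record reports `needs_rehash`, and the caller can replace the record while it still holds the plaintext.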
Infrastructure Resilience
- Rate-Limited Discovery: Our proprietary scanning engine is designed to be "IDS-friendly." We implement adaptive rate-limiting to prevent triggering Intrusion Detection Systems or saturating network switches.
- Sandboxed Environment: The .NET host runs as a standard Windows Service, allowing you to use native Windows Service Accounts to restrict file system and network interface permissions.