Certificate Verification at Fivetran
Transport Layer Security (TLS, also referred to as Secure Sockets Layer, HTTPS, or SSL) is one of the encryption methods that Fivetran uses to secure data in motion. TLS allows for both encryption and authentication of the connections that Fivetran makes to your data sources and to your destinations.
Fivetran connections made over TLS are always encrypted. They support automatic verification for connectors that use hostname verification (such as web-based applications) and for proprietary systems with built-in certificate authority management, such as Snowflake, BigQuery, and Redshift.
For other connectors, such as customer-operated databases, we support verifying a certificate using root certificate authority verification.
Rollout to Existing Connectors
The initial rollout of TLS/SSH verification at Fivetran relies on a “trust on first use” model based on the server certificate observed on existing connectors.
Fivetran customers have been relying on security techniques such as IP whitelisting, SSH tunnels, and IPSec VPNs to secure connections to their critical data, so our rollout strategy capitalizes on those security methods to bootstrap an initial TLS trust anchor.
Verifying a Certificate
New customers, and connectors added or reconfigured after the release, will require a user to explicitly select the certificate to use as the trust anchor. Customers who use self-signed certificates for their databases can verify based on the fingerprint of the certificate, and customers who use a certificate authority model can select the authority that Fivetran should validate against.
Auditing Trusted Certificates
The account page in your Fivetran dashboard will include a section where your security team can audit all the trust selections that have been made within your Fivetran configuration. You have the option to revoke the trust of a certificate at any time. Once a certificate’s trust has been revoked, you will need to re-run the setup tests for any affected connectors to select the new certificate and resume data replication.
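The trust model described above (trust on first use for existing connectors, explicit fingerprint selection, and revocation that blocks a connector until a certificate is re-selected) can be sketched as follows. This is an added example, not Fivetran's code; the `TrustStore` class, the connector name, and the certificate bytes are constructed assumptions.

```python
import hashlib
import hmac

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

class TrustStore:
    """Per-connector certificate pins (hypothetical model for illustration)."""
    def __init__(self):
        self.pins = {}        # connector id -> pinned fingerprint
        self.revoked = set()  # connectors whose trust was revoked

    def bootstrap(self, connector: str, observed_der: bytes) -> None:
        """Trust on first use: pin only if nothing is pinned and nothing was revoked."""
        if connector not in self.pins and connector not in self.revoked:
            self.pins[connector] = fingerprint(observed_der)

    def select(self, connector: str, chosen_fp: str) -> None:
        """Explicit user selection (e.g. during a setup test); clears a revocation."""
        self.pins[connector] = chosen_fp.replace(":", "").lower()
        self.revoked.discard(connector)

    def revoke(self, connector: str) -> None:
        """Drop the pin and remember the revocation so TOFU cannot re-trust silently."""
        self.pins.pop(connector, None)
        self.revoked.add(connector)

    def verify(self, connector: str, presented_der: bytes) -> bool:
        """Fail closed: no pin, or a different certificate, means no connection."""
        pinned = self.pins.get(connector)
        return pinned is not None and hmac.compare_digest(pinned, fingerprint(presented_der))

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-for-db-cert-A"
CERT_B = b"constructed-der-bytes-for-db-cert-B"

def demo():
    store = TrustStore()
    store.bootstrap("pg_prod", CERT_A)            # existing connector: TOFU pin
    first = store.verify("pg_prod", CERT_A)       # same certificate: accepted
    swapped = store.verify("pg_prod", CERT_B)     # different certificate: rejected
    store.revoke("pg_prod")
    store.bootstrap("pg_prod", CERT_A)            # ignored: trust was revoked
    after_revoke = store.verify("pg_prod", CERT_A)
    store.select("pg_prod", fingerprint(CERT_B))  # explicit re-selection
    reselected = store.verify("pg_prod", CERT_B)
    return first, swapped, after_revoke, reselected
```

The revoked set is what keeps a revoked connector from being re-trusted automatically the next time its certificate is observed.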