Though it may take a few seconds to start up a Sauce Connect tunnel, you'll have a high security tunnel for communications between the machine where it's running and the Sauce Labs API and browser cloud. In addition to the security of the tunnel itself, each tunnel connection spins up a fresh virtual machine that is used only for your tests, and which is destroyed when the tunnel is closed. This is why one of the recommended best practices for Sauce Connect is to always create a new tunnel for each test suite or build, and then tear it down at the end of your test.
Data transmitted by Sauce Connect is encrypted through the TLS protocol, which uses perfect forward secrecy for maximum security. Sauce Connect also uses a caching web proxy to minimize data transfer. You can disable this with the command line option
-N, --no-proxy-caching, which is described further in the Sauce Connect Command Line Reference.
Sauce Connect in the DMZ
Within your infrastructure, Sauce Connect must be able to reach the application or server you want to test via your network, but can be firewalled from the rest of your internal network. We recommend running Sauce Connect in a firewall DMZ, on a dedicated machine, and setting up firewall rules to restrict access from that DMZ to your internal network. However, you must be careful about how to locate Sauce Connect in a DMZ. The topics in Setting Up Sauce Connect Proxy describe various network configurations for Sauce Connect, including a dysfunctional DMZ architecture.