STA encrypts passwords and limits access to the application based on role and any external authenticator (such as your company's internal LDAP).
The STA application uses encrypted password roles to protect itself. The application should be in a physically secured data center, which also has a secured network that allows access only to authorized users.