Inter-Business Vault. Technical Overview
Finally, you can enjoy the security, performance and accessibility of a local area network when sharing information over the Internet with business partners, customers, and remote offices.
Table of Contents

1. The Challenge: Connecting your enterprise to remote offices and business partners
2. The Dark Side of the Internet
   2.1. Security
   2.2. Accessibility
   2.3. Performance
   2.4. Administration
3. Introducing Inter-Business Vault
4. Inter-Business Vault Architecture
5. 10 Security Layers providing End-to-end Security
   5.1. Firewall & Code-Data Isolation
   5.2. VPN
   5.3. Authentication
   5.4. Access Control
   5.5. File Encryption
   5.6. Visual, Manual, and Geographical Security
   5.7. Content Inspection
   5.8. Secure Backup and Version Control
6. Boundless Connectivity
   6.1. Central System Gateway
   6.2. Windows GUI
   6.3. Web Interface (ActiveX)
   6.4. Windows Integration - Namespace Extension
   6.5. SDK
7. Scalability, Availability and Enterprise-Level Management
8. The breakthrough is in the Vaulting Technology
9. The Inter-Business Vault - Connecting Enterprises
   9.1. Security
   9.2. Accessibility
   9.3. Performance
   9.4. Administration
10. Cost Effectiveness - Rapid ROI
11. Implementations
12. Summary
13. About Cyber-Ark Software
    Awards
Appendix A - The Inter-Business Vault vs. Alternative Solutions
Appendix B - Technical Specifications
    Supported Platforms
1. The Challenge: Connecting your enterprise to remote offices and business partners

Significant inter-business processes today are essentially based on file distribution, collection and sharing mechanisms. Whether you are a financial institution distributing credit card transaction files to corporate customers or a bank collecting daily check deposit reports; whether you are a telecommunications company publishing billing statements or an airline company sharing flight schedules with code-share partners; or whether you are a distributed enterprise sharing file servers between remote branches; in all cases, you need to share files with business partners, customers and remote offices in order to increase your business productivity.

Applications that need to share and exchange files constantly face problems of security, performance, accessibility and administration. Enterprises and vendors have addressed those issues using numerous products and complex integrations. Nevertheless, the results fall into the trap of the lowest common denominator and are extremely expensive.

Based on its patented Vaulting technology, Cyber-Ark introduces its sophisticated state-of-the-art infrastructure for inter-business information sharing: The Inter-Business Vault.

2. The Dark Side of the Internet

Formerly, data access was limited to and by the internal network boundaries. Traditional applications took advantage of the high-performance, homogeneous and relatively secure internal network. Nowadays, when data is constantly shared between a company and external entities, various issues must be taken into consideration.

2.1. Security

Exposing the enterprise's sensitive files to business partners is definitely one of the major concerns of IT officers. Companies often build an extranet, which is an independent network outside the internal one, in order to share desired files.

Generally speaking, since the users of the extranet are not under the direct control of the enterprise, security should be much stricter and is harder to control. Therefore, the sensitive data on the extranet should be secured at least to the same extent as the internal network. This means re-implementing all the traditional security solutions, such as firewall, encryption, access control, authentication, etc., but this time on the extranet. Potential intruders can also use the extranet as a good starting point to hack into the internal network by taking advantage of possible connections between the extranet applications and internal information.
2.2. Accessibility

When communicating with business partners, we encounter the problems of inter-business interoperability and accessibility behind network boundaries. Contrary to the internal network environment, in which no boundaries limit the accessibility of any application, in an inter-business environment network boundaries block most of the standard protocols such as file server protocols, forcing the use of special FTP or HTTP-based tools. These interfaces are usually less intuitive and harder to maintain.

Moreover, each partner may have its preferred way of accessing your data. Some will prefer FTP while others require a file server front-end; some have Windows systems while others rely on Unix. Some installations require a web front-end to your files while others need to transfer transaction data automatically to and from their systems. Since it is much harder to enforce standardization on the external users, organizations develop multiple access methods to their applications.

2.3. Performance

External users that access the enterprise's files remotely usually face significant performance degradation. One obvious cause of performance problems is the communication line. The second cause of performance problems is encryption. VPN is usually implemented between the external network and the remote user and is known to be a performance bottleneck. Server-side encryption and decryption should keep up with the computing power of thousands of clients that send encrypted data. With a file server, for instance, not only is every file encrypted on one side and decrypted on the other, but intermediate read and write operations are also carried through the remote encrypted channel. On top of that, it is usually desirable to have data encrypted while it is kept on the storage device. This adds another time-consuming encryption or decryption operation.
2.4. Administration

Administering thousands of external business partners that need access to the enterprise's data is in itself a major issue. The enterprise creates user accounts for people it doesn't know directly, supports them and eventually deletes the accounts when they change positions. It is unlikely that an enterprise will notify its business partners about personnel changes just to enable setting the access rights to a shared system. Moreover, business partners that have invested in implementing certain authentication methods would like those methods to be accepted for access to external shared systems, in order to avoid the need for multiple passwords.

The above problems are well known and are addressed by software and hardware vendors with numerous solutions for each particular problem. The difficulty arises when a comprehensive solution needs to be implemented. This requires an extremely expensive integration of products and produces an overall mediocre solution. The Inter-Business Vault addresses all the issues above in a revolutionary cutting-edge solution and provides, for the first time, a LAN-like experience when connecting external entities.

3. Introducing Inter-Business Vault

Based on its patented Vaulting Technology, Cyber-Ark provides the Inter-Business Vault, a Safe Haven, highly secured regardless of overall network security, where information can be stored and shared over the Internet. It enables business partners and remote offices to distribute, collect, transfer and share files as if they were on the same network, thus providing a ready-to-use platform for every inter-business file-based application.

The innovative Vaulting Technology enables organizations, for the first time, to enjoy a LAN-like experience over the Web by providing a LAN level of security, performance and accessibility. This places the Vault way ahead of alternative information sharing implementations, which are made of a secured extranet combined with a file sharing/transfer solution and performance enhancers.

The Inter-Business Vault enables large enterprises such as financial institutions, manufacturing corporations, communication companies, healthcare and governmental organizations to rapidly deploy file sharing, distribution and collection applications, while increasing inter-business connectivity, enhancing the level of security, significantly improving productivity and cutting up to 80 percent of the enterprise costs on a secure extranet.
4. Inter-Business Vault Architecture

The Inter-Business Vault architecture consists of two major elements. One is the Storage Engine (also referred to as the server or simply the Vault), which holds the data and is responsible for securing the data at rest and ensuring authenticated and controlled access. The second element is the System Gateway, which communicates with the Storage Engine on one hand and provides standard access interfaces to users and applications on the other. The Storage Engine and System Gateway communicate using Cyber-Ark's secure protocol, the Vault protocol.

The next four chapters discuss various aspects of the architecture: the security features of the server and the communication; methods of accessing the Vault's data and the unique advantages of the two-tier architecture; scalability, availability and enterprise-level integration; and a technological overview of the enabling breakthroughs.
5. 10 Security Layers providing End-to-end Security

The Inter-Business Vault comprises 10 layers of security, including: Firewall, VPN, Access Control, Authentication, Content Inspection, Encryption engine, Secured Backup and Version Control, Auditing tools and more. These layers were all designed and built specifically for the Inter-Business Vault, as enabled by the Vaulting Technology, making it the ultimate solution for secured information sharing over the Web. Information is highly secured while stored in the Inter-Business Vault and while transmitted over the network.

5.1. Firewall & Code-Data Isolation

The Inter-Business Vault server must run on a dedicated server, eliminating security holes in third party products. This is enforced by the Inter-Business Vault firewall, which does not let any communication into or out of the server other than its own authenticated protocol, the Vault protocol. No other component is able to communicate with the outside world, except for the Storage Engine. The fact that the Inter-Business Vault's code is the only code that runs on the dedicated server assures a sterile environment and total control over the server by the security system.

5.2. VPN

The VPN encrypts every transmission (i.e. transactions and data) over the network. About 95% of the encryption processes occur on the client side (see Client Side Encryption below), thus offloading the Inter-Business Vault and allowing higher throughput.

5.3. Authentication

Every access to the Inter-Business Vault must be authenticated. The Inter-Business Vault uses a strong two-way authentication protocol. Authentication is based on passwords, PKI digital certificates, RSA SecurID tokens, USB tokens, or Windows NT/2000 domain authentication. Taking the latter approach requires no additional authentication by the end-user.

5.4. Access Control

The Inter-Business Vault provides a built-in access control mechanism. Users are totally unaware of information that is not intended for their use. Users can be permitted to read, write, delete, or administer data according to the access control rules.
5.5. File Encryption

Every file stored on the Inter-Business Vault is encrypted. The Inter-Business Vault introduces a state-of-the-art encryption infrastructure that is totally hidden from the end user. This means that neither users nor administrators need to concern themselves with any key management issues.

The Inter-Business Vault assigns a unique symmetric encryption key to every version of every file stored in it. These encryption keys are securely delivered only to authenticated users that have appropriate access control rights. This enables the administrator to grant and deny access to files without the need to re-encrypt them. Users are never exposed to extraneous encryption keys and cannot decrypt files once their permissions are removed. This unique key management also provides the means for the client-side encryption and the encrypted backups.

5.6. Visual, Manual, and Geographical Security

Visual Security provides the end-user with real-time indications of who accessed his or her data, from where, and when. Manual Security can be used to force confirmation from another user whenever a sensitive file is being accessed. Geographical Security can limit access to information based on the user's location.

5.7. Content Inspection

Files that are placed inside the Vault are optionally stripped of any potential code, whether it is a Microsoft Office macro, VB script or a plain executable. This black-and-white approach guarantees that files that are shared with a certain entity are always virus-free.

5.8. Secure Backup and Version Control

Since data is stored encrypted inside the Vault, backups are encrypted as well. Cyber-Ark has invested a major effort in allowing standard systems to back up the Vault without the risk of data exposure or corruption caused by security holes in the backup system. Files that are placed inside the Vault always create a new version and never overwrite existing information. This guarantees protection against deliberate or unintentional data corruption.
6. Boundless Connectivity

The two-tier nature of the Inter-Business Vault, in which there is a separation between the actual locations where data is stored and the locations from where it is accessed, provides great benefits in terms of accessibility. The System Gateway can be installed inside any network that needs to access the Vault. This can be the enterprise's own internal network, a remote branch network, or a business partner network. Several alternative interfaces are provided for users who have no access to a central System Gateway in their network.

All in all, the Inter-Business Vault provides a variety of interfaces to the data. This allows users and organizations to access the Vault using the most suitable interface for their needs.

6.1. Central System Gateway

The Central System Gateway provides a standard protocol interface (such as CIFS, FTP and HTTP) to the data. Using the Central System Gateway, data can be accessed transparently, providing seamless implementation at the end-user level and integration with numerous applications. For example, the CIFS Gateway presents data in the Vault as if it were a standard CIFS/SMB file server. It enables business partners to access files over the Internet, using the same tools they use inside their LAN.

[Figure: File access by any application using File-Open/Save As Dialog]
[Figure: File access using the Windows explorer]
[Figure: File access by FTP Clients]
[Figure: File send/receive by any solution]

6.2. Windows GUI

The native Windows client is a regular Windows application, installed using a CD-ROM or through SMS. The Windows client is easy to use and only requires the end user to double-click in order to access the Vault. All administration tasks such as managing users and Safes are performed through the user interface.

6.3. Web Interface (ActiveX)

Based on ActiveX technology, the Web browser interface provides the same interface as the Windows native client. The Web interface simplifies installation and distribution of the client in large organizations and permits easy access to the Vault from mobile computers.

[Figure: File access by the Vault's Collaboration Web Interface]
6.4. Windows Integration - Namespace Extension

The Vault's content can be accessed through a Windows namespace as well. Using this interface, the user sees the Vault as just another drive on his desktop. Yet, access to the Vault is performed directly from his desktop with no need for a centralized gateway. Using the namespace, the end-user can access the Vault's content from Windows Explorer, and from any standard Windows application via the file-open or file-save-as dialog.

6.5. SDK

The Inter-Business Vault provides a full-capability Application Programming Interface (API) and Command Line Interface (CLI). The API/CLI can be used to integrate existing applications with the Vault and to automate batch procedures such as data distribution to business partners for automatic B2B connectivity.

[Figure: File access by batch scripts using the CLI]

7. Scalability, Availability and Enterprise-Level Management

The Inter-Business Vault's Clustering solution offers extremely high availability and superb scalability. While there are multiple physical computers in the cluster, each running the Vault server software, the user sees an image of only one Vault. Users are automatically distributed between the Vault cluster computers, thus load-balancing the cluster. In case of a failure in one of the cluster's computers, users can continue to work with the Vault, while seamlessly serviced by the other computers.

Local and remote directory services (LDAP) are also supported to provide centralized user management within the enterprise and among its business partners. Existing PKI deployments can be used to authenticate to the Vault using digital certificates. The Vault integrates with leading enterprise backup products, remote control and centralized console solutions.
8. The breakthrough is in the Vaulting Technology

The Inter-Business Vault architecture is based on Cyber-Ark's Vaulting Technology (US Patent No 6,356,941 B1). Cyber-Ark has discovered that by splitting the data-access interfaces from the data-storage it can remove many of today's technology barriers associated with inter-business connectivity. The Vaulting Technology creates a Single Data-Access Channel to the data-storage, which significantly improves security and makes it possible to build 10 security layers in a unified solution. The Vaulting Technology breaks through in performance, accessibility and administration, by enabling distributed VPN, remote caching, object-level end-to-end data compression, distributed administration, distributed authentication and boundless connectivity.

Contrary to the Vault environment, standard server architecture provides MANY interfaces, which enable external entities to communicate DIRECTLY with services and subsystem components. On a typical server, for example, a network file-system interface (e.g. CIFS) is provided to communicate with the file system, RPC enables remote procedure calls, SNMP allows remote control and monitoring of the server activities, an FTP interface may be provided to support file transfer activities, an SMB interface enables communication with the operating system for administering users and access rights, and different backup protocols enable system backup by the enterprise's backup solutions.

This multi-interface environment creates enormous security complexity, since each system component and service is only aware of a small portion of the full picture; there is no single point in the system that grasps the full picture and could serve as the security checkpoint (see Figure 1).

Figure 1 - A Standard non-vaulted server architecture
The Vaulting Technology splits the server into two entities: (i) the Storage Engine, which controls the data-storage, and (ii) the System Gateway, which provides the data-access interfaces. This way the interfaces are removed from within the server and relocated to the accessing point. The System Gateway exports multiple standard data-access interfaces (e.g. CIFS, FTP). It then converts and converges those protocols into Cyber-Ark's Vault Protocol, which is used to communicate with the Storage Engine. The Vault Protocol is authenticated and encrypted and maintains the identity of the authenticated user and the accessed object. The Storage Engine allows only the Vault Protocol through its Single Data-Access Channel.

Figure 2 - A Vaulted server architecture

This architecture is the basis for the Vault's two major security differentiators. First, the Single Data-Access Channel that is allowed into the Storage Engine, being the only logical and physical entry point, can easily be secured. Second, this single entry point to the Storage Engine is the ultimate candidate to perform a full-picture, object-based inspection of the requested access. This model allows Cyber-Ark to create 10 must-go-through, unified and object-aware security layers and thus provide the highest level of security existing today.

The Vault's two-tier nature provides many other major benefits beyond security, creating real breakthroughs in performance, administration and accessibility issues:

Built-in VPN - Securing the data from end to end, from the Storage Engine up to the System Gateway. In an inter-business environment, this means full built-in VPN from the remote network of the business partner's site down to the storage in the enterprise's network.

Client Side Encryption - Since the data is always encrypted while it is stored inside the storage and while transmitted over the network, it is possible to encrypt the data on the client side, transfer it to the storage engine and store it as it is without the need to decrypt it prior to storage. Consequently, most of the encryption is handled on the client side, distributing the encryption process between hundreds of computers.
Processors are highly limited in the amount of data they can encrypt in a given time. Having a single point of encryption, as in the standard VPN, gives only a fraction of the encryption power to each user. In a Client Side Encryption environment, this limitation is removed and the actual encryption rate is much higher. A standard VPN's encryption rate for each user is expressed by: One-computer-encryption-rate divided by Number-of-users. The Client Side Encryption rate is expressed by: One-computer-encryption-rate. Thus, the latter is Number-of-users times faster.

Compression - The Vault provides object-level end-to-end compression between the Storage Engine and the System Gateway. This compression is handled on the object level and not on the packet level as in standard communication compression solutions, thus providing a much better compression ratio. For example, a typical 900KB Word document is compressed to 18% of its original size, compared to a packet-based compression, which will end up in 33% compression.

Caching - The Vault's two-tier nature enables local caching in the remote site. Thus, after an initial access to the data, subsequent accesses will be served from the business partner's Gateway cache, where local network response times can be expected.

Distributed Administration - The Inter-Business Vault presents an advanced administration scheme; administration implementation can range from a centralized one to a highly distributed approach. Users and resources can be either managed by the enterprise's administrators or can be fully delegated to the business partner's management, while maintaining access control boundaries, quotas and centralized control.

Distributed Authentication - The two-tier nature enables a distributed authentication model. The Vault can be set to trust remote users' authentication to their local network as an acceptable authentication to the Vault. This eliminates the need for re-authentication and further reduces the burden of administering remote users. This capability is enabled by the fact that the remote tier is part of the remote network and can be part of its authentication domain.

Boundless Connectivity - The Inter-Business Vault offers boundless connectivity, which enables business partners to access files over the Internet using the same tools they use inside their LAN. This is in contrast to a non-vaulted environment, in which most of the standard protocols are usually blocked by network boundaries; the Vaulting Technology enables worldwide accessibility by all major protocols regardless of network boundaries.
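
The object-level versus packet-level comparison from the Compression paragraph above, as an added example that is not Cyber-Ark code: it uses Python's zlib with raw Deflate (the compression algorithm the technical specifications name) and assumes a 1400-byte packet payload and a constructed transaction report as input. The ratios it measures apply to this sample only and are not the 18% and 33% figures quoted in the text.

```python
import random
import zlib

PACKET_PAYLOAD = 1400  # assumed per-packet payload in bytes (not from the page)


def make_sample_report(records=3000, seed=7):
    """Build a constructed transaction report; every value is made up."""
    rng = random.Random(seed)
    branches = ["north", "south", "east", "west", "central"]
    kinds = ["deposit", "withdrawal", "transfer", "salary"]
    lines = []
    for i in range(records):
        lines.append(
            "record=%06d;branch=%s;type=%s;amount=%d.%02d;status=posted\n"
            % (i, rng.choice(branches), rng.choice(kinds),
               rng.randint(1, 99999), rng.randint(0, 99))
        )
    return "".join(lines).encode("ascii")


def raw_deflate(data, level=6):
    """Compress with raw Deflate (no zlib header) so sizes compare fairly."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def raw_inflate(blob):
    """Inverse of raw_deflate."""
    decomp = zlib.decompressobj(-15)
    return decomp.decompress(blob) + decomp.flush()


def compress_object(data):
    """Object level: one Deflate stream sees the whole file and its history."""
    return raw_deflate(data)


def compress_per_packet(data, payload=PACKET_PAYLOAD):
    """Packet level: each packet is compressed alone, with no shared history."""
    return [raw_deflate(data[off:off + payload])
            for off in range(0, len(data), payload)]


def compare(data, payload=PACKET_PAYLOAD):
    """Return sizes and ratios for both strategies after verifying round trips."""
    obj = compress_object(data)
    packets = compress_per_packet(data, payload)
    if raw_inflate(obj) != data:
        raise ValueError("object-level round trip failed")
    if b"".join(raw_inflate(p) for p in packets) != data:
        raise ValueError("packet-level round trip failed")
    packet_total = sum(len(p) for p in packets)
    return {
        "original_bytes": len(data),
        "packets": len(packets),
        "object_bytes": len(obj),
        "packet_bytes": packet_total,
        "object_ratio": len(obj) / len(data),
        "packet_ratio": packet_total / len(data),
    }


if __name__ == "__main__":
    result = compare(make_sample_report())
    print("original: %d bytes in %d packets"
          % (result["original_bytes"], result["packets"]))
    print("object-level: %d bytes (%.1f%% of original)"
          % (result["object_bytes"], 100 * result["object_ratio"]))
    print("packet-level: %d bytes (%.1f%% of original)"
          % (result["packet_bytes"], 100 * result["packet_ratio"]))
```

The gap comes from redundancy that spans packet boundaries: a per-packet compressor restarts with an empty history window for every packet, while the single object stream keeps matching against earlier records.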
In a Vaulted environment, communication between users and the System Gateway inside a local network is carried out using standard-protocol access (e.g. CIFS). The communication from the System Gateway to the Storage Engine, through network boundaries, is always done using the Vault protocol, which is a Firewall Friendly protocol.

9. The Inter-Business Vault - Connecting Enterprises

The Inter-Business Vault provides the ultimate solution for inter-business connectivity by solving all the issues of inter-business file sharing presented earlier:

9.1. Security

The Vaulting technology provides security regardless of the overall network security. The Vault's security scheme overlays the existing security implementation, which is highly dependent on the network infrastructure. This enables data located inside the Vault to be placed on the Internet for sharing and distribution. The Vault's two-tier nature extends the scope of security all the way to your partner's network. Data is protected while it is stored inside the Vault and when it is transmitted over the network. Thus, the Vault provides the complete security solution that is needed for sharing information over the Internet.

The Vault was named Best Security Product of 2001 in the Networking Industry Awards, and is considered the most secure solution available today for information sharing over the Web.

9.2. Accessibility

The Inter-Business Vault architecture enables the enterprise to locate information outside the organizational network where it can be easily accessed by any user and business partner. Using the central Gateway, users of the Inter-Business Vault can access information as if it were located on their own internal network. Communication to the Vault employs a firewall-friendly protocol that allows access across the business partner's network boundary without changing firewall configuration. Business partners can choose to access data using their preferred interface, eliminating the need to enforce your working standards, platforms and tools on a different company.
9.3. Performance

The Client Side Encryption, coupled with compression, caching and clustering, provides significantly higher performance than non-vaulted alternatives. On top of that, the high level of scalability and availability provided by the clustering solution gives you the ultimate solution to get the maximum out of your infrastructure.

A benchmark made for the Inter-Business Vault shows, for example, that on a slow Internet connection a document was accessed via the Inter-Business Vault 28 times faster than via a standard file server protected by Firewall and VPN. The benchmark also shows that on a fast network, the average data access rate to the Vault is 13 times higher than to a standard file server protected by a VPN and file encryption solutions in case of 10 concurrent users.

9.4. Administration

Using the Vault, business partners no longer need to notify each other about personnel changes for setting access rights to the shared system. The Vault's administration offers a distributed approach that enables secure delegation of administration tasks to business partners in order to let them independently control their sub-territory. Moreover, with distributed authentication your LAN sign-on can be your inter-business sign-on, eliminating the need for an additional sign-on to each and every business partner network.

10. Cost Effectiveness - Rapid ROI

Using the Vault, there is no need for dedicated networks, couriers or ASPs for sharing files with business partners. In addition, the Inter-Business Vault can cut up to 80 percent of the enterprise costs on alternative solutions by eliminating the need for extra collaboration, security and performance products, by effectively utilizing your existing networking bandwidth, and by increasing your business productivity.
11. Implementations

Learn from our customers' experience:

- Financial institutions use the Inter-Business Vault to distribute and collect transaction files such as banking transactions, check deposits, and salary files to and from their corporate customers.
- Manufacturing companies use the Inter-Business Vault to securely share design specs with sub-contractors over the Internet.
- Telecommunication companies use the Inter-Business Vault to distribute billing information to their customers.
- Large enterprises use the Inter-Business Vault as a shared file server between remote branches.
- ASP vendors offer secured file sharing services based on the Inter-Business Vault.

12. Summary

The Inter-Business Vault provides:

- Security Level - Enjoy a LAN level of security while using the Internet for information sharing.
- Performance Level - Leverage your existing Internet infrastructure to achieve a LAN-like performance level.
- Boundless Connectivity - Increase your business productivity by using the same tools that you use inside your LAN to access external information.
- Simplified Administration - Avoid the headache of administrating your partners' end-users.
- Boundless Authentication - Avoid the need to authenticate to your business partners' networks; your LAN authentication is acceptable worldwide.

And you can achieve all of these with lower costs and rapid deployment.
13. About Cyber-Ark Software

Cyber-Ark Software Inc. is the leading provider of vaulting security software that leverages its unique patented Vaulting Technology to create safe havens for securing and sharing vital company information. The company's award-winning Network Vault and Inter-Business Vault solutions enable a truly secure extended enterprise by providing an infrastructure that allows for completely transparent, yet totally secure, intra- and inter-business communications.

Founded by a group of leading military security experts and computer engineers, Cyber-Ark Software is privately held and backed by some of the world's most successful venture capitalists, including: Jerusalem Venture Partners, Seed Capital Partners (a SOFTBANK Affiliate), JP Morgan/Chase Partners, Vertex Management and Nomura International Plc.

Awards

Cyber-Ark's solution was awarded Best Security Product of the Year 2001 by the renowned Networking Industry.

offers the most elegant and efficient solution we have seen to the problem of securing confidential data in a networked environment where sharing is important but must be properly authorized and user authenticated.

Cyber-Ark Software, Inc.
270 Bridge Street, Suite 203
Dedham, MA
Tel: Tel: Fax:

Cyber-Ark Software, Ltd. All rights reserved. US Patent No 6,356,941. Cyber-Ark, the Cyber-Ark logo, the Cyber-Ark slogan, Network Vault, Inter-Business Vault, Geographical Security and Visual Security are trademarks of Cyber-Ark Software Ltd. All other product names mentioned herein are trademarks of their respective owners. Information in this document is subject to change without notice.
Appendix A - The Inter-Business Vault vs. Alternative Solutions

| Criteria | The Inter-Business Vault | A Standard Extranet with File Distribution/Collection/Transfer/Sharing Solutions |
|---|---|---|
| Security | | |
| Built-in Firewall | Yes | No |
| Built-in VPN | Yes | Solution Dependent |
| Built-in Access Control | Yes | Basic |
| Built-in Audit | Yes | Basic |
| Built-in Authentication | PKI, RSA SecureID, Aladdin Token, NT, Password based two-ways challenge response | Password |
| Built-in Virus Free Env. | Yes | No |
| Secure Backup and Version Control | Yes | No |
| Built-in Geographical Security | Yes | No |
| Built-in Dual Control | Yes | No |
| Performance | | |
| VPN speed per end-user | (Processor Encryption Speed) | (Processor Encryption Speed)/(Number of Users) |
| Data transfer rate | Internet Speed X Compression Ratio | Internet Speed |
| Recurring access rate | LAN Speed | Internet Speed |
| Clustering | Yes | Solution Dependent |
| Administration | | |
| Additional sign-on required per-user | 0 | Number of Extranets |
| Number of users to administer | Number of Enterprise's users | Total number of users of all business partners |
| Time to production | Few days | Few months |
| Accessibility | | |
| Direct Access from any standard application | Yes | No |
| Supported Interfaces | SMB/CIFS, Namespace Extension, FTP, HTTP, ActiveX | FTP or HTTP |
| End-user Involvement | Transparent | High Involvement |
| Costs | | |
| Licensing | 20% of the alternative solution | Very Expensive |
| Bandwidth Utilization | Very High | Very Low |
| Administration | Low | Very High |
| End-user Overhead | None or Low | Very High |
Appendix B - Technical Specifications

The Inter-Business Vault supports major industry standards and protocols:

Encryption and Hash algorithms: 3DES, IDEA, Blowfish, RC2, RC4, RC5, RSA, SHA1, MD5

Compression algorithm: Deflate

Authentication Methods and Devices:
- Password based - Two way Challenge-Response
- PKI
- Windows NT based Authentication
- Cyber-Key
- RSA SecurID
- Smart cards

Supported Platforms:

Server: The Vault server should be run on a dedicated computer. Windows Professional, Server, Advanced Server

Centralized Gateway: Red Hat Linux Version 7

Personal Client:
- Win9x with Internet Explorer 4 or higher
- WinNT SP5 or higher with Internet Explorer 4 or higher
- Win2000 SP1 or higher
- WinXP