Media Shuttle s Defense-in- Depth Security Strategy

Transcription

1 Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among the various players on your team isn t something you want to think about. That s why Signiant designed Media Shuttle as a file sharing solution especially for media production that also eases the minds of tireless IT professionals responsible for keeping cyber criminals at bay. Leaders in media and entertainment depend on Signiant to move petabytes of high-value digital content every day. Our customers trust us with their intellectual property, delivery timelines, and ultimately their reputation. But mostly they simply want a solution that allows them to focus on their work, without having to track the security of it. Effective security is complicated, however it must encompass all aspects of product development and daily operations, and requires thoughtful application of both policy and technology. This white paper provides an overview of the methods used to secure Signiant s Media Shuttle hybrid SaaS offering. Starting with a description of the Media Shuttle architecture and associated security mechanism, the paper continues with a summary of the secure design principles incorporated into all aspects of Media Shuttle and finishes with an overview of SaaS operational policies and procedure.

2 Media Shuttle s Defense-in-Depth Security Strategy 2 Architecture The Media Shuttle architecture incorporates a file transfer tier, made up of file transfer clients and servers, and a transfer logistics tier hosted in the cloud. Media Shuttle s hybrid SaaS technology is unique in offering you a choice between storing your files on-premise or in the cloud, while the software that actually moves files is a true cloud-managed SaaS offering. This eliminates the security risk of popular consumer file transfer services your files are never stored in the same file system or cloud storage tenancy as other people s files. The advantages of segregated storage are numerous, but from a security perspective it provides an extra layer of containerization. To break it down a bit: the cloud tier of Media Shuttle delivers the browser-based user interface and provides file transfer logistics support. The cloud tier interacts with transfer clients and servers to move files between user storage and transfer server storage. A transfer client runs as a native browser plug-in for user-initiated transfers. The following diagram illustrates these components and how they interact: Fig. 1: Media Shuttle Components Secure Web Communications All web interactions utilize standard Transport Layer Security (TLS) to authenticate the server and encrypt information exchanged between the browser and the server. Users log in to the Media Shuttle web interface using their username and password. Strong password policies are enforced and users can optionally authenticate using SAML-based Web Single Sign-On (SSO) with usernames and passwords managed in enterprise and cloud directories.

3 Media Shuttle s Defense-in-Depth Security Strategy 3 Web SSO also enables alternate authentication schemes, like multi-factor authentication, and enables enterprise specific password policies. When web SSO is used, user passwords are never exposed to Media Shuttle web servers. Instead, Media Shuttle utilizes a trust relationship to interact with identity gateways, like the Active Directory Federated Services gateway, to securely retrieve and validate access tokens for users. For users managed exclusively in Media Shuttle, passwords are stored using secure salted one-way hashes. Passwords are not stored in clear text and what is stored can only be used to determine if a password provided by a user is correct. Passwords provided by users are tested by applying the hashing process and comparing the result to the stored value. The salt is random data that is included in the hash to prevent brute force dictionary attacks on the password database in the unlikely event of a breach. This is just one layer in the defensein-depth strategy incorporated in the Media Shuttle design. Customer Provisioning The trust model for an individual customer begins with the creation of a customer account and assignment of top-level administrators for the account. The initial account creation step is performed by Signiant Customer Care as part of the customer provisioning process. The next step is to setup and associate file transfer servers with the account. Signiant Customer Care may also assist in this step. Each transfer server installation securely binds with the cloud tier and the customer account using a one-time setup key generated by the cloud tier for this purpose. This one-time key is used to securely establish and exchange security credentials, which are then used to validate and encrypt all future communication between the cloud and the transfer server. Portal and Member Management Once transfer servers are registered with an account, the administrator can create new Portals that allow communities of users, called Members, to securely exchange files. Portals have their own unique Web URL and can be branded with portal specific wallpaper, logos, icons, color schemes and messaging. From an information security perspective, it s relevant that a portal is associated with a specific area of storage visible to a transfer server or visible to a set of redundant transfer servers. Portals can be configured so that members of the portal can browse the associated storage, in portal Share mode, or so that member have no storage visibility and only utilize the associated storage as transient transfer storage, in portal Send mode. Using a portal in share mode involves FTP-like upload and download interactions. Using a portal in send mode involves -attachment-like send and receive interactions.

4 Media Shuttle s Defense-in-Depth Security Strategy 4 Administrative rights to manage certain aspects of the portal, like membership, can be delegated to operations staff within the organization. The access rights of regular members can be controlled by top-level administrators and delegated administrators, as allowed by top-level administrators. File Transfer Mechanics When a user initiates a file transfer via the cloud-served graphical user interface, or a transfer is initiated by an unattended sync operation, transfer instructions are generated for and delivered to the transfer client. Transfer instructions include a unique transfer security token and are delivered via secure web communications. The transfer client then connects to the transfer server and delivers the transfer instructions. The transfer server validates the transfer instructions by contacting the cloud tier with the transfer instructions including the transfer token. This round trip check ensures that transfers are authorized and valid at the time of transfer and are fully tracked by the cloud tier. Transfer Plug-in Security User initiated transfers are performed using a browser plug in that interacts with Media Shuttle web pages. Browser plug-ins and installed applications that interact with web pages operated outside the browser security sandbox with broader access to the user s files and other resources. Plug-ins and applications can be used by malicious web pages as a point of attack when associated threats are not mitigated in their design. For example, a rogue web page that detects the presence of the plug-in can instruct it to upload a sensitive file or download and overwrite a sensitive system file without the user s knowledge. The Signiant transfer plugin has been designed so that all file access performed by the plug-in is explicitly authorized by the user to eliminate this threat. Interactions between installed software and web pages are an open attack point in many products. Data Storage All file transfers are protected from eavesdropping and modification in transit using Transport Layer Security. However, to enhance protection of files on storage, users can specify a unique transfer password. The content of the file is then encrypted on storage with a random encryption key, which is in turn protected with the user-supplied password. To gain access to the unencrypted content of the file, users must specify the correct password. Audit All user and file transfer activity is logged by the system. Specifically failed and successful user logins and transfers initiated by users are logged and visible to administrators. Audit information can be analyzed in real-time to identify suspicious access patterns and analyzed in retrospect for forensic purposes.

5 Media Shuttle s Defense-in-Depth Security Strategy 5 Service Availability Media Shuttle architecture pays equal attention to maintaining service availability in the event of both internal component failures and malicious attacks. N+1 local redundancy is used in combination with multiple geographically distributed data centers to remove single points of failure. The system utilizes elastic cloud infrastructure that is automatically scaled up and down to handle current load. The system is monitored 24x7 for availability and suspicious activity patterns. Least Privilege Every task in the system should be performed with the least privileges possible both in terms of scope of resources that can be accessed and the duration of time that resources can be accessed. A corollary of least privilege is that mechanisms used to control access to resources should never be shared. Secure by Default Preventing the unpredictable nature of human factors while maintain usability are key components of secure design. A system is secure by default when the default settings put the system in a secure state. This ensures that security features aren t circumvented for the sake of convenience. Defense-in-Depth A defense-in-depth design strategy involves layering security controls for the system such that multiple security compromises are required to gain access to critical resources. Service Operations Operational policies and procedures are key to the security of any SaaS offering. Signiant operational policies and procedures are established in accordance with industry standards for service organization controls. Connectivity between the production service environment and Signiant business operations is restricted in accordance with least privilege and defense-indepth principals. Fully independent production and development Media Shuttle environments are also maintained. This section of the paper highlights some of the operational controls in place for production elements of the cloud environment. Physical Security All Signiant services and infrastructure are hosted by Amazon Web Services. AWS maintains strict physical access policies that utilize sophisticated physical access control mechanisms. Environmental controls like uninterruptable power and non-destructive fire suppression are integrated elements of all data centers. Signiant uses multiple geographically distributed data centers as part of a comprehensive disaster recovery strategy.

6 Media Shuttle s Defense-in-Depth Security Strategy 6 Access to production infrastructure is managed on a least privileges basis and is limited to the Signiant operations team. Background checks are performed and security training is provided to ensure the background and skills of operations staff are consistent with security objectives. Sensitive product service data stored in service databases never leaves the production system and access is controlled according to least privilege principles. NEXT STEPS mediashuttle@signiant.com Firewalls rules are maintained so that production systems can only be accessed for maintenance from defined Signiant locations using secured access mechanisms. Systems are maintained in a hardened state with defined baselines for all host and network equipment. All changes to systems are tracked and managed according to well-established change management policies and procedures. The patch level of third-party software on systems in regularly updated to eliminate potential vulnerabilities. Breach Detection and Response Signiant continuously monitors using external monitoring tools. System logs are aggregated and archived centrally facilitating both continuous analysis for suspicious access patterns and future forensic analysis. Regular external vulnerability scanning is also performed. In the event of a breach, Signiant has the ability to isolate components of the system to contain the breach and maintain ongoing operations. Signiant s incident response team is at the ready to notify customers of security or service impacting events according to defined notification policies. Independent Security Evaluation Signiant engages independent third parties on an ongoing basis to review the security of Signiant products and services. Services performed by these third parties include design, implementation and deployment assessments as well as white and black box penetration testing. Third parties are given full access to design documentation and source code as part of these reviews. Signiant believes that quality independent third party review provides invaluable insight into system security and how to continuously improve it. Summary Signiant recognizes how critical our products and services are to our customers. This recognition is reflected in an organization wide commitment to information security and resilience. The commitment starts with secure design principles and encompass every aspect of product development and daily operations. For more information on Media Shuttle and our commitment to exceptional customer experiences, please contact Signiant ( ABOUT SIGNIANT Used by the world s top content creators and distributors, Signiant is the market leader in intelligent file movement software for the media and entertainment industry. The company s powerful software suite optimizes existing enterprise network infrastructure and media technologies to ensure secure digital media exchanges, workflow efficiency and superior user experiences. SKU