Enterprise-Class Security

Transcription

1 insync Enterprise-Class Security Advanced, multi-dimensional security features ensure the highest security levels

2 Table of Contents Overview...4 Data in Transit...5 Data at Rest...5 Secure Client Authentication... 5 insync On-Premise...6 insync On-Premise Secure Deployment... 6 insync On-Premise Ports...8 insync On-Premise AD Integration... 8 insync Cloud...8 insync Cloud Security Objectives...10 Ensuring Data Security During Bi-directional Transfer Between Client Machines and Servers...10 Segregation of Customer Data Factor Encryption Key Management & Authentication...11 insync Cloud AD Integration...13 File Retention and Version Control...13 insync Cloud Management Control Panel...14 insync Cloud Access by Druva Employees...14 Data Center Security...14 Additional Security Mechanisms to Protect Cloud Infrastructure and Data Assets...15 Third-Party Security Certifications...16 Backup Security...17 Client Triggered Architecture...17 Data Backup Session Security...18 Data Restore Session Security

3 Device Security...19 Data Encryption...19 Remote Wipe...20 Geo-location Features...21 Security for Smartphones and Tablets...22 Mobile Access...22 Policy-based Access...22 Secure Authentication...23 Securing Data in Transit...23 Private Container for Corporate Data Accessed on a Mobile Device...23 Protecting Mobile Devices...24 Data Encryption...24 File Share Security...25 IT Control...25 Control on employees who can share data...26 Control on who can share and what can be shared...26 Control on sharing data with external partners and collaborators...26 Encryption...27 Comparing with Consumer-Grade Sharing Options (e.g., Dropbox with SecretSync)...27 Protecting Shared Data...28 Summary...28 About Druva

4 Overview With Druva insync, you can rest assured that your enterprise s data is completely secure end to end. insync comprehensively protects your corporate data by adhering to strict standards that keep your data private and safe from external threats. With data protection as its number one priority, insync is engineered to ensure data security at every step data transmission, data storage, and data access. This document provides an overview of the security measures that Druva has put in place including security of data in transit and at rest, the on-premise deployment architecture, cloud security, and secure access to the service. Web Browser Access insync On-Premise Active Directory Server Edge Server Corporate Firewall insync Server Endpoints Authentication 256-bit SSL Encryption DLP Encryption on device 256-bit AES Encryption insync Cloud HIPAA TRUSTE Web Browser Access Authentication Third Party IdP SOC 1 SOC 2 3rd Party Security Certifications SOC 3 SAML Endpoints AD Server insync Cloud Service 256-bit AES Encryption 256-bit SSL Encryption DLP Encryption on device 2-Factor Encryption 4

5 Data in Transit insync is designed from the ground up for endpoints with the understanding that endpoints often connect over WANs and VPN-less networks. insync always encrypts data in transit with 256-bit SSL encryption, ensuring enterprise-grade security over these networks. Data at Rest In addition to strict authentication and access controls, insync secures data on storage nodes with 256-bit AES encryption. Secure Client Authentication insync clients can either be mass-deployed using Integrated Mass Deployment (IMD) tools or can be activated by end users individually. For IMD, insync uses a one-time activation token that is used to uniquely activate endpoints. Once activated, the client re-negotiates the authentication parameters. These authentication parameters are then stored in the insync client for all subsequent connections with the insync server. Even when a user self-deploys insync on his or her device with a user ID and password, the client and server use the authentication key mechanism in the background to authenticate and authorize client activities such as backups, setting changes, and restores. Every time the authentication key is regenerated or the credentials are reset by an administrator, the existing authentication key is reset, this feature ensures that data never lands in the hands of a malicious user. 5

6 insync On-Premise insync On-Premise is a deployment of insync in an enterprise s own data center. Available in multiple editions to address enterprises of varying sizes, insync features a future-proof, scale-out architecture that enables linear scaling with the addition of customer provisioned storage as needed. insync On-Premise Secure Deployment insync on-premise servers can be deployed behind the firewall without requiring VPN connections from end users as depicted by Figure 1. insync on-premise servers may also be deployed in the DMZ as shown by Figure 2. Figure 1. Deployment behind a firewall 6

7 Figure 2. Deployment in the DMZ Deployment of insync Private Cloud with Edge Server Edge 1 Firewall Master server insync network Storage node 1 Internet insync clients DMZ Storage node 2 Edge 2 Firewall Storage nodes connecting via WAN Storage node 3 Storage node 4 Figure 3. Deployment of insync Private Cloud with Edge Server 7

8 insync On-Premise Ports insync on-premise servers require the following ports to be opened to allow secure connections to the server from outside: Endpoint Backup: 6061 Endpoint Restore: 443 Administrator Web Console (HTTPS access): 443 insync storage nodes (Applicable for Private Cloud deployments only): 6071 insync On-Premise AD Integration insync on-premise can be configured to integrate with on-premise Active Directory for: Integrated mass deployment of the insync client Automatic user provisioning/deprovisioning User authentication User management insync Cloud insync Cloud is a fully-automated, enterprise-class endpoint protection solution offered as a software as a service (SaaS). Powered by Amazon s state-of-the-art AWS technology, insync Cloud offers elastic, on-demand storage that can grow to handle any number of users and data. The service can be instantly provisioned to a global user base with policies that lock user storage to specific regions. insync Cloud offers secure, lightning-fast data backups and restores. It operates within multiple storage regions across the world to address the needs of the global enterprise. The service provides high availability and enterprise-scale RPO and RTO. The service s enterprise-class security is compliant with international standards such as SOC-1, SOC-2, and SOC-3. 8

9 Full administrative control to insync Cloud is provided via a secure Web-based administrator control panel over HTTPS, which allows corporate policies to be defined for groups of protected users, including the ability to enable or disable users to change settings on their accounts. On the client side, the insync Cloud agent is a lightweight, non-intrusive client application that manages data backup along with other endpoint services such as DLP and file sharing on each protected device. With IT having centralized policy setting and controls they can enable end users to manage their preferences such as folder selection and scheduling, while also providing them to access their shared and backed up data including data from their other devices. Figure 4. insync Cloud Architecture 9

10 insync Cloud Security Objectives Druva strictly adheres to the following set of objectives to ensure the security of insync Cloud: Ensuring data security during bi-directional transfer between client machines and servers Segregation of customer data Two-factor encryption key management and authentication Data center security Additional security mechanisms to protect Cloud infrastructure and data assets Third-party security verifications Ensuring Data Security During Bi-directional Transfer Between Client Machines and Servers See Overview (page 4) and Backup Security (page 17) sections Segregation of Customer Data insync Cloud segregates each customer s data from other customers data, thereby resulting in a virtual private cloud for each customer. Virtual Private Cloud for each customer is realized by: Compartmentalization of customer configuration based on access credentials Compartmentalization of customer metadata within Dynamo DB Compartmentalization of customer data within S3 buckets Encrypting data of each customer using a unique 256 AES encryption key 10

11 2-Factor Encryption Key Management & Authentication To uphold the highest security standards for enterprises, key management in insync Cloud is modeled after a bank lockbox system, in which both parties hold part of the key. The encryption and authentication keys are mutually shared between the customer and the Cloud. Consequently, neither has full, unencrypted access to any data on the cloud independently. Key Points to Note: Both authentication and encryption depend upon two pieces of information: UPn password (held ONLY by the customer) UTn token (held ONLY by insync) Both these pieces (UPn and UTn) are required to authenticate the user and get the final key AK, which is used to encrypt and decrypt user data. At no time is the actual key (AKn) saved by insync; it exists only until a user or admin is authenticated and is then destroyed. UTn password held only by Customer UTn token held only by insync Figure 5. Two pieces of information required for access. Both the insync and Customer components required to decrypt user data. Actual key is never saved by insync. 11

12 Steps followed by insync Cloud to create an account and secure data in the cloud: Primary admin (A1) opens a new account with insync Cloud with a randomly generated password P1 insync Cloud creates a new virtual private instance with AES 256-bit encryption key : AK1. This is a customer specific encryption key insync Cloud creates a new storage based on AK1, reminds the administrator that they take steps to remember the password. insync Cloud then creates a new security token to be stored in the cloud. The new key is created as follows: New Token T1 = encrypted with P1 (AK1 + P1 + salt) where salt is a random string generated for this operation. The token T1 is saved in insync Cloud while the password (P1) is held only by the admin (and NOT saved in the cloud). insync Cloud strongly recommends that the admin create a secondary admin account (A2), which results in the creation of a new password (P2) and a token T2. This is needed for potential scenarios where an admin forgets his or her password and only a secondary admin can reset it. Because of Druva s stringent password policy, Druva is unable to reset admin passwords for any customer. 7. When a new backup user account is created (U1), insync saves a new token (UT1) based on the user s password (UP1), which only the user knows. Likewise, for all other users, insync Cloud creates a username (Un) and a customized token (UTn). Authentication and encryption steps: 1. A user or admin authenticates with a password, e.g., UP The password is used to decrypt the associated token UT1 and determine if a meaningful combination of AK1, UP1 and salt can be achieved. If insync Cloud gets a meaningful combination, the user is authenticated and AK1 is used to encrypt/decrypt the user backup stream. The key is finally discarded when the user exits. 12

13 insync Cloud AD Integration insync s Cloud AD-connector extends all the benefits of deep AD integration to insync Cloud enabling integrated mass deployment of the insync client, automatic user provisioning/deprovisioning, user authentication, and user management. Additionally, insync Cloud supports SAML, an XML based open standard for exchanging authentication and authorization data between security domains. SAML permits users to securely log into insync using their credentials on external identity services such as Microsoft Active Directory. AD Federation Services (AD FS 2.0) can be set up to be the ID provider for insync Cloud Mobile app access can be set up for AD authentication using SAML SAML can provide integration with other 3rd party ID providers, providing MFA services as well File Retention and Version Control insync Cloud enables its customers to hold infinite restore points for protected data. Administrative control provides the ability to specify file retention at an individual backup policy level. If this option is chosen, an automatic process (Compaction) runs daily to remove any files outside of the retention rules. Administrators with appropriate rights also have the ability to selectively remove restore points from individual accounts where required. End users of the system have no control over removal of stored files, thus keeping the ownership of protected data with the administrator. 13

14 insync Cloud Management Control Panel Administrative access to each insync Cloud instance is provided via an Admin Control Panel. Administrators access insync Cloud using a web console over an HTTPS connection. insync Cloud does not store the admin password but uses the authentication methodology defined in section above. An administrator can create multiple other admins based on roles. There are two primary types of administrators: -- Server administrator: Has overall administrator rights across all areas of service -- Profile administrator: Has tiered rights on user profiles. Each profile admin can have one or more of following rights: create users, restore data, and run reports. No Druva employee has Server or Profile Administration based access to the instance. Only server administrators can revoke access of another admin at any time by removing the appropriate admin account via the web-based admin control panel. insync Cloud Access by Druva Employees Druva employees have no access to any of customers insync Cloud instances. Access to cloud infrastructure by Druva employees is limited to its cloud operations team that follows strict rules and regulations defined under the Druva security policies document. This access is granted for the purpose of security patching, service upgrades, and monitoring tasks. Data Center Security insync Cloud is built on top of the Amazon Web Services (AWS) technology stack. Amazon has several years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate 14

15 business need to have such information know the actual location of these data centers, and the data centers themselves are secure and meet SOC-1, SOC-2, and SOC-3 certification requirements. The AWS network provides significant protection against network security issues including (but not limited to): Distributed denial-of-service (DDoS) attacks Man-in-the-middle (MITM) attacks IP spoofing Port scanning Packet sniffing by other tenants For details, please refer Amazon Web Services - Overview of Security Processes. Additional Security Mechanisms to Protect Cloud Infrastructure and Data Assets Redundancy AWS data centers are designed to anticipate and tolerate failure while maintaining service levels and are built in clusters in various global regions. insync Cloud provides multi-zone replication of various elements of customer data including configuration, metadata and the actual data, thereby ensuring that customer data is available in multiple availability zones to handle failure of any zone. Redundancy measures provided by Amazon include ( but not limited to) : Fire detection and suppression Power Climate and temperature Management For details, please refer Amazon Web Services - Overview of Security Processes. 15

16 Third-Party Security Certifications AWS has achieved compliance with the following 3rd party standards and/or frameworks. The list of certifications includes (but is not limited to): SOC 1 (SSAE 16/ISAE 3402) and SOC 2 and SOC 3 PCI DSS Level 1 ISO FedRAMP DIACAP and FISMA ITAR Regularly updated details about compliance certifications completed by Amazon can be found at : ISAE 3000 Type II Druva has completed an ISAE 3000 Type II certification by KPMG. The ISAE audit covers the following elements: Description of Druva s system related to general operating environment supporting insync Cloud Operations Design of controls related to the control objectives stated in the description TRUSTe EU Safe Harbor Druva has achieved TRUSTe EU Safe Harbor certification facilitating compliance with the European Union s Data Protection Directive. HIPAA Druva has passed a review by KPMG validating the company s security and privacy controls for handling HIPAA-compliant protected health information (PHI). These certifications are available from Druva upon request. 16

17 Certifications ITAR SOC 1, 2, 3 FISMA Moderate ISAE 3000 HIPAA BAA ISO HIPAA PCI DSS TRUSTe MPAA FIPS ISAE 3402 EU Safe Harbor Amazon Web Services Amazon Web Services Certifications Certified Cloud Certified Cloud Operations Backup Security Client Triggered Architecture With Druva insync, backup and restore requests are always initiated by the insync client, which aids in security and scalability of the server. The servers never initiate any request, and both backup and restore use the same (default 6061) port for all configuration, control and data requests. All backup and restore activities are secured using 256-bit SSL encryption. 17

18 Data Backup Session Security: 1. The agent contacts the insync server via TCP/IP socket bit SSL encryption is used for all communication by insync. 3. Server authenticates users with the encryption key As required, the client sends the server blocks of data for backup over the secure SSL connection. Blocks of data are stored encrypted on the server using 256 AES encryption. Data Restore Session Security: 1. User launches client agent, selects files from the restore points required. 2. The agent contacts the insync server via TCP/IP socket bit SSL encryption is used for all communication of authentication details. 4. The client agent sends a list of files to the server to retrieve. 5. The client agent sends a list of files to the server to retrieve. 6. insync offers optional support for data restore over a Web browser. User authentication can be mandated prior to restore, which can utilize Active Directory authentication. This enables end-users to select and restores files, which are then transferred via a secure 256-bit SSL connection. 18

19 Device Security insync includes a simple but highly effective solution that reduces the economic impact to an enterprise from a lost or stolen endpoint. Its device-level security features provide powerful, multi-layered protection of critical corporate data on endpoints. Data Encryption With insync, critical files and folders on laptops and mobile devices can be selected for data encryption to ensure that they are protected with the highest encryption standards. On-device data encryption features (requires DLP to be enabled): Uses endpoint operating system s built-in encryption tools (e.g., Windows Encrypting File System or EFS). Selective encryption of files or folders avoids need for a heavy, full-disk encryption. Any file on the endpoint, which has been selected for backup, is encrypted. This approach is superior to alternatives that require a heavyweight full disk encryption or placing all files on a single location, either of which is sub-optimal. Encryption and decryption are transparent, with no need for any additional user steps. Users logging into their endpoint device automatically have decrypted access to their files. 19

20 Remote Wipe In order to prevent data breach on lost or stolen devices, insync provides remote wipe capabilities across both laptops and smart-devices that can be executed either by an administrator or an auto-delete policy. Remote Wipe Features: Administrators can initiate a remote decommission operation on a lost or stolen device, so the device s data is wiped the next time time the device connects with insync. An auto-delete policy can be configured to automatically wipe data if a device hasn t connected for a specified number of days. Data deletion meets NSA Security Standards and protects lost or stolen devices from data breach. Steps followed during remote wipe (for Windows): insync overwrites all files that were backed up. If a file cannot be overwritten (possible with encrypted files) then the file is deleted right away. insync then overwrites the entire free space of that partition by creating an SErase file and increasing the size of SErase until it gets a 'No free space error. By doing so, it is able to clean up the free space of the drive, with data written by a secure algorithm. 3. Next, insync deletes all backed up or sync/shared files Then, it creates 0 byte SMFT files untill it exhausts MFT records and can't create any more of them. This overwrites the records in the MFT table so that no one can see the name of the files that were there on the system. insync finally deletes the SErase file (the file used to fill up the free space). 20

21 Steps followed during remote wipe (for Mac): 1. insync uses the srm tool to do safe delete of data SRM ensures each file is overwritten, renamed, and truncated before it is unlinked. This prevents other people from undeleting or recovering any information about the file. Additionally, the overwrite process is implemented with 7 US DoD compliant passes (0xF6, 0x00, 0xFF, random, 0x00, 0xFF, random) Geo-location Features: insync provides the ability to track the geographical location of devices with an accuracy of near to 20 meters at any point in time. An embedded software engine uses advanced hybrid positioning algorithms based on data from Wi-Fi access points, GPS satellites, and cell towers to keep track of all your endpoints. Geo-location provides details such as street, city, state, or country. A familiar Google Maps interface provides a quick view of the coordinates for every endpoint device available on the insync management console. 21

22 Security for Smartphones and Tablets insync s mobile application allows users to access backed up and shared data from any of their mobile devices. insync provides administrators a variety of policy options to protect devices and data on both BYOD and corporateowned devices. Administrators can allow users to choose their backup & device protection policies; however, the corporate data (accessed using the insync mobile app) on these mobile devices is always under administrator control. All of insync s features - secure client authentication, client triggered architecture, data backup session, data restore session and data in transit security features are applicable to mobile devices as well. Mobile Access insync ensures that access to corporate data (backed up, shared) is secure in order to prevent data leaks from mobile devices. the insync mobile app is enabled with the following security features: 1. Policy-based Access Access to insync data on mobile devices is enabled at a profile level that is assigned to a user. By making it a profile setting, insync gives the option to allow only select employees mobile access to corporate data based on their roles, privileges, and security levels or even based on the projects they work on. 22

23 2. Secure Authentication To access their data, employees need to login to the insync mobile app using their ID and Password. The insync mobile app is equipped to authenticate using insync s base credentials, Active Directory password or even with an organization s single sign-on solution using SAML 2.0. In addition, administrators can configure policies to enforce a user-defined PIN to access the insync mobile app. This will ensure that corporate data in the insync mobile app is secure even if an employee hasn t configured a PIN for the mobile device. 3. Securing Data in Transit Communication between the server and the mobile device is encrypted using 256-bit SSL encryption. This ensures that data at all levels is secure until it is received by the device and presented to the authenticated employee using the the insync mobile app. 4. Private Container for Corporate Data Accessed on a Mobile Device insync recognizes that IT administrators need to have control over corporate data stored on all endpoints - company-owned devices or employee-owned (BYOD) devices. To help administrators achieve this, insync employs a private container that allows administrators to wipe critical data in a compartmentalized manner. insync ensures that data on stolen or lost mobile devices can be protected. Administrators can remotely wipe a device and the data is wiped whenever the device is turned on even if a new data/sim card is used on the stolen mobile device. In addition, admins can enforce policies to disable downloads of files accessed via insync on personal devices as well as prevent the opening of files in third party apps. 23

24 Protecting Mobile Devices IT administrators can configure insync to enforce backup and device protection on mobile devices. Employees cannot access their data using the insync mobile app until these settings are accepted and configured successfully. Administrators can configure insync to backup Contacts, Photos, and Videos on these mobile devices and even SD-card content on Android devices. These settings are configured on the mobile devices using encrypted certificates generated by the enterprise. The insync mobile app periodically backs up the selected data based on the configured settings and also updates the latest location of the device from where it was backed up. With this configuration, insync gives administrators the option to deactivate the entire device (as against wiping just the insync Container). Deactivating the entire device will lead to all the data on the device being lost - equivalent to a new device purchased from the store. All the backed up data, however, continues to reside on the server. Data Encryption insync ensures that no data is stored in an unencrypted form on mobile devices. insync leverages ios' Full Disk AES 256-bit hardware encryption on devices with passcode enabled. On Android insync uses 128-bit AES-CBC and ESSIV:SHA256, with an option to strengthen the encryption with PIN which administrators can mandate. 24

25 File Sharing Security insync s security capabilities encompass data synced/shared using insync Share. insync Share offers administrators the ability to configure policies for sharing data within the enterprise or with external users. In addition, all shared data is encrypted on the wire, on the server, and also on the endpoints with the DLP option. IT Control insync provides IT with three-tiered control over shared data within the enterprise. It also offers administrators visibility into data sharing activities and access at all levels to monitor and check for any unsecure sharing practices. 25

26 USER LEVEL FILE LEVEL EXTERNAL 1. SHARING 2. SHARING 3. PARTY SHARING 1. Control on employees who can share data IT can control which employees can share data using insync. Administrators can enable this setting at a group/user profile level based on an employee s functional role, or projects that the employee works on. Administrators have complete visibility over an employee s shared data. Administrators can view sharing activities including what data has been shared and when, in the context of a single employee as well as globally (all employees). insync also offers requisite privacy settings for companies with policies disallowing administrator access to employee data. Employees can configure privacy settings if they don t want IT to view their confidential data. 2. Control on who can share and what can be shared IT administrators can control whether a user can share data with all other employees or only with selected groups of employees within the enterprise. This setting is part of the user profile and is configured by specifying the user profiles that data can be shared with. This setting allows administrators to configure insync for employees working in groups that have data sharing restrictions. 3. IT control on sharing data with external partners and collaborators IT administrators can control whether a user can share data using links and whether a user can collaborate with external parties via guest accounts. Shared links allow external partners to view or download the shared files depending on the link configuration. Guest accounts further allow external users to edit and upload files to a shared folder. Administrators can determine how long shared links remain valid by setting automatic expiry policies. Administrators and employees can also manually delete links to any documents shared with external partners with immediate effect. Links can be password protected and configured as view-only. Administrators have complete visibility on the usage of links shared with external partners and can see the number of link views and downloads. Administrators further have visibility into all activity related to guest accounts. 26

27 Encryption Administrators can choose to encrypt data added to the insync Share folder as part of their organizations DLP policies. Data is encrypted using the endpoint s operating system s native encryption algorithms, giving much better performance than application-level encryption algorithms. For example, insync leverages Windows Encrypted File System services to encrypt and decrypt data on the fly. Parameter Dropbox with SecretSync insync Share Functionality Limited (encrypting data synced across devices). Complete (Encrypting data for sharing across users OR syncing across devices). Tools required Multiple tools required (Dropbox & SecretSync, each with their own password & key. Also requires Java). Single unified solution Accessing encrypted data Requires SecretSync key to decrypt data for every access. Requires no additional keys - managed by the native OS. Risk to data Loss of key is irreparable. No risk to employee data - admin can reset any lost password. Performance Slow (Application level encryption). Fast (Native OS API s). Platforms Windows, ios, Mac OS, Linux Windows, Mac OS, ios, Android Cost High (inclusive of all tools) Low The following algorithms are used to encrypt shared data. 1. Windows bit AES encryption used by Windows EFS. 2. ios & Mac bit AES encryption. 3. Android bit AES-CBC and ESSIV:SHA256 encryption. 27

28 Protecting Shared Data insync s remote wipe & auto delete DLP policies also encompass shared data. Data in the insync Share folder can be remotely wiped by administrators by decommissioning the device. The insync Share folder on all devices of the employee can be automatically deleted by setting an auto-delete policy in the insync user profile. Summary Data protection is Druva s number one priority, and insync guarantees security at every step. By adhering to strict standards, insync keeps your corporate data private, protected, and safe from threats. 28

29 About Druva Druva provides integrated data protection and governance solutions for enterprise laptops, PCs, smartphones and tablets. Its flagship product, insync, empowers an enterprise's mobile workforce and IT teams with backup, ITmanaged file sharing, data loss prevention and rich analytics. Deployed in public or private cloud scenarios or on-premise, insync is the only solution built with both IT needs and end user experiences in mind. With offices in the U.S., India and U.K., Druva is privately held and is backed by Nexus Venture Partners, Sequoia Capital and Tenaya Capital. For more information, visit Druva, Inc. Americas: Europe: +44.(0) APJ: