WHITE PAPER NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW

Transcription

1 NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW

2 INTRODUCTION As businesses adopt new technologies that touch or leverage critical company data, maintaining the highest level of security is their most pressing concern. Often, these businesses handle increasing amounts of digital data from their customers or partners. This exposes them to increasing risks and new vulnerabilities including: viruses, malware, data intrusion, and even hackers. In the absence of an easy to use IT controlled file sharing platform and to enhance personal productivity, employees often self select a public cloud to sync, and share files (i.e., Box or Dropbox). The desire by employees to access their files in a manner that is convenient to them is promoting their use of tools and cloud services not approved by their employers. The use of unapproved cloud services can lead to data breaches and non-compliance in regulated industries. Ultimately, these discretions can result in expensive legal costs and hefty fines. To avoid these problems, IT organizations need to provide employees with a convenient, easy to use, and secure method of accessing files from their mobile devices. Such a robust file-sharing platform with comprehensive data protection will help IT avoid unintended data breach problems. Transporter for Business offers such a solution. Once established, this unique enterprise file sharing solution with world-class security, privacy and control, provides businesses with a secure file access, storage, and collaboration platform that employees actually want to use. Nexsan s Transporter is designed with end-to-end data protection and multiple levels of security at each layer. Transporter empowers IT with administrative controls for: Access, storage, network, transmission, and data Mobile data management Ability to invite users to share folders Best of all, Transporter provides users with the user interface (UI) experience they expect from a traditional cloud provider. With Transporter, there are no difficult VPNs to navigate because files stored on Transporter are immediately available to all mobile devices owned by the user. In addition, whenever a file is modified on one device, Transporter syncs these changes to the other devices ensuring the user always has access to the latest files. Should the user want to return to an earlier version of a file, Transporter s versioning capabilities enable the user to do that as well. It translates into an employee workflow tool that s easier for IT to setup and control, and ensures that all employee file activity comply with their industry s regulations and company s privacy policies. 2

3 TRANSPORTER FOR BUSINESS Transporter for Business private cloud appliances returns control and security of a company s data back to its IT department. That s because it easily and quickly enables businesses to build and deliver their own private cloud service for their employees and important stakeholders. In fact, the Transporter UI is similar to those from popular services like Box and Dropbox. By offering your employees the cloud features they require and the UI they demand, Transporter eliminates the temptation to use unauthorized public cloud solutions that could expose sensitive business information. Transporter s hardware deployment model gives you total control over the physical location of your data and its redundancy. Best of all, there are no recurring monthly fees. ARCHITECTURE Nexsan products like Transporter for Business are engineered with data security, user mobility, and ease of use as key design elements. To accomplish this, Transporter is deployed as an encrypted peer-to-peer private network that can reside either side of a company s firewall. It delivers multiple layers of protection, covering user permissions, data transfer, and encryption that is all distributed across a scalable and secure infrastructure. Unlike public cloud file sync and share providers, Nexsan s database stores the relationships between Transporters, and Transporters and Apps (i.e., mobile devices). It also stores user addresses, login information and more. The main difference between Transporter and its competitors is that the data stored on your Transporter is never in Nexsan s possession. That s because we separated the data plane from the control plane. In fact, we never see or have access to your data! Data is transferred between Transporters and user owned devices using Advanced Encryption Standard (AES-256) Public/Private Key Encryption. Connections between nodes on the network are established using three different techniques. First, the Transporter will request for the network s gateway to open a port using the Universal Plug and Play (UPnP) set of networking protocols and the Network Address Translation Port Mapping Protocol (NAT-PMP). These are not supported, Transporter will establish a public port using industry standard User Datagram Protocol (UDP) hole punching techniques (a.k.a., Session Traversal Utilities for NAT and Interactive Connectivity Establishment). Finally, if neither of these techniques is successful (under 10%), Nexsan utilizes a relay server to facilitate the connection. No matter which connection technique, all data is encrypted at the end points and Nexsan has no ability to inspect the data. Web/browser-based network traffic is handled using industry standard Secure Hypertext Transfer Protocol (https) which signal the browser to use an added 3

4 encryption layer based on the Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect network traffic. Transporter users can access files and folders at any time from a desktop or mobile device. CENTRAL SERVICE The Central Service enables Nexsan to monitor the health and capacity usage on all deployed Transporters via their serial numbers. This service is located on protected database and web servers in a hidden private network that cannot be accessed directly from the Internet. For administrative purposes, Nexsan s web servers can be accessed from the management site through load balancers using the https protocol. Think of the Central Service in the same way you think of air traffic control, Transporters are the planes, and the folders/files are the passengers. Air Traffic Control never directly interacts with the planes or passengers they guide safely between two locations (originating airport and destination airport). Air traffic control gives the pilots information on the takeoff and landing (runways, course, altitude, and speed). Thus helping to give passengers a safe on time arrival at their destination. In this example: a user will request a file be moved between two devices. The originating device will contact the Transporter s Central Service which then tells the devices who they are allowed to communicate with using a universally unique identifier (UUID). If both devices are authorized to establish a secure connection, they will then exchange data. The devices will inform each other about the files directly, Nexsan s Central Service has no knowledge about this exchange. ENCRYPTION Most public and private cloud file sync and share providers do employ data encryption technology both in-flight and at-rest. And when you look at the data in a Web Browser, it has already been decrypted for you by the time it reaches your computer or device. Like other cloud offerings, Nexsan Transporter generates and stores your private/public encryption keys directly on your appliances and these are used to decrypt your data. This means the data is directly under your control and nobody else (including Nexsan) has any access to your files. Nexsan can never decrypt data packets sent by the relay router because they never have access to the private key. Transporter is the first business class file sync and share solution to meet the privacy requirements necessary for sensitive medical, financial, and legal data. KEY MANAGEMENT Transporter creates an Encryption key based on the AES-256 specification for the encryption of electronic data established by the U.S. National Institute of 4

5 Standards and Technology (NIST) in AES has been adopted by the U.S. government and is now used worldwide. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. When a transporter is born (leaves manufacturing), a record is created in the Central Service database. Once created the record is populated with all the important information that uniquely identifies that specific Transporter. When first powered on, Transporter announces itself to the Central Service and then is told it needs to create its private/public encryption key. If something unexpected happens during key generation, the Transporter will place itself into an unusable state to ensure the device isn t used in a production environment. FOLDER ACCESS INVITATIONS When deploying Transporter for the first time, there s no top-level folder structure that needs to be created. An administrator simply deploys the Transporter on their network, claims it, and starts creating user accounts. Users within the organization receive an invitation instructing them to complete their account registration and install the desktop application, much like they would for a public cloud service like Box or Dropbox. Once the user has installed the desktop application, they will see a newly created folder, called Transporter, that looks and works just like any other folder on their computer. Within this folder the organizational user: Creates their own folder hierarchy Shares folders Creates links Folder owners can then invite other people to share the folder and its contents. Invited users will then have organizational level privileges (read/write) or guest user privileges (read only) to all files and folders within the shared folder. Therefore, the folder owners themselves undertake responsibility for setting folder security and access privileges. For example, a folder owner may be a department manager who only invites their team to share the folder. Accepting this invitation establishes access and sharing privileges for members of the department. However, no one else in the Organization will have access to the folder. TOKEN USAGE Transporter doesn t use VPNs. Instead the administrator claims a Transporter 5

6 after it s connected to the network and then creates an account using an address and password. This information is then stored in the Central Service database; the password is hashed for security. When using a Transporter application on any supported device, the Central Service will issue a security token, which it validates when a user attempts to sign into their account. These tokens can easily be revoked. As a security precaution, if the user forgets their password and resets it, all authenticated applications will automatically no longer be able access Transporter until the user authenticates again. During the sign-on process the Central Service will validate the token sent from the Transporter application. This is accomplished by checking the token information against the Central Service database record. Once verified as a valid token, the Central Service then contacts all Transporter devices allocated to the account and notifies them of the validated application. Only after the access token is validated will a connection be established to the Transporter and the folders become accessible to the user. However, if the user doesn t have permission or the correct token, the Application will fail to connect. Finally, the validity of each side of the connection is accomplished using the public/private keys discussed earlier in this paper. USER PERMISSIONS Transporter users have the ability to set different permissions (read-only or read/write) on a folder-by-folder basis. This permission capability significantly varies with other traditional cloud providers, for example: Microsoft OneDrive: Does not allow a read-only shared folder to sync with a user s desktop. Shared folder (both read-only and read/write) are only available via Microsoft s website and cannot be accessed from the desktop. Box: Does not allow a read-only shared folder to sync with a user s computer and the folder is only available using their website. Google: Has read-only folder sync with a computer. However, should the user delete a file from that folder, Google announces that the folder is now mismatched and it cannot repair itself Unlike the services discussed above, Transporter does sync read only folders with the user s computer and it will repair a read-only folder should the user make a modification to the data within the folder. If a read-only file is modified, the Transporter software will rename it and mark it as un-syncable (thus, the changes are not lost). The Transporter software will then restore the original file. SHARED FOLDERS In the event a folder owner decides to rescind access to a shared folder, the folder owner simply removes the person from the access list using the Web- 6

7 based management interface. As a result, the files and folders will be removed from the disinvited person s devices within seconds. This capability is often referred to as remote wipe. LINKS Many organizational users prefer to send a link to a user instead of attaching a potentially large file to an and possibly have the server reject it due to its size. While other users are concerned about security. Transporter offers the user a better alternative, a choice between using "direct" and "standard" links. The user can select the type of link from Account Preferences located in the Transporter Management Website. "Direct" links transfer files directly from your Transporter to the recipient; your files are never uploaded to Nexsan s servers. This type of link offers a higher degree of privacy even though the recipient isn t required to create a Transporter account. To ensure security, the recipient must either authorize a web browser plug-in or download a small helper app. "Standard" links upload files to Nexsan s servers and allow recipients to download them without the need of an authorized plug-in or helper app. The recipient simply clicks the link and gets the file. When the file type allows, a preview will be displayed. While this type of link does not offer the same degree of privacy, it is easier to use. This can be especially useful for ing links to clients who don't care to authorize or install anything. Use direct links if you need a higher degree of control. NAS INTEGRATION Over the years, established IT organizations have acquired some of the best NAS solutions available but they are based on older protocols (CIFS/SMB/NFS) and don t offer file sync or mobile support like modern cloud services. Although Transporter can be deployed as a stand-alone private cloud file sharing solution, it can also easily be integrated with an existing on-premise NAS file server. By mapping shares using the Transporter Network Storage Connector feature (standard on all rack mount Transporters), users will have the same level of access and security to designated NAS folders as they would to folders located on a stand-alone Transporter. When paired with a NAS system, Transporter will bi-directionally and transparently sync with its paired NAS partner along with other Transporters that are moving data to where it s required in an enterprise. Any number of Transporters can be deployed and connected to as many NAS systems as required. ACTIVE DIRECTORY SERVICES Unlike traditional NAS systems, Transporter doesn t require a difficult or time consuming set up process. Instead, an administrator will follow the steps 7

8 outlined in the Invitations section above. Dropbox pioneered this popular self-organization approach. Businesses with large numbers of users are most likely using a directory service product like Active Directory (AD) as a user directory and central point for authenticating them via their credentials. AD CONNECTOR Transporter can leverage AD to help an administrator quickly and easily setup a their appliance. To expedite the initial setup process, we created an AD connector. This connector provides Transporter with all the information necessary to identify and prepare the system for the organizations users. As part of the setup process, the AD connector will use the information with AD to send an containing a link to each user the administrator invites to the organization. After sign up, the website walks each user through short setup process where the user sets a few account preferences and downloads the Transporter Desktop Application software for their computer Thus the IT Administrator doesn t need to preload everyone s machine, and users can securely start sharing files with each other very quickly. AD INTEGRATION Transporter uses third-party identity provider (IdP) integration to connect and integrate with AD. Nexsan will have the ability to support several IdPs over time beginning with OneLogin. As part of this deployment a OneLogin account should be created, it will then connect to the directory services of your choice, such as Active Directory, LDAP, and more. Once setup is complete, Active Directory users will be automatically provisioned in the Transporter Organization. From that point on, changes to the AD domain, such as password resets or user de-provisioning will be reflected in real time. AUDIT LOGS Many regulated industries are required to keep track of all users and file access events within their organization. In the event an unauthorized activity happens, regulated companies will need to track when these events took place and identify all users involved. Audit logs break down into two categories: device logs and web logs. Device audit logs keep track of activity between client devices and the Transporter unit itself. These logs are obtained from Transporter Desktop software. Whereas, Web audit logs keep track of activity that occurs between users and the management website (i.e., creating shared folders, changing folder membership, and creating links). Should something unexpected happen; an IT administrator is able to recreate 8

9 the sequence of events and the users involved. This capability addresses many of the concerns a company or organization may have in a regulated industry. It should be noted that once a file is pulled off Transporter to a local device, the audit log will no longer track or report on the file. CONCLUSION Despite all the built-in privacy and security, Transporter is not hard to use. Department managers and individual users are already familiar with services like Box and Dropbox, and have the necessary knowledge to establish a folder hierarchy that best suits their needs. By giving users the same simplified file sharing capabilities as these popular public cloud providers, Transporter eliminates the need for users to break corporate IT policies by moving private company data to personal accounts in the public cloud. Transporter s data security helps safeguard a company s sensitive information from being unintentionally exposed and lost. Additionally, it protects against legal exposure by helping companies conform to corporate governance and government mandated industry regulations. Transporter gives IT Administrators the type of integrated solution and deployment control they want. Its on-premise deployment model along with its peer-to-peer network, security tokens, syncing controls, and remote wipe capabilities make this one of the most secure file sync and share solutions on the market today. 9