CTERA End-to-End Security
Whitepaper by CTERA Networks
Copyright CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission from CTERA Networks Ltd. Information in this document is subject to change without notice and does not represent a commitment on part of CTERA Networks Ltd. CTERA, C200, C400, C800, CloudPlug, NEXT3, Cloud Attached Storage, and Virtual Cloud Drive are trademarks, service marks, or registered trademarks of CTERA Networks Ltd. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. patents, foreign patents, or pending applications.

Tip: For legal information and for the end user license agreement, refer to Legal Information in the CTERA Portal User Guide.
The CTERA Cloud Attached Storage End-to-End Security Solution

CTERA Networks was founded by seasoned veterans of the network security industry, who employed their extensive experience and knowledge of network security to develop and design the CTERA Cloud Attached Storage solution. Let's take a look at the solution's components and its various security features, in order to understand how CTERA provides end-to-end security.

The Solution's Components

The CTERA Cloud Attached Storage platform is composed of the following key components:

The CTERA Portal
The CTERA Portal is a scalable cloud service delivery platform that enables the creation, delivery and management of cloud storage applications, including file sharing and sync, backup, and mobile collaboration. It serves as the middleware connecting the datacenter storage infrastructure to the CTERA clients/endpoints. We'll take a closer look at the CTERA Portal's components later on.

CTERA Cloud Storage Gateways
CTERA Cloud Storage Gateways are hardware appliances that can be deployed on-premises in remote branches or offices. They serve as local, cloud-integrated NAS appliances that enable data aggregation for multiple users and optimized backup and restore to the CTERA Portal.

CTERA Agents
CTERA Agents are software clients installed on desktop and server stations. They can operate in Local Mode, enabling hybrid file-level and disk-level backup with a CTERA Cloud Storage Gateway, or they can operate in Cloud Mode, enabling file sync & share and backup directly to the CTERA Portal.

CTERA Mobile
CTERA Mobile is a smartphone application that enables secure access to the data stored on the CTERA Portal, while providing collaboration capabilities.
The following diagram describes how these components fit into the Cloud Attached Storage architecture.

The CTERA Portal's Components

As the CTERA Portal is the "heart" of the Cloud Attached Storage solution, let's take a closer look at its components:

Main Database
The CTERA Portal leverages PostgreSQL as its primary database server for maintaining system-related information, including user accounts, CTERA clients, provisioning, and so on. The main database server stores sensitive metadata, such as user names and secret keys. Only the application servers need to connect to this high-security zone; therefore, when considering the security architecture, the main database should reside in a private network without direct Internet access.

Catalog Node
Catalog nodes are PostgreSQL server nodes that maintain object-related information on files and blocks that CTERA clients backed up to the CTERA Portal. By default, the main database is configured to operate as a catalog node. The catalog nodes store sensitive metadata such as file names. Only the application servers need to connect to this high-security zone; therefore, when considering the security architecture, the catalog nodes should reside in a private network without direct Internet access.

Front-End Application Server
The CTERA Portal leverages the Apache Tomcat Web server to enable user access to the CTERA Portal Web interface and mobile application. The Apache Tomcat Web server also serves as the endpoint for CTERA client connections. In its default and recommended configuration, the application server communicates only over HTTPS and TLS connections, which are encrypted using AES (Advanced Encryption Standard) and authenticated using 2048-bit RSA X.509 certificates. The application servers can be placed in a world-facing DMZ network and protected by standard Web Application Firewall (WAF) and IDS/IPS systems.

Storage Infrastructure
The CTERA Portal supports storing data in private and public storage systems from a wide variety of vendors, including EMC, IBM, DDN, Amazon, and Hitachi. All data at rest on the storage nodes is encrypted using AES-256 encryption, with keys that are stored in the main database only. Data-at-rest encryption applies to all storage (backup folders, home drives, and projects). No cleartext data is ever stored on the object storage system, so even if an attacker gains read access to the object storage system, they still cannot see any of the files' content. Furthermore, each file is protected by an HMAC-SHA-1 signature to prevent malicious tampering or corruption by people with access to the storage infrastructure, and each individual data block is protected against corruption by an MD5 hash. The MD5 hash serves as a secondary integrity check, which can be validated without the encryption key.

CTERA Portal deployment is supported on either a standalone server or in a multi-instance environment. In a standalone environment, a single CTERA Portal server serves as the main database, catalog node, and front-end Web server for user and CTERA client connections. In a multi-instance environment, a single node operates as the main database server, and the remaining nodes can be configured as catalog nodes, front-end Web servers, or both.
All internal communications between CTERA Portal servers are authenticated to prevent unauthorized access. However, to implement the defense-in-depth philosophy, it is good practice to place the CTERA application servers and database servers each in their own separate network, isolated from the corporate network by a firewall. This means that only the application servers need to face the Internet, shielding the sensitive catalog nodes and main database from the hazards of unsecured networks.

The Solution's Security Features

Now that we've learned about the CTERA Cloud Attached Storage solution's components, we're ready to explore the cornucopia of security features they provide.
The CTERA Portal X.509 Certificate

The CTERA Portal uses a 2048-bit X.509 security certificate to do the following:
- Authenticate CTERA Portal servers for TLS connections from CTERA Cloud Storage Gateways and Cloud Agents to CTERA Portal servers
- Authenticate the Web server for HTTPS connections from Web browsers to the CTERA Portal
CTERA Portal Multi-Tenancy

Multi-tenancy is when a single instance of software is used to serve multiple customers, called tenants. CTERA Portal multi-tenancy enables delegating aspects of service delivery to channel partners or departments, by using virtual portal instances (tenants) of the CTERA Portal, each of which acts as a software blade and shares the same underlying infrastructure settings as the other instances, but is completely isolated from the other instances.

The CTERA Portal supports two types of virtual portal instances (tenants), team portals and reseller portals, and enables creating as many of them as desired. (You can learn more about the differences between team and reseller portals by referring to the CTERA Portal Administrator Guide, Datacenter Edition.) User accounts created in different virtual portal instances are completely separated, as is their backed up data. In addition, the CTERA Portal supports assigning a dedicated storage bucket to each virtual portal instance. This means that the stored data of user accounts in different instances will be stored on different storage buckets. This can be done for tiering purposes, regulatory reasons, or security purposes.

CTERA Portal Access Control

The CTERA Portal provides two ways of restricting access to its Web interface:

IP-Based Access Control
It is possible to configure a list of specific IP address ranges from which administrators can access the CTERA Portal's Web interface. This configuration is available for global administrators, as well as for instance-level administrators.

Role-Based Access Control
Every user account in the CTERA Portal is assigned a role, which indicates the user account's authorization level in the system. Likewise, every administrator account, whether global or instance-level, is assigned a role indicating the administrator's authorization level in the system. In addition, it is possible to customize the permissions included in each administrator role. Regardless of their role, an administrator cannot mimic a user's login or perform actions that appear to have been performed by a user. Administrator activity is restricted using role-based access controls and fully logged as part of the audit log, along with the identity of the administrator that performed the action.
CTERA Active Directory Integration

Full Active Directory integration is available on the CTERA Portal and CTERA Agent. When using a single password and Single Sign On (SSO) with Active Directory, each user need only remember a single organization-wide password that is securely stored and managed by Active Directory. It is not necessary to maintain any additional passwords. Furthermore, storing the password in a central location enables full control of the password strength and rotation policy by the organization's password lifecycle policies.

CTERA Portal
The CTERA Portal platform supports integrating each virtual portal instance, whether team or reseller, with Active Directory services or an LDAP server.

CTERA Cloud Storage Gateways
The CTERA Cloud Storage Gateway supports integration with Active Directory, thereby enabling users to access the device via the Web interface using supported protocols, and to access CTERA Agents using their domain accounts. In both cases, Active Directory integration can be established using LDAP or LDAP over SSL. Furthermore, integration with a cross-forest Active Directory setup is supported.

The CTERA Portal periodically synchronizes user accounts that were modified on Active Directory, to promptly detect and adapt to any group membership changes. If desired, you can map a user's Active Directory groups to the user's administrative roles on the CTERA Portal. Role mappings allow controlling what the user can do on the CTERA Portal, based on their Active Directory groups.
It is also important to note that Active Directory user passwords are never persistently stored on the CTERA Portal or CTERA Cloud Storage Gateway. Instead, authentication is performed using the Kerberos protocol.

In addition to Active Directory integration, the CTERA Portal also supports LDAP-based authentication and authorization. As with Active Directory, when LDAP is used, user passwords are never persistently stored on the CTERA Portal. Instead, all user authentications are performed directly using the LDAP protocol.

CTERA Transport Protocol

For maximum security of read and write procedures between CTERA clients and the CTERA Portal, CTERA Networks developed a highly efficient, WAN-optimized file-transfer protocol called CTERA Transport Protocol (CTTP). CTTP is a TCP-based protocol that is encrypted in transit by the industry-standard TLS protocol using a configurable cipher. (The default cipher is AES-256.)

Backup, restore, and sync procedures are performed using CTTP over TCP port 995 as follows:
1. As mentioned in The CTERA Portal X.509 Certificate above, the CTERA Portal uses a 2048-bit X.509 certificate for authenticating connections between CTERA clients and the CTERA Portal, as well as for connections between Web browsers and the CTERA Portal's Web interface.
2. For initial enrollment, the CTERA client establishes a connection with the CTERA Portal using user/password authentication, after which it receives a unique 256-bit authentication key.
3. The CTERA client stores all file fragments at rest and encrypts them with AES-256 CBC.
4. The data encryption keys (DEK) are never stored persistently on the client. The CTERA Portal acts as a key server and provides DEKs to the client on a need-to-know basis. (That is, if the client is granted access to a cloud folder, the key is provided.)
5. The Cloud Backup service supports a secret passphrase protection mode. From the passphrase, the client derives a key encrypting key (KEK) using the PBKDF2 key derivation algorithm. (If the client is a CTERA Cloud Storage Gateway, the KEK is stored persistently in its flash memory.)
6. The CTERA Portal does not receive the KEK or DEK. Instead, the KEK is used to encrypt the DEK using the AES-256 key wrapping algorithm as defined in RFC 3394, and the result is stored on the CTERA Portal as an encrypted folder key (EFK).
7. To decode the files, the client first requests the EFK from the CTERA Portal for a specific folder.
8. The CTERA Portal checks whether the client has permission to access the folder, and if so, returns the EFK.
9. The client then decodes the EFK using the KEK to obtain the DEK. It then uses the DEK to back up or restore files in the folder.

CTERA Audit Log

Both the CTERA Portal and the CTERA Cloud Storage Gateway Web interface maintain extensive logging of all configuration and data changes. One of the log types displayed is Audit logs, which document various configuration changes. Audit logs include information on the action type, account name, date, timestamp, target, and more. The CTERA Portal can also log all file changes and file accesses. In the CTERA Portal, the Audit Log Viewer is available for both global administrators and virtual portal instance (team or reseller) administrators. CTERA audit logs can be automatically forwarded to an organizational Syslog server for log analysis, threat detection, protection against log tampering, and long-term storage.
CTERA Portal Built-in Defenses

The CTERA Portal employs best practices to secure its data. It uses Oracle Java technology, which ensures buffer overruns are checked for automatically. The system also includes HTML validation technology that defeats Cross-Site Scripting (XSS) attacks and performs specific checks to defeat potential attacks such as Cross-Site Request Forgery (CSRF), XXE, ClickJacking, and more.

The CTERA Portal is provided as a VMware-based, hardened virtual appliance. Only minimal initialization settings (IP addresses and so on) are stored on the virtual appliance's file system, and access to those files is protected by an SSH password or certificates. The rest of the configuration is stored inside the PostgreSQL database and protected by PostgreSQL security mechanisms. Configuration changes are logged, along with the user name that executed them, to the CTERA Portal's audit log. These log messages can optionally be sent to external systems via the Syslog protocol.

All successful and failed access attempts are logged. In addition, it is possible to configure the system to send alerts to the administrator upon specific log events. If a client fails to log in due to entering an incorrect user name and/or password three times in a row, all logins from the same source are automatically banned for five minutes. This mechanism severely limits the rate of password guessing attacks, which makes them unfeasible.
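The login throttling rule just described (three consecutive failures from one source, then a five-minute ban on that source), as an added example that is not CTERA's code. The LoginThrottle class, the injectable clock and the credential-check callback are assumptions made for the example.

```javascript
// Added example (not CTERA code): per-source login throttle implementing the
// stated rule, three consecutive failures => five-minute ban for that source.
const FAILURE_THRESHOLD = 3;
const BAN_SECONDS = 5 * 60;

class LoginThrottle {
  // `now` returns unix seconds; injectable so the ban expiry can be exercised in a test.
  constructor(now = () => Date.now() / 1000) {
    this.now = now;
    this.failures = new Map();    // source -> consecutive failures since the last success
    this.bannedUntil = new Map(); // source -> unix time at which the ban lifts
  }

  isBanned(source) {
    const until = this.bannedUntil.get(source);
    if (until === undefined) return false;
    if (this.now() < until) return true;
    this.bannedUntil.delete(source); // ban has expired; the source starts clean
    return false;
  }

  // checkCredentials is the real authentication step (directory or local); the
  // throttle decides whether it runs at all and how to react to its result.
  // Every outcome is returned so the caller can write it to the audit log.
  attempt(source, username, password, checkCredentials) {
    if (this.isBanned(source)) {
      // Credentials are not evaluated while banned, so a guess learns nothing.
      return { ok: false, reason: 'source banned' };
    }
    if (checkCredentials(username, password)) {
      this.failures.delete(source); // a success resets the consecutive-failure count
      return { ok: true, reason: 'authenticated' };
    }
    const count = (this.failures.get(source) || 0) + 1;
    if (count >= FAILURE_THRESHOLD) {
      this.failures.delete(source);
      this.bannedUntil.set(source, this.now() + BAN_SECONDS);
      return { ok: false, reason: 'source banned' };
    }
    this.failures.set(source, count);
    return { ok: false, reason: 'bad credentials' };
  }
}

// Constructed scenario: three wrong guesses from one address, then the real password
// during the ban, then the real password after the ban has lapsed.
function guessingScenario() {
  let clock = 1000000;                        // fake unix time, advanced by hand
  const throttle = new LoginThrottle(() => clock);
  const correct = 'constructed-correct-password';
  const check = (u, p) => u === 'alice' && p === correct;
  const src = '203.0.113.10';                 // RFC 5737 documentation address
  const results = [];
  for (const guess of ['password', '123456', 'letmein']) {
    results.push(throttle.attempt(src, 'alice', guess, check).reason);
  }
  results.push(throttle.attempt(src, 'alice', correct, check).reason); // still banned
  clock += BAN_SECONDS;                                                  // five minutes later
  results.push(throttle.attempt(src, 'alice', correct, check).reason); // ban lifted
  return results;
}
```

Because the ban is keyed by source, clients behind one shared NAT address share the penalty, which is why each refusal is still returned to the caller for the audit log rather than silently dropped.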
CTERA Protection Against OWASP Top-Ten Attacks

CTERA uses a variety of methods to protect against OWASP top-ten attacks:

A1-Injection
The CTERA Portal sanitizes user inputs and uses bind variables to prevent SQL injection attacks. Furthermore, CTERA uses code reviews and third-party vulnerability scanning to detect the presence of potential injection attacks. For another layer of protection, it is possible to deploy the CTERA Portal behind a WAF.

A2-Broken Authentication and Session Management
Widely used and established Active Directory protocols (LDAPS and Kerberos) are used for authentication and authorization. When used with a directory service (Active Directory or LDAP), the system does not store user passwords in its database; rather, it delegates all user authentications to Active Directory. Sessions automatically time out after a short interval of inactivity, and session IDs are rotated after every new successful login. Persistent cookies are never used for storing session IDs or other authentication data, and passwords, session IDs, and other credentials are never sent over unencrypted connections. Code reviews and third-party vulnerability scanning are used to detect the presence of potential session management vulnerabilities.

A3-Cross-Site Scripting (XSS)
The CTERA Portal automatically escapes all data sent to the browser, to prevent XSS attacks. CTERA has performed extensive black-box testing via third-party security experts to detect such potential attacks. Code reviews are also performed regularly to find XSS vulnerabilities. For another layer of protection, it is possible to deploy the CTERA Portal behind a WAF.

A4-Insecure Direct Object References
The CTERA Portal's security engine is designed to perform an access-control check, to ensure that the user is authorized for the requested object, before using a direct object reference from an untrusted source. Code reviews and black-box testing are used regularly to prevent insecure direct object references.
A5-Security Misconfiguration
The CTERA Portal uses a strong application architecture, which separates components so as to allow for multiple layers of security between product modules. (For example, in recommended production environments, database servers and storage servers are separated from application servers.) The CTERA Portal also includes a hardened OS installation that is specifically customized to remove all unnecessary services and open ports. All default passwords are changed as part of the product installation process. All sample applications, application server management consoles, and data are removed from production servers. CTERA's application servers disable directory listings. CTERA has in place a process to ensure that the OS, application servers, development frameworks, database, applications, and all third-party code libraries used by CTERA are regularly patched as needed, based on risk assessments.

A6-Sensitive Data Exposure
Multiple layers of security are used to protect sensitive data, including AES-256 data encryption at rest, SHA-1 fingerprinting of all data, and TLS encryption of all data in transit. No sensitive data is ever transmitted in cleartext, and the system is configured not to allow use of old, insecure ciphers. All access to the CTERA Portal OS console is secured by SSH public/private key pairs. Secure X.509 certificates with 2048-bit key length are used for server authentication. As another layer of protection against exposure of sensitive data, role-based access control is employed. In addition, the system is designed to be completely private with no shared components, and it is entirely self-hosted with no required SaaS components.

A7-Missing Function Level Access Control
The CTERA Portal's presentation (UI) layer is never used to enforce security rules. All security rules are enforced by the backend at the authorization module, which is located below the API level. The enforcement mechanism built into the CTERA Portal denies all access by default and requires an administrator account to be explicitly granted specific roles in order to access each function.

A8-Cross-Site Request Forgery (CSRF)
The system has been tested and confirmed by a third-party testing lab to be immune from CSRF attacks. All API PUT/POST requests require a special CSRF prevention token (x-ctera-token).
A9-Using Components with Known Vulnerabilities
CTERA has in place a process to ensure that the OS, application servers, development frameworks, database, applications, and all third-party code libraries used by CTERA are regularly patched as needed, based on risk assessments. CTERA has in place security policies governing component use, including requiring source code access, requiring acceptable licenses, and assessment of the security risks involved in using each third-party component.

A10-Unvalidated Redirects and Forwards
Forwards are not used. Redirects are always validated to contain safe destinations only. Code reviews and third-party vulnerability scanning are used to detect the presence of potential unvalidated forwarding attacks. For another layer of protection, it is possible to deploy the CTERA Portal behind a WAF.

Session Management

CTERA provides session security by focusing on preventing session prediction, capture, and hijacking. Session prediction refers to guessing a valid session identifier. With the CTERA Portal, session identifiers cannot be predicted, because the session ID is an extremely long number, generated using a cryptographically secure random number generator. Session capture is prevented by using only encrypted communication mediums. (In its default configuration, the CTERA Portal never sends the session ID using clear protocols.) Session hijacking is prevented by using a special CSRF protector header, and by changing the session identifier on every login so as to prevent session fixation attacks. The system automatically logs out inactive users after 30 minutes of inactivity.

CTERA Appliance Security

The CTERA Cloud Storage Gateway is based on a minimal, security-hardened version of Linux, in which virtually all standard services are disabled, to minimize potential attack footprints.

The CTERA Cloud Storage Gateway supports creating encrypted volumes. When the administrator chooses to encrypt the contents of a volume, they are prompted to input a passphrase. Password-Based Key Derivation Function 2 (PBKDF2) is used to harden the volume passphrase (that is, to make the passphrase more secure), and the passphrase is then used to encrypt the encryption key using AES-256. Volume encryption is based on Linux Unified Key Setup (LUKS). This method is an implementation of the TKS1 key setup scheme.
Two-Factor Authentication

CTERA supports collaboration with guests by means of guest invitations. Guest invitations are special time-limited URLs containing a secret code that grants the recipient the ability to view a specific file or folder and to optionally collaborate on those items. The CTERA Portal allows the organization to define which users are allowed to collaborate with external guests at the per-user or per-group level.

The CTERA Portal supports two-factor authentication for guest invitations, based on random numeric passcodes (consisting of six numeric digits) or "challenges" which are sent to the user (by SMS or email) in response to an attempt to access a guest invitation. This feature offers protection against unintended recipients accessing the guest invitation URL.

Two-factor authentication is protected against brute force attacks: each user is given five tries to enter the code, after which the code is disabled. In addition, rate limits are employed to restrict the number of authentication requests, so as to protect against denial of service attacks.

On private computers, after successfully authenticating using two-factor authentication, the user is given the option of setting their computer as "Trusted". When this option is selected, a 256-bit, unique random key is stored on the user's computer, allowing the user to skip two-factor authentication challenges from the same device for the next 30 days. All accesses to invitations, as well as successful or failed two-factor authentication attempts, are logged.
CTERA Mobile

CTERA Mobile stores all data fully encrypted at rest, "sandboxed" from other applications, with a remote wipe feature for lost or de-authorized devices. Encryption keys are generated on the client side during the first service enrollment, using a secure random number generator. CTERA Mobile does not store the password for connecting to the CTERA Portal locally. Instead, upon first connecting to the CTERA Portal, the mobile app exchanges a secure 256-bit access key that does not depend on the password. Only the access key is stored on the mobile device. The access key is unique to each device and is stored in the Android/iOS secure keychain.

Secure Development Lifecycle

CTERA's development lifecycle for software and hardware is highly methodical and includes specific provisions for code reviews and inspections, as well as thorough automatic and manual testing procedures, to minimize security vulnerabilities and other defects. As part of CTERA's development methodology, CTERA has developed an extensive test automation system to validate the integrity of data processing and storage by the CTERA Portal. The test system is automatically run on each new version to ensure that the CTERA Portal operates optimally while under stress, and that even under extreme conditions, the stored data can always be read back correctly without corruption or data loss. In addition to quality assurance, code reviews are performed during the development stage to ensure that changes in the core data processing paths do not introduce a risk of data corruption or data loss.

CTERA's core team is composed of the people who designed and developed the Unified Threat Management (UTM) and VPN appliances of one of the world's top security firms. Therefore, security is CTERA's DNA, and we see it as one of our top priorities. CTERA has developed an internal security standard based on a combination of industry best practices and standards.
CTERA conducts periodic secure coding training and issues reminders to all developers, covering generally recognized secure coding standards and industry practices such as the Open Web Application Security Project (OWASP) "Top Ten Projects", the CWE/SANS "Top 25 Programming Errors", and more. These courses are provided by third-party security experts. In addition, CTERA has performed black- and gray-box penetration tests with multiple third-party labs. CTERA has a policy of performing at least two penetration tests per year, by well-known third-party security testing labs that are independent of CTERA. CTERA has an internal code review process in which every code change is reviewed for quality and security. In addition to internal code reviews, a well-known third-party certification lab retained by CTERA regularly performs independent code review for security-critical code segments.
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationiphone in Business Security Overview
iphone in Business Security Overview iphone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods
More informationSecurity Architecture Whitepaper
Security Architecture Whitepaper 2015 by Network2Share Pty Ltd. All rights reserved. 1 Table of Contents CloudFileSync Security 1 Introduction 1 Data Security 2 Local Encryption - Data on the local computer
More informationVMware Horizon Workspace Security Features WHITE PAPER
VMware Horizon Workspace WHITE PAPER Table of Contents... Introduction.... 4 Horizon Workspace vapp Security.... 5 Virtual Machine Security Hardening.... 5 Authentication.... 6 Activation.... 6 Horizon
More informationRelease Notes. CTERA Portal 4.1. July 2014. CTERA Portal 4.1 Release Notes 1
Release Notes CTERA Portal 4.1 July 2014 CTERA Portal 4.1 Release Notes 1 1 Release Contents Copyright 2009-2014 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any
More informationipad in Business Security
ipad in Business Security Device protection Strong passcodes Passcode expiration Passcode reuse history Maximum failed attempts Over-the-air passcode enforcement Progressive passcode timeout Data security
More informationRelease Notes. CTERA Portal 3.2.43. May 2013. CTERA Portal 3.2.43 Release Notes 1
Release Notes CTERA Portal 3.2.43 May 2013 CTERA Portal 3.2.43 Release Notes 1 1 Release Contents Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced
More informationData Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment
White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based
More informationCTERA Agent for Linux
User Guide CTERA Agent for Linux September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
More informationManaged File Transfer and the PCI Data Security Standards
"The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The PCI
More informationS E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s
S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationEnsuring the Security of Your Company s Data & Identities. a best practices guide
a best practices guide Ensuring the Security of Your Company s Data & Identities Symplified 1600 Pearl Street, Suite 200» Boulder, CO, 80302» www.symplified.com» @Symplified Safe and Secure Identity Management
More informationHow To Secure Your Data Center From Hackers
Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard
More informationSecurity Controls for the Autodesk 360 Managed Services
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationMIGRATIONWIZ SECURITY OVERVIEW
MIGRATIONWIZ SECURITY OVERVIEW Table of Contents Introduction... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Database Level Security... 4 Network Security...
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationCasper Suite. Security Overview
Casper Suite Security Overview JAMF Software, LLC 2015 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide is accurate. JAMF Software 301 4th Ave S Suite
More informationAcano solution. Security Considerations. August 2015 76-1026-01-E
Acano solution Security Considerations August 2015 76-1026-01-E Contents Contents 1 Introduction... 3 2 Acano Secure Development Lifecycle... 3 3 Acano Security Points... 4 Acano solution: Security Consideration
More informationWhen enterprise mobility strategies are discussed, security is usually one of the first topics
Acronis 2002-2014 Introduction When enterprise mobility strategies are discussed, security is usually one of the first topics on the table. So it should come as no surprise that Acronis Access Advanced
More informationRelease Notes. Cloud Attached Storage 2.5.32
Release Notes Cloud Attached Storage 2.5.32 January 2011 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationSecuring SaaS Applications: A Cloud Security Perspective for Application Providers
P a g e 2 Securing SaaS Applications: A Cloud Security Perspective for Application Providers Software as a Service [SaaS] is rapidly emerging as the dominant delivery model for meeting the needs of enterprise
More informationSecure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications. www.vidyo.com 1.866.99.VIDYO
TECHNICAL NOTE Secure VidyoConferencing SM Protecting your communications 2012 Vidyo, Inc. All rights reserved. Vidyo, VidyoTechnology, VidyoConferencing, VidyoLine, VidyoRouter, VidyoPortal,, VidyoRouter,
More informationMedia Shuttle s Defense-in- Depth Security Strategy
Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among
More informationWhite Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com
Protecting Mobile Apps with Citrix XenMobile and MDX citrix.com Mobility is a top priority for organizations as more employees demand access to the apps and data that will make them productive. Employees
More informationWorkday Mobile Security FAQ
Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationSecurity Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2
BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationGoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationEnsuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationIntroduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
More informationCTERA Agent for Mac OS-X
User Guide CTERA Agent for Mac OS-X June 2014 Version 4.1 Copyright 2009-2014 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
More informationPCI DSS 3.0 Compliance
A Trend Micro White Paper April 2014 PCI DSS 3.0 Compliance How Trend Micro Cloud and Data Center Security Solutions Can Help INTRODUCTION Merchants and service providers that process credit card payments
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationManaged File Transfer and the PCI Data Security Standard
IPSWITCH FILE TRANSFER WHITE PAPER Managed File Transfer and the PCI Data Security Standard www.ipswitchft.com The Payment Card Industry (PCI) Data Security Standard (DSS) are intended for use by merchants,
More informationA Guide to New Features in Propalms OneGate 4.0
A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously
More informationBuilding Energy Security Framework
Building Energy Security Framework Philosophy, Design, and Implementation Building Energy manages multiple subsets of customer data. Customers have strict requirements for regulatory compliance, privacy
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationFlexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationInstallation Guide. SafeNet Authentication Service
SafeNet Authentication Service Installation Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information
More informationRSA Authentication Manager 7.1 Security Best Practices Guide. Version 2
RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks
More informationCloud Attached Storage 5.0
Release Notes Cloud Attached Storage 5.0 March 2015 2015 Cloud Attached Storage 5.0 Release Notes 1 1 Release Contents Copyright 2009-2015 CTERA Networks Ltd. All rights reserved. No part of this document
More informationWeb Application Firewall
Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
More informationCTERA Agent for Mac OS-X
User Guide CTERA Agent for Mac OS-X September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without
More informationCTERA Portal Datacenter Edition
User Guide CTERA Portal Datacenter Edition September 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means
More informationAn Overview of Samsung KNOX Active Directory and Group Policy Features
C E N T R I F Y W H I T E P A P E R. N O V E M B E R 2013 An Overview of Samsung KNOX Active Directory and Group Policy Features Abstract Samsung KNOX is a set of business-focused enhancements to the Android
More informationSECURE YOUR DATA EXCHANGE WITH SAFE-T BOX
SECURE YOUR DATA EXCHANGE SAFE-T BOX WHITE PAPER Safe-T. Smart Security Made Simple. 1 The Costs of Uncontrolled Data Exchange 2 Safe-T Box Secure Data Exchange Platform 2.1 Business Applications and Data
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationUser Identification and Authentication
User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included
More informationWEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services
WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
More informationIntroduction to the Mobile Access Gateway
Introduction to the Mobile Access Gateway This document provides an overview of the AirWatch Mobile Access Gateway (MAG) architecture and security and explains how to enable MAG functionality in the AirWatch
More informationowncloud Architecture Overview
owncloud Architecture Overview owncloud, Inc. 57 Bedford Street, Suite 102 Lexington, MA 02420 United States phone: +1 (877) 394-2030 www.owncloud.com/contact owncloud GmbH Schloßäckerstraße 26a 90443
More informationDeploying iphone and ipad Security Overview
Deploying iphone and ipad Security Overview ios, the operating system at the core of iphone and ipad, is built upon layers of security. This enables iphone and ipad to securely access corporate services
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationNETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationThe Security Behind Sticky Password
The Security Behind Sticky Password Technical White Paper version 3, September 16th, 2015 Executive Summary When it comes to password management tools, concerns over secure data storage of passwords and
More informationApplication Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant
Application Security Best Practices Wally LEE Principal Consultant 17/18 March 2009 Speaker Profile Wally LEE CISSP BS7799 Lead Auditor Certified Ultimate Hacking Instructor Certified
More informationFileRunner Security Overview. An overview of the security protocols associated with the FileRunner file delivery application
FileRunner Security Overview An overview of the security protocols associated with the FileRunner file delivery application Overview Sohonet FileRunner is a secure high-speed transfer application that
More informationSecurity Overview Enterprise-Class Secure Mobile File Sharing
Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud
More information