Media Shuttle's Defense-in-Depth Security Strategy




Introduction

When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among the various players on your team isn't something you want to think about. That's why Signiant designed Media Shuttle as a file sharing solution especially for media production that also eases the minds of tireless IT professionals responsible for keeping cyber criminals at bay.

Leaders in media and entertainment depend on Signiant to move petabytes of high-value digital content every day. Our customers trust us with their intellectual property, delivery timelines, and ultimately their reputation. But mostly they simply want a solution that allows them to focus on their work, without having to track the security of it.

Effective security is complicated, however. It must encompass all aspects of product development and daily operations, and it requires thoughtful application of both policy and technology.

This white paper provides an overview of the methods used to secure Signiant's Media Shuttle hybrid SaaS offering. Starting with a description of the Media Shuttle architecture and associated security mechanisms, the paper continues with a summary of the secure design principles incorporated into all aspects of Media Shuttle and finishes with an overview of SaaS operational policies and procedures.

www.signiant.com

Architecture

The Media Shuttle architecture incorporates a file transfer tier, made up of file transfer clients and servers, and a transfer logistics tier hosted in the cloud. Media Shuttle's hybrid SaaS technology is unique in offering you a choice between storing your files on-premise or in the cloud, while the software that actually moves files is a true cloud-managed SaaS offering. This eliminates the security risk of popular consumer file transfer services: your files are never stored in the same file system or cloud storage tenancy as other people's files. The advantages of segregated storage are numerous, but from a security perspective it provides an extra layer of containerization.

To break it down a bit: the cloud tier of Media Shuttle delivers the browser-based user interface and provides file transfer logistics support. The cloud tier interacts with transfer clients and servers to move files between user storage and transfer server storage. A transfer client runs as a native browser plug-in for user-initiated transfers. The following diagram illustrates these components and how they interact:

Fig. 1: Media Shuttle Components

Secure Web Communications

All web interactions utilize standard Transport Layer Security (TLS) to authenticate the server and encrypt information exchanged between the browser and the server. Users log in to the Media Shuttle web interface using their username and password. Strong password policies are enforced, and users can optionally authenticate using SAML-based Web Single Sign-On (SSO) with usernames and passwords managed in enterprise and cloud directories.

Web SSO also enables alternate authentication schemes, like multi-factor authentication, and enables enterprise-specific password policies. When web SSO is used, user passwords are never exposed to Media Shuttle web servers. Instead, Media Shuttle utilizes a trust relationship to interact with identity gateways, like the Active Directory Federated Services gateway, to securely retrieve and validate access tokens for users.

For users managed exclusively in Media Shuttle, passwords are stored using secure salted one-way hashes. Passwords are not stored in clear text, and what is stored can only be used to determine if a password provided by a user is correct. Passwords provided by users are tested by applying the hashing process and comparing the result to the stored value. The salt is random data that is included in the hash to prevent brute force dictionary attacks on the password database in the unlikely event of a breach. This is just one layer in the defense-in-depth strategy incorporated in the Media Shuttle design.

Customer Provisioning

The trust model for an individual customer begins with the creation of a customer account and assignment of top-level administrators for the account. The initial account creation step is performed by Signiant Customer Care as part of the customer provisioning process. The next step is to set up and associate file transfer servers with the account. Signiant Customer Care may also assist in this step. Each transfer server installation securely binds with the cloud tier and the customer account using a one-time setup key generated by the cloud tier for this purpose. This one-time key is used to securely establish and exchange security credentials, which are then used to validate and encrypt all future communication between the cloud and the transfer server.
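The salted one-way hashing described above for users managed in Media Shuttle, as an added example that is not Signiant's code: the paper does not name the hash function or work factor, so PBKDF2-HMAC-SHA256, the iteration count, the record layout and all function names here are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; the paper does not state one


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record to store: a random per-user salt plus the derived hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-apply the hashing process to the candidate and compare to the stored value."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, record["hash"])


def same_password_same_record(password: str) -> bool:
    """With random salts, two users who pick the same password get different hashes."""
    return hash_password(password)["hash"] == hash_password(password)["hash"]


if __name__ == "__main__":
    record = hash_password("constructed-sample-passphrase")  # constructed input
    print(verify_password("constructed-sample-passphrase", record))
    print(verify_password("wrong guess", record))
    print(same_password_same_record("constructed-sample-passphrase"))
```

Because each record carries its own salt, a table of hashes computed once for a wordlist cannot be reused across accounts; every guess has to be recomputed per user.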
Portal and Member Management

Once transfer servers are registered with an account, the administrator can create new Portals that allow communities of users, called Members, to securely exchange files. Portals have their own unique Web URL and can be branded with portal-specific wallpaper, logos, icons, color schemes and messaging. From an information security perspective, it's relevant that a portal is associated with a specific area of storage visible to a transfer server or visible to a set of redundant transfer servers. Portals can be configured so that members of the portal can browse the associated storage, in portal Share mode, or so that members have no storage visibility and only utilize the associated storage as transient transfer storage, in portal Send mode. Using a portal in Share mode involves FTP-like upload and download interactions. Using a portal in Send mode involves email-attachment-like send and receive interactions.

Administrative rights to manage certain aspects of the portal, like membership, can be delegated to operations staff within the organization. The access rights of regular members can be controlled by top-level administrators and delegated administrators, as allowed by top-level administrators.

File Transfer Mechanics

When a user initiates a file transfer via the cloud-served graphical user interface, or a transfer is initiated by an unattended sync operation, transfer instructions are generated for and delivered to the transfer client. Transfer instructions include a unique transfer security token and are delivered via secure web communications. The transfer client then connects to the transfer server and delivers the transfer instructions. The transfer server validates the transfer instructions by contacting the cloud tier with the transfer instructions, including the transfer token. This round-trip check ensures that transfers are authorized and valid at the time of transfer and are fully tracked by the cloud tier.

Transfer Plug-in Security

User-initiated transfers are performed using a browser plug-in that interacts with Media Shuttle web pages. Browser plug-ins and installed applications that interact with web pages operate outside the browser security sandbox, with broader access to the user's files and other resources. Plug-ins and applications can be used by malicious web pages as a point of attack when associated threats are not mitigated in their design. For example, a rogue web page that detects the presence of the plug-in can instruct it to upload a sensitive file or download and overwrite a sensitive system file without the user's knowledge. The Signiant transfer plug-in has been designed so that all file access performed by the plug-in is explicitly authorized by the user to eliminate this threat. Interactions between installed software and web pages are an open attack point in many products.
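The round-trip check described under File Transfer Mechanics above, sketched as an added example that is not Signiant's code. The class names, instruction fields, token lifetime and single-use rule are assumptions made for illustration; the paper states only that instructions carry a unique token and that the transfer server validates them with the cloud tier.

```python
import hashlib
import json
import secrets
import time


class CloudTier:
    """Stand-in for the transfer logistics tier: issues and validates instructions."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds  # assumed token lifetime
        self.issued = {}        # token -> {"digest", "expires", "used"}
        self.audit = []         # every validation decision is tracked

    @staticmethod
    def _digest(instructions):
        canonical = json.dumps(instructions, sort_keys=True).encode("utf-8")
        return hashlib.sha256(canonical).hexdigest()

    def issue(self, user, portal, path, direction, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unique, unguessable transfer token
        instructions = {"user": user, "portal": portal, "path": path,
                        "direction": direction, "token": token}
        self.issued[token] = {"digest": self._digest(instructions),
                              "expires": now + self.ttl, "used": False}
        return instructions

    def validate(self, instructions, now=None):
        now = time.time() if now is None else now
        token = instructions.get("token")
        entry = self.issued.get(token)
        if entry is None:
            verdict = "unknown-token"
        elif now > entry["expires"]:
            verdict = "expired"
        elif entry["used"]:
            verdict = "replayed"
        elif not secrets.compare_digest(entry["digest"], self._digest(instructions)):
            verdict = "instructions-altered"  # client changed what was authorized
        else:
            entry["used"] = True
            verdict = "ok"
        self.audit.append((token, verdict))
        return verdict


class TransferServer:
    """Accepts a transfer only after the cloud tier confirms the instructions."""

    def __init__(self, cloud):
        self.cloud = cloud

    def accept(self, instructions):
        return self.cloud.validate(instructions) == "ok"
```

Binding the stored digest to the full instruction set means a client cannot reuse a valid token for a different path or direction, and the audit list gives the cloud tier a record of rejected attempts as well as successful transfers.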
Data Storage

All file transfers are protected from eavesdropping and modification in transit using Transport Layer Security. However, to enhance protection of files on storage, users can specify a unique transfer password. The content of the file is then encrypted on storage with a random encryption key, which is in turn protected with the user-supplied password. To gain access to the unencrypted content of the file, users must specify the correct password.

Audit

All user and file transfer activity is logged by the system. Specifically, failed and successful user logins and transfers initiated by users are logged and visible to administrators. Audit information can be analyzed in real time to identify suspicious access patterns and analyzed in retrospect for forensic purposes.

Service Availability

Media Shuttle architecture pays equal attention to maintaining service availability in the event of both internal component failures and malicious attacks. N+1 local redundancy is used in combination with multiple geographically distributed data centers to remove single points of failure. The system utilizes elastic cloud infrastructure that is automatically scaled up and down to handle current load. The system is monitored 24x7 for availability and suspicious activity patterns.

Least Privilege

Every task in the system should be performed with the least privileges possible, both in terms of the scope of resources that can be accessed and the duration of time that resources can be accessed. A corollary of least privilege is that mechanisms used to control access to resources should never be shared.

Secure by Default

Accounting for the unpredictable nature of human factors while maintaining usability is a key component of secure design. A system is secure by default when the default settings put the system in a secure state. This ensures that security features aren't circumvented for the sake of convenience.

Defense-in-Depth

A defense-in-depth design strategy involves layering security controls for the system such that multiple security compromises are required to gain access to critical resources.

Service Operations

Operational policies and procedures are key to the security of any SaaS offering. Signiant operational policies and procedures are established in accordance with industry standards for service organization controls. Connectivity between the production service environment and Signiant business operations is restricted in accordance with least privilege and defense-in-depth principles. Fully independent production and development Media Shuttle environments are also maintained.
This section of the paper highlights some of the operational controls in place for production elements of the cloud environment.

Physical Security

All Signiant services and infrastructure are hosted by Amazon Web Services. AWS maintains strict physical access policies that utilize sophisticated physical access control mechanisms. Environmental controls like uninterruptible power and non-destructive fire suppression are integrated elements of all data centers. Signiant uses multiple geographically distributed data centers as part of a comprehensive disaster recovery strategy.

Access to production infrastructure is managed on a least privileges basis and is limited to the Signiant operations team. Background checks are performed and security training is provided to ensure the background and skills of operations staff are consistent with security objectives. Sensitive product service data stored in service databases never leaves the production system, and access is controlled according to least privilege principles.

NEXT STEPS: www.mediashuttle.com, 781-221-4051, mediashuttle@signiant.com

Firewall rules are maintained so that production systems can only be accessed for maintenance from defined Signiant locations using secured access mechanisms. Systems are maintained in a hardened state with defined baselines for all host and network equipment. All changes to systems are tracked and managed according to well-established change management policies and procedures. The patch level of third-party software on systems is regularly updated to eliminate potential vulnerabilities.

Breach Detection and Response

Signiant continuously monitors using external monitoring tools. System logs are aggregated and archived centrally, facilitating both continuous analysis for suspicious access patterns and future forensic analysis. Regular external vulnerability scanning is also performed. In the event of a breach, Signiant has the ability to isolate components of the system to contain the breach and maintain ongoing operations. Signiant's incident response team is at the ready to notify customers of security or service impacting events according to defined notification policies.

Independent Security Evaluation

Signiant engages independent third parties on an ongoing basis to review the security of Signiant products and services. Services performed by these third parties include design, implementation and deployment assessments as well as white and black box penetration testing.
Third parties are given full access to design documentation and source code as part of these reviews. Signiant believes that quality independent third-party review provides invaluable insight into system security and how to continuously improve it.

Summary

Signiant recognizes how critical our products and services are to our customers. This recognition is reflected in an organization-wide commitment to information security and resilience. The commitment starts with secure design principles and encompasses every aspect of product development and daily operations. For more information on Media Shuttle and our commitment to exceptional customer experiences, please contact Signiant (www.signiant.com).

ABOUT SIGNIANT

Used by the world's top content creators and distributors, Signiant is the market leader in intelligent file movement software for the media and entertainment industry. The company's powerful software suite optimizes existing enterprise network infrastructure and media technologies to ensure secure digital media exchanges, workflow efficiency and superior user experiences.

SKU-062014