Tresorit s DRM. A New Level of Security for Document Collaboration and Sharing



Similar documents
WHITE PAPER

WHITE PAPER NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW

SOOKASA WHITEPAPER SECURITY SOOKASA.COM

Cloud storage buyer s guide

Introducing OneDrive for Business

Internet threats: steps to security for your small business

Cloud Computing for Education Workshop

Secure Cross Border File Protection & Sharing for Enterprise Product Brief CRYPTOMILL INC

Security Architecture Whitepaper

Problem. Solution. Quatrix is professional, secure and easy to use file sharing.

FileCloud Security FAQ

USER MANUAL. v Windows Client January

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

Our Key Security Features Are:

OneDrive Using Office Documents

Dropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description

For example some Bookkeepers are using Dropbox to share the accounting files between them and their client.

Vs Encryption Suites

Utilizing Dropbox to Share Files

Working in the Cloud

STRONGER AUTHENTICATION for CA SiteMinder

Cloud Attached Storage 5.0

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

An Enterprise Approach to Mobile File Access and Sharing

Welcome to ncrypted Cloud!

BlackBerry Business Cloud Services. Administration Guide

SharePlus Enterprise: Security White Paper

USER GUIDE CLOUDME FOR WD SENTINEL

Enterprise Private Cloud Storage

USER GUIDE CLOUDME FOR WD SENTINEL

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

Mobilize with Enterprise-Grade Security and a Great Experience

Move to the cloud without compromising security

WatchDox for Windows. User Guide. Version 3.9.5

Cloudifile: Frequently Asked Questions

ShareSync from LR Associates Inc. A business-grade file sync and share service that meets the needs of BOTH users and administrators.

Protecting Your Data On The Network, Cloud And Virtual Servers

Research Information Security Guideline

MaaSter Microsoft Ecosystem Management with MaaS360. Chuck Brown Jimmy Tsang

How To Protect Your Data From Being Hacked

Keeper Password Manager & Digital Vault

Data In The Cloud: Who Owns It, and How Do You Get it Back?

Windows Phone 8.1 Mobile Device Management Overview

Secure Document Sharing & Online Workspaces for Financial Institutions

Solving the Online File-Sharing Problem Replacing Rogue Tools with the Right Tools

Evolution from FTP to Secure File Transfer

When enterprise mobility strategies are discussed, security is usually one of the first topics

WatchDox for Windows User Guide. Version 3.9.0

1. Scope of Service. 1.1 About Boxcryptor Classic

Windows Phone 8 Security Overview

SureDrop Secure collaboration. Without compromise.

E-Guide SIX ENTERPRISE CLOUD STORAGE AND FILE-SHARING SERVICES TO CONSIDER

endpoint Antivirus Application Control Removable Device Encryption enjoy Data protection

Neat Cloud Service + Mobile App

owncloud Architecture Overview

Mobile Data Loss. Threats & Countermeasures. Michael T.Raggo, CISSP, NSA-IAM, ACE, CSI.

SOOKASA WHITEPAPER CASB SECURITY OVERVIEW.

Ensuring the security of your mobile business intelligence

Secure any data, anywhere. The Vera security architecture

Encryption. How do I send my encryption key?

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data

Manual for Android 1.5

Remote Access Securing Your Employees Out of the Office

eztechdirect Backup Service Features

Frequently Asked Questions. Frequently Asked Questions SSLPost Page 1 of 31 support@sslpost.com

v Devolutions inc.

Storage Made Easy. Cloud File Server Overview

Mobile App User's Guide

Database Security SQL Server 2012

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Egress Switch Reader. User Guide 2.3

BYOD Guidance: BlackBerry Secure Work Space

Simple, Secure User Guide for OpenDrive Drive Application v for OS-X Platform May 2015

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

getting started with box 1. What is box? 2. Creating an account 3. box functions

The Benefits of SSL Content Inspection ABSTRACT

AEL Data Services LLP. LEKTZ - Digital Rights Management (DRM) Solutions

Practical Demonstration of Using the Internet Cloud for Backup USING SKY DRIVE, DROP BOX, SUGARSYNC OR

User Guide. The AMF's File Transfer Service (FTS)

December P Xerox App Studio 3.0 Information Assurance Disclosure

ADDING STRONGER AUTHENTICATION for VPN Access Control

Transcription:

Tresorit s DRM A New Level of Security for Document Collaboration and Sharing Cloud-based storage has made it easier for business users to share documents, but it has also opened up new vulnerabilities. Solutions that use client-side encryption, such as Tresorit, offer the most security for sensitive and private data as it travels from the user s desktop, to the cloud, and to the chosen collaborator s desktop. But what happens to documents after they have been shared and during the collaboration process? INDUSTRY STANDARD SECURITY Box, Dropbox, Google Drive stolen password wifi cracked broken device TRESORIT ALL PLANS heartbleed hackers corporate espionage editing saving to usb copying content emailing printing screenshoting IS A GAME-CHANGER FOR SMB DATA SECURITY: Unlike other cloud solutions, Tresorit DRM protects the data itself, not just the cloud infrastructure. DRM wards off a host of security concerns including attacks from external hacker as well as breaches from internal employees. Whether malicious or accidental, protecting against these breaches is vital: According to a PwC study of 9,600 businesses, current and former employees account for 31% and 27% of data breach incidents respectively. DRM technology has been used by commercial publishers to protect digital works such as music, videos, and e-books, and by large enterprises to manage access to sensitive documents and control content sharing. Tresorit s DRM offers the same high-level of security offered by enterprise-grade solutions, but is much simpler to use companies no longer need expensive infrastructure and large IT teams to have complete digital security. Tresorit DRM complements the Tresorit cloud-storage solution: Files are protected in transit and on the cloud with end-to-end encryption via Tresorit s storage solution; DRM offers more control to businesses by extending security to documents once they have been shared. Copyright 2014 Tresorit. All rights reserved. 1

DATA PROTECTION WITH Tresorit DRM protects data by combining strict role definition, distributed control of data, and the ability to revoke access to files to ensure complete data security in the cloud and on user devices. DEFINE ROLES Document owners often need to provide different privileges to users to control who can view a file versus those who can print, edit, copy, or share it. With Tresorit DRM, administrators can set access levels on all encrypted folders (known as tresors), defining roles across teams with ease. These granular permissions provide exceptional control for complex collaboration on sensitive documents. Once assigned, roles carry over to all of the user s devices, enforcing the granular policies that are mapped to each defined role: { } tresor [tʀeˈzoːɐ ] noun (German) 1. lockable, armoured cabinet OWNER MANAGER EDITOR READER SIMPLE RIGHTS view edit share delete a tresor print ADVANCED RIGHTS copy-paste print-screen forward Table 1: Control Every Aspect of Document Collaboration by Defining Roles in Tresorit DRM Copyright 2014 Tresorit. All rights reserved. 2

DISTRIBUTED CONTROL OF FILES: With Tresorit DRM, distributed control carries over to any device or user, because all files are encrypted individually. Even if corporate files are leaked, intruders are unable to access them due to the combined encryption layers of both Tresorit DRM and the service that powers it, Microsoft s Rights Management Service (RMS). While Tresorit regulates security policies set by the owner of the content, Microsoft s underlying technology enables local control over data. If a user tries to share a document via email or copy it onto a thumb drive, the permission rights travel with the document: no one can open a DRM-protected document without permission. MICROSOFT RMS AND DATA SECURITY Microsoft provides the Rights Management Service (RMS) for Tresorit DRM. Files stored with Tresorit DRM are protected with three separate layers: Microsoft RMS controls permission management on a file level, and Tresorit DRM provides control over a document and a secure channel to handle sensitive files. The second layer is Tresorit s end-to-end security, which uses client-side encryption to scramble files on the user s device before they are transferred to the cloud. The transfer process is protected with Transport Layer Security (TLS) a protocol for secure Internet communications that has eclipsed the previously used SSL protocol. CAN MICROSOFT READ THE CONTENT OF DRM-ENABLED TRESORS? Absolutely not. Tresorit DRM has a zero-knowledge design to ensure that neither Tresorit nor Microsoft servers have access to the uploaded information, and that user data cannot be exposed. First, Microsoft RMS servers do not have physical access to protected files at any stage of the process. This means that even with possession of the Content Key, they cannot use it to decrypt data. Second, Tresorit s client-side encryption is also applied to DRM protected files, so the content is encrypted before it is uploaded to the cloud. This means that Tresorit servers cannot ever read the client side encrypted data. Copyright 2014 Tresorit. All rights reserved. 3

HOW DOES WORK Once DRM is enabled in the Tresorit app, the Tresorit client can apply file-level encryption to documents stored in DRM-enabled tresors. Currently, Tresorit s DRM service is available on Windows to secure documents created using Microsoft s Office applications. Tresorit DRM is powered by Microsoft s RMS, and uses its security solutions in the DRM design as described below 1. SECURING FILES WITH After signing up for Tresorit Business, follow these steps: 1. Create a new tresor. 2. Set it up with DRM protection. 3. Install Tresorit DRM this will run in the background and will take about a minute. 4. The DRM-protected tresor will be displayed with an additional shield symbolizing the extra layer of security. 5. Invite new members to share documents in a tresor, and set up permissions with a click. INSTALLATION Users access Tresorit DRM by signing up to Tresorit Business; Tresorit will prompt them to download the DRM plugin. During installation, Tresorit DRM automatically creates the user s account on the Microsoft RMS servers and facilitates the creation of the user s own RMS public-private key pair and RMS certificate. The process also entails the exchange of public keys between the Microsoft RMS server and the user, and ends with Tresorit DRM signing the user into Microsoft Office. USER install DRM DRM succesfully installed create device specific key and cert (private and public) enable RMS protection start DRM install in Tresorit log in to MS Office create new RMS account Authentication: create user s cert chain (only public key and cert) 1 For a more detailed description of Microsoft Rights Management Services, read this post by Dan Plastina, Microsoft developer s, on the official Microsoft TechNet blog. Copyright 2014 Tresorit. All rights reserved. 4

CREATING A DRM PROTECTED TRESOR When the user creates a DRM-protected tresor, Tresorit first generates a matching Rights List for each file. The Rights List contains three email groups, automatically created by Tresorit on Microsoft s servers. Tresorit DRM will ensure these email groups contain the email addresses of all Readers, Editors, and Managers of a tresor, and will assign their corresponding, pre-set access rights on the file level. Tresorit also initializes Microsoft RMS protection for each file before upload. During this process, RMS creates a file-specific AES-128 Content Key, and encrypts each file with the corresponding Content Key, creating the 1st component of an RMS protected file. Once done, it combines each file s Content Key and Rights List, encrypting them with the Microsoft RMS server s public key. With this the 2nd component of the RMS-protected file is created. The final RMS protected file, made up of the encrypted file and matching 2nd component, is first encrypted with Tresorit s own AES-256 client-side protocol, then uploaded to the Tresorit cloud. USER create a tresor file specific Content key AES-128 encrypt file encrypt file specific Content key / Rights list create RMS encrypted file generate Rights list initialize RMS protection on all files before uploaded to the cloud encrypt AES 256 sync RMS encrypted file create email groups assigned to Rights lists OPENING A DRM-PROTECTED FILE When an authorized user has synced a DRM-protected file to their device via Tresorit, and opens it in Microsoft Office, the software contacts Microsoft RMS servers, sending along the user s RMS certificate and the encrypted 2nd component of the protected file. The RMS server uses its private key to decrypt the 2nd component, and gains access to both the file s Content Key and its Rights List. Using the Rights List, the server checks whether the user has access to the protected content. If so, it sends the Content Key and Rights List back to the user s device, encrypting it with the user s RMS public key. Using the user s locally stored private key, RMS then accesses the Content Key and uses it to decrypt the local copy of the file. Once done, it loads both it and the Rights List into Microsoft Office, which grants access to the user, limiting his rights as outlined in the Rights List. USER open DRM protected file access file download from the cloud + decrypt sends user s RMS cert, Content key and Rights list receives user s private key + opens Content key and Rights list use Content key to decrypt file feeds Rights list into Office authenticate user Copyright 2014 Tresorit. All rights reserved. 5

SHARING A DRM-PROTECTED FILE When a user shares a DRM-protected file with a certain permission level, Tresorit DRM first updates the corresponding email group on the Microsoft RMS servers. As the invited member downloads an RMS-encrypted file through Tresorit, the same access process plays out that was outlined above: the RMS servers check for the user s access level. Once the user is granted access, they can start working with the shared documents according to the permission level set for him in Tresorit. As the Rights List does not contain the users email addresses directly, it s not necessary to re-encrypt protected files when changing permissions. The email groups for Readers, Editors, and Managers can be instantly updated by Tresorit DRM on the Microsoft RMS servers. This means that even if a user had full access to the file a moment ago, as soon as permission is revoked, Microsoft Office will not permit him to open the file another time, ensuring that data stays under its owner s control, wherever it travels. USER 1 shares DRM protected tresor revokes user 2 s access USER 2 gets files opens file access file try to open cannot access check Rights list for user 2 check rights levels updates permission groups (Rights list update) sends files (tresor) to user 2 updates permisson groups denies access updates email groups authenticates user 2 checks Rights list, sends content list and Rights list updates email groups check rights levels no match! THE RIGHT SOLUTION FOR ADDED SECURITY Tresorit s ultra-secure cloud collaboration service may be all a company needs to keep data safe while stored on the cloud and in transit to users. But companies that need to collaborate on sensitive documents need to protect information after it has been shared. Tresorit s DRM service makes secure and controlled collaboration possible for companies of all sizes. When Tresorit s cloud storage and sharing service is paired with the DRM service, companies now have end-to-end protection for data collaboration and security. Copyright 2014 Tresorit. All rights reserved. 6