CBIO Security White Paper




One Canon Plaza, Lake Success, NY 11042
www.ciis.canon.com

Introduction to Canon Business Imaging Online

Canon Business Imaging Online ("CBIO") is a cloud platform for Canon's business applications. CBIO provides customers access to Canon's latest technology on the cloud, including services that are integrated with MFDs (multi-function devices) and printers such as Canon imageRUNNER ADVANCE devices. Canon considers the security and privacy of customers to be of the utmost importance; therefore, CBIO is hosted at a secure data center with the latest, industry-standard security measures.

CBIO provides many benefits to customers:

- Affordable: Without large up-front costs, customers can use cloud-based services on a subscription model.
- Stable: Applications are installed on a powerful, secure, and redundant hardware infrastructure.
- Quick deployment: Since the applications are cloud-based, customers can start using the services right away.
- Compatible: Since the applications are web-based, services can be accessed from anywhere. In addition, upgrades are handled in the cloud, so customers don't have to worry about version control.

Forms and Print Services for Salesforce is available in the US market through Canon Information and Imaging Solutions, Inc. ("CIIS"). Canon anticipates adding more services to the CBIO platform in the near future.

Introduction to Forms and Print Services for Salesforce

Forms and Print Services for Salesforce is used to create forms that include data from the end user's salesforce.com, Inc. account and print them to MFDs and printers, including Canon imageRUNNER ADVANCE devices. Basic functions include:

- Create highly visual and attention-grabbing forms and reports (in PDF format) with salesforce.com data and preview them on any PC, laptop, or mobile device.
- Print created forms to Canon imageRUNNER ADVANCE devices directly, without printer drivers.*
- Authenticate, retrieve** and print created forms from Canon imageRUNNER ADVANCE devices.
- Attach PDF forms to the source/account page on salesforce.com.

Forms and Print Services for Salesforce may not be appropriate for the management, collection or storage of certain highly confidential or sensitive data. Use of the service for the management, collection or storage of protected information is solely at the customer's determination.

* If you are not printing to a Canon imageRUNNER ADVANCE device, you can download the PDF and print it on another printer using a print driver.
** The PDF forms are stored on CBIO for a maximum of forty-eight (48) hours.

CBIO Infrastructure Architecture

CBIO offers enterprise-class security and reliability by leveraging services from a recognized and dependable third-party cloud infrastructure service provider. The data centers that host CBIO are Tier III certified and offer the highest levels of data protection, reliability of service, and security. Below are some of the key architectural design points for the CBIO infrastructure.

Shared Infrastructure Responsibility Model

Infrastructure responsibilities are shared between Canon and the infrastructure service provider. The infrastructure service provider is responsible for all aspects of the physical security of the data centers that host CBIO, as well as the virtualization layers related to shared infrastructure components, such as physical storage for data. Encryption (AES128) is used by the infrastructure service provider to protect data partitions within physical storage areas. Canon is responsible for the virtual servers, operating systems (including security updates) and applications that provide CBIO services. CBIO applications, such as the Authentication Services and Print Services, further enhance data security by encrypting customer data with AES256, using unique keys for each customer.

Physical and Environmental Security

The facilities used to host CBIO are located in Japan, in cutting-edge, earthquake-resistant data centers. It is anticipated that in the future, data centers will also be located in the U.S. These facilities are protected by the following range of technologies:

- Strict access controls imposed on sections, server rooms, and other locations.
- Centralized ID management for employees and visitors, including whereabouts tracking via RFID.
- Palm and vein authentication associated with employee and visitor IDs for further access control.
- Tailgate detection to ensure that access to a secured area is granted to a single person for each valid security card presented.
- Association of surveillance video with event logs, and long-term storage of security video and event logs.

Systems Security

The following practices and technologies are utilized on CBIO-related host systems:

- Patch management for security updates
- Use of antivirus software for malware and virus detection
- Use of host-based firewalls
- Log management
- Independent security assessments

Business Continuity and Data Management

CBIO employs numerous levels of redundancy for major components such as servers, storage, network devices and power supply equipment in order to eliminate single points of failure. Backups of infrastructure components are handled by the service provider. Further, Canon performs backups of CBIO systems, applications and customer data in order to achieve business continuity management.

Monitoring and Log Management

CBIO systems are configured to store event logs locally, as well as forward events to centralized log management servers. All systems synchronize time via NTP to ensure accurate time stamps of events and to enable event correlation between the various security systems; for example, video surveillance logs can be matched with system access entries. Logs are saved for a period of 5 years.

Privacy

CBIO customers own all rights to any content submitted through CBIO. CIIS collects and processes information related to the customer's Salesforce account and any customer devices or computers strictly to provide Forms and Print Services for Salesforce. Additionally, CIIS collects technical or diagnostic information related to the customer's use of Forms and Print Services for Salesforce to support, improve and enhance Canon's products and services.

Incident Management

Policies, processes and procedures are established to rapidly and accurately manage information security incidents, with escalation procedures to apprise end users of relevant incidents and to meet regulatory and legal compliance. Further, Canon constantly monitors security-related information for new developments and potential issues in order to maintain high levels of security.

Related Certifications

The following certifications have been attained by Canon and/or its service provider for CBIO-related infrastructure:

- ISO9001
- ISO14001
- ISO20000
- ISO27001
- Privacy Mark (JIS Q15001)

Independent Security Assessments

Prior to launch, the CBIO infrastructure and systems underwent extensive internal and external penetration testing by an independent security company. Independent security assessments are also performed on a periodic basis to ensure that the highest security standards are maintained.

CBIO Core Services Overview

CBIO provides a set of core services on which Forms and Print Services for Salesforce is built. This set of services includes Authentication and Authorization Services, Management Services (such as User and Tenant), and Log Services. Users can log into CBIO via a web browser and via Canon imageRUNNER ADVANCE devices.

Authentication and Authorization Services

Authentication and Authorization Services are used to enable access to CBIO based on a user ID, a strong password, and managed user roles. The unified authentication process helps prevent malicious users from accessing CBIO services. Authentication and Authorization Services are used by all CBIO services. The Authentication Service can provide SSO with other providers' cloud services to provide seamless connections. With Forms and Print Services for Salesforce, the SAML 2.0 protocol is used for SSO with salesforce.com.

Management and Log Services

Management and Log Services are used to manage CBIO ID information (subscriptions) as well as operation information. CBIO manages the following users and usage activities:

- Tenant information
- User ID/password information
- User roles

All user activities (user operations) are tracked and managed by Log Services.

CBIO Security Overview

A high-level summary of security features for CBIO is given in the chart below.

Item                           How Secured
Data center certification      ISO9001 / ISO14001 / ISO20000 / ISO27001
Network protocol               HTTPS (SSL 3.0)
Authentication                 ID and strong password required to log in
Single sign-on protocol        SAML 2.0
Data center security           Data separation, access control, encryption of print data (AES256); print content data is deleted after 48 hours
Data center facility security  Palm and vein authentication for entrance; 24-hour monitoring; whereabouts tracking using RFID tags for all employees and visitors; locked racks

Single Sign-On

In order to use the services of CBIO, users must be authenticated. CBIO supports SAML 2.0 (Security Assertion Markup Language) and provides a Single Sign-On function with salesforce.com via the web browser. There are various scenarios for logging in to CBIO:

- The user connects to CBIO and enters their user ID and password for CBIO.
- The user connects to CBIO and enters their user ID and password for salesforce.com. This user can then access their salesforce.com account without entering their user ID and password again.
- The user connects to salesforce.com and enters their user ID and password for salesforce.com. This user can then access CBIO without entering their user ID and password for CBIO.
- The user logs in to the Canon imageRUNNER ADVANCE device with a smart card, or enters the user ID and password registered (by the device owner) in CBIO. By authenticating to this device, the user can connect to CBIO without separately entering their user ID and password for CBIO.

SAML

SAML is an XML standard established by the information standards association OASIS, and is used for exchanging authentication information between different sites safely and in such a way that it enables single sign-on. To perform SAML 2.0-based Single Sign-On with CBIO, a metadata file issued by salesforce.com is required; it contains the information about the site and the customer that is needed to enable Single Sign-On with CBIO.

Single Sign-On for the Direct Print Scenario

The figure and table below depict the basic flow of Single Sign-On from salesforce.com to CBIO cloud services that leverage SAML.

salesforce.com: Identity Provider (IdP). Authenticates the user by receiving login credentials from the user and issues the SAML assertion.
CBIO: Service Provider (SP). Relies on the assertion issued by the IdP and authenticates the request without requiring an additional sign-in to CBIO.

IdP: The provider that authenticates the user by receiving the sign-on from the user and issues the SAML assertion. In this case, salesforce.com acts as the IdP.

SP: The provider that relies on the assertion issued by the IdP and authenticates the user trying to access the service. In this case, CBIO and Forms and Print Services for Salesforce are the service provider.

Single Sign-On for the Authenticated Print Scenario

The following is the use case scenario for Authenticated Print using Single Sign-On: a user walks up to a Canon imageRUNNER ADVANCE device, authenticates using a smart card or by entering a user ID and password, and selects a print job stored in CBIO to print.
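As an added example (not Canon's code and not from this paper), these are the service-provider-side checks an SP in CBIO's position must apply to a bearer assertion from the IdP before trusting it: issuer, Recipient, InResponseTo, validity window and audience. It assumes the assertion's XML signature has already been verified against the certificate from the uploaded salesforce.com metadata; the issuer, URLs, request ID and sample assertion are constructed placeholders.

```go
package main

import (
	"encoding/xml"
	"errors"
	"time"
)

// Subset of a SAML 2.0 Assertion carrying the fields an SP must check.
type samlAssertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer  string   `xml:"Issuer"`
	NameID  string   `xml:"Subject>NameID"`
	Data    struct {
		Recipient    string `xml:"Recipient,attr"`
		InResponseTo string `xml:"InResponseTo,attr"`
	} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// SPPolicy is what the SP knows out of band: the IdP entity ID from the uploaded
// metadata, its own entity ID and ACS URL, and the AuthnRequest it is waiting on.
type SPPolicy struct {
	TrustedIssuer, EntityID, ACSURL, RequestID string
	Now                                        time.Time
	Skew                                       time.Duration
}

// ValidateAssertion applies the SP-side checks and returns the NameID on success.
// It assumes the XML signature was already verified with the IdP certificate.
func ValidateAssertion(raw []byte, p SPPolicy) (string, error) {
	var a samlAssertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	nb, errNB := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	end, errEnd := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	audOK := false
	for _, x := range a.Conditions.Audiences {
		audOK = audOK || x == p.EntityID
	}
	// Recipient and InResponseTo bind a bearer assertion to this SP and this login.
	checks := []struct {
		bad bool
		msg string
	}{
		{a.Issuer != p.TrustedIssuer, "issuer is not the configured IdP"},
		{a.Data.Recipient != p.ACSURL, "Recipient is not this SP's ACS URL"},
		{a.Data.InResponseTo != p.RequestID, "InResponseTo does not match an outstanding request"},
		{errNB != nil || p.Now.Add(p.Skew).Before(nb), "assertion not yet valid"},
		{errEnd != nil || !p.Now.Add(-p.Skew).Before(end), "assertion expired"},
		{!audOK, "audience does not include this SP"},
	}
	for _, c := range checks {
		if c.bad {
			return "", errors.New(c.msg)
		}
	}
	return a.NameID, nil
}

// Constructed sample assertion; issuer, URLs and IDs are placeholders.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<saml:Issuer>https://example-org.my.salesforce.com</saml:Issuer><saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
Recipient="https://cbio.example/saml/acs" InResponseTo="_req42" NotOnOrAfter="2012-06-01T12:05:00Z"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-06-01T11:59:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://cbio.example/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>`
// SamplePolicy is the SP configuration matching SampleAssertion; set Now before use.
var SamplePolicy = SPPolicy{TrustedIssuer: "https://example-org.my.salesforce.com", EntityID: "https://cbio.example/sp",
	ACSURL: "https://cbio.example/saml/acs", RequestID: "_req42", Skew: 30 * time.Second}
```

An assertion replayed to a different SP, answering a request the SP never sent, or presented after its window is rejected by name, which is the behaviour to log and alert on at the SP.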

SSO Configuration

Some configuration must be done to accomplish single sign-on between salesforce.com and CBIO for the Direct Print use case, and between a Canon imageRUNNER ADVANCE device and CBIO for the Authenticated Print use case. For the Direct Print use case, this is summarized as follows.

In salesforce.com:

1. Set up a sub-domain of salesforce.com for your organization.
2. Using salesforce.com configuration tools, enable your salesforce.com organization (based on the sub-domain entered in step 1) as an Identity Provider (IdP).
3. Configure CBIO as a Service Provider within your salesforce.com organization.
4. Download a metadata file and a digital certificate created by salesforce.com based on the input provided in steps 1-3 above.

In CBIO:

5. Upload the metadata file and digital certificate obtained in step 4 above and wait for Canon to process the information accordingly within CBIO (takes 1-2 days).
6. Set up authentication mapping of user accounts between CBIO and salesforce.com. See the screenshot below.
7. Register the printing devices to be used for this use case in CBIO.

[Screenshot: authentication mapping screen, showing the mapped account jdoe@ciis.canon.demo1]

For the Authenticated Print use case, the administrator has to perform the following operations within CBIO before users can log into a print device to release CBIO print jobs:

- Register the printing devices to be used for this use case with CBIO.
- Associate/map each CBIO user with their device user login ID.

Data Transmission Security for CBIO Solutions

The communication between a web browser and the CBIO server uses the HTTPS (HTTP over SSL/TLS) protocol. Additionally, the communication between the web browser and the print device that takes place as part of the Direct Print case can also be secured via SSL/TLS (optional). The CBIO server certificate is signed by VeriSign and installed on the CBIO server, enabling data encryption over the SSL connection. The Canon imageRUNNER ADVANCE devices have the VeriSign root certificate pre-installed, and any modern web browser used on the client PC should as well, so no additional configuration is needed for SSL communication with CBIO.

To achieve SSL communication between the CBIO-registered imageRUNNER ADVANCE device and the client PC for the Direct Print case, the CA certificate that corresponds to the device certificate must be trusted by the client PC. If the device certificate is self-signed (by the device), the CA certificate is the device certificate itself. The figure below depicts this situation.

Customer Data Security

Canon considers the security and privacy of customer data to be of the utmost importance. In Forms and Print Services for Salesforce, the only customer data stored by CBIO is basic account information. The print data that is sent to a print device resides within CBIO for a maximum of forty-eight (48) hours (this is relevant to the Authenticated Print case). Nevertheless, the security of that data is important, and it is therefore stored within CBIO encrypted with the strong AES256 algorithm. All communication with CBIO is done via the SSL/TLS protocol (including the client PC browser as well as CBIO-enabled printing devices).

A CBIO customer or tenant is a corporation, or a group within a corporation, that uses CBIO. Only users that belong to a contracted group and have created a CBIO account in that group can use CBIO. Canon Business Imaging Online implements an intermediary virtual partition layer between a tenant and the user data that makes it appear to the tenant as though its data is the only data in the user data storage. Tenant settings use access control lists to determine who can access data and what they can do with it. User print data is encrypted with a unique encryption key for each tenant/customer using the AES256 encryption algorithm.

Summary

Canon's cloud platform for its business applications, Canon Business Imaging Online (CBIO), provides its customers access to Canon's latest technologies and services on the cloud. Canon is committed to the security and privacy of its customers, and therefore CBIO is hosted at a secure data center with the latest, industry-standard security measures and precautions in place. At the platform level, key architectural design points are built into the CBIO infrastructure. At the service level, CBIO provides a set of core services including Authentication and Authorization Services, Management Services, and Log Services, all of which help prevent unauthorized users from accessing CBIO services.

As cloud computing continues to grow and Canon's cloud offerings increase, customers should feel confident that their information will remain secure and private. Canon will ensure that the flexibility, speed, and reliability they are used to remain intact while the services offered through CBIO continue to expand.

About Canon / CIIS

Canon U.S.A., Inc. launched Canon Information and Imaging Solutions, Inc. as a wholly owned subsidiary to harness the power of two of Canon's greatest intangible assets: in-depth knowledge of information flow and the best in imaging technology. As a market leader in integrating office equipment and software into organizations' network environments, Canon U.S.A., Inc. has gained tremendous insight into the way companies handle information, whether it is on paper or in back-end systems. Ever since Canon U.S.A. introduced its award-winning line of multifunction devices and began connecting them into company networks, Canon Solution Consultants have been optimizing vital business processes, enabling companies to save money in the process. Canon U.S.A., Inc. has a history of introducing market-leading products and new technologies that foster new industries. Throughout this experience, Canon U.S.A., Inc. has developed an expertise in understanding how information flows within an organization.

Canon Information and Imaging Solutions, Inc. is initially comprised of Canon USA's Professional Services personnel who were transferred to the new company. The team includes solution consultants, process analysts and project management experts with experience across many industries. These individuals possess multiple certifications, including Project Management Professional (PMP) and Microsoft Windows Administrator, as well as a variety of industry-specific certifications. The in-house engineering talent is top notch, with development experience in a variety of imaging and enterprise technologies.

Salesforce is a trademark of salesforce.com, inc. CANON and imageRUNNER are registered trademarks of Canon Inc. in the United States and may also be registered trademarks or trademarks in other countries. //LOOKFORWARD and the LOOKFORWARD design marks are trademarks of Canon Information and Imaging Solutions, Inc. All other referenced product names and marks are trademarks of their respective owners and are hereby acknowledged. Specifications are subject to change without notice. 2012 Canon Information and Imaging Solutions, Inc. All rights reserved.