WHITE PAPER NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW


INTRODUCTION

As businesses adopt new technologies that touch or leverage critical company data, maintaining the highest level of security is their most pressing concern. Often, these businesses handle increasing amounts of digital data from their customers or partners. This exposes them to increasing risks and new vulnerabilities, including viruses, malware, data intrusion, and even hackers.

In the absence of an easy-to-use, IT-controlled file sharing platform, and to enhance personal productivity, employees often self-select a public cloud to sync and share files (e.g., Box or Dropbox). The desire by employees to access their files in a manner that is convenient to them is promoting their use of tools and cloud services not approved by their employers. The use of unapproved cloud services can lead to data breaches and non-compliance in regulated industries. Ultimately, these indiscretions can result in expensive legal costs and hefty fines.

To avoid these problems, IT organizations need to provide employees with a convenient, easy-to-use, and secure method of accessing files from their mobile devices. Such a robust file-sharing platform with comprehensive data protection will help IT avoid unintended data breach problems.

Transporter for Business offers such a solution. Once established, this unique enterprise file sharing solution with world-class security, privacy and control provides businesses with a secure file access, storage, and collaboration platform that employees actually want to use. Nexsan's Transporter is designed with end-to-end data protection and multiple levels of security at each layer. Transporter empowers IT with administrative controls for:

- Access, storage, network, transmission, and data
- Mobile data management
- Ability to invite users to share folders

Best of all, Transporter provides users with the user interface (UI) experience they expect from a traditional cloud provider.

With Transporter, there are no difficult VPNs to navigate because files stored on Transporter are immediately available to all mobile devices owned by the user. In addition, whenever a file is modified on one device, Transporter syncs these changes to the other devices, ensuring the user always has access to the latest files. Should the user want to return to an earlier version of a file, Transporter's versioning capabilities enable the user to do that as well. It translates into an employee workflow tool that's easier for IT to set up and control, and ensures that all employee file activity complies with their industry's regulations and company's privacy policies.

TRANSPORTER FOR BUSINESS

Transporter for Business private cloud appliances return control and security of a company's data back to its IT department. That's because they easily and quickly enable businesses to build and deliver their own private cloud service for their employees and important stakeholders. In fact, the Transporter UI is similar to those from popular services like Box and Dropbox. By offering your employees the cloud features they require and the UI they demand, Transporter eliminates the temptation to use unauthorized public cloud solutions that could expose sensitive business information. Transporter's hardware deployment model gives you total control over the physical location of your data and its redundancy. Best of all, there are no recurring monthly fees.

ARCHITECTURE

Nexsan products like Transporter for Business are engineered with data security, user mobility, and ease of use as key design elements. To accomplish this, Transporter is deployed as an encrypted peer-to-peer private network that can reside on either side of a company's firewall. It delivers multiple layers of protection, covering user permissions, data transfer, and encryption, all distributed across a scalable and secure infrastructure.

Unlike public cloud file sync and share providers, Nexsan's database stores the relationships between Transporters, and between Transporters and apps (i.e., mobile devices). It also stores user email addresses, login information and more. The main difference between Transporter and its competitors is that the data stored on your Transporter is never in Nexsan's possession. That's because we separated the data plane from the control plane. In fact, we never see or have access to your data!

Data is transferred between Transporters and user-owned devices using Advanced Encryption Standard (AES-256) Public/Private Key Encryption. Connections between nodes on the network are established using three different techniques.
First, the Transporter will request that the network's gateway open a port using the Universal Plug and Play (UPnP) set of networking protocols and the Network Address Translation Port Mapping Protocol (NAT-PMP). If these are not supported, Transporter will establish a public port using industry standard User Datagram Protocol (UDP) hole punching techniques (a.k.a., Session Traversal Utilities for NAT and Interactive Connectivity Establishment). Finally, if neither of these techniques is successful (under 10%), Nexsan utilizes a relay server to facilitate the connection. No matter which connection technique is used, all data is encrypted at the end points and Nexsan has no ability to inspect the data.

Web/browser-based network traffic is handled using industry standard Secure Hypertext Transfer Protocol (HTTPS), which signals the browser to use an added encryption layer based on the Secure Sockets Layer/Transport Layer Security (SSL/TLS) to protect network traffic. Transporter users can access files and folders at any time from a desktop or mobile device.

CENTRAL SERVICE

The Central Service enables Nexsan to monitor the health and capacity usage on all deployed Transporters via their serial numbers. This service is located on protected database and web servers in a hidden private network that cannot be accessed directly from the Internet. For administrative purposes, Nexsan's web servers can be accessed from the management site through load balancers using the HTTPS protocol.

Think of the Central Service in the same way you think of air traffic control: Transporters are the planes, and the folders/files are the passengers. Air traffic control never directly interacts with the planes or passengers it guides safely between two locations (originating airport and destination airport). Air traffic control gives the pilots information on the takeoff and landing (runways, course, altitude, and speed), thus helping to give passengers a safe, on-time arrival at their destination.

In this example, a user will request that a file be moved between two devices. The originating device will contact the Transporter's Central Service, which then tells the devices who they are allowed to communicate with using a universally unique identifier (UUID). If both devices are authorized to establish a secure connection, they will then exchange data. The devices will inform each other about the files directly; Nexsan's Central Service has no knowledge about this exchange.

ENCRYPTION

Most public and private cloud file sync and share providers do employ data encryption technology both in-flight and at-rest. And when you look at the data in a web browser, it has already been decrypted for you by the time it reaches your computer or device.
Like other cloud offerings, Nexsan Transporter generates and stores your private/public encryption keys directly on your appliances and these are used to decrypt your data. This means the data is directly under your control and nobody else (including Nexsan) has any access to your files. Nexsan can never decrypt data packets sent by the relay router because it never has access to the private key. Transporter is the first business class file sync and share solution to meet the privacy requirements necessary for sensitive medical, financial, and legal data.

KEY MANAGEMENT

Transporter creates an encryption key based on the AES-256 specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES has been adopted by the U.S. government and is now used worldwide. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

When a Transporter is born (leaves manufacturing), a record is created in the Central Service database. Once created, the record is populated with all the important information that uniquely identifies that specific Transporter. When first powered on, Transporter announces itself to the Central Service and then is told it needs to create its private/public encryption key. If something unexpected happens during key generation, the Transporter will place itself into an unusable state to ensure the device isn't used in a production environment.

FOLDER ACCESS

EMAIL INVITATIONS

When deploying Transporter for the first time, there's no top-level folder structure that needs to be created. An administrator simply deploys the Transporter on their network, claims it, and starts creating user accounts. Users within the organization receive an invitation email instructing them to complete their account registration and install the desktop application, much like they would for a public cloud service like Box or Dropbox. Once the user has installed the desktop application, they will see a newly created folder, called Transporter, that looks and works just like any other folder on their computer. Within this folder the organizational user:

- Creates their own folder hierarchy
- Shares folders
- Creates links

Folder owners can then invite other people to share the folder and its contents. Invited users will then have organizational level privileges (read/write) or guest user privileges (read only) to all files and folders within the shared folder. Therefore, the folder owners themselves undertake responsibility for setting folder security and access privileges.
For example, a folder owner may be a department manager who only invites their team to share the folder. Accepting this invitation establishes access and sharing privileges for members of the department. However, no one else in the organization will have access to the folder.

TOKEN USAGE

Transporter doesn't use VPNs. Instead, the administrator claims a Transporter after it's connected to the network and then creates an account using an email address and password. This information is then stored in the Central Service database; the password is hashed for security. When using a Transporter application on any supported device, the Central Service will issue a security token, which it validates when a user attempts to sign into their account. These tokens can easily be revoked. As a security precaution, if the user forgets their password and resets it, all authenticated applications will automatically no longer be able to access Transporter until the user authenticates again.

During the sign-on process the Central Service will validate the token sent from the Transporter application. This is accomplished by checking the token information against the Central Service database record. Once the token is verified as valid, the Central Service contacts all Transporter devices allocated to the account and notifies them of the validated application. Only after the access token is validated will a connection be established to the Transporter and the folders become accessible to the user. However, if the user doesn't have permission or the correct token, the application will fail to connect. Finally, the validity of each side of the connection is established using the public/private keys discussed earlier in this paper.

USER PERMISSIONS

Transporter users have the ability to set different permissions (read-only or read/write) on a folder-by-folder basis. This permission capability differs significantly from that of other traditional cloud providers, for example:

- Microsoft OneDrive: Does not allow a read-only shared folder to sync with a user's desktop. Shared folders (both read-only and read/write) are only available via Microsoft's website and cannot be accessed from the desktop.
- Box: Does not allow a read-only shared folder to sync with a user's computer and the folder is only available using their website.
- Google: Has read-only folder sync with a computer. However, should the user delete a file from that folder, Google announces that the folder is now mismatched and it cannot repair itself.

Unlike the services discussed above, Transporter does sync read-only folders with the user's computer and it will repair a read-only folder should the user make a modification to the data within the folder. If a read-only file is modified, the Transporter software will rename it and mark it as un-syncable (thus, the changes are not lost). The Transporter software will then restore the original file.

SHARED FOLDERS

In the event a folder owner decides to rescind access to a shared folder, the folder owner simply removes the person from the access list using the Web-based management interface. As a result, the files and folders will be removed from the disinvited person's devices within seconds. This capability is often referred to as remote wipe.

LINKS

Many organizational users prefer to send a link to a user instead of attaching a potentially large file to an email and possibly having the email server reject it due to its size. Other users are concerned about email security. Transporter offers the user a better alternative: a choice between using "direct" and "standard" links. The user can select the type of link from Account Preferences located in the Transporter Management Website.

"Direct" links transfer files directly from your Transporter to the recipient; your files are never uploaded to Nexsan's servers. This type of link offers a higher degree of privacy even though the recipient isn't required to create a Transporter account. To ensure security, the recipient must either authorize a web browser plug-in or download a small helper app.

"Standard" links upload files to Nexsan's servers and allow recipients to download them without the need of an authorized plug-in or helper app. The recipient simply clicks the link and gets the file. When the file type allows, a preview will be displayed. While this type of link does not offer the same degree of privacy, it is easier to use. This can be especially useful for emailing links to clients who don't care to authorize or install anything. Use direct links if you need a higher degree of control.

NAS INTEGRATION

Over the years, established IT organizations have acquired some of the best NAS solutions available, but they are based on older protocols (CIFS/SMB/NFS) and don't offer file sync or mobile support like modern cloud services. Although Transporter can be deployed as a stand-alone private cloud file sharing solution, it can also easily be integrated with an existing on-premise NAS file server.
By mapping shares using the Transporter Network Storage Connector feature (standard on all rack mount Transporters), users will have the same level of access and security to designated NAS folders as they would to folders located on a stand-alone Transporter. When paired with a NAS system, Transporter will bi-directionally and transparently sync with its paired NAS partner along with other Transporters that are moving data to where it's required in an enterprise. Any number of Transporters can be deployed and connected to as many NAS systems as required.

ACTIVE DIRECTORY SERVICES

Unlike traditional NAS systems, Transporter doesn't require a difficult or time-consuming setup process. Instead, an administrator will follow the steps outlined in the Email Invitations section above. Dropbox pioneered this popular self-organization approach. Businesses with large numbers of users are most likely using a directory service product like Active Directory (AD) as a user directory and central point for authenticating them via their credentials.

AD CONNECTOR

Transporter can leverage AD to help an administrator quickly and easily set up their appliance. To expedite the initial setup process, we created an AD connector. This connector provides Transporter with all the information necessary to identify and prepare the system for the organization's users. As part of the setup process, the AD connector will use the information within AD to send an email containing a link to each user the administrator invites to the organization. After sign up, the website walks each user through a short setup process where the user sets a few account preferences and downloads the Transporter Desktop Application software for their computer. Thus the IT administrator doesn't need to preload everyone's machine, and users can securely start sharing files with each other very quickly.

AD INTEGRATION

Transporter uses third-party identity provider (IdP) integration to connect and integrate with AD. Nexsan will have the ability to support several IdPs over time, beginning with OneLogin. As part of this deployment a OneLogin account should be created; it will then connect to the directory services of your choice, such as Active Directory, LDAP, and more. Once setup is complete, Active Directory users will be automatically provisioned in the Transporter Organization. From that point on, changes to the AD domain, such as password resets or user de-provisioning, will be reflected in real time.

AUDIT LOGS

Many regulated industries are required to keep track of all users and file access events within their organization.
In the event an unauthorized activity happens, regulated companies will need to track when these events took place and identify all users involved. Audit logs break down into two categories: device logs and web logs. Device audit logs keep track of activity between client devices and the Transporter unit itself. These logs are obtained from Transporter Desktop software. Web audit logs, in contrast, keep track of activity that occurs between users and the management website (i.e., creating shared folders, changing folder membership, and creating links).

Should something unexpected happen, an IT administrator is able to recreate the sequence of events and the users involved. This capability addresses many of the concerns a company or organization may have in a regulated industry. It should be noted that once a file is pulled off Transporter to a local device, the audit log will no longer track or report on the file.

CONCLUSION

Despite all the built-in privacy and security, Transporter is not hard to use. Department managers and individual users are already familiar with services like Box and Dropbox, and have the necessary knowledge to establish a folder hierarchy that best suits their needs. By giving users the same simplified file sharing capabilities as these popular public cloud providers, Transporter eliminates the need for users to break corporate IT policies by moving private company data to personal accounts in the public cloud.

Transporter's data security helps safeguard a company's sensitive information from being unintentionally exposed and lost. Additionally, it protects against legal exposure by helping companies conform to corporate governance and government mandated industry regulations. Transporter gives IT administrators the type of integrated solution and deployment control they want. Its on-premise deployment model along with its peer-to-peer network, security tokens, syncing controls, and remote wipe capabilities make this one of the most secure file sync and share solutions on the market today.
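
The token lifecycle described under TOKEN USAGE above (hashed password, token issue, validation against the stored record, notification of the account's Transporters, revocation, and revoke-on-password-reset), modeled as an added example that is not Nexsan's code. All class and method names, the PBKDF2 password hash, and the choice to store only a hash of each token are assumptions; the paper does not specify them.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumption: the paper only says the password "is hashed"

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Transporter:
    """Appliance side: serves only applications the Central Service has vouched for."""
    def __init__(self):
        self.authorized_apps = set()

    def connect(self, app_id):
        return app_id in self.authorized_apps

class CentralService:
    """Control plane only: accounts, tokens and device relationships, never file data."""
    def __init__(self):
        self._accounts = {}      # email -> (salt, password hash)
        self._tokens = {}        # sha256(token) -> (email, app_id); raw tokens are not stored
        self._transporters = {}  # email -> Transporters allocated to the account

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self._accounts[email] = (salt, self._hash(password, salt))

    def create_account(self, email, password, transporters):
        self._set_password(email, password)
        self._transporters[email] = list(transporters)

    def issue_token(self, email, password, app_id):
        """New token for one installed application (app_id assumed unique per install)."""
        record = self._accounts.get(email)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (email, app_id)
        return token

    def sign_on(self, token):
        """Check the token against the stored record, then notify the Transporters."""
        record = self._tokens.get(_digest(token))
        if record is None:
            return None
        email, app_id = record
        for unit in self._transporters[email]:
            unit.authorized_apps.add(app_id)
        return app_id

    def _drop(self, digest):
        email, app_id = self._tokens.pop(digest)
        for unit in self._transporters[email]:
            unit.authorized_apps.discard(app_id)

    def revoke_token(self, token):
        known = _digest(token) in self._tokens
        if known:
            self._drop(_digest(token))
        return known

    def reset_password(self, email, new_password):
        """Change the password and revoke every token of the account; returns the count."""
        if email not in self._accounts:
            return 0
        self._set_password(email, new_password)
        stale = [d for d, (owner, _) in self._tokens.items() if owner == email]
        for digest in stale:
            self._drop(digest)
        return len(stale)
```

The appliance trusts an application only after the Central Service has validated its token, and revocation removes that trust on every Transporter of the account at once.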
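
The read-only folder repair described under USER PERMISSIONS above (rename the modified file, mark it un-syncable so the changes are not lost, restore the original), sketched as an added example that is not the Transporter software. The `.unsyncable<N>` naming, the function names, restoring deleted files, and the use of an in-memory `originals` mapping in place of the copy held on the Transporter are assumptions.

```python
import hashlib
from pathlib import Path

UNSYNCABLE_TAG = ".unsyncable"  # hypothetical marker; the paper does not give the real naming


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def _free_name(path):
    """First unused '<stem>.unsyncable<N><suffix>' beside path, so no earlier copy is overwritten."""
    n = 1
    while True:
        candidate = path.with_name(f"{path.stem}{UNSYNCABLE_TAG}{n}{path.suffix}")
        if not candidate.exists():
            return candidate
        n += 1


def repair_read_only_folder(folder, originals):
    """Bring a read-only synced folder back in line with `originals`.

    originals maps a relative file name to the authoritative bytes.
    Returns {"preserved": [...], "restored": [...]} as relative names.
    """
    folder = Path(folder)
    root = folder.resolve()
    preserved, restored = [], []
    for name in sorted(originals):
        path = folder / name
        # Refuse names that would write outside the shared folder.
        if root not in path.resolve().parents:
            raise ValueError(f"path escapes shared folder: {name}")
        wanted = originals[name]
        if path.is_file() and _sha256(path.read_bytes()) == _sha256(wanted):
            continue  # untouched, nothing to repair
        if path.is_file():
            # Local edit to a read-only file: keep it under a new name
            # that the sync engine skips, so the user's changes survive.
            keep = _free_name(path)
            path.rename(keep)
            preserved.append(keep.relative_to(folder).as_posix())
        # Modified or deleted: put the authoritative copy back.
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(wanted)
        restored.append(name)
    return {"preserved": preserved, "restored": restored}
```

Files the user adds to the folder that are not in `originals` are left alone here; the paper does not say how Transporter treats them.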