SHARPCLOUD SECURITY STATEMENT

Summary: Provides details of the SharpCloud Security Architecture
Authors: Russell Johnson and Andrew Sinclair
v1.8 (December 2014)
Contents

Overview
1. The SharpCloud Service
2. Why did we select Microsoft Azure?
3. Where is the data processed and stored?
4. Who has access to the SharpCloud application servers and data?
5. What level of service availability can I expect?
6. Design, testing and best patterns & practices
SharpCloud Architecture
Data Security
7. Identity management and access control
8. Account Creation and Licence management
9. Data recovery and backup
10. What user activity data does SharpCloud audit and log?
11. How do I get my data?
12. Who can see my stories?
Appendix A - SharpCloud architecture and application notes
13. Firewall: Azure firewall ports
14. Cookie usage
15. Username recovery and password reset
Backup and restore procedures
16. Backup procedure
17. Restore procedure
Appendix B - SharpCloud user types and user permissions
18. Premium or Basic (paid or free)
19. Packs, Teams, Directories & The Public Directory
20. Access Permissions Data

Last Updated: 19th Dec 2014
Overview

This document is aimed at IT security professionals who need to understand the levels of security they can expect from the SharpCloud public cloud service.

1. The SharpCloud Service

SharpCloud is a Software as a Service (SaaS) application for creating and sharing business Stories. The service is available from a public URL (https://my.sharpcloud.com) and allows users to create, share and collaborate on stories. Users of SharpCloud are provided with personal, privately shared and public environments, giving them choice and control over how they work (see Appendix B for details).

SharpCloud is a rich internet application using Microsoft Silverlight and resides on Microsoft's Azure cloud computing infrastructure to deliver scalable, real-time interaction. We have been using the Microsoft Azure Cloud Service for our production service since 2010. Further information on Microsoft Azure can be found at http://www.microsoft.com/windowsazure/.

2. Why did we select Microsoft Azure?

Cloud technologies offer unrivalled competitive advantage for delivering SaaS products over the Internet. We believe Microsoft possesses the experience and capabilities required to deliver and support a global cloud platform. Some of the key reasons SharpCloud chose to use Microsoft Azure are:

Scalability and security: the SharpCloud service can take advantage of Microsoft Azure automated service management, global datacentre presence and almost infinite storage capabilities to provide a secure and high-availability service to customers. This provides our customers with the confidence that the SharpCloud service can scale along with their needs.

Management: Microsoft Azure is a PaaS model (platform as a service) and so offers the automatic management, upgrading, and patching of servers. This results in SharpCloud's infrastructure always having the latest recommended patches and software as soon as they are released.
This provides our customers with a consistent, high quality platform at all times.

Trustworthy: SharpCloud receives enterprise class service backed by reliable service level agreements. This ensures we can deliver an excellent level of service to our customers.

3. Where is the data processed and stored?

All of the SharpCloud application data is processed and stored within Microsoft Azure in an affinity group with the geographic location of "US (North Central US)", which restricts SharpCloud data to a US based data centre and no other geographic region (i.e. outside of the US). This includes replicated data used by Microsoft Azure for recovering from system failure scenarios.
Under Microsoft's Safe Harbour agreement, Microsoft processes personal data as a data processor on behalf of SharpCloud, which adheres to EU Data Protection Legislation.

4. Who has access to the SharpCloud application servers and data?

Nobody from SharpCloud has physical access to the data centres where the application is hosted. Access to these data centres is restricted to security cleared Microsoft personnel only. Only SharpCloud support staff who have been authorised by SharpCloud's Directors to have virtual access to the SharpCloud servers and data can access them, for support and maintenance purposes.

5. What level of service availability can I expect?

We expect our service to be accessible to all users with an availability of >99.9%. The availability of the SharpCloud service is directly determined by the availability of both Azure compute and Azure data services. Each of these services runs with an expected availability of at least 99.95%. Microsoft's SLAs for Windows Azure can be viewed here: http://www.microsoft.com/windowsazure/sla/

The service also requires that the end user has a network infrastructure capable of supporting Internet connectivity suitable for using SharpCloud. Poor connectivity, bandwidth, proxy servers, out of date service packs on browsers and client computers etc. can all impact the functionality of the service beyond the reasonable control of SharpCloud.

Additionally, SharpCloud continually upgrades and improves the service at regular intervals. Occasionally (at the discretion of SharpCloud) the service may become temporarily unavailable whilst certain upgrades are performed. It is usual to upgrade without impacting service availability (using the built-in VIP switch in Azure, where a staging deployment is swapped with the current production release), but on rare occasions the service may become temporarily unavailable while upgrades are applied.
6. Design, testing and best patterns & practices

SharpCloud follows the designs and best practices recommended by Microsoft and the Microsoft Azure team for web products. We continually monitor and review our software design and architecture to ensure we are following the latest best practices. We are actively engaged with penetration testing agencies to ensure that SharpCloud can offer the highest level of assurance that it is secure by design and the service cannot be compromised. In addition, we continue to follow EU data protection guidelines and review our Safe Harbour status.
SharpCloud Architecture

SharpCloud is currently delivered through a desktop Internet browser via the Microsoft Silverlight plug-in (more information on Silverlight can be found at http://www.silverlight.net), and a native iPad app (optional). We are actively working to migrate away from Silverlight to pure HTML in the next few months. Towards the end of 2014 viewers will be able to access stories via HTML5 on modern browsers (IE10 or later, Chrome, Firefox and Safari). In 2015 we will gradually implement more editing capability, giving users a choice of HTML for modern browsers and Silverlight for IE9 or older.

All communication sent from the SharpCloud client (Silverlight or HTML) to the SharpCloud web servers is sent using HTTPS, which is a combination of HTTP and Transport Layer Security (TLS) using an industry standard 128-bit encryption scheme (SHA-1 with RSA encryption), and provides communication payload encryption and secure identification of the server.

The SharpCloud server application is hosted on the Microsoft Azure Cloud Computing platform. This platform includes firewall protection, load balancing and on-demand compute processing power. All data is stored within the Microsoft Azure Storage services (these services include SQL Azure, blob, message bus and queue storage), which have built-in mechanisms for failover, resilience and redundancy. All network traffic passed between the user's browser, the Microsoft Azure Cloud Computing infrastructure and Windows Cloud Storage is sent over secure HTTP (HTTPS).

A high level overview of the SharpCloud service architecture is presented below:
A schematic of the SharpCloud server application is shown below. More web roles and application worker roles can be scaled out on demand, but a minimum of two are required to meet the 99.95% Microsoft Azure SLA. The cache, database and blob storage mechanisms are also High Availability, but are part of the Microsoft Azure platform and therefore beyond the scope of this document.
Data Security

7. Identity management and access control

As SharpCloud is a public facing SaaS, its data storage is multi-tenant and is logically partitioned by the application based on the identity of the data owner, i.e. there is no separate database instance per customer or company account. This application design allows any user to collaborate with any other, regardless of company, if required. If you require your data to be physically separated from other users you can consider a privately hosted instance (within your own data centre or on a cloud provider of your choice).

8. Account Creation and Licence management

Each SharpCloud user has a unique user name and a password which must be entered each time they log on to the application. SharpCloud user passwords are hashed using a one-way hash algorithm (SHA1). Existing passwords are never accessible, even to SharpCloud administration staff (see password reset below).

SharpCloud allows users to sign up and create an account by visiting the signup page (https://my.sharpcloud.com/signup). Users must supply first name, surname, a username, email address and password. The email address must be validated before the account is activated and can be used (i.e. it is not possible to sign up and gain access to information without having access to the registered email account). It is possible to set the username to be the same as the registered email at signup, but we recommend creating a personal username that is not based on your email. Unlike some systems, you do not have the choice to log in using either your email or username. For login purposes, usernames are not case sensitive.

Passwords must be a minimum of 6 alphanumeric characters and have an infinite lifetime unless they are explicitly changed or reset by the user. Passwords can be changed at any time in accordance with your password policy. Details on username recovery and password reset procedures are covered in Appendix A.
9. Data recovery and backup

As part of the Microsoft Azure Service, all data is replicated in triplicate between data centres (see "Where is the data processed and stored?") to prevent data loss during a system failure. SharpCloud also runs continuous database backups to cloud storage should there be a requirement to restore customer data to a previous version. The data is stored in blob storage in the Azure data centre and is only accessible by senior development staff (see Appendix A).

10. What user activity data does SharpCloud audit and log?

Apart from the specific data entered by each user, SharpCloud uses the Microsoft Azure diagnostics infrastructure to audit and log user activity and system activity within the SharpCloud application. The logged data is used for support, security and performance purposes and is not used for other purposes. Log data that is no longer of use is deleted periodically.
11. How do I get my data?

Your data remains accessible in various forms at all times. Some data can be exported via an Excel-like data grid. Full copies of stories (including all images, documents, comments etc.) can be downloaded as a single zip file at any time. Depending on your requirements, data can be exported in other formats if required.

12. Who can see my stories?

When stories are first created they are completely private and cannot be accessed by anyone (including SharpCloud staff) until the story owner decides to share it in some way. Stories can be shared directly with other users (via email, peer to peer) or via a team site, and the access level can be set from full control over structure and content (admin), to content only (edit), or just for review and comment (view). Additionally, stories can be shared securely with larger groups via directories with view only permission. See Appendix B.

Stories can also be set to be shared publicly via a URL. Note that this is only possible if the team administrator has explicitly allowed it, and the permission can be revoked by the owner at any time. In this case anyone (logged in or not) can view the story, making it possible to embed a story into a public website etc.
Appendix A - SharpCloud architecture and application notes

13. Firewall: Azure firewall ports

The SharpCloud server side application sits behind the Microsoft Azure firewall. Only ports 80 for HTTP and 443 for HTTPS are open for traffic both in and out of the service. HTTP traffic is automatically redirected to HTTPS.

14. Cookie usage

When a user is successfully authenticated, SharpCloud issues a session cookie only to record encrypted authentication information for the duration of a specific session. By default the session lasts 5 hours, but this can be extended by the user for convenience to avoid logging on at each session, or terminated at any point by using the log-out option. The session cookie does not include either the username or password of the user. SharpCloud does not use cookies to store other confidential user information, and there is no session state stored on SharpCloud's application servers. Usernames, passwords and cookies are sent over HTTPS so cannot be intercepted over the wire.

15. Username recovery and password reset

If a user is unable to remember their current password, they can request that the password be reset from the login page. A temporary link will be emailed to the user that guides them to a password reset page. The link contains a unique reference that can only be used once and is only valid for one hour. If the user fails to complete the process, they will need to request a new reset link. A confirmation email ("your password was changed") is sent to the registered email address to notify the user whenever a password is changed. The user can then use this password (along with their username) to sign in to the application, where they can then change their password to one of their choosing.

NB. The existing password can never be sent to the user, or viewed by anyone (even SharpCloud staff) because it is never stored within the system.
Five (5) incorrect password attempts within ten (10) minutes will result in the account being locked out. Accounts can only be unlocked by contacting SharpCloud support.

For additional security, SharpCloud recommends that username and password details are not sent in the same email. Users are reminded of their chosen username in the welcome email, directly after they have signed up to SharpCloud.
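Section 14 describes a session cookie that carries only authentication information (never the username or password), expires after 5 hours by default, can be extended by the user, and needs no session state on the server. The following is an added example, not SharpCloud's code, of how such a stateless cookie can be issued and checked. It uses an HMAC-signed token rather than the encrypted cookie the page mentions; the server key, the user id and the lifetimes are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed per-deployment secret; in a real service it lives in server configuration.
SERVER_KEY = secrets.token_bytes(32)
DEFAULT_SESSION_SECONDS = 5 * 3600   # the 5-hour default from section 14


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: int, now: float,
                  lifetime: int = DEFAULT_SESSION_SECONDS,
                  key: bytes = SERVER_KEY) -> str:
    """Build a cookie value: base64(claims) + "." + base64(HMAC-SHA256 tag).

    Only an opaque user id and two timestamps are embedded; the username and
    password never enter the cookie, and the server keeps no session table.
    """
    claims = {"uid": user_id, "iat": int(now), "exp": int(now) + lifetime}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def read_session(cookie: str, now: float, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    try:
        presented = _unb64(tag)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: a tampered body or tag fails here before any claim is trusted.
        if not hmac.compare_digest(expected, presented):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= claims["exp"]:
        return None
    return claims["uid"]


def extend_session(cookie: str, now: float, lifetime: int,
                   key: bytes = SERVER_KEY) -> Optional[str]:
    """The user's "stay signed in" choice: re-issue with a longer lifetime, but only from a still-valid cookie."""
    uid = read_session(cookie, now, key)
    if uid is None:
        return None
    return issue_session(uid, now, lifetime, key)
```

Because the cookie is self-contained, a log-out is simply the client discarding it; the only server-side lever for ending every outstanding session at once is rotating `SERVER_KEY`, which is the trade-off of keeping no session state.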
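Sections 8 and 15 together state the account rules: passwords are stored only as a one-way hash and can never be recovered, usernames are not case sensitive, a reset link carries a unique reference that is valid for one hour and usable once, and five failed attempts within ten minutes lock the account until support unlocks it. The following added example, not SharpCloud's code, is a small in-memory account store that applies those rules. The page names SHA1 as the hash; this example substitutes salted PBKDF2-HMAC-SHA256 to illustrate one-way storage, and that choice, along with the class and method names, is an assumption.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESET_LINK_SECONDS = 3600   # reset link valid for one hour (section 15)
LOCKOUT_ATTEMPTS = 5        # five failed attempts ...
LOCKOUT_WINDOW = 600        # ... within ten minutes lock the account
MIN_PASSWORD_LENGTH = 6     # section 8


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash of a password. The page states SHA1; this example substitutes
    salted PBKDF2-HMAC-SHA256 (an assumption, not SharpCloud's scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    failures: List[float] = field(default_factory=list)  # timestamps of recent failed logins
    locked: bool = False
    reset_hash: Optional[bytes] = None   # hash of the outstanding reset reference, if any
    reset_expires: float = 0.0


class AccountStore:
    """Minimal in-memory store illustrating the rules in sections 8 and 15."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, username: str, email: str, password: str) -> Account:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        salt, digest = hash_password(password)
        acct = Account(username.lower(), email, salt, digest)  # usernames are not case sensitive
        self.accounts[acct.username] = acct
        return acct

    def login(self, username: str, password: str, now: float) -> str:
        acct = self.accounts.get(username.lower())
        if acct is None:
            return "denied"          # same answer as a wrong password: do not reveal which usernames exist
        if acct.locked:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.pw_hash):
            acct.failures.clear()
            return "ok"
        # Sliding window: keep only failures from the last ten minutes, then add this one.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW] + [now]
        if len(acct.failures) >= LOCKOUT_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        """Support-only action: the page says locked accounts are unlocked by contacting support."""
        acct = self.accounts[username.lower()]
        acct.locked = False
        acct.failures.clear()

    def request_reset(self, username: str, now: float) -> Optional[str]:
        """Return the one-time reference to embed in the emailed link; only its hash is stored."""
        acct = self.accounts.get(username.lower())
        if acct is None:
            return None
        reference = secrets.token_urlsafe(32)
        acct.reset_hash = hashlib.sha256(reference.encode("ascii")).digest()
        acct.reset_expires = now + RESET_LINK_SECONDS
        return reference

    def complete_reset(self, username: str, reference: str, new_password: str, now: float) -> bool:
        acct = self.accounts.get(username.lower())
        if acct is None or acct.reset_hash is None or now > acct.reset_expires:
            return False             # no outstanding link, or the hour has passed: request a new one
        presented = hashlib.sha256(reference.encode("ascii")).digest()
        if not hmac.compare_digest(presented, acct.reset_hash):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        acct.reset_hash = None       # single use: a second visit to the same link fails
        acct.salt, acct.pw_hash = hash_password(new_password)
        acct.failures.clear()
        return True
```

Two details are worth checking in any implementation of this flow: the reset reference is stored only as a hash, so a copy of the account table does not yield usable reset links, and the lockout counter is a sliding window keyed on the account rather than on the client, so the rule holds regardless of where the attempts come from.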
Backup and restore procedures

16. Backup procedure

All data stored within the Microsoft Azure datacentre is both resilient and redundant. The data is backed up at least in triplicate across multiple hardware nodes and data locations by the Azure PaaS. However, as an additional precaution we run a continuous backup process against the SQL Azure database, allowing us to restore data in the event of a customer request. The backup process is a continuous operation which runs on the SharpCloud service hosted within the Azure data centres and allows us to restore the database to any point in time over the last 30 days.

17. Restore procedure

In the event of user or application error, backup data can be restored to another SQL Azure database, and the required data can be exported to the production environment.
Appendix B - SharpCloud user types and user permissions

18. Premium or Basic (paid or free)

Two types of customer accounts are available: Premium or Basic. Premium accounts have full editing capability (providing permissions have been set), whilst Basic users may only ever view and comment on content. Premium users can be identified by a blue border around their avatar.

19. Packs, Teams, Directories & The Public Directory

Packs are issued to customers to manage their Premium users. At least one pack administrator will be issued to the customer to allow addition and removal of Premium accounts via an admin portal. New users can be invited to the pack via an email address before or after their account has been created.

Teams allow logical groups of users (Premium or Basic) to work and collaborate together on stories. Any number of teams can be created by each Premium user (providing the pack admin has allowed this), and more than one team admin can be assigned. Teams are the most powerful way for organisations to manage content because they logically group the active stories together, and they allow team admins to transfer ownership and permissions if required.

Directories are another logical group for giving secure view only access to a large number of users. Teams are given permission to publish content to one or more directories. A directory may have content published from many teams, and a team may publish to more than one directory, although often this is a one to one relationship. Members of the directory are defined by email address only, and the list can be bulk uploaded via CSV files, or added on a case by case basis. If a user is a member of the directory they will be granted view access to the stories published in it.

20. Access Permissions Data

Within the SharpCloud application, data can be set to require certain levels of authorization for read and write permissions. This is controlled by the owner of the data (e.g.
Story owner) and authorization checks are applied by the application when attempting to access restricted data. (See Appendix B). Only Premium users can access data with edit or above permissions. Premium users are managed by pack administrators, or by SharpCloud staff system administrators. Pack admins do not necessarily need to be Premium users.
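Section 12 and Appendix B together describe the sharing model: the owner controls a story, other users get admin, edit or view through direct or team shares, directories grant view only and are keyed by email address, a public URL works only when the team administrator has allowed it and can be revoked by the owner, and Basic users can never exceed view and comment. The following added example, not SharpCloud's code, is an authorization check that combines those routes and applies the Basic cap; the class and field names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Set


class Access(IntEnum):
    """The three sharing levels named in section 12, ordered so max() picks the strongest."""
    NONE = 0
    VIEW = 1    # review and comment
    EDIT = 2    # content only
    ADMIN = 3   # full control over structure and content


@dataclass
class User:
    username: str
    email: str
    premium: bool          # Basic users may only ever view and comment (section 18)


@dataclass
class Team:
    name: str
    allow_public_links: bool = False   # the team administrator must explicitly allow public URLs


@dataclass
class Directory:
    name: str
    member_emails: Set[str] = field(default_factory=set)   # membership is by email address only


@dataclass
class Story:
    owner: str
    team: Optional[Team] = None
    shares: Dict[str, Access] = field(default_factory=dict)   # direct or team-site shares, by username
    published_to: Set[str] = field(default_factory=set)      # directories the story is published in
    public_link: bool = False                                # set by the owner, revocable at any time


def effective_access(story: Story, user: Optional[User],
                     directories: Dict[str, Directory]) -> Access:
    """Combine every route by which a user could reach a story, then cap by account type.

    user is None for an anonymous visitor following a public URL.
    """
    public_ok = (story.public_link and story.team is not None
                 and story.team.allow_public_links)
    if user is None:
        return Access.VIEW if public_ok else Access.NONE

    if user.username == story.owner:
        level = Access.ADMIN
    else:
        level = story.shares.get(user.username, Access.NONE)
        for name in story.published_to:
            d = directories.get(name)
            if d is not None and user.email.lower() in d.member_emails:
                level = max(level, Access.VIEW)     # directories grant view only
        if public_ok:
            level = max(level, Access.VIEW)

    if not user.premium:
        level = min(level, Access.VIEW)             # only Premium users get edit or above
    return level


def can_edit(story: Story, user: Optional[User], directories: Dict[str, Directory]) -> bool:
    return effective_access(story, user, directories) >= Access.EDIT
```

The check is deliberately a single function that every read and write path calls, so the two conditions the page attaches to public links (team administrator allowed it, owner has not revoked it) and the Basic-user cap are applied in one place rather than re-implemented per endpoint.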