Differences

This shows you the differences between two versions of the page.

security [2019_10_15 20:47] stevensecurity [2021_07_12 20:28] steven
Line 1: Line 1:
  
-====== Security ======+# Enterprise File Fabric Security
  
-SME provides a SaaS and hybrid on-premises multi-cloud content management solution called the Enterprise File Fabric.  This provides unique federationgovernance and data management features. This section of the Wiki outlines the security that is inherent within the SME hosted and on-premises versions of the File Fabric.+## Updated on Jul 122021
  
-===== 1 Data Center =====+Storage Made Easy provides a hosted and private on-premises multi-cloud content management solution called the Enterprise File Fabric.  The File Fabric provides unique content collaboration, federation, governance and data management features. This section of the Wiki outlines the security that is inherent within the hosted and on-premises versions of the File Fabric.
  
-For the hosted SaaS service SME uses multiple data centres in USA and Europe. All data centres are Tier IV facilities and are:+### See Also
  
-USA: SSAE16 SOC1/2 compliant, have 24x7 armed security, facility surveillance, biometric + keycard access to the data floor, keycode access to the cage, plus our own surveillance on top of the facility surveillance.+ * [[compliance|Compliance Standards]]
  
-Europe:   The Data Centers have ISO27001:2005, ISO9001:2008 certification, plus 24x7 security, facility surveillance, biometric + keycard + mantrap access to the data floor, locking cabinets with physical key access+## Data Center
  
-UK:   This is a new facility, currently undergoing the iso 27001/9001 process and also has 24x7 security,   facility surveillance, biometric + keycard + mantrap access to the data floor, locking cabinets with keycode access+For the hosted SaaS service SME uses multiple data centres in USA and Europe. All data centres are Tier IV facilities.
  
-All data centres have 24/7 physical security, facility surveillance, biometric ,   keycard entry authentication and mantrap access to the data floor uninterruptible power and backup systems.+ * **USA**: SSAE16 SOC1/2 compliant, have 24x7 armed security, facility surveillance, biometric keycard access to the data floor, keycode access to the cage, plus our own surveillance on top of the facility surveillance.
  
-===== 2 Encrypted Data in Motion =====+ * **Europe**: The Data Centers have ISO27001:2005, ISO9001:2008 certification, plus 24x7 security, facility surveillance, biometric + keycard + mantrap access to the data floor, locking cabinets with physical key access
  
-HTTPS is configured by default for all users of the Cloud File Server SaaS users and Appliance.+ * **UK**: This is a new facility, currently undergoing the iso 27001/9001 process and also has 24x7 security, facility surveillance, biometric + keycard + mantrap access to the data floor, locking cabinets with keycode access 
 + 
 +All data centres have 24/7 physical security, facility surveillance, biometric, keycard entry authentication and mantrap access to the data floor uninterruptible power and backup systems. 
 + 
 +## Encryption - Data in Motion 
 + 
 +HTTPS is configured by default for all users of the hosted version of the File Fabric and the Enterprise edition of the File Fabric.
  
 A commercial server that uses HTTPS must have a public key certificate issued that verifies the entity. The end-user can verify the entity by clicking on the HTTPS icon from the browser. A commercial server that uses HTTPS must have a public key certificate issued that verifies the entity. The end-user can verify the entity by clicking on the HTTPS icon from the browser.
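
Review bot: The UK data-centre bullet is carried over unchanged and still reads "This is a new facility, currently undergoing the iso 27001/9001 process", the same wording as the 2019 revision, even though this revision adds an "Updated on" heading; state the current certification status or drop "new". The Europe bullet likewise still cites ISO27001:2005 and ISO9001:2008, so confirm which editions the current certificates are issued against. The closing paragraph of the Data Center section runs "mantrap access to the data floor" straight into "uninterruptible power and backup systems" with no conjunction between them.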
Line 27: Line 33:
  
 [[https://www.ssllabs.com/ssltest/analyze.html?d=storagemadeeasy.com|Check out]] our online sites using [[https://www.ssllabs.com/index.html|Qualys SSL Labs site check]]. [[https://www.ssllabs.com/ssltest/analyze.html?d=storagemadeeasy.com|Check out]] our online sites using [[https://www.ssllabs.com/index.html|Qualys SSL Labs site check]].
-===== 3 Encryption Algorithm ===== 
  
-The Enterprise File Fabric can be used to encrypt data transmitted to any cloud that is mapped to a user personal, Cloud File Server, or Appliance account. The File Fabric uses [[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard|AES]]-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. The cipher Rijndael consists of:+{{::screenshot_2020-05-28_at_13.01.52.png?600|}} 
 + 
 +## Encryption - Data at Rest 
 + 
 +Customer data is stored on storage services controlled by you, not stored on the applicance. 
 + 
 +Amazon S3 Server Side Encryption can be enabled from the provider settings page under the Dashboard. 
 + 
 +The appliance does have the ability to add additional encryption to that provided by storage providers. This can be added to nominated folders or to all folders and a key management system can be used (See Policies > Encryption) 
 + 
 + 
 +## Encryption Algorithm 
 + 
 +The Enterprise File Fabric can be used to encrypt data transmitted to any storage provider that is under management by the solution. The File Fabric uses [[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard|AES]]-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. The cipher Rijndael consists of:
   * an initial Round Key addition   * an initial Round Key addition
   * Nr-1Rounds   * Nr-1Rounds
   * a final round.   * a final round.
  
-The chaining variable goes into the input€ and the message block goes into the â€œCipher Key. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and for a 16-byte key, 2127 applications of Rijndael;+The chaining variable goes into the input and the message block goes into the Cipher Key. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and for a 16-byte key, 2127 applications of Rijndael;
  
 Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files. We also provide free desktop decryption tools for [[https://storagemadeeasy.com/clients_and_tools#Mac|Mac]], [[https://storagemadeeasy.com/clients_and_tools#Windows|Windows]] and [[https://storagemadeeasy.com/clients_and_tools#Linux|Linux]] that enable the decryption of a file if you download it directly from a mapped cloud ie. without any access to the File Fabric service. Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files. We also provide free desktop decryption tools for [[https://storagemadeeasy.com/clients_and_tools#Mac|Mac]], [[https://storagemadeeasy.com/clients_and_tools#Windows|Windows]] and [[https://storagemadeeasy.com/clients_and_tools#Linux|Linux]] that enable the decryption of a file if you download it directly from a mapped cloud ie. without any access to the File Fabric service.
 +
 +[[https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?product=8582|View]] the online NIST certification.
  
 See also [[https://storagemadeeasy.com/pressrelease/FIPS-140-2-compliance/|FIPS U.S. Federal Government Validation of the Enterprise File Fabric™ Cryptographic Algorithm]]. See also [[https://storagemadeeasy.com/pressrelease/FIPS-140-2-compliance/|FIPS U.S. Federal Government Validation of the Enterprise File Fabric™ Cryptographic Algorithm]].
-===== 4 Authentication Security =====+ 
 +## Identity Authentication
  
 {{:/security:steps:sme_4_authentication_secur.png}} {{:/security:steps:sme_4_authentication_secur.png}}
  
-Clients can be authenticated against the internal user databaseor any directory service. The File Fabric includes out of the box support for Microsoft Active Directory, and services that support LDAP and SAML. One authenticated clients use the authentication token for the remainder of the session.+Clients can be authenticated against the internal user database or any directory service. The File Fabric includes out of the box support for Microsoft Active Directory, and services that support LDAP and SAML. Once authenticated clients use the authentication token for the remainder of the session.
  
-Two factor authentication may also be required with the options of Google Authentication, an emailed code, or a shared secret supported.+[[2fa| Two-factor authentication]] may also be required with the options of Google Authentication, an emailed code, or a shared secret supported.
  
-Our staff have no way to access a password as it is stored encrypted. There is a means to access meta-data in the logs and database related to an account if a user requests help with a problem, and this is only ever used if a user requests us to look at a problem or issue with an account. Even so this still requires an Administrator to authorise access, and it still does not grant any access to any encrypted passwords.+Our staff has no way to access a password as it is stored encrypted. There is a means to access meta-data in the logs and database related to an account if a user requests help with a problem, and this is only ever used if a user requests us to look at a problem or issue with an account. Even sothis still requires an Administrator to authorise access, and it still does not grant any access to any encrypted passwords.
  
-If a Cloud Provider supports [[http://oauth.net/|OAuth]], which is a mechanism to connect to a Cloud Provider without revealing password details, then SME uses this delegation mechanism to access the resource. For Cloud Providers that don't use OAuth, authentication details are stored encrypted. The key to un-encrypt is stored on a key server and we do this when we need to on a per session basis+If a storage provider supports [[http://oauth.net/|OAuth]], which is a mechanism to connect to a Cloud Provider without revealing password details, then the File Fabric uses this delegation mechanism to access the resource. For storage providers that don't use OAuth, authentication details are stored encrypted (AES-256 Rijndael CBC with salt).
  
 +For more information see [[iam]].
  
-===== 5 Data Loss Protection ===== 
  
-{{ :security:steps:sme_5_document_security.png }}+## Data Loss Protection 
  
-Documents can be securely shared using the SME platform in a number of ways:+Documents can be securely shared using the File Fabric in a number of ways:
   * Documents can be encrypted on upload using 256 bit AES security. The private key is not stored on the platform and only known by the user.   * Documents can be encrypted on upload using 256 bit AES security. The private key is not stored on the platform and only known by the user.
   * Private links can be created for documents and these can be combined with passwords to secure the document.   * Private links can be created for documents and these can be combined with passwords to secure the document.
Line 63: Line 84:
   * [[contentdiscovery|Content Discovery]] monitors documents for sensitive data which can generate an email, quarantine, or initiate a workflow.   * [[contentdiscovery|Content Discovery]] monitors documents for sensitive data which can generate an email, quarantine, or initiate a workflow.
  
-===== 6 Access Control Security =====+## Access Control Security
  
 {{:/security:steps:sme_6_access_control_secur.png}} {{:/security:steps:sme_6_access_control_secur.png}}
  
-The File Fabric supports Access Control Permissions at a Role, User, or folder level for shared folders. The Permissions can be taken from Active Directory if single sign-on is being used.+The File Fabric supports Access Control Permissions at a Role, User, or folder level for shared folders. The Permissions can be taken from Active Directory / LDAP if single sign-on is being used.
  
-===== 7 Restrict by IP Address =====+## Restrict by IP Address
  
-The File Fabric supports the ability to whitelist or blacklist IP addresses. This can be done at the Organization level (tenant) or on a per user basis. For more information see [[geoip]].+The File Fabric supports the ability to whitelist or blacklist IP addresses to allow / deny connections. This can be done at the Organization level (tenant) or on a per user basis.
  
-===== 8 Audit Security =====+For more information see [[geoip]].
  
 +## Audit Security
  
 {{:/security:steps:sme_7_audit_security.png}} {{:/security:steps:sme_7_audit_security.png}}
  
-SME Cloud File Server SaaS or Appliance users have access to reporting abilities that can comprehensively audit all events that occur within the Cloud File Server recording the user, event , date/time, and IP Address. Reports can be accessed online, archived, and also exported as .cvs or excel files.+All file events that occur when using the File Fabric are recorded
  
 +Reports can be accessed online, archived, and also exported as .cvs or excel files or the audit events can be configured to be output in syslog format so that log aggregators such as Splunk can be used to monitor / collate the resultant logs.
  
-===== 9 Governance Options =====+ 
 +## Governance Options
  
 {{ :security:steps:security-policies.png |}} {{ :security:steps:security-policies.png |}}
  
-Cloud File Server Saas and Appliance users can set governance options for all users and control almost all levels of security for users.+There are comprehensive governance / compliance / security options which can e configured by a File Fabric Administrator.
  
  
-===== 10 Bring your own Device security =====+## Bring your own Device security
  
-{{:/security:steps:sme_9_bring_your_own_devic.png}} 
  
-The Cloud File Server   (CFS) Admin controls which devices and access clients that each user of the Cloud File Server can connect from. By default all devices and access clients are enabled.  \\ \\ The Admin can entirely disable a user or just choose to disable access from any of the devices/access clients from the users settings instantly disabling user access.+The File Fabric Administrator controls which devices and access clients that each user can connect from. By default all devices and access clients are enabled.  \\ \\ The Admin can entirely disable a user or just choose to disable access from any of the devices/access clients from the users settings instantly disabling user access.
  
-===== 11 Compliance Report =====+## Compliance Report
  
 The compliance report recommends settings that could be changed to enhance security. The user can jump from the online report directly to where the setting can be changed. The compliance report recommends settings that could be changed to enhance security. The user can jump from the online report directly to where the setting can be changed.
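
Review bot: In Audit Security the new line "All file events that occur when using the File Fabric are recorded" drops the fields the old text listed (user, event, date/time and IP address) and has no closing full stop; keep the field list so readers know what an audit record contains. In the same section ".cvs" should read ".csv", and under Governance Options "can e configured" should read "can be configured".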
Line 100: Line 123:
 {{ :security:steps:compliance-report.png |}} {{ :security:steps:compliance-report.png |}}
  
-===== 12 Data Security =====+## Data Security
  
 In addition to encryption the solution includes a number of features for data security: In addition to encryption the solution includes a number of features for data security:
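
Review bot: The heading here changes from DokuWiki syntax ("===== 12 Data Security =====") to Markdown ("## Data Security"), as the other headings in this revision do, while the body keeps DokuWiki markup such as [[...]] links and {{ ... }} image tags. Confirm the wiki renders Markdown headings, otherwise these lines display as literal "##" text and drop out of the table of contents; if it does not, keep the "=====" form and only remove the section number.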
Line 110: Line 133:
  * **Disaster Recovery** - The [[foreverfile|ForeverFile™ archive]] is a backup, disaster recovery and ransomware protection feature that continuously protects data, wherever it is stored. For each primary storage provider that is being protected, a separate secondary or Backup provider is configured. For maximum availability the backup cloud should be located in another data center. It could also be with different cloud vendor, storage technology or tier.  * **Disaster Recovery** - The [[foreverfile|ForeverFile™ archive]] is a backup, disaster recovery and ransomware protection feature that continuously protects data, wherever it is stored. For each primary storage provider that is being protected, a separate secondary or Backup provider is configured. For maximum availability the backup cloud should be located in another data center. It could also be with different cloud vendor, storage technology or tier.
  
-===== 13 Cyber Essentials =====+ * **Antivirus** - See [[antivirus]]. 
 + 
 +## Product Design and Testing  
 + 
 +The File Fabric is developed using the OWASP principle of Security by Design. Each product release, service pack, and patch is security audited and tested through the use of multiple third party security products. 
 + 
 +Our own hosted Enterprise File Fabric Service, which features the latest iteration of bug fixes and features, is security tested daily. 
 + 
 +## Website Security 
 + 
 +{{ :security:trustedsite_logo.png?nolink&200 |}} 
 + 
 +Our public websites is scanned regularly through [[https://www.trustedsite.com/verify?host=storagemadeeasy.com| Trusted Site]] for security issues including malware, malicious links, and phishing. 
 + 
 +We follow best practices in developing secure software, as mandated by GDPR, protecting for example against injection attacks, cross-site request forgery and session hijacking. We perform a third-party vulnerability code scan for each release. 
 + 
 +These are the formats of the cookies are used. <site> is the unqualified hostname of the web address. The unqualified hostname of %%https://files.example.com%% is files. 
 + 
 +^ Cookie ^ Type ^ What for ^ Retention ^ 
 +| PHPSESSID | Functional | Unique ID of session | Session | 
 +| %%<site>__just_logged_in%% | Functional | Start page logic (0 or 1) | 1 year | 
 +| autologin | Functional | Token for remember me feature | 14 days | 
 +| %%<site>__<various>%% | Functional | Remembers settings between sessions such as what folders and panels are collapsed, and the last sort order. e.g. %%files__mainTree_openedFoldersKeys%% | 1 year | 
 + 
 +## Cyber Essentials
  
 Storage Made Easy is [[https://www.cyberessentials.ncsc.gov.uk/cert-search/?query=storage%20made%20easy|Cyber Essentials Certified]].Cyber Essentials is a UK government information assurance scheme operated by [[https://www.ncsc.gov.uk|the National Cyber Security Centre]] (NCSC) that encourages organisations to adopt good practice in information security.It includes an assurance framework and a set of security controls to protect information from threats coming from the internet. Storage Made Easy is [[https://www.cyberessentials.ncsc.gov.uk/cert-search/?query=storage%20made%20easy|Cyber Essentials Certified]].Cyber Essentials is a UK government information assurance scheme operated by [[https://www.ncsc.gov.uk|the National Cyber Security Centre]] (NCSC) that encourages organisations to adopt good practice in information security.It includes an assurance framework and a set of security controls to protect information from threats coming from the internet.
 +
 +It specifically covers:
 +
 +* Boundary firewalls and internet gateways
 +
 +* Secure configuration
 +
 +* Access control
 +
 +* Malware protection
 +
 +* Patch management
  
 It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government. It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government.
  
-===== 14 London Office of Regional CyberSecurity Advancement (LORCA) =====+{{ ::cybercertificate.png?600 |}} 
 + 
 +## London Office of Regional CyberSecurity Advancement (LORCA)
  
 Storage Made Easy [[https://www.infosecurity-magazine.com/news/lorca-announces-additions-1-1/|was selected]] to be one of the CyberSecurity innovators of LORCA's third cohort. Storage Made Easy [[https://www.infosecurity-magazine.com/news/lorca-announces-additions-1-1/|was selected]] to be one of the CyberSecurity innovators of LORCA's third cohort.
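
Review bot: The cookie table under Website Security lists PHPSESSID and the 14-day "autologin" remember-me token but has no column for cookie attributes; since the paragraph above it claims protection against session hijacking and cross-site request forgery, add whether each cookie is set with Secure, HttpOnly and SameSite. Grammar in the same section needs fixing: "Our public websites is scanned" and "These are the formats of the cookies are used". Under Product Design and Testing, "security tested daily" and "multiple third party security products" would be more useful with the kind of testing named.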
Line 125: Line 186:
  
 This includes ensuring products are secure as standard, rather than requiring an add-on solution, and at code level, as this remains a challenge across the sector. This includes ensuring products are secure as standard, rather than requiring an add-on solution, and at code level, as this remains a challenge across the sector.
 +
 +
 +