Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
security [2020_05_27 16:44] – steven | security [2024_03_19 18:56] – [See Also] steven | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | # Nasuni Access Anywhere Security | ||
- | ====== Security ====== | + | #### Updated on Mar 19, 2024 |
- | SME provides | + | Access Anywhere |
+ | ### See Also | ||
- | ===== 1 Data Center ===== | + | * [[governance|]] |
+ | * [[compliance|Compliance Standards]] | ||
+ | * [[cloudappliance/ | ||
+ | * [[organisationcloud/ | ||
- | For the hosted SaaS service SME uses multiple data centres in USA and Europe. All data centres are Tier IV facilities and are: | + | Security related features include: |
- | USA: SSAE16 SOC1/2 compliant, have 24x7 armed security, facility surveillance, | + | * [[:cloudappliance/syslog]] |
+ | * [[:2fa]] | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[: | ||
+ | * [[fips]] | ||
- | Europe: The Data Centers have ISO27001: | + | ## Encryption - Data in Transit |
- | UK: This is a new facility, currently undergoing the iso 27001/9001 process and also has 24x7 security, facility surveillance, | + | HTTPS is configured by default for all users. |
- | All data centres | + | A commercial server that uses HTTPS must have a public key certificate issued that verifies |
- | ===== 2 Encrypted Data in Motion ===== | + | Clients should connect to the server using a URL that starts with HTTPS. (This is the default). |
- | HTTPS is configured by default for all users of the Cloud File Server SaaS users and Appliance. | + | Administrators should also connect to storage providers using HTTPS. For storage providers with a fixed endpoint including AWS S3, Azure, Google Cloud Storage |
- | + | ||
- | A commercial | + | |
- | Clients should connect to the File Fabric appliance using a URL that starts with HTTPS. (This is the default). | + | ## Encryption - Data at Rest |
- | Administrators should also connect to storage | + | Customer data is stored on storage |
- | [[https:// | ||
- | ===== 3 Encryption Algorithm | + | ## Encryption Algorithm |
- | The Enterprise File Fabric | + | The Access Anywhere server |
* an initial Round Key addition | * an initial Round Key addition | ||
* Nr-1Rounds | * Nr-1Rounds | ||
* a final round. | * a final round. | ||
- | The chaining variable goes into the input | + | The chaining variable goes into the input and the message block goes into the Cipher |
- | Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files. We also provide free desktop decryption tools for [[https:// | + | Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files. We also provide free desktop decryption tools for [[https:// |
- | See also [[https://storagemadeeasy.com/pressrelease/FIPS-140-2-compliance/|FIPS U.S. Federal Government Validation of the Enterprise File Fabric™ Cryptographic Algorithm]]. | + | [[https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details? |
- | ===== 4 Authentication | + | See also [[https:// |
+ | ## Identity | ||
- | {{:/ | + | Clients can be authenticated against the internal user database or any directory service. Nasuni Access Anywhere includes out of the box support for Microsoft Active Directory, and services that support LDAP and SAML. Once authenticated clients use the authentication token for the remainder of the session. |
- | Clients can be authenticated against | + | [[2fa| Two-factor authentication]] may also be required with the options of Google Authentication, |
- | Two factor authentication may also be required with the options of Google Authentication, | + | Our staff has no way to access a password as it is stored encrypted. There is a means to access meta-data in the logs and database related to an account if a user requests help with a problem, and this is only ever used if a user requests us to look at a problem or issue with an account. Even so, this still requires an Administrator to authorise access, and it still does not grant any access to any encrypted passwords. |
- | Our staff have no way to access | + | If a storage provider supports [[http:// |
- | If a Cloud Provider supports | + | For more information see [[iam]]. |
- | ===== 5 Data Loss Protection | + | ## Data Loss Protection |
- | {{ : | + | Documents can be securely shared in a number of ways: |
- | + | ||
- | Documents can be securely shared | + | |
* Documents can be encrypted on upload using 256 bit AES security. The private key is not stored on the platform and only known by the user. | * Documents can be encrypted on upload using 256 bit AES security. The private key is not stored on the platform and only known by the user. | ||
* Private links can be created for documents and these can be combined with passwords to secure the document. | * Private links can be created for documents and these can be combined with passwords to secure the document. | ||
Line 65: | Line 77: | ||
* [[contentdiscovery|Content Discovery]] monitors documents for sensitive data which can generate an email, quarantine, or initiate a workflow. | * [[contentdiscovery|Content Discovery]] monitors documents for sensitive data which can generate an email, quarantine, or initiate a workflow. | ||
- | ===== 6 Access Control Security | + | ## Access Control Security |
{{:/ | {{:/ | ||
- | The File Fabric | + | The platform |
- | ===== 7 Restrict by IP Address | + | ## Restrict by IP Address |
- | The File Fabric | + | The platform |
For more information see [[geoip]]. | For more information see [[geoip]]. | ||
- | ===== 8 Audit Security | + | ## Audit Security |
{{:/ | {{:/ | ||
- | SME Cloud File Server SaaS or Appliance users have access to reporting abilities that can comprehensively audit all events that occur within the Cloud File Server recording the user, event , date/time, and IP Address. Reports can be accessed online, archived, and also exported as .cvs or excel files. | + | All file events that occur when using Access Anywhere are recorded. |
+ | Reports can be accessed online, archived, and also exported as .cvs or excel files or the audit events can be configured to be output in syslog format so that log aggregators such as Splunk can be used to monitor / collate the resultant logs. | ||
- | ===== 9 Governance Options | + | |
+ | ## Governance Options | ||
{{ : | {{ : | ||
- | Cloud File Server Saas and Appliance users can set governance | + | There are comprehensive |
+ | ## Acceptable Use Policies | ||
- | ===== 10 Bring your own Device security ===== | + | Acceptable use policies allow organizations to present policies and optionally required acceptance for access to the system. Policy acceptance is logged and can also be required by users downloading shared files and folders. |
- | {{:/security:steps:sme_9_bring_your_own_devic.png}} | + | {{:cloudappliance:acceptable_use_policies:available-policies.png?700|}} |
- | The Cloud File Server (CFS) Admin controls which devices and access clients that each user of the Cloud File Server can connect from. By default all devices and access clients are enabled. \\ \\ The Admin can entirely disable a user or just choose to disable access from any of the devices/access clients from the users settings instantly disabling user access. | + | See [[cloudappliance/acceptable_use_policies]] for more information. |
- | ===== 11 Compliance Report | + | ## Bring your own Device security |
+ | |||
+ | |||
+ | The Administrator controls which devices and access clients that each user can connect from. By default all devices and access clients are enabled. | ||
+ | |||
+ | The Admin can entirely disable a user or just choose to disable access from any of the devices/ | ||
+ | |||
+ | ## Compliance Report | ||
The compliance report recommends settings that could be changed to enhance security. The user can jump from the online report directly to where the setting can be changed. | The compliance report recommends settings that could be changed to enhance security. The user can jump from the online report directly to where the setting can be changed. | ||
Line 103: | Line 125: | ||
{{ : | {{ : | ||
- | ===== 12 Data Security | + | ## Data Security |
In addition to encryption the solution includes a number of features for data security: | In addition to encryption the solution includes a number of features for data security: | ||
Line 113: | Line 135: | ||
* **Disaster Recovery** - The [[foreverfile|ForeverFile™ archive]] is a backup, disaster recovery and ransomware protection feature that continuously protects data, wherever it is stored. For each primary storage provider that is being protected, a separate secondary or Backup provider is configured. For maximum availability the backup cloud should be located in another data center. It could also be with different cloud vendor, storage technology or tier. | * **Disaster Recovery** - The [[foreverfile|ForeverFile™ archive]] is a backup, disaster recovery and ransomware protection feature that continuously protects data, wherever it is stored. For each primary storage provider that is being protected, a separate secondary or Backup provider is configured. For maximum availability the backup cloud should be located in another data center. It could also be with different cloud vendor, storage technology or tier. | ||
- | ===== 13 Website Security ===== | + | * **Antivirus** - See [[antivirus]]. |
- | + | ||
- | {{ : | + | |
- | + | ||
- | Our public websites is scanned regularly through [[https:// | + | |
- | + | ||
- | We follow best practices in developing secure software, as mandated by GDPR, protecting for example against injection attacks, cross-site request forgery and session hijacking. We perform a third-party vulnerability code scan for each release. | + | |
- | + | ||
- | The following cookies are used. < | + | |
- | + | ||
- | * PHPSESSID - Unique ID of session. Retention: Session | + | |
- | + | ||
- | * site__just_logged_in - Start page logic. Retention: 1 year | + | |
- | + | ||
- | * autologin - token for remember me feature. Retention: 14 days | + | |
- | + | ||
- | * site__various | + | |
- | + | ||
- | ===== 14 Cyber Essentials ===== | + | |
- | + | ||
- | Storage Made Easy is [[https:// | + | |
- | + | ||
- | It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government. | + | |
- | ===== 15 London Office of Regional CyberSecurity Advancement (LORCA) ===== | + | ## Product Design and Testing |
- | Storage Made Easy [[https:// | + | The platform is developed using the OWASP principle |
- | LORCA is one of two cyber innovation centres as part of the National Cyber Security Strategy objective to grow the UK’s cybersecurity sector | + | Our own hosted service, which features the latest iteration |
- | Security by Design was selected as one of the most pressing challenges. The office is now on the lookout for cybersecurity solutions that make it significantly cheaper or easier for products to be made secure. | ||
- | This includes ensuring products are secure as standard, rather than requiring an add-on solution, and at code level, as this remains a challenge across the sector. |