Differences

This shows you the differences between two versions of the page.

--- security [2018_01_30 19:15] – [3 Data Security] steven
+++ security [2024_04_22 21:30] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+# Nasuni Access Anywhere Security
+#### Updated on Mar 19, 2024
+Access Anywhere provides content collaboration, federation, governance and data management features.
+### See Also
+ * [[governance|]]
+ * [[compliance|Compliance Standards]]
+ * [[server/bestpractices]]
+ * [[admin/byod]]
+ * [[advisories/hardeningfeb2019]]
-====== Security ======
+Security related features include:
+ * [[:server/syslog]]
+ * [[:2fa]]
+ * [[:server/acceptable_use_policies]]
+ * [[:appmanagement]]
+ * [[:geoip]]
+ * [[:admin/saml]]
+ * [[:admin/activedirectory/activedirectoryintegration]]
+ * [[:cloudencryption]]
+ * [[:antivirus]]
+ * [[:features/md5hash]]
+ * [[:cloudbackup]]
+ * [[fips]]
-SME provides a SaaS and hybrid on-premise Cloud solution which provides unique Cloud federation, governance and management features. This section of the Wiki outlines the security that is inherent within the SME hosted and on-premise appliance.
+## Encryption - Data in Transit
-===== 1 Data Center =====
+HTTPS is configured by default for all users.
+A commercial server that uses HTTPS must have a public key certificate issued that verifies the entity. The end-user can verify the entity by clicking on the HTTPS icon from the browser.
+Clients should connect to the server using a URL that starts with HTTPS. (This is the default).  A valid certificate is required.
-{{:/security:steps:sme_1_data_center.png}}
+Administrators should also connect to storage providers using HTTPS. For storage providers with a fixed endpoint including AWS S3, Azure, Google Cloud Storage the Access Anywhere server always uses HTTPS.
-For the hosted SaaS service SME uses multiple data centres in USA and Europe. All data centres are Tier IV facilities and are:\\ \\ USA: SSAE16 SOC1/2 compliant, have 24x7 armed security, facility surveillance, biometric + keycard access to the data floor, keycode access to the cage, plus our own surveillance on top of the facility surveillance.\\ \\ Europe:   The Data Centers have ISO27001:2005, ISO9001:2008 certification, plus 24x7 security, facility surveillance, biometric + keycard + mantrap access to the data floor, locking cabinets with physical key access\\ \\ UK:   This is a new facility, currently undergoing the iso 27001/9001 process and also has 24x7 security,   facility surveillance, biometric + keycard + mantrap access to the data floor, locking cabinets with keycode access\\ \\ All data centres have 24/7 physical security, facility surveillance, biometric ,   keycard entry authentication and   mantrap access to the data floorm uninterruptible power and backup systems\\
+## Encryption - Data at Rest
+Customer data is stored on storage services controlled by you. It is not stored on the appliance.
-===== 2 On the wire security =====
+## Encryption Algorithm
+The Access Anywhere server can be used to encrypt data transmitted to any storage provider that is under management by the solution. The plarform uses [[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard|AES]]-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. The cipher Rijndael consists of:
+  * an initial Round Key addition
+  * Nr-1Rounds
+  * a final round.
-{{:/security:steps:sme_2_on_the_wire_security.png}}
+The chaining variable goes into the input and the message block goes into the Cipher Key. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and for a 16-byte key, 2127 applications of Rijndael;
-HTTPS can be configured for all users of the Cloud File Server Saas users and Appliance. HTTPS is an acronym for hypertext transfer protocol secure. HTTPS is similar to the normal hypertext transfer protocol, except tt is different because the âSâ at the end identifies it as having a secure HTTP connection.  \\ \\ A HTTPS connection is used often in businesses where sensitive information, such as credit card numbers, are being passed along at point of purchase sites or other commerce sites The https protocol gives assurance that potential hackers are not able to intercept the message containing sensitive data as it is sent to its destination.\\ \\ A commercial server that uses HTTPS must have a public key certificate issued that verifies the entity. The end-user can verify the entity by clicking on the HTTPS icon from the browser.
+Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files. We also provide free desktop decryption tools for [[https://storagemadeeasy.com/clients_and_tools#Mac|Mac]], [[https://storagemadeeasy.com/clients_and_tools#Windows|Windows]] and [[https://storagemadeeasy.com/clients_and_tools#Linux|Linux]] that enable the decryption of a file if you download it directly from a mapped cloud ie. without any access to the service.
+[[https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?product=8582|View]] the online NIST certification.
-===== 3 Data Security =====
+See also [[https://storagemadeeasy.com/pressrelease/FIPS-140-2-compliance/|FIPS U.S. Federal Government Validation of Access Anywhere™ Cryptographic Algorithm]].
+## Identity Authentication
+Clients can be authenticated against the internal user database or any directory service. Nasuni Access Anywhere includes out of the box support for Microsoft Active Directory, and services that support LDAP and SAML. Once authenticated clients use the authentication token for the remainder of the session.
+[[2fa| Two-factor authentication]] may also be required with the options of Google Authentication, an emailed code, or a shared secret supported.
-{{:/security:steps:sme_3_data_security.png}}
+Our staff has no way to access a password as it is stored encrypted. There is a means to access meta-data in the logs and database related to an account if a user requests help with a problem, and this is only ever used if a user requests us to look at a problem or issue with an account. Even so, this still requires an Administrator to authorise access, and it still does not grant any access to any encrypted passwords.
-Storage Made Easy can be used to encrypt data transmitted to any cloud that is mapped to a user personal, Cloud File Server, or Appliance account. SME uses [[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard|AES]]-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. The cipher Rijndael consists of:
+If a storage provider supports [[http://oauth.net/|OAuth]], which is a mechanism to connect to a Cloud Provider without revealing password details, then Access Anywhere uses this delegation mechanism to access the resource. For storage providers that don't use OAuth, authentication details are stored encrypted (AES-256 Rijndael CBC with salt).
-  * an initial Round Key addition
-  * Nr-1Rounds
-  * a final round.
-The chaining variable goes into the input and the message block goes into the âCipher Key. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and for a 16-byte key, 2127 applications of Rijndael;
+For more information see [[iam]].
-Any AES-256 decryption tool that supports the Rijndael cipher with 16 byte blocksizes can be used to un-encrypt files. We also provide free desktop decryption tools for [[https://storagemadeeasy.com/clients_and_tools#Mac|Mac]], [[https://storagemadeeasy.com/clients_and_tools#Windows|Windows]] and [[https://storagemadeeasy.com/clients_and_tools#Linux|Linux]] that enable the decryption of a file if you download it directly from a mapped cloud ie. without any access to the SME service.
-The Wiki entry on encryption has further details.
+## Data Loss Protection
+Documents can be securely shared in a number of ways:
+  * Documents can be encrypted on upload using 256 bit AES security. The private key is not stored on the platform and only known by the user.
+  * Private links can be created for documents and these can be combined with passwords to secure the document.
+  * Links can be set to be time expired and/or combined with private links and password for further additional document security.
+  * [[watermarking|Watermarks]] unique to each file preview or shared file download can be added to enable tracing back how a file was leaked.
+  * [[contentdiscovery|Content Discovery]] monitors documents for sensitive data which can generate an email, quarantine, or initiate a workflow.
-===== 4 Authentication Security =====
+## Access Control Security
+{{:/security:steps:sme_6_access_control_secur.png}}
+The platform supports Access Control Permissions at a Role, User, or folder level for shared folders. The Permissions can be taken from Active Directory / LDAP if single sign-on is being used.
-{{:/security:steps:sme_4_authentication_secur.png}}
+## Restrict by IP Address
-Storage Made Easy username and passwords   are stored in an encrypted fashion. User login is required in order to obtain a token for a session, which allows a user to access a specific Storage Made Easy resource without using a username and password each time. Once the token has been obtained, the user uses the token, that offers access to a Storage Made Easy resource, for up to 1 hour (it times out if there are no user interactions or is removed if the user logs out). This mechanism of authentication be complimented or replaced with other authentication systems, such as Active Directory which is available by default for Cloud File Server business users, when using our service. Please <ask> for our Security integration whitepaper for further information on this.\\ \\ Our staff have no way to access a password as it is stored encrypted. There is a means to access meta-data in the logs and DataBase related to an account if a user requests help with a problem, and this is only ever used if a user requests us to look at a problem or issue with an account. Even so this still requires an Administrator to authorise access, and it still does not grant any access to any encrypted passwords.  \\ \\ If a Cloud Provider supports [[http://oauth.net/|OAuth]], which is a mechanism to connect to a Cloud Provider without revealing password details, then SME uses this delegation mechanism to access the resource. For Cloud Providers that don't use OAuth,authentication details are stored encrypted. The key to un-encrypt is stored on a key server and we do this when we need to on a per session basis.
+The platform supports the ability to whitelist or blacklist IP addresses to allow / deny connections. This can be done at the Organization level (tenant) or on a per user basis.
+For more information see [[geoip]].
-===== 5 Document Security =====
+## Audit Security
+{{:/security:steps:sme_7_audit_security.png}}
+All file events that occur when using Access Anywhere are recorded.
-{{:/security:steps:sme_5_document_security.png}}
+Reports can be accessed online, archived, and also exported as .cvs or excel files or the audit events can be configured to be output in syslog format so that log aggregators such as Splunk can be used to monitor / collate the resultant logs.
-Documents can be securely shared using the SME platform in a number of ways:
-  * Documents can be encrypted on upload using 256 bit AES security. The private key is not stored on the platform and only known by the user.
-  * Private links can be created for documents and these can be combined with passwords to secure the document.
-  * Links can be set to be time expired and/or combined with private links and password for further additional document security.
+## Governance Options
-===== 6 Access Control Security =====
+{{ :security:steps:security-policies.png |}}
+There are comprehensive governance / compliance / security options which can be configured by an Administrator.
+## Acceptable Use Policies
-{{:/security:steps:sme_6_access_control_secur.png}}
+Acceptable use policies allow organizations to present policies and optionally required acceptance for access to the system. Policy acceptance is logged and can also be required by users downloading shared files and folders.
-SME supports Access Control Permissions at a Role, User, or folder level for shared folders. The Permissions can be taken from Active Directory if single sign-on is being used.
+{{:server:acceptable_use_policies:available-policies.png?700|}}
+See [[server/acceptable_use_policies]] for more information.
-===== 7 Audit Security =====
+## Bring your own Device security
+The Administrator controls which devices and access clients that each user can connect from. By default all devices and access clients are enabled.
-{{:/security:steps:sme_7_audit_security.png}}
+The Admin can entirely disable a user or just choose to disable access from any of the devices/access clients from the users settings instantly disabling user access.
-SME Cloud File Server SaaS or Appliance users have access to reporting abilities that can comprehensively audit all events that occur within the Cloud File Server recording the user, event , date/time, and IP Address. Reports can be accessed online, archived, and also exported as .cvs or excel files.
-===== 8 Governance Options =====
+## Compliance Report
+The compliance report recommends settings that could be changed to enhance security. The user can jump from the online report directly to where the setting can be changed.
+{{ :security:steps:compliance-report.png |}}
-{{:/security:steps:sme_8_governance_options.png}}
+## Data Security
-Cloud File Server Saas and Appliance users can set governance options for all users and control almost all levels of security for users.
+In addition to encryption the solution includes a number of features for data security:
+ * **Trash** - Folders and files that are updated or deleted are saved in trash and can be restored.
-===== 9 Bring your own Device security =====
+ * **Versions** - Unlimited or limited versions of files can be saved.
+ * **Disaster Recovery** - The [[foreverfile|ForeverFile™ archive]] is a backup, disaster recovery and ransomware protection feature that continuously protects data, wherever it is stored. For each primary storage provider that is being protected, a separate secondary or Backup provider is configured. For maximum availability the backup cloud should be located in another data center. It could also be with different cloud vendor, storage technology or tier.
+ * **Antivirus** - See [[antivirus]].
-{{:/security:steps:sme_9_bring_your_own_devic.png}}
+## Product Design and Testing
-The Cloud File Server   (CFS) Admin controls which devices and access clients that each user of the Cloud File Server can connect from. By default all devices and access clients are enabled.  \\ \\ The Admin can entirely disable a user or just choose to disable access from any of the devices/access clients from the users settings instantly disabling user access.\\ \\ \\
+The platform is developed using the OWASP principle of Security by Design. Each product release, service pack, and patch is security audited and tested through the use of multiple third party security products.
+Our own hosted service, which features the latest iteration of bug fixes and features, is security tested daily.