Vaultize Security Brief
Data Security Brief
Summary
• End-to-end Security – No VPN required
  • Encryption at source and Decryption only at destination (AES 256-bit)
  • All network channels encrypted (SSL 256-bit)
  • Data kept encrypted at server/cloud (AES 256-bit)
• DRM, Endpoint Encryption, Wiping and Geo tracking/fencing
  • Native Digital Rights Management (DRM aka IRM) capabilities
  • Keep folders and files encrypted on endpoint disk/storage
  • Remotely and/or automatically wipe selected folders or files
  • Works on mobile devices
• Secure Mobility with mobile data containerization
• Data Privacy Option – Manage your keys yourself
Platform Overview
• Data Loss Protection
• Backup
• File/Folder Encryption
• Remote/Auto Wiping
• Data Retention
• File Sharing & Sync
• Auto Expiry
• Authentication
• Mobility & Mobile Content Mgmt
• Anywhere Access
• File Servers & NAS
• Access Control
• Geo, IP & time
• File/folder patterns
• BYOD
• Centralized Admin Console
• Reporting
• Monitoring
• Alerts
[Figure: platform overview diagram. Labels: Corporate Network, Agent-based, Agent-less, Mobiles, NAS, Roaming Devices, Intranet or Internet, Versioning, Encryption, Dedupe, MCM, End-to-End Security (VPN not required), Encryption At Source, Decryption At Destination]
End-to-End Security – No VPN required
• Encryption at Source and Decryption only at Destination
  • Encrypt data at source before it is put on network (US patent pending technology)
  • Military-grade encryption (AES 256-bit) at source
  • Integrated with de-duplication – Efficiency!
• Additional Security
  • OAuth – Each server request uniquely authorized
  • All communication always over secure network (256-bit SSL)
  • Additional layer of encryption on server storage (AES 256-bit)
• AES-256 at source, SSL-256 on network and OAuth make Vaultize more secure than VPN
Copyright © 2011-13 Anoosmar Technologies. All Rights Reserved.
Keys
• Each key is a pair of random strings
  • Minimum 1024 bits
  • First part is a token, used for authorization
  • Second part is a secret, used for signing and encryption/decryption
  • Both are required for the whole system to work
• Who gets a key?
  • Users
  • Groups, including those used for internal collaboration
  • Organization
• By default, keys are kept on server – very securely
  • Enables Web Access capabilities
  • Keys always kept encrypted (AES 256-bit) in a secured database
  • Only 1 process has access to the database
  • Keys can be invalidated any time
Data Privacy Option (DPO)
• DPO allows removal of keys from server
  • No need for any special hardware (like “Cloud Gateway” Appliance)
  • Admin downloads the keys and manages them any way he/she wants
• Customer retains full control over keys
  • Useful with Data Residency/Sovereignty laws and compliances
  • Keys are never stored on any infrastructure not under enterprise control
  • Data is secured while in motion and at rest in the cloud
  • Ability to access data remains solely with the customer
• Vaultize is the only solution that can provide this option
  • Because other solutions encrypt data at the server
Encryption at Source
• Each data item (like a file or an email) is divided into variable-sized chunks
• For de-duplication – if a chunk is already present on the server, it is skipped
  • Look up “rsync algorithm” for an explanation of dedupe
• Each new chunk is encrypted using a chunk key
  • Chunk key is a combination of a random string and the organization secret
  • Chunk key is 256 bits long because we use AES 256
• Chunk key is also encrypted, using the user key or group key, depending on whether the file is shared
• So, if a key is compromised, only files for that user or group can be compromised
• Encrypted chunk and the encrypted chunk key are sent to server
Decryption at Destination
• Each file/email is re-constructed from its chunks
  • Again, de-duplication – if a chunk is already fetched, it is not fetched again
  • Vaultize apps keep a cache of popular chunks in their encrypted form
• Decryption of chunk requires its chunk key
  • Encrypted chunk key is retrieved from server using OAuth
  • Keys are not stored on clients or inside apps
• Chunk key is decrypted using user’s or group’s key
• Chunk is decrypted using decrypted chunk key
  • Chunk key is now deleted from memory
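The key hierarchy from the Encryption at Source and Decryption at Destination slides, as an added Ruby sketch that is not Vaultize code. AES-256-GCM, HMAC-SHA256 as the way to combine the random string with the organization secret, and all method names are assumptions (the brief says only "AES 256"); the keys and chunk are constructed for the demo.

```ruby
require "openssl"

# Encrypt under a 32-byte key with AES-256-GCM; returns nonce(12) + tag(16) + ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or a modified blob.
def unseal(key, blob)
  raise ArgumentError, "blob too short" if blob.bytesize <= 28
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.auth_data = ""
  cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final
end

# Source side: a fresh chunk key per new chunk, wrapped under the user or
# group key. Only the two sealed values are sent to the server.
def encrypt_chunk(org_secret, owner_key, chunk)
  random = OpenSSL::Random.random_bytes(32)
  # Assumed combiner for "random string + organization secret": HMAC-SHA256.
  chunk_key = OpenSSL::HMAC.digest("SHA256", org_secret, random) # 32 bytes
  { chunk: seal(chunk_key, chunk), wrapped_key: seal(owner_key, chunk_key) }
end

# Destination side: unwrap the chunk key with the user or group key, then
# decrypt the chunk. The chunk key is a local only (Ruby does not scrub memory).
def decrypt_chunk(owner_key, stored)
  chunk_key = unseal(owner_key, stored[:wrapped_key])
  unseal(chunk_key, stored[:chunk])
end

if __FILE__ == $PROGRAM_NAME
  org, alice, bob = Array.new(3) { OpenSSL::Random.random_bytes(32) } # constructed keys
  stored = encrypt_chunk(org, alice, "constructed chunk bytes")
  puts decrypt_chunk(alice, stored)
  begin
    decrypt_chunk(bob, stored)
  rescue OpenSSL::Cipher::CipherError
    puts "bob's key cannot unwrap alice's chunk key"
  end
end
```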
Digital Rights Management (DRM)
• Each file stored inside its own container
  • Patent-pending technology called micro-containerization
  • Container is agnostic of file format
  • File contents cannot be accessed without container being open
  • Supports features like password, automatic expiry and self destruct
• Each micro-container encrypted using its own unique key
  • Encryption done using AES 256
  • Keys are not stored inside container, they are stored on server
• When a container has to be opened:
  • First, password, expiry, policies, etc. are checked with the server
  • Then, Vaultize Rights Management Client gets the container key from server using Diffie-Hellman key exchange over SSL 256
Endpoint Encryption and Wiping
• Endpoint Encryption & Wiping with Admin Control
  • Ensure Data Loss Prevention (DLP) from loss, theft or unauthorized access
  • Centralized management
  • Invisible to end-users
  • Wiping can be on command or automatic, based on geo, IP or time-out policies
• Selectively Encrypt and/or Wipe Corporate Files and Folders
  • Based on file types, file/folder name patterns, size, age, etc.
  • Encrypt or wipe only corporate data – separate from personal data – great for BYOD
  • Full disk encryption from other vendors slows down the system
• Works on Roaming Laptops and Smartphones/Tablets
  • Encryption on laptops/desktops – Windows NTFS only
Secure Mobility
• Secure Mobile Access
  • Access data inside the corporate network anywhere – easily and securely
  • Access data from laptops, desktops, file servers, NAS, SharePoint, etc.
  • VPN not required – encryption at source and decryption only on user access
• Encryption
  • Data always sent encrypted (AES 256) over a secure channel (SSL 256)
  • Data always stored in encrypted form on mobile device storage (AES 256)
  • Decryption happens only when user accesses a file
  • Encryption cannot be disabled, keys not kept on device
• Wiping and Blocking
  • Wipe data on mobile devices, remotely or automatically
  • Block selective devices or users
Mobile Content Management (MCM)
• Data Usage Rights
  • Control what users can do with data on their mobile devices (usage rights)
  • Copy-paste of content and files, sharing, opening files in third-party apps, printing, email and so on
  • Control who users can share data with
• Built-in Document Editor
  • Edit and upload Office and PDF documents
  • Data need not go outside the secure app – reduced risk of data loss
  • Decryption keys not kept on device
Centralized Control
• Web-based Centralized Admin Console
  • Manage all aspects of Vaultize solution from a single place
  • Push policies for protection, sharing, mobility, wiping, access control etc.
  • Users, groups, delegated administration, etc.
  • Reporting, audit trail, alerts, monitoring, dashboard, etc.
• Integration with Active Directory and LDAP
  • Use AD/LDAP authentication transparently
  • Import users and groups from AD
  • Mass deployment using AD
  • SAML support coming soon
Access Control
• Server based rules to control who can access data and how
  • Works for download, restore, view, share, sync etc.
  • Works for unmanaged as well as managed accesses/users
  • Integrated with mobility
• Geo and IP fencing, time-based access
  • Filter accesses by country, IP addresses/ranges/CIDR, etc.
  • Filter by multiple time windows
• Permissions
  • What is allowed or disallowed
  • Upload, download, edit, view, sharing, passwords mandatory, etc.
Audit Trail, Reporting, etc.
• Schedule any number of reports
  • Daily, weekly, dates of a month, etc.
  • Reports in MS Excel and/or PDF formats
  • Popular canned reports
• Monitoring
  • Activity stream
  • View all data of all users, shared data etc.
  • Privacy: admin cannot download/view user data
• Alerts
  • Select when users or admins get alerted
• Audit Trail
  • Capture all operations on Vaultize server
  • Download monthly audit logs
http://www.vaultize.com