WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Similar documents
Cloud FastPath: Highly Secure Data Transfer

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

SECURE DATA EXCHANGE

Layer Security White Paper

QuickBooks Online Security White Paper July 2017

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

PCI DSS Compliance. White Paper Parallels Remote Application Server

SECURITY PRACTICES OVERVIEW

Security and Compliance at Mavenlink

Paperspace. Security Primer & Architecture Overview. Business Whitepaper. 20 Jay St. Suite 312 Brooklyn, NY 11201

MigrationWiz Security Overview

OUR CUSTOMER TERMS CLOUD SERVICES - INFRASTRUCTURE

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

ISO27001 Preparing your business with Snare

The Common Controls Framework BY ADOBE

Keys to a more secure data environment

Guide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis

Watson Developer Cloud Security Overview

SECURITY & PRIVACY DOCUMENTATION

Inventory and Reporting Security Q&A

Top considerations for implementing secure backup and recovery. A best practice whitepaper by Zmanda

Security. ITM Platform

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Data Security and Privacy Principles IBM Cloud Services

Security Information & Policies

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Google Cloud & the General Data Protection Regulation (GDPR)

WHITE PAPER- Managed Services Security Practices

Zumobi Brand Integration(Zbi) Platform Architecture Whitepaper Table of Contents

The Nasuni Security Model

emarketeer Information Security Policy

IBM Security Intelligence on Cloud

The following security and privacy-related audits and certifications are applicable to the Lime Services:

Cloud-Based Data Security

TRACKVIA SECURITY OVERVIEW

BeBanjo Infrastructure and Security Overview

7.16 INFORMATION TECHNOLOGY SECURITY

Security

Migration and Building of Data Centers in IBM SoftLayer

WHITEPAPER. Security overview. podio.com

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

IPM Secure Hardening Guidelines

PrecisionAccess Trusted Access Control

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Twilio cloud communications SECURITY

Managed Services Rely on us to manage your business services

Asset Bank - Shared Hosting. Service Description

DreamFactory Security Guide

Mobility best practice. Tiered Access at Google

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Projectplace: A Secure Project Collaboration Solution

Security Specification

Secure Access & SWIFT Customer Security Controls Framework

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

NEN The Education Network

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Hybrid Data Security Overview

Awareness Technologies Systems Security. PHONE: (888)

10 FOCUS AREAS FOR BREACH PREVENTION

IP Mobility vs. Session Mobility

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

IT SECURITY FOR NONPROFITS

Information Security Policy

Information Security in Corporation

Cloud Security Standards

Google Identity Services for work

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

Architecture. Hosted. PrintMap Client. PrintMap Application Server

LOGmanager and PCI Data Security Standard v3.2 compliance

Salesforce1 Mobile Security White Paper. Revised: April 2014

Xceedium Xio Framework: Securing Remote Out-of-band Access

What can the OnBase Cloud do for you? lbmctech.com

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Microsoft SharePoint Server 2013 Plan, Configure & Manage

Verizon Software Defined Perimeter (SDP).

PROTECT YOUR DATA, SAFEGUARD YOUR BUSINESS

IBM Spectrum Protect Version Introduction to Data Protection Solutions IBM

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Internet of Things Toolkit for Small and Medium Businesses

Datasheet. Only Workspaces delivers the features users want and the control that IT needs.

AppPulse Point of Presence (POP)

Sparta Systems TrackWise Digital Solution

Hosted Testing and Grading

IBM Tivoli Storage Manager Version Introduction to Data Protection Solutions IBM

A practical guide to IT security

Dossier. Version 6.2 IT Planning Manual ARSENAULT. Associates. Fleet Asset Maintenance Management Software. Since

Unleash the Power of Secure, Real-Time Collaboration

Juniper Vendor Security Requirements

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

IBM Case Manager on Cloud

Protecting Your SaaS Investment: Monitoring Office 365 Performance

EnterpriseLink Benefits

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

WHITE PAPER. Title. Managed Services for SAS Technology

System Structure. Steven M. Bellovin December 14,

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Transcription:

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been doing this successfully for over a decade for customers that range from Fortune 100 companies in the financial services sector to small businesses with fewer than 25 employees. Despite this diversity, all of our customers are bound by a common interest: achieving the highest levels of security while their data is in motion. Cloud FastPath s unique architecture creates the most secure solution for moving data to and from cloud-based storage services, and Tervela continuously invests in robust security measures to protect customer data as it moves. This whitepaper describes our approach to making Cloud FastPath security the best in the business. The Cloud FastPath Architecture Cloud FastPath provides a simple, fast, and fully automated means of moving your files to and from cloud-based storage services. This advanced data migration solution eliminates the need to ship disks or set up manual FTP jobs, overcoming the frustration associated with moving large amounts of data to the cloud. Most importantly, Cloud FastPath has been built on a highly secure architecture that is designed to protect your critical data in a number of ways. The Cloud FastPath architecture is depicted in Figure 1. Figure 1: The Tervela Cloud FastPath Architecture

Security Begins at the Point of Presence The Tervela Cloud FastPath architecture achieves exceptional data security and performance through the use of software near the source and destination for each data transfer called Points of Presence, or POPs for short. Customers control the POPs via Tervela s easy-to-use web application, which can be found at www.cloudfastpath.com. Using Cloud FastPath, when data is transferred from a local file system or mapped network drive to a customer POP, it remains behind the firewall. Since it does not leave the customer premises, this data is sent in its native unencrypted form. When customer data needs to travel from one cloud-based file service to another, it flows only through the customer s POPs, as described in the following steps: 1. The data is first encrypted 2. It then moves from the source to a customer POP near that source 3. The encrypted data travels directly to a POP near the destination 4. It then moves from the POP to its end destination, and is unencrypted This data flow is key to ensuring that customer data remains safe. With the Cloud FastPath architecture, customer data never touches the cloudfastpath.com service. It is transmitted directly between customer POPs. Moreover, except for the few bytes flowing through the POP at a given moment, data is never stored in the POPs. Those few bytes are kept in a temporary buffer that is used for protocol transformation, and discarded at the completion of that operation. It is never cached, staged or persisted in any way. In fact, it never even touches a disk as it is being transferred. And all the data is kept encrypted at every possible stage as it moves from the source to the destination. Using the System: Why it's Secure Cloud FastPath offers an extremely secure system for data movement. This security spans every step of the process - from account setup through data transfer. Step 1: Getting Started with Cloud FastPath - Account Credential Security The first step in using Cloud FastPath is to sign up at www.cloudfastpath.com. Registration requires an email address and password. For security we do not retain this password we only retain enough information to check that the customer knows the password. If a password is lost, the customer will need to establish a new one. Customer IT personnel may be interested to know the Cloud FastPath application includes a programmable interface, or API. This facility allows customers to write scripts that use Cloud FastPath for customized data movement tasks such as regular backups or keeping two sites in sync. When using the API, ensure that the information

it requires to authenticate with the service is not exposed to untrusted parties. Two schemes are available for providing these credentials to the API: a securely permissioned configuration file and industry standard OAuth2. Step 2: Installing POPs - Understanding their Security Once you have an account you will typically install two POPs: one for your data's source and one for its destination. Ideally each POP is geographically close to the data storage system with which it is working. In the common case of moving data from your office computers or datacenter servers into the cloud, this means installing one POP on-premises and a second POP at, or close to, the cloud storage provider you are using. While you may choose to run your own POPs, Tervela provides the option to run the second POP op your behalf close to your preferred storage vendor. That is both convenient and ensures the highest consistent performance for your data transfers. The customer has many choices for how to run the on-premises POP, but the most common scenario is to download our Windows agent, which automatically installs the source POP for you. Once you have installed the POP, it is managed from the Cloud FastPath web application. POPs need access to the data they are going to be transporting. There are numerous kinds of storage systems. Popular on-premises examples include local Windows file systems, Windows network shares and mapped drives, and Unix's Network File System (NFS). In the cloud, each major vendor has its own storage system offering. Therefore, once you have installed a POP, you need to instruct it on which storage system it will be accessing. Step 3: Transferring Data: How Data in Motion is Kept Secure Once the customer has set up the POPs and informed them of the storage systems they will be accessing, the last step is to create and run a data transfer job. When this job runs, the Cloud FastPath web application orchestrates the entire transfer by instructing the source and destination POP how to contact each other. This enables the POPs to establish a high bandwidth connection in service of the transfer. To ensure that the transfer is secure, this connection is encrypted using industry standard Transport Layer Security (TLS), or more casually known as SSL. This is the encryption used for online commerce and banking that most of us know as HTTPS. Each POP authenticates with the other POP using TLS certificates issued by the Cloud FastPath in-house certificate authority. This enables Cloud FastPath to revoke the certificates, should a security issue arise. This can be done when the user deletes a POP, closes his account, or suspects that his POP may have been compromised. This design also ensures that access to an arbitrary POP, such as one belonging to another customer, is never allowed.

How Cloud FastPath Uses File System Properties The Tervela Cloud FastPath service queries a limited set of file system properties to orchestrate secure, cloud-based data migration. This information is used to facilitate file synchronization, to map user names and file permissions from the source to the destination and for reporting and accounting purposes. File system properties that may be retrieved by Cloud FastPath include basic file information such as file name, file size, creation date, last modification time, and the access control list for each file. To do this, Cloud FastPath queries the file system of the machine or service on which it is running. This information is encrypted and streamed to the Cloud FastPath secure servers, where it is used for reporting and analytics on transfer results, and to generate an account mapping spreadsheet. The operator then makes modifications to produce an accurate mapping of current user names to their corresponding account names at the destination. This spreadsheet is sent over an encrypted network connection both to and from the operator, and the resulting records are stored in a secure database within the Cloud FastPath service. NOTE: access control lists are only queried when using the account and permission mapping features of the Tervela Cloud FastPath service. The Security of Cloud FastPath Hosted Data Centers The Cloud FastPath service is hosted and managed in data centers that are compliant with SSAE 16 Type II reporting requirements, and use advanced measures for redundancy, availability, physical security and continuity. This means, among other things that: the data centers are highly available and offer n+1 or greater redundancy to ensure disaster recovery and business continuity the equipment is physically secure with on-site monitoring, guards and access controls and logging Tervela Operational Security To deliver the highest levels of security for our customers, Tervela goes beyond simply protecting the architecture of our data movement solutions, and has built security into the culture of our company. Building Security into our Policies and Procedures In addition to safe software and infrastructure, security depends on people, policies and practices. Our employees are trained on our policies and procedures which we maintain, review and update regularly. The following represent some of the many internal policies we enforce as part of our ongoing commitment to the highest levels of security.

Employee background checks Corporate facility access Password management Access privileges Software upgrade and patch management Incident response procedures Disaster recovery We also work to maintain the security of our corporate networks and files, with: Network and host intrusion detection systems Log reporting, analysis, archiving and retention Internal monitoring and reporting Vulnerability scanning Remote network access through VPNs with multi-factor authentication In addition, we engage third-party network security testing to find potential vulnerabilities. Our Incident Response Team handles any significant security or service events according to our defined policy. If, despite all other protections in place, your data is accessed without authorization, we will notify you. Responding to Security Events Cloud FastPath is designed to ensure that we can respond quickly when new security issues arise. For example, TLS is a very critical piece of software and so it is the focus of a lot of attention. As a consequence, the community that works on TLS regularly fixes flaws in its implementation. When these flaws are discovered a race unfolds to fix and deploy those fixes before bad actors take advantage of those flaws to compromise systems. One benefit of the architecture of Cloud FastPath is that it helps us win this race. Both the cloud application and the POPs can be quickly upgraded with new components that address flaws in the software. Managing Insider Risk Technology is only one part of the challenge of a good security design. People are also part of the challenge. How can we trust the people who work on Cloud FastPath? This risk is sometimes referred to as insider risk, i.e. the risk that a disgruntled member of the staff or a vendor may choose to do something inappropriate. Managing insider risk is again dramatically simplified by the design of Cloud FastPath since we have no direct access to the customer's data. Any access must be done indirectly via the POPs, which are are under the user s direct control. To further access the related storage systems requires access to the credentials for that storage system, which are inaccessible without access to both the POP and the web service.

Furthermore, we limit who in the organization has access to the running services. Their credentials for access to those services are protected by two-factor authentication. When necessary we can quickly and entirely revoke their access by revoking their credentials. That is key not only in the scenario where they lose our trust, but also in the unlikely event that they lose control over their credentials via theft or other compromise. Summary Cloud FastPath is not just designed to be fast and easy to use. It was designed from the ground up to provide the customer with a trusted way to move their data. The cornerstone of this design is that we never move customer data through our web application's servers. Access to the customer data is limited to the minimum number of points, i.e. one POP near the source and one near the destination. Then we build on that foundation by taking unique care of the credentials that enable access to the systems on which our customers data is stored. And we encrypt all data on a carefully authenticated channel, allowing the POPs to be disabled should the need arise. We maintain policies and procedures to ensure visibility, accountability, and control over our operating environment. And we take great care to ensure that the entire system is designed and operated so we can respond quickly to new security problems as they emerge, including issues that might occur with our own staff.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback