Vaultize Cloud Architecture - Enterprise File Sync and Share (EFSS)
DESCRIPTION
Enterprises are facing enormous security, data-loss and compliance risks with the increased mobility of the workforce and the proliferation of consumer file-sharing services and mobile devices in the enterprise network. Vaultize is an enterprise-grade platform for secure file sharing, anywhere access, mobile collaboration, endpoint backup and mobility - together with mobile content management (MCM), endpoint encryption, remote wiping and Google Apps backup - that helps enterprises mitigate these risks with complete enterprise control and visibility over the use of unstructured data. It is the only solution that does military-grade (AES 256-bit) encryption together with de-duplication at source (patent pending), making it the most secure and efficient solution in the world. Vaultize comes with the highest level of enterprise-grade security, scalability, performance, robustness and reliability. Vaultize is the first EFSS vendor to fully integrate EMM into a single offering, giving enterprises complete control and visibility over sensitive corporate data irrespective of the device used for accessing and sharing, and facilitating increased adoption of Bring-Your-Own-Device (BYOD) even in highly regulated and security-conscious verticals. Vaultize now includes Mobile Device Management (MDM) features such as remote wipe, data containerization, storage and network encryption, PIN protection and white-listing of apps to mitigate the security and protection concerns that come with BYOD. Vaultize goes beyond MDM with features like automatic wiping based on geo-location, IP address or time-out. It further facilitates Mobile Content Management (MCM) through access rights and allows corporate IT to prevent data loss, security and compliance breaches by controlling what users can do with corporate data on their mobile devices using the natively built-in document editor.
TRANSCRIPT
Vaultize Cloud Technical Details
Vaultize – Quick View
Enterprise Platform for Secure File Sharing (EFSS) and Anywhere Access with:
• Mobile Content Management (MCM)
• Data Protection
• Data Loss Prevention (DLP)
• Mobile Device Management (MDM) features
‘Innovation Leadership in Enterprise File Sync and Share (EFSS)’ – 2013
‘Innovation Leadership in Enterprise Mobility Security’ - 2014
Vaultize, What it is…
Enterprise Platform for Enabling Secure Sharing, Anywhere Access and Mobile Collaboration
with End-to-End Data Security
and Flexible Deployment Options
Enables a variety of solutions: File Sharing & Sync, Managed Data Mobility, BYOD, Secure Anywhere Access, Data Loss Protection, …
VPN not required
Choice of Appliance, On-premise, Private Cloud or Public Cloud – All highly scalable and available
How Vaultize Differentiates: Why Vaultize? Part I
Large enterprises, including those in regulated and security-conscious verticals across the globe, trust Vaultize
Unmatched End-to-end Security
• Encryption and de-duplication together at source (on user devices) for in-transit data - patent-pending technology
• The most secure and efficient solution - VPN-free
• Others perform either encryption or de-duplication on the user device (and not both), compromising either security or efficiency
Privacy and Compliance
• Corporate IT can own and manage keys - Data Privacy Option (DPO)
  o Regulatory compliance (data residency or data sovereignty)
  o Data in transit and while stored in the cloud/server is risk-free (complete privacy)
  o No risk of the vendor giving out your data to authorities without your consent (subpoena)
How Vaultize Differentiates: Why Vaultize? Part II
Enterprise Platform
• Architected from the ground up as an enterprise platform
• Complete end-to-end regulator-level enhanced security and privacy
• Competitors are built as point products
Complete Administrative Control and Visibility
• Devices can be fenced off, features disabled, or contents securely wiped out if the users go beyond a pre-defined geography or IP range
• MCM controls - copy/paste, printing and emailing
How Vaultize Differentiates: Why Vaultize? Part III
Efficiency - Optimized for Mobility
• VPN-free
  o Builds a secure channel using patent-pending at-source encryption technology, SSL and OAuth-based authorization
• Global content-aware de-duplication
  o As high as 90% reduction in network bandwidth
Flexible Deployment Options
• Cloud-in-a-Box - Appliance
• Private Cloud - Software Only
  o Perpetual License
  o Annual Subscription
• Public Cloud - SaaS
Vaultize Architectural Components
• This presentation covers Vaultize Public Cloud hosted on Amazon Web Services
• Private cloud deployments follow a similar architecture
• Vaultize Cloud
  o Load Balancers
  o API (REST) Servers
  o Meta-data (Database) Servers
  o Content Store (Amazon S3)
  o WebUI Servers
• Client Components
  o Vaultize Agent (Windows, Mac, Linux)
  o Vaultize Apps (iOS, Android)
• Centralized Web-based Administration
  o Web GUI
Architectural Components
Copyright © 2011-14 Vaultize Technologies. All Rights Reserved.
(Architecture diagram; only its labels survive in this transcript.) Components shown: Vaultize Clients, API Load Balancers, WebUI Load Balancers, API Servers, WebUI Servers, Meta-data Servers, Content Store. Annotations on the client-to-cloud path: SSL + OAuth, HTTPS encryption, de-duplication, compression, versioning.
Vaultize Load Balancers
• Ensure high availability and responsiveness of servers
• Route traffic to API and WebUI servers (separate LBs)
• Weighted least-connections algorithm
• Health check of servers
  o HTTPS monitoring
  o Application-level monitoring
Vaultize API Servers (1)
• Vaultize API servers expose a JSON-based RESTful API
  o Stateless servers - load balancing is easy
• Clients make secure API calls to the server
  o Using HTTPS - 256-bit SSL
• Each API call has to be authorized using OAuth
  o Unauthorized calls are rejected, but recorded
  o Repeated unauthorized calls result in investigation and/or ban
• Server platform
  o Typically virtual-machine based
  o Multiple NICs
  o Stateless, so storage can be normal disks
  o Firewalled to allow only API traffic
  o Customized and hardened CentOS 6.x
  o Continuously auto-monitored (see next slide)
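As an added illustration of the "rejected but recorded" rule above (example code written for this page, not Vaultize's), this per-client sliding-window check flags a caller whose OAuth-rejected (HTTP 401) API calls cross a threshold within one minute, which is the kind of signal that feeds an investigation or ban decision. The log lines, API paths, addresses and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx-style access log lines (not real Vaultize logs): a 401 marks an
# API call the server rejected for failing OAuth authorization but still recorded.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:00:01 +0000] "GET /api/v1/files HTTP/1.1" 401 51
203.0.113.7 - - [12/Mar/2014:10:00:03 +0000] "GET /api/v1/files HTTP/1.1" 401 51
198.51.100.2 - - [12/Mar/2014:10:00:04 +0000] "GET /api/v1/files HTTP/1.1" 200 8192
203.0.113.7 - - [12/Mar/2014:10:00:05 +0000] "POST /api/v1/share HTTP/1.1" 401 51
203.0.113.7 - - [12/Mar/2014:10:00:09 +0000] "GET /api/v1/devices HTTP/1.1" 401 51
198.51.100.2 - - [12/Mar/2014:10:00:10 +0000] "GET /api/v1/files HTTP/1.1" 401 51
203.0.113.7 - - [12/Mar/2014:10:02:30 +0000] "GET /api/v1/files HTTP/1.1" 401 51
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \d+')

def flag_repeat_unauthorized(log_text, threshold=4, window=timedelta(seconds=60)):
    # Per-client sliding window: report a client the first time it accumulates
    # `threshold` rejected (401) calls within `window`; returns (client, time, count).
    recent, seen, flagged = defaultdict(deque), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "401":
            continue                          # successful or unparseable lines are ignored
        client = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:             # expire rejections older than the window
            q.popleft()
        if len(q) >= threshold and client not in seen:
            seen.add(client)
            flagged.append((client, ts.isoformat(), len(q)))
    return flagged
```

The single late rejection at 10:02:30 falls outside the window of the earlier four, so the detector does not re-fire for a client that merely trips once in a while.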
Vaultize API Servers (2)
• Web server is nginx
  o Lightweight, high-performance and robust
• Application server is in the web.py framework
  o Interaction with nginx using WSGI
  o Some modules are in pure C for performance reasons
• Monitoring & Statistics
  o Internal - using monit, cron scripts etc.
  o External - using health monitor in Load Balancers and other servers
  o Third-party - using partner services
  o Also used for automatic load handling (see below)
• Dynamic load handling and provisioning
  o Additional servers provisioned when load increases
  o Bad servers restarted
  o Amazon CloudWatch in AWS
Vaultize Database Servers
• Vaultize meta-data is stored in MongoDB
  o Scalable and high-performance "document" database
  o Built-in replication and high availability
  o Auto-sharding for load balancing
• Cluster of database servers
  o Servers added as the database grows
  o Each server in a 3-way replica set
  o Periodically backed up
Vaultize Content Store
• Data chunks are stored in Amazon S3 in the public cloud
  o Additional encryption using Vaultize secret keys before storing
• High-performance online storage (increase on demand)
• Redundant (minimum 3-way) storage
  o At least 3 different devices across multiple zones
• Support for Azure Blob Storage, Rackspace CloudFiles and file systems too
Vaultize Cloud Web UI
• Web-based UI servers
  o Powerful administration interface
  o Simple end-user UI for accessing and sharing their data
• System and hardware configuration similar to API servers
• Pages are standards-compliant
  o Generated using the Mako templating engine
  o HTML, CSS and JavaScript (jQuery)
  o Tested/debugged using Firebug, Google Page Speed, etc.
• Some pages use AJAX
  o E.g. Files Browser, validations
  o Data exchanges in JSON (and not XML)
Vaultize Client Components
• Vaultize Agent
  o Talks to API Servers over HTTPS and OAuth
  o Maintains access rights and restrictions
  o Keeps the device in sync for configuration, policies etc.
• Performs encryption, smart de-duplication, versioning and compression
  o 256-bit AES encryption at source (on the client device itself) using unique customer keys
  o Chunking is variable-sized using a sliding-window technique
  o Signatures are HMAC (SHA-256) keyed using unique customer tokens
  o Compression using zlib
• Predictive Caching (for instant restore of important data)
• Monitors changes to data under sync, collaboration, sharing
  o Book-keeping done using SQLite
• Platform Independent
  o Written in Python and pure C
  o Windows, Mac and Linux
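An added example of the at-source pipeline the agent slide describes (written for this page, not Vaultize's own code): variable-sized sliding-window chunking, per-customer HMAC-SHA256 chunk signatures used as the de-duplication key, and zlib compression of only those chunks the store has not seen, so a small edit near the start of a file re-sends only its neighbourhood. The chunk-size bounds, rolling hash and customer token are constructed assumptions, and the AES-256 step is marked but omitted so the block runs on the standard library alone.

```python
import hashlib, hmac, random, zlib

# Constructed chunking parameters (illustrative, not Vaultize's actual values)
WINDOW, BASE, MOD = 16, 257, 1 << 32
MIN_CHUNK, MAX_CHUNK, MASK = 256, 4096, 0x1FF   # MASK -> ~512-byte average chunks

def chunk_boundaries(data):
    # Sliding-window chunking: a rolling hash over the last WINDOW bytes marks a
    # boundary when its low bits are zero, so an edit re-chunks only its own
    # neighbourhood and later chunks keep their signatures (and stay de-duplicated).
    chunks, start, h, pow_w = [], 0, 0, pow(BASE, WINDOW, MOD)
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= WINDOW:                      # drop the byte leaving the window
            h = (h - data[i - WINDOW] * pow_w) % MOD
        size = i + 1 - start
        if (size >= MIN_CHUNK and (h & MASK) == 0) or size >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    return chunks + ([data[start:]] if start < len(data) else [])

def chunk_signature(chunk, customer_token):
    # HMAC-SHA256 keyed per customer: identical plaintext under another token has a
    # different signature, so the de-dup index cannot confirm another tenant's files.
    return hmac.new(customer_token, chunk, hashlib.sha256).hexdigest()

def upload(store, token, data):
    # Client side: chunk -> sign -> send only unseen chunks, compressed (then encrypted).
    # `store` maps signature -> stored blob; returns (chunk refs, bytes actually sent).
    refs, sent = [], 0
    for chunk in chunk_boundaries(data):
        sig = chunk_signature(chunk, token)
        if sig not in store:
            store[sig] = zlib.compress(chunk)   # AES-256 with the customer key would follow
            sent += len(store[sig])
        refs.append(sig)
    return refs, sent

def restore(store, refs):
    return b"".join(zlib.decompress(store[s]) for s in refs)

def demo():
    rng = random.Random(7)
    v1 = bytes(rng.getrandbits(8) for _ in range(20000))   # constructed 20 KB file
    v2 = v1[:5000] + b"EDITED" + v1[5000:]                  # small insertion near the front
    store, token = {}, b"constructed-customer-token"
    upload(store, token, v1)
    refs, sent_v2 = upload(store, token, v2)
    return {"v2_size": len(v2), "v2_new_bytes": sent_v2,
            "restore_ok": restore(store, refs) == v2}
```

Because the signature is keyed with the customer token rather than a plain hash of the chunk, de-duplication stays within one customer's data and the signature itself reveals nothing about content to anyone without that token.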
Vaultize Compatibility
Works on laptops, desktops and servers
Supported on Windows (XP SP2 onwards), Mac and Linux
iOS and Android Apps
Vaultize Solution Details
Vaultize Solutions: Secure Enterprise File Sharing & Sync (EFSS)
Sharing using secure links
• Easy sharing with outside party
• No FTP sites or email attachments
• Passwords, auto expiry, notifications
• Online document viewer - control download/printing etc.
• Geo, IP and time based access control
Outlook Plug-in
• Replace attachments with secure link
• Policy-based - size of attachments, recipients, sender, etc.
• Monitoring, Revoking
Group sharing - with individual access rights
Sync data anywhere, selectively
Automatic versioning
Vaultize Solutions: VPN-free Secure Anywhere Access (File Server Access)
• Securely access File Servers and NAS from anywhere
• Access with CIFS semantics
• Pass-through Mode – secure relaying of files
• Access control on server
  o Geo, IP, time based
• No VPN required!
• Support for SharePoint and other repositories coming soon
Vaultize Solutions: Mobile Content Management (MCM)
Challenges with Mobile Device Management (MDM)
• Complex
• Costly
• Heavy handed - controls the device (privacy intrusion)
Vaultize Secures Corporate Contents through Mobile Content Management (MCM)
• Control copy-paste, print, email, sharing with other apps, etc.
• Built-in document editor - MS Office and PDF annotation
Mobile Data Containerization
• Corporate data in a secure container
• Segregate corporate data from personal data
• Encryption and remote wiping of the container
• Auto-wiping based on Geo, IP, time-expiry
Vaultize Solutions: Data Protection (Endpoint Backup)
Protection policies to automatically back up files and folders
• Group-based policies
• Powerful Exclude and Include filters
Efficient backup of endpoints over WAN without VPN
• Smart De-duplication saves up to 90% bandwidth
Continuous or Scheduled backup with pause and resume
Web and Mobile access
Self-restore
• A version, a folder or a point-in-time copy
• Move all data from an old device to a new device
Support for open files (including Outlook PST)
• Optimized backup of large-size PST
Vaultize Solutions: Google Apps
Backup Google Apps Accounts - Emails and Documents
• Secure Google Apps data (emails/documents) from malicious destruction, hacking, user/software errors
• Automatic Backup
• Backup once a day (default) or as scheduled
• Retention Policy
• Super saving (de-dup across endpoints + Google Apps)
Easy Download
• Download/restore a mail, document or a complete account
Migration
• Migrate accounts within a domain or across domains
Vaultize Solutions: Data Loss Prevention (DLP)
Endpoint Encryption
• Policy-based on files and folders on user devices
• Transparent to users
• Selective - more efficient than full disk encryption which is
• Leverages the time-proven technology of Windows Encrypting File System (EFS)
Tracking
• Geo tracking - IP addresses and geo-locations
Wiping
• Secure remote wiping of data in case of device loss or a user leaving the organization
• Policy-based automatic wiping if the device leaves a pre-defined geography or IP range (Geo fencing)
• Military-grade techniques
• Selective wiping of files and folders based on patterns and types
Selective encryption and wiping make it very easy to do BYOD through data containerization
Vaultize Solutions: Data Privacy Option (DPO)
Compliance with Data Privacy, Data Residency and Data Protection Regulations
No Need for Any Special Hardware On-Premise (like Gateway Appliances)
Enterprise Customer Retains Full Control Over Encryption Keys
• Keys are never stored on any infrastructure not under enterprise control
• Data is secured while in motion and at rest in the cloud
• Ability to access data remains solely with the customer
Vaultize is the only solution that provides this option
• Other solutions encrypt data at the server
Enterprise-class Administration
Administrative Controls
• Manage company-wide policies, settings and data
• User provisioning - Active Directory, LDAP or Google Apps based
• Push policies from a centralized place
• Authentication and SSO using AD and LDAP
• Privacy
Quick and Easy Deployment Across the Organization
• Active Directory GPO based push installation
• AD and LDAP authentication support
Reporting and Dashboard
Monitoring, Audit Trail and Alerts
Flexible Deployment Options
Cloud-in-a-box Appliance
• Fully integrated hardware + software - "plug and play"
• Support for HA and DR
• Licensed by number of users and storage capacity
On premise / Private Cloud
• Vaultize software on the customer's hardware or private cloud
• Single or Multi-server
• HA, DR and large-scale cloud
• Flexibility to choose storage (DAS, SAN, NAS, Cloud Storage)
• Option of Perpetual license or Annual subscription
• Licensing based on number of users
Vaultize as a Hosted Service / Public Cloud
• Fully hosted - No hardware or software to manage
• Highly available, highly scalable and disaster proof
• Subscription based on users and storage capacity
How Vaultize Works in a Corporate Network
(Network diagram; only its labels survive in this transcript.)
Deployment modes: Agent-based, Agent-less
• File Sharing & Sync
• Group sharing
• Sharing using links
• Auto Expiry
• Passwords
• Mobility & Mobile Content Mgmt
• Anywhere Access
• File Servers & NAS
• Access Control
• Geo, IP & time
• File/folder patterns
• BYOD
• Data Loss Protection
• Backup, Encryption
• Remote Wiping
• Centralized Admin Console
• Reporting
• Monitoring
• Alerts
Diagram elements: Mobiles, Roaming Devices, NAS, Intranet or Internet, Firewall + VPN. Data-path annotations: Versioning, Encryption, Dedupe, MCM. End-to-End Security (VPN not required): Encryption At Source, Decryption At Destination.