Citrix ShareFile for Enterprise: Security Whitepaper

Citrix ShareFile is an enterprise follow-me data solution that enables IT to deliver a robust enterprise file sharing and sync service that meets the mobility and collaboration needs of users and the data security requirements of the enterprise.

Securing data is critical to every enterprise and is a responsibility taken seriously by ShareFile. Savvy IT executives understand that with the plethora of free or low-cost data sharing applications available to end users, it has become critical to provide users with a more secure alternative that still empowers them to sync files across their devices and securely share files with co-workers.

This paper explores the details of how ShareFile is secure by design, and highlights the set of security controls available to ShareFile Enterprise customers.

ShareFile consists of 3 primary components: the SaaS Application Tier, StorageZones, and the client.

  1. SaaS Application Tier – sometimes referred to as the Control Plane, this is a Citrix-managed component that consists of web, database, and API servers.
  2. StorageZones – this is where customer data is stored. Customers have four options when deciding where to store their data. This paper will discuss the workflow and security processes of each option.
    1. Citrix-managed cloud storage on Amazon Web Services.
    2. Citrix-managed cloud storage on Microsoft Azure.
    3. Customer-managed cloud storage on Microsoft Azure.
    4. Customer-managed storage in corporate datacenters.
  3. Clients – ShareFile supports a broad device list, which includes but is not limited to Windows and Mac OSX, Android and iOS, Windows phone and Windows Metro.

SaaS Application Tier

The ShareFile SaaS Application Tier is hosted in Citrix’s datacenter. The components include (see figure 2.):

  • NetScaler® – used to load balance client requests to the ShareFile.com/eu web and API webservers.
  • ShareFile.com/eu webservers designed to deliver the Web UI.
  • API webservers used for client devices and tools using the HTTPS and REST API, including the Outlook plug-in, mobile and sync applications.
  • Database - SQL database instances that contain account data, file and folder metadata (including access rights), user account data, logs, etc. The database in the SaaS Application tier does not process or store any customer data files.

The NetScalers and web servers are installed in the DMZ with the SQL databases installed in the private network behind an additional firewall. The SQL database instances are securely replicated to a second datacenter for backup and disaster recovery purposes.

SaaS Application Tier Security

To protect customer data in transit, ShareFile supports SSL 3.0/TLS 1.0 with up to 256-bit AES encryption and no less than 128-bit encryption. Negotiation to TLS/AES-256 depends on whether the end user’s device or proxy supports TLS/AES-256.

Hashing is defined as producing hash values for accessing data or for security purposes. A hash value (or simply hash) is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.

In security systems, hashes are used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If the hashes are the same, it indicates that the message was transmitted intact.

Customer files are never processed, stored or transferred to the ShareFile SaaS application tier. Instead we store metadata, which means ‘data about data’, or data that describes other data. The metadata attributes that ShareFile stores in the SaaS application tier’s database servers are as follows:

User Info:

First Name
Last Name
User Login (Email Address)
Company Name (Optional)
Password Hash
Security Question
Security Answer
Access Control Lists (ACL)

File Info:

File Name
File Description
File Location
File Size
File Hash
File Creation Date
Email Notification
Access Control Lists (ACL)
IP Address from which file was uploaded

Other:

Account Subdomains on ShareFile.com/eu
Audit & Reporting

Citrix Managed StorageZones

Citrix ShareFile operates a hybrid cloud infrastructure, with separate application and storage tiers managed by separate entities. Citrix manages the SaaS application tier (no file content) while an enterprise class cloud services provider (either Amazon Web Services or Microsoft Azure, depending on customer contract) hosts the StorageZone servers, along with application servers running the FTP/FTPS, Antivirus, Indexing, and Thumbnail services.

The Citrix managed StorageZones architecture consists of the SaaS Application tier, StorageZone™ Controller server(s) and cloud storage (see Figure 3):

Securing File Upload/Download Requests

When a user uploads or downloads a file, ShareFile’s architecture prevents forged requests by using hash-based message authentication codes (HMACs).

  1. Client requests a file.
  2. A prepare message is sent by the ShareFile web application or API servers in the SaaS application tier to the StorageZone hosting the file. The location of the file is stored in the SaaS application tier database, accessed by the ShareFile web application and API servers.
  3. A hash-based message authentication code (HMAC), based on the Shared Key used to establish a trust relationship between the SaaS application tier and StorageZone, is sent as part of the prepare message and is validated by the StorageZone Controller.
  4. Once validated, the StorageZone confirms the validity and generates a unique one-time-use download token.
  5. The ShareFile web application or API server provides the download link containing the fully qualified domain name (FQDN) of the StorageZones controller to the client with the unique download token.
  6. To start the actual download, the client connects directly to the StorageZone.
  7. The download token (part of the download request from the client) is validated.
  8. If validation is successful, the file will be retrieved from storage, and the StorageZone will provide the file to the client.

Security

Client files are protected in transit between the web application and storage tier using SSL 3.0/TLS 1.0 with no less than 128-bit encryption, depending on end-user browser configuration.

All client files are encrypted using AES 256-bit symmetric key encryption, a FIPS approved encryption algorithm.

Customer files are stored redundantly within the cloud storage provider’s region and ShareFile backs up all files daily. We store and back up customer files according to the data retention and version settings your dedicated ShareFile admin configures via the ShareFile administrative web interface.

We employ dedicated antivirus servers that, based on customer preference, can scan all client files for malware. Any infected file is marked with a Red exclamation mark to warn end users of the risk associated with downloading an infected file.

The ShareFile infrastructure is segmented logically from other vendors using a concept Amazon Web Services refers to as Security Groups. Think of security groups as a firewall-like implementation that segregates ShareFile’s infrastructure from other vendors.

Amazon EC2 provides a firewall solution to enable security groups; this mandatory inbound firewall is configured in a default deny mode and we must explicitly open any ports to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR block).

Amazon Web Services runs in geographically dispersed datacenters that comply with key industry standards for security, reliability and confidentiality, such as ISO/IEC 27001:2005, SOC 1 and SOC 2.

Like Amazon Web Services, Windows Azure runs in geographically dispersed datacenters that comply with ISO/IEC 27001:2005, SOC 1 and SOC 2. Datacenters are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity.

In addition to datacenter, network, and personnel security practices, Windows Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators.

Customer Managed StorageZones with On-Prem Storage

Customer managed StorageZones allow IT administrators to choose where corporate data will be processed and stored. IT can store data in the organization’s data-center to help meet unique data sovereignty and compliance requirements, or an organization can choose to host ShareFile data natively in a Microsoft Azure account, helping IT build the most cost-effective and customized solution for their organization.

The on-premise customer-managed data can be easily integrated with an organization’s existing infrastructure as it is designed to support any Common Internet File System (CIFS)-based network share. In both options the SaaS application tier is a required component.

The customer managed on-premise architecture consists of the SaaS Application tier, StorageZone Controller server(s) and customer datacenter hosted backend storage (see Figure 5.).

Securing File Upload/Download Requests

The workflow is the same as Citrix managed StorageZones. The ShareFile architecture in customer managed StorageZones prevents forged upload and download requests by using hash-based message authentication codes (HMAC) as well.

  1. Client requests a file.
  2. A prepare message is sent by the ShareFile web application or API servers in the SaaS application tier to the StorageZone hosting the file. The location of the file is stored in the SaaS application tier database, accessed by the ShareFile web application and API servers.
  3. A hash-based message authentication code (HMAC), based on the Shared Key used to establish a trust relation between the SaaS application tier and StorageZone, is sent as part of the prepare message and is validated by the StorageZone Controller.
  4. Once validated, the StorageZone confirms the validity and generates a unique one-time-use download token.
  5. The ShareFile web application or API server provides the download link to the Client with the unique download token.
  6. To start the actual download, the Client connects to the StorageZone.
  7. The download token (part of the download request from the Client) is validated.
  8. If validation is successful, the file will be retrieved from storage.
  9. The StorageZones controller server will send the file to the Client.
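The prepare-message and one-time-token flow described in both workflows above (Citrix managed and customer managed), as an added Python example that is not ShareFile's own code. The JSON field names, the HMAC-SHA256 choice, the timestamp check and the 60-second windows are assumptions for illustration; the whitepaper does not specify the wire format.

```python
import hashlib
import hmac
import json
import secrets

# Assumptions (not from the whitepaper): JSON body, HMAC-SHA256, 60 s windows.
MAX_SKEW = 60   # seconds a prepare message stays acceptable
TOKEN_TTL = 60  # seconds a download token stays redeemable


def _canonical(body: dict) -> bytes:
    # Stable byte encoding so both tiers compute the MAC over identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_prepare(shared_key: bytes, file_id: str, user: str, now: float) -> dict:
    """SaaS application tier: build a prepare message, HMAC it with the zone key."""
    body = {"file_id": file_id, "user": user, "ts": int(now),
            "nonce": secrets.token_hex(8)}
    mac = hmac.new(shared_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class StorageZoneController:
    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._tokens = {}  # token -> (file_id, expiry time)

    def handle_prepare(self, msg: dict, now: float):
        """Steps 3-4: validate the HMAC, then mint a one-time-use token."""
        expected = hmac.new(self._key, _canonical(msg["body"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), str(msg["mac"]).encode()):
            return None  # forged or altered prepare message
        if abs(now - msg["body"]["ts"]) > MAX_SKEW:
            return None  # stale prepare message
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (msg["body"]["file_id"], now + TOKEN_TTL)
        return token

    def redeem(self, token: str, now: float):
        """Steps 7-8: pop() removes the token, so a second use fails."""
        entry = self._tokens.pop(token, None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```

Because the client never holds the shared key, it cannot mint its own prepare message; it only ever sees the opaque token, which is useless after the first redemption or after expiry.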

Security

Once the pre-requisites for installation are met, installing the StorageZones Controller server software is simple and consists of launching an .MSI file and clicking through until finished.

Pre-requisites:

  • Use a publicly-resolvable Internet hostname (not an IP address).
  • Install a commercially trusted SSL certificate in IIS.
  • Allow inbound TCP requests on port 443 through the Windows firewall.

The installation file installs the following server components:

  • A virtual directory and files into the IIS Default Web site. The physical location of the folder and files is c:\inetpub\wwwroot\Citrix\StorageCenter.
  • An IIS application pool named StorageCenterAppPool. The installer also points the IIS Default Web Site’s application pool to the newly created StorageCenterAppPool application pool.
  • 4 Windows services:
    • Citrix ShareFile Cloud Storage Uploader Service
    • Citrix ShareFile File Cleanup Service
    • Citrix ShareFile File Copy Service
    • Citrix ShareFile Management Service

After installing the StorageZones Controller server software, configuration is required. Instructions on configuring the StorageZones Controller software can be found here. The configuration utility accomplishes the following tasks (see Figure 7):

  • Creates a shared zone secret key in the customer’s ShareFile account and on the StorageZones Controller server, where it is stored encrypted in the registry.
  • Creates a storage encryption key (SCKeys.txt) and encrypts that key using 128 bit encryption when a passphrase is entered in the last step of the configuration. This encryption key is only used if the ‘Enable Encryption’ box is checked during configuration which instructs the StorageZone Controller server to encrypt the files stored in your shared ShareFile data repository.
  • Creates a proprietary folder structure and the SCKeys.txt file in the ShareFile ‘Storage Location’ network share location defined during the configuration.
  • Enables StorageZone Connectors if ‘Enable StorageZone Connector for Network File Shares’ and ‘Enable StorageZone Connector for SharePoint’ are checked. Enabling the Connectors creates the IIS apps “cifs” (Connector for Network File Shares) and “sp” (Connector for SharePoint).

If a NetScaler is not used in the architecture, customer files are protected in transit between the web application and the customer managed on-premise storage location using SSL 3.0/TLS1.0 with a minimum 128 bit encryption depending on end-user browser or proxy configuration.

If customers are using Windows Azure, files are protected in transit between the web application and the customer managed on-premise storage location and to the Windows Azure storage container using the same SSL protocols as above.

If a NetScaler is used in the architecture, the SSL connection will be terminated at the NetScaler in the DMZ and files will be sent to the storage location over either HTTP or HTTPS, depending on your configuration. If HTTP is used, files will traverse the internal network to the storage location unencrypted. If HTTPS is used, files will traverse the internal network to the storage location using SSL 3.0/TLS 1.0. The storage server will then decrypt the files and store them.

The StorageZones Controller software has the ability to encrypt the files located in the Storage Location defined during configuration. If data encryption is enabled, all zone files are encrypted with 128 bit encryption using the same key stored in SCKeys.txt. It is therefore critical that the SCKeys.txt file and passphrase be backed up to a secondary secure location. If the SCKeys.txt file is lost, all zone files become inaccessible. Because this directory resides in a customer managed datacenter it is a Citrix best practice to not have the StorageZones Controller software encrypt the data and leverage encryption options from your storage subsystem instead. If encrypted by the StorageZone Controller software, processes like anti-virus scanning and file indexing will not work.

If customers are using Windows Azure, the StorageZones Controller software has the ability to encrypt the files located in the temporary storage location defined during configuration. If the files are encrypted they will be transferred to the Windows Azure storage container encrypted. Decryption happens when a file is requested for download. The file gets copied from the Azure storage container to the temporary storage location in the customer datacenter where it is decrypted and sent from the StorageZones controller server to the client.

All communications from the StorageZones servers and Windows Azure storage containers happen over SSL.

Customer Managed StorageZones with Windows Azure Storage

The Microsoft Azure customer-managed solution (Figure 8) integrates ShareFile with Microsoft Azure’s Binary Large Object (Blob) storage, a cloud service for storing large amounts of unstructured data that can be accessed from anywhere in the world via HTTP or HTTPS.

The Azure Storage architecture is similar to the customer-managed on-premise StorageZones architecture with one minor difference. Azure storage is customer-managed storage hosted in the Azure cloud. File uploads are initially deposited into a temporary storage area shared by all StorageZone controllers. Then, a background service copies those files to the Windows Azure storage container and deletes the local cached copy of the file(s).
