White Paper Advanced, multi-layer security to provide the highest level of protection for today's enterprise inSync Enterprise-Class Security

Table of Contents

inSync Security Overview
  Data in Transit
  Data at Rest
  Secure Client Authentication
inSync On-Premise
  inSync On-Premise Secure Deployment
  inSync On-Premise Ports
  inSync On-Premise AD Integration
inSync Cloud
  inSync Cloud Security Objectives
  Ensuring Data Security During Bi-directional Transfer Between Client Machines and Servers
  Segregation of Customer Data
  2-Factor Encryption Key Management & Authentication
  inSync Cloud AD Integration
  File Retention and Version Control
  inSync Cloud Management Control Panel
  inSync Cloud Access by Druva Employees
  Data Center Security
  Additional Security Mechanisms to Protect Cloud Infrastructure and Data Assets
  Third-Party Security Certifications
Backup Security
  Client Triggered Architecture
  Data Backup Session Security
  Data Restore Session Security
Device Security
  Data Encryption
  Remote Wipe
  Geo-location Features
Security for Smartphones and Tablets
  Mobile Access
  Policy-based Access
  Secure Authentication
  Securing Data in Transit
  Private Container for Corporate Data Accessed on a Mobile Device
  Protecting Mobile Devices
  Data Encryption
File Share Security
  IT Control
  Control on employees who can share data
  Control on who can share and what can be shared
  Control on sharing data with external partners and collaborators
  Encryption
  Protecting Shared Data
Summary
About Druva

Overview

With Druva inSync, you can rest assured that your enterprise’s data is completely secure end to end. inSync comprehensively protects your corporate data by adhering to strict standards that keep your data private and safe from external threats.

With data protection as its number one priority, inSync is engineered to ensure data security at every step – data transmission, data storage, and data access.

The remainder of this document provides a more detailed review of the security guidelines and measures that Druva has put in place to protect customer data in multiple environment configurations, including the inSync core service, on-premise and public cloud deployments, mobile device support, and the inSync Share file-sharing service.

inSync Server

At the foundation of inSync is the core server that provides connectivity to endpoints for data storage and retrieval. Within the server, data is handled following these methods:

Data in Transit

inSync is designed from the ground up for endpoints with the understanding that endpoints often connect over WANs and VPN-less networks. inSync always encrypts data in transit with 256-bit TLS encryption, ensuring enterprise-grade security over these networks.

Data at Rest

In addition to strict authentication and access controls, inSync secures data on storage nodes with 256-bit AES encryption.

[Figure labels: LDAP/HTTPS; 256 TLS Encryption; 256 AES Encryption]

Secure Client Authentication

inSync clients can either be mass-deployed using Integrated Mass Deployment (IMD) tools or can be activated by end users individually.

For IMD, inSync uses a one-time activation token that is used to uniquely activate endpoints. Once activated, the client re-negotiates the authentication parameters. These authentication parameters are then stored in the inSync client for all subsequent connections with the inSync server.

Even when a user self-deploys inSync on his or her device with a user ID and password, the client and server use the authentication key mechanism in the background to authenticate and authorize client activities such as backups, setting changes, and restores.

Every time the authentication key is regenerated or the credentials are reset by an administrator, the existing authentication key is reset. This feature ensures that data never lands in the hands of a malicious user.

inSync On-Premise

inSync On-Premise is a deployment of inSync in an enterprise’s own data center. Available in multiple editions to address enterprises of varying sizes, inSync features a future-proof, scale-out architecture that enables linear scaling with the addition of customer-provisioned storage as needed.

inSync On-Premise Secure Deployment

inSync on-premise servers can be deployed behind the firewall without requiring VPN connections from end users, as depicted in Figure 1.

Figure 1. Deployment behind a firewall

[Diagram labels: Druva inSync Enterprise Server, Active Directory Server, Web Browsers, Corporate Firewall, Headquarter Premises. Endpoint labels: LAN 192.168.15.4:6061; Wireless 192.168.15.1:6061; 192.168.15.5:6061; 202.141.81.84:6061; 202.141.81.84:443.]

• Connection flow: 1. Client initiates connection. 2. Client authenticates with AD credentials.

• Local PCs, laptops, and mobile devices connect to the inSync Server using the Ethernet LAN IP (192.168.15.4) and the Wireless LAN IP (192.168.15.1).

• Druva inSync Server can tightly integrate with Active Directory Server for automatic user provisioning and authentication for all devices (including mobile).

• The firewall allows access to the on-premise inSync Server using a public IP address.

• IP address configuration of the inSync Server. The following should be the different IP addresses in the network configuration of Druva inSync Server: 192.168.15.4:6061; 192.168.15.4; 202.141.81.84:6061; 202.141.81.84:443 (web-based access only).

Figure 2. Deployment in the DMZ

[Diagram labels: Druva inSync Enterprise Server, Active Directory Server, Web Browsers, Gateway, Firewall (two), DMZ zone, Headquarter Premises. Endpoint labels: 192.168.15.4:6061; 192.168.15.1:6061; 192.168.15.5:6061; 202.141.81.84:6061; 202.141.81.84:443.]

• Connection flow: 1. Client initiates connection. 2. Client authenticates with AD credentials.

• Local PCs, laptops, and mobile devices connect to the inSync Server using IP (192.168.15.5).

• The Gateway allows direct access to the on-premise inSync Server using a public IP address in the DMZ zone.

• Druva inSync Server can tightly integrate with Active Directory Server for automatic user provisioning and authentication for all devices (including mobile).

• IP address configuration of the inSync Server. The following should be the different IP addresses in the network configuration of Druva inSync Server: 202.141.81.84:6061; 202.141.81.84:443 (web-based access only); 192.168.15.5:6061 (for internal access).

inSync on-premise servers may also be deployed in the DMZ as shown by Figure 2.

Figure 3. Deployment of inSync Private Cloud with Edge Server

[Diagram labels: inSync clients, Internet, Edge 1, Edge 2, Firewall, DMZ, Master server, Storage nodes 1 to 4, inSync network, storage nodes connecting via WAN.]

The inSync Server can be deployed behind the firewall along with the Edge Server, which is deployed in the DMZ. This ensures no ports need to be opened up for inbound traffic as shown in Figure 3.

inSync On-Premise Ports

inSync on-premise servers require the following ports to be opened to allow secure connections to the server from outside:

• Endpoint Backup: 6061

• Endpoint Restore: 443

• Administrator Web Console (HTTPS access): 443

inSync On-Premise AD Integration

inSync on-premise can be configured to integrate with on-premise Active Directory for:

• Integrated mass deployment of the inSync client

• Automatic user provisioning/deprovisioning

• User authentication

• User management

inSync Cloud

inSync Cloud is a fully-automated, enterprise-class endpoint protection solution offered as a software as a service (SaaS). Powered by Amazon’s state-of-the-art AWS technology, inSync Cloud offers elastic, on-demand storage that can grow to handle any number of users and data. The service can be instantly provisioned to a global user base with policies that lock user storage to specific regions.

inSync Cloud offers secure, lightning-fast data backups and restores. It operates within multiple storage regions across the world to address the needs of the global enterprise. The service provides high availability and enterprise-scale RPO and RTO. The service’s enterprise-class security is compliant with international standards such as SOC-1, SOC-2, and SOC-3.

Full administrative control to inSync Cloud is provided via a secure Web-based administrator control panel over HTTPS, which allows corporate policies to be defined for groups of protected users, including the ability to enable or disable users to change settings on their accounts.

On the client side, the inSync Cloud agent is a lightweight, non-intrusive client application that manages data backup along with other endpoint services such as DLP and file sharing on each protected device. With centralized policy settings and controls, IT can let end users manage preferences such as folder selection and scheduling, while also giving them access to their shared and backed-up data, including data from their other devices.

Figure 4. inSync Cloud Architecture

[Diagram labels: Headquarter Premises, Corporate Firewall, Active Directory Federation Server, Third Party IdP, Web Browsers, WAN, cloud.druva.com, Amazon Web Services, US Region, Europe Region, APAC Region, nodes n1, n2, n3.]

• Connection flow: 1. Client initiates connection. 2. SAML integration with inSync Cloud. 3. Client authentication using SAML. 4. Client handover to respective zone.

• Local PCs, laptops, and mobile devices connect to the inSync Server using the FQDN cloud.druva.com on port 80, 6061/6071 or 443.

• inSync Cloud can be integrated with Active Directory Federation Server (SAML 2.0) to authenticate all devices (including mobile).

• FQDN and ports used by inSync Cloud: inSync Cloud uses the FQDN cloud.druva.com, to which all devices connect and from which they are routed to their respective nodes. The ports used are as follows: 6061, 6071, and 443.

inSync Cloud Security Objectives

Druva strictly adheres to the following set of objectives to ensure the security of inSync Cloud:

• Ensuring data security during bi-directional transfer between client machines and servers

• Segregation of customer data

• Two-factor encryption key management and authentication

• Data center security

• Additional security mechanisms to protect Cloud infrastructure and data assets

• Third-party security verifications

Ensuring Data Security During Bi-directional Transfer Between Client Machines and Servers

See the Overview and Backup Security sections.

Segregation of Customer Data

inSync Cloud segregates each customer’s data from other customers’ data, thereby resulting in a virtual private cloud for each customer.

Virtual Private Cloud for each customer is realized by:

• Compartmentalization of customer configuration based on access credentials

• Compartmentalization of customer metadata within Dynamo DB

• Compartmentalization of customer data within S3 buckets

• Encrypting data of each customer using a unique 256-bit AES encryption key

2-Factor Encryption Key Management & Authentication

To uphold the highest security standards for enterprises, key management in inSync Cloud is modeled after a bank lockbox system, in which both parties hold part of the key. The encryption and authentication keys are mutually shared between the customer and the Cloud. Consequently, neither has full, unencrypted access to any data on the cloud independently.

Key Points to Note:

Both authentication and encryption depend upon two pieces of information:

• UPn password (held ONLY by the customer)

• UTn token (held ONLY by inSync)

• Both these pieces (UPn and UTn) are required to authenticate the user and get the final key AK, which is used to encrypt and decrypt user data.

• At no time is the actual key (AKn) saved by inSync; it exists only until a user or admin is authenticated and is then destroyed.

Figure 5. Two pieces of information required for access. Both the inSync and Customer components are required to decrypt user data. The actual key is never saved by inSync.

[Figure labels: UPn password held only by Customer; UTn token held only by inSync]

Steps followed by inSync Cloud to create an account and secure data in the cloud:

1. Primary admin (A1) opens a new account with inSync Cloud with a randomly generated password P1.

2. inSync Cloud creates a new virtual private instance with an AES 256-bit encryption key, AK1. This is a customer-specific encryption key.

3. inSync Cloud creates new storage based on AK1 and reminds the administrator to take steps to remember the password.

4. inSync Cloud then creates a new security token to be stored in the cloud. The new token is created as follows: New Token T1 = encrypted with P1 (AK1 + P1 + salt), where salt is a random string generated for this operation.

5. The token T1 is saved in inSync Cloud while the password (P1) is held only by the admin (and NOT saved in the cloud).

6. inSync Cloud strongly recommends that the admin create a secondary admin account (A2), which results in the creation of a new password (P2) and a token T2. This is needed for potential scenarios where an admin forgets his or her password and only a secondary admin can reset it. Because of Druva’s stringent password policy, Druva is unable to reset admin passwords for any customer.

7. When a new backup user account is created (U1), inSync saves a new token (UT1) based on the user’s password (UP1), which only the user knows. Likewise, for all other users, inSync Cloud creates a username (Un) and a customized token (UTn).

Authentication and encryption steps:

1. A user or admin authenticates with a password, e.g., UP1

2. The password is used to decrypt the associated token UT1 and determine if a meaningful combination of AK1, UP1 and salt can be achieved.

3. If inSync Cloud gets a meaningful combination, the user is authenticated and AK1 is used to encrypt/decrypt the user backup stream.

4. The key is finally discarded when the user exits.
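The token scheme from the two step lists above, as an added Python example (not Druva's code): every token wraps the same account key AK under a key derived from one password, and an HMAC tag plays the role of the "meaningful combination" check. PBKDF2 plus an XOR mask are stand-ins chosen so the example runs on the standard library where the page specifies AES-256; the names Account, make_token, open_token and the work factor are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KDF_ROUNDS = 100_000  # assumed work factor; the page does not state one


def _subkeys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password, then split the result into a wrap mask and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)
    mask = hmac.new(master, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return mask, mac_key


def make_token(account_key: bytes, password: str) -> dict:
    """Server-side token (T1 / UTn on the page): AK wrapped under one password."""
    if len(account_key) != 32:
        raise ValueError("account key must be 32 bytes (AES-256 key size)")
    salt = secrets.token_bytes(16)  # fresh per token, so a mask is never reused
    mask, mac_key = _subkeys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(account_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_token(token: dict, password: str) -> bytes | None:
    """Return AK when the password fits the token, otherwise None."""
    mask, mac_key = _subkeys(password, token["salt"])
    expected = hmac.new(mac_key, token["salt"] + token["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None  # wrong password or altered token: no "meaningful combination"
    return bytes(a ^ b for a, b in zip(token["wrapped"], mask))


class Account:
    """Holds only what the service stores: one token per admin or user."""

    def __init__(self) -> None:
        self.tokens: dict[str, dict] = {}

    def create(self, first_admin: str, password: str) -> None:
        account_key = secrets.token_bytes(32)  # AK1, generated once per customer
        self.tokens[first_admin] = make_token(account_key, password)
        # account_key goes out of scope here; it is never stored on the object

    def login(self, name: str, password: str) -> bytes | None:
        """Authenticate and hand back AK for this session only."""
        token = self.tokens.get(name)
        return open_token(token, password) if token else None

    def enroll(self, actor: str, actor_password: str, name: str, password: str) -> bool:
        """An authenticated principal creates or resets the token for `name`.

        Role checks (who may enroll whom) are left out of this example.
        """
        account_key = self.login(actor, actor_password)
        if account_key is None:
            return False
        self.tokens[name] = make_token(account_key, password)
        return True


if __name__ == "__main__":
    acct = Account()
    acct.create("A1", "constructed-admin-pass-1")  # constructed sample values
    acct.enroll("A1", "constructed-admin-pass-1", "U1", "constructed-user-pass-1")
    print("U1 correct password:", acct.login("U1", "constructed-user-pass-1") is not None)
    print("U1 wrong password:  ", acct.login("U1", "guess") is not None)
```

Because no token can be opened without a password, a forgotten password is recoverable only while some other principal (the secondary admin A2 in step 6) can still open a token and re-wrap AK.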

inSync Cloud AD Integration

inSync’s Cloud AD-connector extends all the benefits of deep AD integration to inSync Cloud, enabling integrated mass deployment of the inSync client, automatic user provisioning/deprovisioning, user authentication, and user management. Additionally, inSync Cloud supports SAML, an XML-based open standard for exchanging authentication and authorization data between security domains. SAML permits users to securely log into inSync using their credentials on external identity services such as Microsoft Active Directory.

• AD Federation Services (AD FS 2.0) can be set up to be the ID provider for inSync Cloud

• Mobile app access can be set up for AD authentication using SAML

• SAML can provide integration with other 3rd party ID providers, providing MFA services as well

File Retention and Version Control

inSync Cloud enables its customers to hold infinite restore points for protected data. Administrative control provides the ability to specify file retention at an individual backup policy level. If this option is chosen, an automatic process (Compaction) runs daily to remove any files outside of the retention rules.

Administrators with appropriate rights also have the ability to selectively remove restore points from individual accounts where required. End users of the system have no control over removal of stored files, thus keeping the ownership of protected data with the administrator.

inSync Cloud Management Control Panel

• Administrative access to each inSync Cloud instance is provided via an Admin Control Panel.

• Administrators access inSync Cloud using a web console over an HTTPS connection.

• inSync Cloud does not store the admin password but uses the authentication methodology defined in the section above.

• An administrator can create multiple other admins based on roles. There are two primary types of administrators:

- Server administrator: Has overall administrator rights across all areas of service

- Profile administrator: Has tiered rights on user profiles. Each profile admin can have one or more of the following rights: create users, restore data, and run reports.

• No Druva employee has Server or Profile Administration based access to the instance.

• Only server administrators can revoke access of another admin at any time by removing the appropriate admin account via the web-based admin control panel.

inSync Cloud Access by Druva Employees

Druva employees have no access to any of the customers’ inSync Cloud instances. Access to cloud infrastructure by Druva employees is limited to its cloud operations team that follows strict rules and regulations defined under the Druva security policies document. This access is granted for the purpose of security patching, service upgrades, and monitoring tasks.

Data Center Security

inSync Cloud is built on top of the Amazon Web Services (AWS) technology stack. Amazon has several years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secure and meet SOC-1, SOC-2, and SOC-3 certification requirements.

The AWS network provides significant protection against network security issues including (but not limited to):

• Distributed denial-of-service (DDoS) attacks

• Man-in-the-middle (MITM) attacks

• IP spoofing

• Port scanning

• Packet sniffing by other tenants

For details, please refer to Amazon Web Services - Overview of Security Processes.

Additional Security Mechanisms to Protect Cloud Infrastructure and Data Assets

Redundancy

AWS data centers are designed to anticipate and tolerate failure while maintaining service levels and are built in clusters in various global regions. inSync Cloud provides multi-zone replication of various elements of customer data including configuration, metadata and the actual data, thereby ensuring that customer data is available in multiple availability zones to handle failure of any zone.

Redundancy measures provided by Amazon include (but are not limited to):

• Fire detection and suppression

• Power

• Climate and temperature

• Management

For details, please refer to Amazon Web Services - Overview of Security Processes.

Third-Party Security Certifications

AWS has achieved compliance with the following 3rd party standards and/or frameworks. The list of certifications includes (but is not limited to):

• SOC 1 (SSAE 16/ISAE 3402) and SOC 2 and SOC 3

• PCI DSS Level 1

• ISO 27001

• FedRAMP

• DIACAP and FISMA

• ITAR

Regularly updated details about compliance certifications completed by Amazon can be found at: http://aws.amazon.com/compliance/

ISAE 3000 Type II

Druva has undergone its own certification processes, which include ISAE 3000 Type II certification by KPMG. The ISAE audit covers the following elements:

• Description of Druva’s system related to general operating environment supporting inSync Cloud Operations

• Design of controls related to the control objectives stated in the description

TRUSTe EU Safe Harbor

Druva has achieved TRUSTe EU Safe Harbor certification facilitating compliance with the European Union’s Data Protection Directive.

HIPAA

Druva has passed a review by KPMG validating the company’s security and privacy controls for handling HIPAA-compliant protected health information (PHI).

These certifications are available from Druva upon request.

Backup Security

Client Triggered Architecture

With Druva inSync, backup and restore requests are always initiated by the inSync client, which aids in security and scalability of the server. The servers never initiate any request, and both backup and restore use the same (default 443) port for all configuration, control and data requests.

All backup and restore activities are secured using 256-bit TLS encryption.

[Figure: certification logos for Amazon Web Services certifications and Druva certified cloud operations. Labels: ITAR; SOC 1, 2, 3; FISMA Moderate; HIPAA; PCI DSS; ISAE 3402; FIPS 140-2; ISO 27001; MPAA; ISAE 3000; HIPAA BAA; TRUSTe; EU Safe Harbor.]

Data Backup Session Security:

1. The agent contacts the inSync server via TCP/IP socket.

2. 256-bit TLS encryption is used for all communication by inSync.

3. Server authenticates users with the encryption key.

4. As required, the client sends the server blocks of data for backup over the secure TLS connection.

5. Blocks of data are stored encrypted on the server using 256-bit AES encryption.

Data Restore Session Security:

1. User launches client agent, selects files from the restore points required.

2. The agent contacts the inSync server via TCP/IP socket.

3. 256-bit TLS encryption is used for all communication of authentication details.

4. The client agent sends a list of files to the server to retrieve.

5. The server selects required blocks, and transmits the blocks to the client over the secure TLS connection.

6. inSync offers optional support for data restore over a Web browser. User authentication can be mandated prior to restore, which can utilize Active Directory authentication. This enables end users to select and restore files, which are then transferred via a secure 256-bit TLS connection.

Device Security

inSync includes a simple but highly effective solution that reduces the economic impact to an enterprise from a lost or stolen endpoint. Its device-level security features provide powerful, multi-layered protection of critical corporate data on endpoints.

Data Encryption

With inSync, critical files and folders on laptops and mobile devices can be selected for data encryption to ensure that they are protected with the highest encryption standards.

On-device data encryption features (requires Druva DLP to be enabled):

• Uses endpoint operating system’s built-in encryption tools (e.g., Windows’ Encrypting File System or EFS).

• Selective encryption of files or folders avoids need for a heavy, full-disk encryption. Any file on the endpoint, which has been selected for backup, is encrypted. This approach is superior to alternatives that require a heavyweight full disk encryption or placing all files on a single location, either of which is sub-optimal.

• Encryption and decryption are transparent, with no need for any additional user steps. Users logging into their endpoint device automatically have decrypted access to their files.

Remote Wipe

In order to prevent data breaches on lost or stolen devices, inSync provides remote wipe capabilities across both laptops and smart devices that can be executed either by an administrator or by an auto-delete policy.

Remote Wipe Features:

• Administrators can initiate a remote decommission operation on a lost or stolen device, so the device’s data is wiped the next time the device connects with inSync.

• An auto-delete policy can be configured to automatically wipe data if a device hasn’t connected for a specified number of days.

• Data deletion meets NSA Security Standards and protects lost or stolen devices from data breach.

Steps followed during remote wipe (for Windows):

1. inSync overwrites all files that were backed up. If a file cannot be overwritten (possible with encrypted files), then the file is deleted right away.

2. inSync then overwrites the entire free space of that partition by creating an SErase file and increasing the size of SErase until it gets a 'No free space' error. By doing so, it is able to clean up the free space of the drive, with data written by a secure algorithm.

3. Next, inSync deletes all backed up or sync/shared files.

4. Then, it creates 0-byte SMFT files until it exhausts MFT records and can't create any more of them. This overwrites the records in the MFT table so that no one can see the names of the files that were on the system.

5. inSync finally deletes the SErase file (the file used to fill up the free space).

Steps followed during remote wipe (for Mac):

1. inSync uses the srm tool to securely delete data.

2. srm ensures each file is overwritten, renamed, and truncated before it is unlinked. This prevents other people from undeleting or recovering any information about the file.

3. Additionally, the overwrite process is implemented with 7 US DoD compliant passes (0xF6, 0x00, 0xFF, random, 0x00, 0xFF, random).
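The seven-pass sequence and the overwrite, rename, truncate, unlink order described above, as an added Python example (not inSync's or srm's code). The function names and the after_pass hook are hypothetical, and the code handles one regular file at a time.

```python
from __future__ import annotations

import os
import secrets
import tempfile
from typing import Callable, Optional

# Pass pattern quoted on the page; None marks a random-data pass.
DOD_7_PASS = (0xF6, 0x00, 0xFF, None, 0x00, 0xFF, None)
CHUNK = 64 * 1024


def overwrite_passes(path: str,
                     after_pass: Optional[Callable[[int, str], None]] = None) -> int:
    """Overwrite the file in place once per pass; return the number of passes run.

    In-place overwrites only reach the old blocks on media and filesystems that
    rewrite in place; SSD wear levelling and copy-on-write filesystems may not.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for index, fill in enumerate(DOD_7_PASS):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if fill is None else bytes([fill]) * n
                fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next one
            if after_pass is not None:
                after_pass(index, path)  # hook for auditing or tests
    return len(DOD_7_PASS)


def secure_delete(path: str,
                  after_pass: Optional[Callable[[int, str], None]] = None) -> str:
    """Overwrite, rename, truncate, then unlink. Returns the throwaway name used."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError("refusing to wipe anything but a regular file")
    overwrite_passes(path, after_pass)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)  # the original name no longer appears in the directory
    with open(anonymous, "r+b") as fh:
        fh.truncate(0)          # the original length is no longer recorded
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(anonymous)
    return anonymous


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "constructed-sample.txt")  # constructed test file
    with open(sample, "wb") as out:
        out.write(b"constructed sample data\n" * 50)
    secure_delete(sample)
    print("left in directory:", os.listdir(workdir))
    os.rmdir(workdir)
```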

Geo-location Features:

inSync provides the ability to track the geographical location of devices with an accuracy of close to 20 meters at any point in time.

• An embedded software engine uses advanced hybrid positioning algorithms based on data from Wi-Fi access points, GPS satellites, and cell towers to keep track of all your endpoints.

• Geo-location provides details such as street, city, state, or country.

• A familiar Google Maps interface provides a quick view of the coordinates for every endpoint device available on the inSync management console.

Security for Smartphones and Tablets

inSync’s mobile application allows users to access backed up and shared data from any of their mobile devices. inSync provides administrators a variety of policy options to protect devices and data on both BYOD and corporate-owned devices.

Administrators can allow users to choose their backup & device protection policies; however, the corporate data (accessed using the inSync mobile app) on these mobile devices is always under administrator control.

Additionally, for advanced deployments, where organizations are currently utilizing an MDM/EMM solution (e.g. MobileIron) to manage device policies and data loss prevention, inSync can work alongside these services in a highly complementary manner.

All of inSync’s features - secure client authentication, client triggered architecture, data backup session, data restore session and data in transit security features are applicable to mobile devices as well.

Mobile Access

inSync ensures that access to corporate data (backed up, shared) is secure in order to prevent data leaks from mobile devices. The inSync mobile app is enabled with the following security features:

1. Policy-based Access

Access to inSync data on mobile devices is enabled at a profile level that is assigned to a user. By making it a profile setting, inSync gives the option to allow only select employees mobile access to corporate data based on their roles, privileges, and security levels or even based on the projects they work on.

2. Secure Authentication

To access their data, employees need to log in to the inSync mobile app using their Email ID and Password. The inSync mobile app is equipped to authenticate using inSync’s base credentials, Active Directory password or even with an organization’s single sign-on solution using SAML 2.0.

In addition, administrators can configure policies to enforce a user-defined PIN to access the inSync mobile app. This will ensure that corporate data in the inSync mobile app is secure even if an employee hasn’t configured a PIN for the mobile device.

3. Securing Data in Transit

Communication between the server and the mobile device is encrypted using 256-bit TLS encryption. This ensures that data at all levels is secure until it is received by the device and presented to the authenticated employee using the inSync mobile app.

4. Private Container for Corporate Data Accessed on a Mobile Device

inSync recognizes that IT administrators need to have control over corporate data stored on all endpoints - company-owned devices or employee-owned (BYOD) devices. To help administrators achieve this, inSync employs a private container that allows administrators to wipe critical data in a compartmentalized manner.


inSync ensures that data on stolen or lost mobile devices can be protected. Administrators can remotely wipe a device and the data is wiped whenever the device is turned on even if a new data/SIM card is used on the stolen mobile device.

In addition, admins can enforce policies to disable downloads of files accessed via inSync on personal devices as well as prevent the opening of files in third-party apps.

Protecting Mobile Devices

IT administrators can configure inSync to enforce backup and device protection on mobile devices. Employees cannot access their data using the inSync mobile app until these settings are accepted and configured successfully. Administrators can configure inSync to back up Contacts, Photos, and Videos on these mobile devices and even SD-card content on Android devices. These settings are configured on the mobile devices using encrypted certificates generated by the enterprise.

The inSync mobile app periodically backs up the selected data based on the configured settings and also updates the latest location of the device from where it was backed up. With this configuration, inSync gives administrators the option to deactivate the entire device (as opposed to wiping just the inSync Container). Deactivating the entire device will lead to all the data on the device being lost, leaving it equivalent to a new device purchased from the store. All the backed up data, however, continues to reside on the server.

Data Encryption

inSync ensures that no data is stored in an unencrypted form on mobile devices. inSync leverages iOS' Full Disk AES 256-bit hardware encryption on devices with passcode enabled. On Android, inSync uses 128-bit AES-CBC and ESSIV:SHA256, with an option to strengthen the encryption with a PIN, which administrators can mandate.
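In the AES-CBC with ESSIV:SHA256 scheme named above, each sector's IV is the sector number encrypted under a hash of the volume key, so the same plaintext stored in two sectors does not produce the same ciphertext and the IVs cannot be predicted without the key. The following is an added example of the general ESSIV construction, not inSync or Android code; the 512-byte sector size, the sample key and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // assumed sector size for this example

func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// essivIV encrypts the little-endian sector number under SHA-256(volumeKey).
func essivIV(volumeKey []byte, sector uint64) []byte {
	salt := sha256.Sum256(volumeKey) // 32 bytes, so the IV cipher is AES-256
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector) // remaining 8 bytes stay zero
	mustAES(salt[:]).Encrypt(iv, iv)
	return iv
}

// cryptSector runs AES-128-CBC over one full sector with that sector's IV.
func cryptSector(volumeKey, in []byte, sector uint64, decrypt bool) []byte {
	if len(volumeKey) != 16 || len(in) != sectorSize {
		panic(fmt.Sprintf("need a 16-byte key and a %d-byte sector", sectorSize))
	}
	blk, iv, out := mustAES(volumeKey), essivIV(volumeKey, sector), make([]byte, sectorSize)
	if decrypt {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

func main() {
	key := []byte("constructed-key!") // constructed 16-byte sample key
	zero := make([]byte, sectorSize)  // same plaintext written to two sectors
	c0, c1 := cryptSector(key, zero, 0, false), cryptSector(key, zero, 1, false)
	fmt.Printf("sector 0: %x\nsector 1: %x\n", c0[:16], c1[:16])
	fmt.Println("round trip ok:", string(cryptSector(key, c0, 0, true)) == string(zero))
}
```

Decrypting a sector with the wrong sector number corrupts its first block, which is why ciphertext copied to a different sector offset does not decrypt cleanly.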


File Sharing Security

inSync’s security capabilities encompass data synced/shared using inSync Share. inSync Share offers administrators the ability to configure policies for sharing data within the enterprise or with external users. In addition, all shared data is encrypted on the wire, on the server, and also on the endpoints with the DLP option.

IT Control

inSync provides IT with three-tiered control over shared data within the enterprise. It also offers administrators visibility into data sharing activities and access at all levels to monitor and check for any insecure sharing practices.


1. Control on employees who can share data

IT can control which employees can share data using inSync. Administrators can enable this setting at a group/user profile level based on an employee’s functional role, or projects that the employee works on.

Administrators have complete visibility over an employee’s shared data. Administrators can view sharing activities including what data has been shared and when, in the context of a single employee as well as globally (all employees).

inSync also offers requisite privacy settings for companies with policies disallowing administrator access to employee data. Employees can configure privacy settings if they don’t want IT to view their confidential data.

2. Control on who can share and what can be shared

IT administrators can control whether a user can share data with all other employees or only with selected groups of employees within the enterprise. This setting is part of the user profile and is configured by specifying the user profiles that data can be shared with. This setting allows administrators to configure inSync for employees working in groups that have data sharing restrictions.

3. IT control on sharing data with external partners and collaborators

IT administrators can control whether a user can share data using links and whether a user can collaborate with external parties via guest accounts. Shared links allow external partners to view or download the shared files depending on the link configuration. Guest accounts further allow external users to edit and upload files to a shared folder.

Administrators can determine how long shared links remain valid by setting automatic expiry policies. Administrators and employees can also manually delete links to any documents shared with external partners with immediate effect. Links can be password protected and configured as view-only.

Administrators have complete visibility on the usage of links shared with external partners and can see the number of link views and downloads. Administrators further have visibility into all activity related to guest accounts.

Figure: 1. User level sharing; 2. File level sharing; 3. External party sharing.


Encryption

Administrators can choose to encrypt data added to the inSync Share folder as part of their organization’s DLP policies. Data is encrypted using the native encryption algorithms of the endpoint’s operating system, giving much better performance than application-level encryption algorithms. For example, inSync leverages Windows’ Encrypted File System services to encrypt and decrypt data on the fly.

Protecting Shared Data

inSync’s remote wipe & auto delete DLP policies also encompass shared data. Data in the inSync Share folder can be remotely wiped by administrators by decommissioning the device. The inSync Share folder on all devices of the employee can be automatically deleted by setting an auto-delete policy in the inSync user profile.

Summary

Data protection is Druva’s number one priority, and inSync guarantees security at every step. By adhering to strict standards, inSync keeps your corporate data private, protected, and safe from threats.

About Druva

Druva provides integrated data protection and governance solutions for enterprise laptops, PCs, smartphones and tablets. Its flagship product, inSync, empowers an enterprise's mobile workforce and IT teams with backup, IT-managed file sharing, data loss prevention and rich analytics. Deployed in public or private cloud scenarios or on-premise, inSync is the only solution built with both IT needs and end user experiences in mind. With offices in the U.S., India and U.K., Druva is privately held and is backed by Nexus Venture Partners, Sequoia Capital and Tenaya Capital. For more information, visit www.Druva.com.

Druva, Inc.

Americas: +1 888-248-4976

Europe: +44.(0)20.3150.1722

APJ: [email protected]

Q216-CON-10520