16
Xerox App Gallery 3.0 Information Assurance Disclosure Version 1.0 April 2016 702P04368

Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

  • Upload
    others

  • View
    5

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0

Information Assurance Disclosure

Version 1.0

April 2016 702P04368

Page 2: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Page 2 of 16

April 2016

©2016 Xerox® Corporation. All rights reserved. Xerox®, Xerox, Design®, and ConnectKey® are trademarks of Xerox Corporation in the United States and/or other countries. Microsoft®, SQL Server®, Microsoft® .NET, Windows®, Windows Server®, SharePoint®, and Windows 7® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Xerox® PDF Reader Powered by Foxit Software Company (http://www.foxitsoftware.com)

This product includes software developed by Aspose (http://www.aspose.com)

BR18116

Page 3: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 3 of 16

April 2016

Contents Introduction ................................................................................................................................. 4

Purpose ........................................................................................................................................................................ 4

Target Audience ..................................................................................................................................................... 4

Disclaimer ................................................................................................................................................................... 4

System Workflows .................................................................................................................. 5

Gallery Account Creation and Activation Workflow .......................................................................... 5

Browse the App Gallery Workflow ............................................................................................................... 6

Install of App from App Gallery Workflow ............................................................................................... 7

License Workflow ................................................................................................................................................... 8

Security Description ........................................................................................................... 10

Xerox App Gallery Network Protocols and Port Numbers Diagram ..................................... 11

Individual System Components .................................................................................................................. 11

Xerox App Gallery – Rackspace Catalog Servers, Design Servers, Load

Balancers ............................................................................................................................................................... 11

Xerox eCommerce Server ........................................................................................................................... 12

Xerox Corporate Licensing system ....................................................................................................... 12

Xerox App Gallery User Web Pages .................................................................................................... 13

Devices .................................................................................................................................................................... 13

Xerox Backup Server ..................................................................................................................................... 13

MySQL Database Server ............................................................................................................................. 13

Cloud File Storage ........................................................................................................................................... 13

App Gallery Portal App .................................................................................................................................. 14

Communication between System Components ............................................................................... 14

The Role of Xerox® ............................................................................................................. 16

Page 4: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 4 of 16

April 2016

Introduction

Xerox App Gallery is a Xerox® Marketplace that allows users to browse Xerox® ConnectKey® device Apps and install the Apps on the devices themselves.

Purpose The purpose of this document is to disclose information for the Xerox App Gallery with respect to system security. System Security, for this paper, is defined as follows:

1. How scan and print jobs are created and submitted

2. How user information is stored and transmitted

3. How the product behaves in a networked environment

4. How the product may be accessed, both locally and remotely

NOTE: The customer must be responsible for the security of their network and the Xerox App Gallery does not establish security for any network environment.

The purpose of this document is to inform Xerox customers of the design, functions, and features of Xerox App Gallery relative to Information Assurance (IA).

This document does not provide tutorial level information about security, connectivity, PDLs, or Xerox App Gallery features and functions. This information is readily available elsewhere. We assume that the reader has a prior knowledge of these types of topics.

Target Audience The target audience for this document is Xerox field personnel and customers concerned with IT security.

Disclaimer The information in this document is accurate to the best knowledge of the authors, and is provided without warranty of any kind. In no event shall Xerox Corporation be liable for any damages whatsoever as a result of user's use or disregard of the information provided in this document which includes direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages.

Page 5: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 5 of 16

April 2016

System Workflows

Gallery Account Creation and Activation Workflow

Step 1: User connects to the Xerox App Gallery login web page.

Step 2: User selects option to create a Xerox App Gallery account.

Step 3: User enters required information to create an account and submits the request.

Step 4: Xerox App Gallery creates account and activates it

Step 5: User is sent back to login page where they enter user id and password to successfully login

Page 6: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 6 of 16

April 2016

Browse the App Gallery Workflow

Step 1: User logs in to Xerox App Gallery.

Step 2: User selects the gallery tab.

Step 3: User can browse through the apps in the app gallery.

Step 4: User can select an app and choose information option.

Step 5: User will see the detailed information for the app including screenshots and demo video.

Page 7: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 7 of 16

April 2016

Install of App from App Gallery Workflow

Step 1: User logs into Xerox App Gallery.

Step 2: User selects the app in the app gallery they want to install and selects install.

Step 3: User selects the device they wish to install the app to.

Step 4: Xerox App Gallery installs the app to the chosen device.

Step 5: If the app is a cloud repository app, the app and device are registered with the cloud middleware.

Page 8: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 8 of 16

April 2016

License Workflow

Step 1: Gallery user logs into Xerox App

Gallery.

Step 2: Gallery user selects the Licenses

tab.

Step 3: Gallery user selects the Purchase

button.

Step 4: Gallery user is instructed where to

purchase licenses or they can click the link to go to the eCommerce site to purchase licenses. Once purchased the user will receive an activation key via e-mail. Note: This step is purposely outside of App Gallery control. It is not the responsibility of App Gallery to provide security for this step.

Step 5: Gallery user selects the Add button.

Step 6: Gallery user enters activation key to activate the licenses purchased for App Gallery.

Step 7: Gallery user can see the licenses purchased, the total and remainder of the license’s count.

Page 9: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 9 of 16

April 2016

Step 8: Gallery user can now install an app from app gallery and apply a license to the app.

Page 10: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 10 of 16

April 2016

Security Description

The security considerations are three-fold:

1. The security of the apps found in the Xerox App Gallery

2. The security of the user account information required by the Xerox App Gallery system

3. The security of the devices registered within the system by the user

As one can see from the below diagram, information travels through multiple system components over a combination of wired and wireless networks. All use normal, industry-standard technologies and built-in security capabilities. These capabilities do need to be enabled, and the choice of which are used at each point in the system varies. This section captures the security considerations of Xerox App Gallery in the areas shown below:

1. Protocols and Port numbers used by the system

2. Individual system components

a. Xerox App Gallery – Rackspace Catalog server (2) b. Xerox App Gallery – Rackspace Designer server (2) c. Xerox eCommerce server d. Xerox Corporate Licensing System e. Xerox App Gallery – User Web Pages f. Devices g. Rackspace Load Balancer servers h. Xerox Backup server i. MYSQL Database server j. Cloud File storage k. App Gallery Portal App

3. Communication between system components

a. Communication between Xerox App Gallery – User Web Pages and Rackspace Catalog server, Rackspace Designer server and Rackspace Load Balancer servers

b. Communication between Rackspace Design server and Xerox Corporate Licensing System

c. Communication between Rackspace Catalog server, Rackspace Design Server and Devices

d. Communication between the Xerox Backup Server and the Rackspace Catalog server e. Communication between Rackspace Catalog servers, Rackspace Design servers and

the Rackspace MYSQL Database server f. Communication between Rackspace Catalog servers, Rackspace Design servers and

the Rackspace Cloud Files storage g. App Gallery Portal App

Page 11: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 11 of 16

April 2016

Xerox App Gallery Network Protocols and Port Numbers Diagram This diagram shows the protocols used in the system. Port numbers are not configurable. For non-secure connection, port number 80 is used. For secure connection, port number 443 is used. For the SMTP server port 25 is used.

SNMP/HTTP

ActiveX Deploy

Design

SNMP/HTTP

Rackspace Cloud Servers

MYSQL Database Server

Load Balancers

MySQL

Ruby on Rails App Catalog

SQL Server Express

Code Gen Web Svc

License Activation Web Svc

HTTPS

HTTPS

HTTPS

Xerox eCommerce

Xerox eCommerce Server

Xerox Licensing

XCLS License Server

HTTPS

HTTPS

Enterprise / SMB

Xerox UK

Xerox Backup Server

(Desired State)

Windows Design Web Server

Ubuntu Linux Catalog Server

HTTPS

Cloud Repositories

Azure Cloud Service

Middleware

AzureXAS App

HTTPS

HTTPS

SMTP Router

SMTP Server (Main)

SMTP Server (Back-up)

ConfirmationE-mail Request

ConfirmationE-mail

Azure Storage

Register &Unregister Apps

and Devices

HTTPS

Azure Cloud Service

Middleware

File Server

Azure Cloud VM

Document Conversion

HTTPS

Individual System Components

Xerox App Gallery – Rackspace Catalog Servers, Design Servers, Load Balancers

The Xerox App Gallery Servers, which are located in the United Kingdom, run in the Rackspace Platform. There are two considerations for security based on this architecture as follows:

1. Rackspace specific security information

2. Xerox App Gallery Servers specific security information

Each consideration is covered below.

Page 12: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 12 of 16

April 2016

Rackspace Platform Specific

Rackspace is an open source cloud company which offers various degrees of security options. Xerox App Gallery have opted to use the security option that comes with the Managed Service level for cloud servers.

Rackspace managed service security highlights:

System installation to a hardened patched OS

System patches are configured by Rackspace to provide continued protection from exploits in the extent that this is offered and accomplished by Microsoft Server and Ubuntu Linux

Dedicated firewall and VPN services to help block unauthorized system access

Data protection with Rackspace managed backup solutions

Dedicated intrusion detection devices to provide an additional layer of protection against unauthorized system access

Distributed Denial of Service (DDoS) mitigation services based on proprietary Rackspace PrevenTier system

Risk assessment and security consultation by Rackspace professional services teams

ISO17799-based policies and procedures regularly reviewed as part of SAS70 Type II audit process

All passwords encrypted in transit and while in storage at Rackspace

Please visit the Rackspace web site for more information:

http://www.rackspace.com/managed_hosting/services/security/

Xerox App Gallery Cloud Service Specific

All communications to and from the Xerox App Gallery Cloud Service are over https, with the exception of communication between the devices and the Rackspace Design server license activation service. Data is transmitted securely and is protected by TLS security for both upload and download.

Xerox eCommerce Server

The Xerox eCommerce Server is purposely left outside of the Xerox App Gallery workflows. When the button to purchase licenses is pushed, a message is displayed to the user to go to the eCommerce web site to purchase licenses for App Gallery. Xerox App Gallery is not responsible for the security of communication with the eCommerce server.

Xerox Corporate Licensing system

The Xerox Corporate Licensing System is accessed with https (Hyper Text Transfer Protocol) from the license activation service in the Rackspace – Design server.

Page 13: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 13 of 16

April 2016

Xerox App Gallery User Web Pages

All user web pages are accessed with https from a Web Browser.

Xerox App Gallery users have to authenticate with the Xerox App Gallery Service to access the user web pages. Once authenticated the user can view:

1. All apps that reside in the App Gallery system.

2. All devices registered by the user in the App Gallery system.

Devices

Xerox® devices have a variety of security features that can be employed to increase security. Availability of these features depends based on model. It is the customer’s responsibility to understand and implement appropriate controls for devices behavior.

Some examples are as follows:

1. Xerox Image Overwrite electronically shreds information stored on the hard drive of devices as part of the routine job process.

2. Data Encryption uses state of the art encryption technology on data stored within the device as well as for data in motion in and out of the device.

For more information about the above examples as well as for other device security related technologies please see http://www.xerox.com/information-security/product-security.

The Xerox App Gallery only supports Xerox® ConnectKey devices. It is the customer’s responsibility to understand the security features of these Xerox® devices which are used in the Xerox App Gallery system.

Communication between the device and the License Activation Web Service has been changed to use https.

Xerox Backup Server

The Xerox Backup Server uses https to access the Rackspace – Catalog server. Xerox App Gallery backup files are copied from the Catalog server to the backup server which is located in a Xerox® facility.

MySQL Database Server

MySQL database server stores the data used by the designer server and catalog server. MySQL database server uses https to communicate with the Rackspace Catalog server and the Rackspace Designer server.

Cloud File Storage

Cloud file storage stores files used by the designer server and catalog server. The Rackspace Catalog server and the Rackspace Designer server use https to access the Cloud file storage.

Page 14: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 14 of 16

April 2016

App Gallery Portal App

The Xerox App Gallery Portal App is an app which will be delivered with all NextWave and ConnectKey 2.0i devices. The Xerox App Portal App will give users of the NextWave and ConnectKey 2.0i devices access to the Xerox App Gallery. The Xerox App Gallery Portal App will have the ability to associate a Xerox App Gallery Account with the app which will allow any user walking up to the device to have access to the Xerox App Gallery. The associated credentials will be saved on the device’s local storage and will be encrypted for security.

Communication between System Components

Communication between Xerox App Gallery, Rackspace Catalog Servers, Design Servers and Load Balancers and Xerox App Gallery Web Pages

The Xerox App Gallery servers use the https protocol for all communication with the Xerox App Gallery Web Pages. It establishes an https secure connection with the Xerox App Gallery Service which relies on the web page OS to validate the security certificate as part of creation of the TLS connection. The TLS certificate is issued by Comodo (a trusted certificate authority) and ensures that the Xerox App Gallery webserver is in communication with the user’s web browser, and no third party can pretend to be that webserver or intercept traffic between the web browser and the webserver.

Xerox App Gallery requires users to authenticate before they can use any of its features. Basic authentication is performed with the Xerox App Gallery that provides username and password information over the https protocol.

Once authentication is complete, data is passed between the Xerox App Gallery servers and the Xerox App Gallery Web Pages to enable the features of the service within the Xerox App Gallery. This includes all data for apps, information for registered devices, and user data.

Communication between Xerox App Gallery, Rackspace Design Server, and Xerox Corporate Licensing System

The Xerox App Gallery – Rackspace License Activation Service uses the https protocol for all communication with the Xerox Corporate Licensing System. It establishes an https secure connection when the Xerox Corporate Licensing System relies on the certificate authority configuration of the Windows server on which it resides to validate the security certificate as part of establishment of the TLS connection with the Xerox Corporate Licensing System.

Page 15: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 15 of 16

April 2016

Communication between Xerox App Gallery – Rackspace Catalog and Design Servers and Devices

The Xerox App Gallery uses SNMPv2 to discover printers and printer capabilities. Customers can configure the community name strings for the agent to use if they have configured their printers to use non-default values.

Xerox App Gallery also uses SOAP messages transmitted over the https protocol to communicate with devices in order to accomplish app installation and uninstallation. The WSSE standard for SOAP messages is used to transmit nonce-protected hashes of device administrator credentials to the device to provide authorization. These device administrator credentials are supplied by the user and stored as part of the device record in Xerox App Gallery.

The devices communicate directly with the Xerox App Gallery Design server when it tries to validate a license for an App that has been installed on the device. This communication is done via https.

Communication between Xerox Backup Server and Xerox App Gallery – Rackspace Catalog Server

The Xerox Backup Server is a password protected server which communicates via https with the Xerox App Gallery Rackspace Catalog server at a regularly scheduled interval to copy the backup files of Xerox App Gallery to the Xerox Backup Server. The Xerox Backup server is located at a Xerox® facility in the United Kingdom.

Communication between Xerox App Gallery Portal App and the Xerox App Gallery

The Xerox App Gallery Portal App communicates with the Xerox App Gallery via https and the data is transmitted securely and is protected by TLS security. The Xerox App Gallery Portal App can associate App Gallery credentials with the device. These credentials are encrypted on the device.

Page 16: Xerox App Gallery 3...Xerox App Gallery 3.0 Information Assurance Disclosure Page 12 of 16 April 2016 Rackspace Platform Specific Rackspace is an open source cloud company which offers

Xerox App Gallery 3.0 Information Assurance Disclosure

Page 16 of 16

April 2016

The Role of Xerox®

Xerox® strives to provide the most secure software product possible based on the information and technologies available while maintaining the product performance, value, functionality, and productivity.

Xerox® will:

Run industry standard security diagnostics tests in development to determine vulnerabilities. If found, the vulnerabilities will either be fixed, minimized, or documented

Monitor, notify, and supply necessary security patches provided by third party software vendors used with the App Gallery software.