Citrix ShareFile is an enterprise follow-me data solution that enables IT to deliver a robust enterprise file sharing and sync service that meets the mobility and collaboration needs of users and the data security requirements of the enterprise.
Securing data is critical to every enterprise and is a responsibility taken seriously by ShareFile. Savvy IT executives understand that with the plethora of free or low-cost data sharing applications available to end users, it has become critical to provide users with a more secure alternative that still empowers them to sync files across their devices and securely share files with co-workers.
This paper explores the details of how ShareFile is secure by design, and highlights the set of security controls available to ShareFile Enterprise customers.
ShareFile consists of 3 primary components: the SaaS Application Tier, StorageZones, and the client.
SaaS Application Tier
The ShareFile SaaS Application Tier is hosted in Citrix’s datacenter. The components include (see figure 2.):
The NetScalers and web servers are installed in the DMZ with the SQL databases installed in the private network behind an additional firewall. The SQL database instances are securely replicated to a second datacenter for backup and disaster recovery purposes.
SaaS Application Tier Security
To protect customer data in transit ShareFile supports SSL 3.0/TLS 1.0 with up to 256 bit AES encryption and no less than 128 bit encryption with the negotiation to TLS/AES-256 dependent on whether the end user’s device or proxy supports TLS/AES-256.
Hashing is defined as producing hash values for accessing data or for security purposes. A hash value (or simply hash) is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
In security systems, hashes are used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If the hashes are the same, it indicates that the message was transmitted intact.
Customer files are never processed, stored or transferred to the ShareFile SaaS application tier. Instead we store metadata which when defined means ‘data about data’ or data that describes other data. The metadata attributes that ShareFile stores in the SaaS application tier’s database servers are as follows:
User Login (Email Address)
Company Name (Optional)
Access Control Lists (ACL)
File Creation Date
Access Control Lists (ACL)
IP Address from which file was uploaded
Account Subdomains on ShareFile.com/eu
Audit & Reporting
Citrix Managed StorageZones
Citrix ShareFile operates a hybrid cloud infrastructure, with separate application and storage tiers managed by separate entities. Citrix manages the SaaS application tier (no file content) while an enterprise class cloud services provider (either Amazon Web Services or Microsoft Azure, depending on customer contract) hosts the StorageZone servers, along with application servers running the FTP/FTPS, Antivirus, Indexing, and Thumbnail services.
The Citrix managed StorageZones architecture consists of the SaaS Application tier, StorageZone™ Controller server(s) and cloud storage (see Figure 3):
Securing File Upload/Download RequestsWhen a user uploads or downloads a file, ShareFile’s architecture prevents forged requests by using hash-based message authentication codes or HMAC’s.
Client files are protected in transit between the web application and storage tier using SSL 3.0/ TLS1.0 with no less than128 bit encryption depending on end-user browser configuration.
All client files are encrypted using AES 256-bit symmetric key encryption, a FIPS approved encryption algorithm.
Customer files are stored redundantly within the cloud storage provider’s region and ShareFile backs up all files daily. We store and back up customer files according to the data retention and version settings your dedicated ShareFile admin configures via the ShareFile administrative web interface.
We employ dedicated antivirus servers that, based on customer preference, can scan all client files for malware. Any infected file is marked with a Red exclamation mark to warn end users of the risk associated with downloading an infected file.
The ShareFile infrastructure is segmented logically from other vendors using a concept Amazon Web Services refers to as Security Groups. Think of security groups as a firewall-like implementation that segregates ShareFile’s infrastructure from other vendors.
Amazon EC2 provides a firewall solution to enable security groups; this mandatory inbound firewall is configured in a default deny mode and we must explicitly open any ports to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR block).
Amazon Web Services runs in geographically dispersed datacenters that comply with key industry standards for security, reliability and confidentiality, such as ISO/IEC 27001:2005, SOC 1 and SOC 2.
Like Amazon Web Services, Windows Azure runs in geographically dispersed datacenters that comply ISO/IEC 27001:2005, SOC 1 and SOC 2. Datacenters are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity.
In addition to datacenter, network, and personnel security practices, Windows Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators.
Customer Managed StorageZones with On-Prem Storage
Customer managed StorageZones allow IT administrators to choose where corporate data will be processed and stored. IT can store data in the organization’s data-center to help meet unique data sovereignty and compliance requirements, or an organization can choose to host ShareFile data natively in a Microsoft Azure account, helping IT build the most cost-effective and customized solution for their organization.
The on-premise customer-managed data can be easily integrated with an organization’s existing infrastructure as it is designed to support any Common Internet File System (CIFS)-based network share. In both options the SaaS application tier is a required component.
The customer managed on-premise architecture consists of the SaaS Application tier, StorageZone Controller server(s) and customer datacenter hosted backend storage (see Figure 5.).
Securing File Upload/Download RequestsThe workflow is the same as Citrix managed StorageZones. The ShareFile architecture in customer managed StorageZones prevents forged upload and download requests by using hash-based message authentication codes (HMAC) as well.
Once the pre-requisites for installation are met, installing the StorageZones Controller server software is simple and consists of launching an .MSI file and clicking through until finished.
The installation file installs the following server components:
After installing the StorageZones Controller server software, configuration is required. Instructions on configuring the StorageZones Controller software can be found here. The configuration utility accomplishes the following tasks (see Figure 7):
If a NetScaler is not used in the architecture, customer files are protected in transit between the web application and the customer managed on-premise storage location using SSL 3.0/TLS1.0 with a minimum 128 bit encryption depending on end-user browser or proxy configuration.
If customers are using Windows Azure, files are protected in transit between the web application and the customer managed on-premise storage location and to the Windows Azure storage container using the same SSL protocols as above.
If a NetScaler is used in the architecture, the SSL connection will be terminated at the NetScaler in the DMZ and files will be sent to the storage location either over http or https, depending on your configuration. If HTTP is used, files will traverse the internal network to the storage location un-encrypted. If HTTPS is used, files will traverse the internal network to the storage location using SSL 3.0/TLS 1.0. The storage server will then decrypt the files and store them.
The StorageZones Controller software has the ability to encrypt the files located in the Storage Location defined during configuration. If data encryption is enabled, all zone files are encrypted with 128 bit encryption using the same key stored in SCKeys.txt. It is therefore critical that the SCKeys.txt file and passphrase be backed up to a secondary secure location. If the SCKeys.txt file is lost, all zone files become inaccessible. Because this directory resides in a customer managed datacenter it is a Citrix best practice to not have the StorageZones Controller software encrypt the data and leverage encryption options from your storage subsystem instead. If encrypted by the StorageZone Controller software, processes like anti-virus scanning and file indexing will not work.
If customers are using Windows Azure, the StorageZones Controller software has the ability to encrypt the files located in the temporary storage location defined during configuration. If the files are encrypted they will be transferred to the Windows Azure storage container encrypted. Decryption happens when a file is requested for download. The file gets copied from the Azure storage container to the temporary storage location in the customer datacenter where it is decrypted and sent from the StorageZones controller server to the client.
All communications from the StorageZones servers and Windows Azure storage containers happen over SSL.
Customer Managed StorageZones with Windows Azure Storage
The Microsoft Azure customer-managed solution (Figure 8) integrates ShareFile with Microsoft Azure’s Binary Large Object (Blob) storage, a cloud service for storing large amounts of unstructured data that can be accessed from anywhere in the world via HTTP or HTTPS.
The Azure Storage architecture is similar to the customer-managed on-premise StorageZones architecture with one minor difference. Azure storage is customer-managed storage hosted in the Azure cloud. File uploads are initially deposited into a temporary storage area shared by all StorageZone controllers. Then, a background service copies those files to the Windows Azure storage container and deletes the local cached copy of the file(s).
Continue reading ShareFile Enterprise: Security Whitepaper...
Learn more about ShareFile Enterprise and request a personalized demo.