ShareFile Enterprise: Security Whitepaper

Citrix ShareFile is an enterprise follow-me data solution that enables IT to deliver a robust enterprise file sharing and sync service that meets the mobility and collaboration needs of users and the data security requirements of the enterprise.

Securing data is critical to every enterprise and is a responsibility taken seriously by ShareFile. Savvy IT executives understand that with the plethora of free or low-cost data sharing applications available to end users, it has become critical to provide users with a more secure alternative that still empowers them to sync files across their devices and securely share files with co-workers.

This paper explores the details of how ShareFile is secure by design, and highlights the set of security controls available to ShareFile Enterprise customers.

ShareFile consists of 3 primary components: the SaaS Application Tier, StorageZones, and the client.

1. SaaS Application Tier – sometimes referred to the as the Control Plane, this is a Citrix-managed component that consists of web, database, and API servers.

2. StorageZones – this is where customer data is stored. Customers have four options when deciding where to store their data. This paper will discuss the workflow and security processes of each option.

    a. Citrix-managed cloud storage on Amazon Web Services.

    b. Citrix-managed cloud storage on Microsoft Azure.

    c. Customer-managed cloud storage on Microsoft Azure.

    d. Customer-managed storage in corporate datacenters.

3. Clients – ShareFile supports a broad device list, which includes but is not limited to Windows and Mac OSX, Android and iOS, Windows phone and Windows Metro.

SaaS Application Tier

ShareFile Servers: Web, API, and Database Overview

The ShareFile SaaS Application Tier is hosted in Citrix’s datacenter. The components include (see figure 2.):

  • NetScaler® – used to load balance client requests to the ShareFile.com/eu webs and API webservers.
  • ShareFile.com/eu webservers designed to deliver the Web UI.
  • API webservers used for client devices and tools using the HTTPS and REST API, including the Outlook plug-in, mobile and sync applications.
  • Database - SQL database instances which contain things such as account data, file and folder metadata, including access rights, user account data, logs etc. The database in the SaaS Application tier does not process or store any customer data files.

The NetScalers and web servers are installed in the DMZ with the SQL databases installed in the private network behind an additional firewall. The SQL database instances are securely replicated to a second datacenter for backup and disaster recovery purposes.

SaaS Application Tier Security

Encryption

To protect customer data in transit ShareFile supports SSL 3.0/TLS 1.0 with up to 256 bit AES encryption and no less than 128 bit encryption with the negotiation to TLS/AES-256 dependent on whether the end user’s device or proxy supports TLS/AES-256.

Hash-based Message Authentication Code

Hashing is defined as producing hash values for accessing data or for security purposes. A hash value (or simply hash) is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.

In security systems, hashes are used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If the hashes are the same, it indicates that the message was transmitted intact.

Metadata

Customer files are never processed, stored or transferred to the ShareFile SaaS application tier. Instead we store metadata which when defined means ‘data about data’ or data that describes other data. The metadata attributes that ShareFile stores in the SaaS application tier’s database servers are as follows:

User Info:
First Name
Last Name
User Login (Email Address)
Company Name (Optional)
Password Hash
Security Question
Security Answer
Access Control Lists (ACL)

File Info:
File Name
File Description
File Location
File Size
File Hash
File Creation Date
Email Notification
Access Control Lists (ACL)
IP Address from which file was uploaded

Other:
Account Subdomains on ShareFile.com/eu
Audit & Reporting

Citrix Managed StorageZones

Overview

Citrix ShareFile operates a hybrid cloud infrastructure, with separate application and storage tiers managed by separate entities. Citrix manages the SaaS application tier (no file content) while an enterprise class cloud services provider (either Amazon Web Services or Microsoft Azure, depending on customer contract) hosts the StorageZone servers, along with application servers running the FTP/FTPS, Antivirus, Indexing, and Thumbnail services.

The Citrix managed StorageZones architecture consists of the SaaS Application tier, StorageZone™ Controller server(s) and cloud storage (see Figure 3):

Securing File Upload/Download Requests

When a user uploads or downloads a file, ShareFile’s architecture prevents forged requests by using hash-based message authentication codes or HMAC’s.

1. Client requests a file.

2. A prepare message is sent by the ShareFile web application or API servers in the SaaS application tier to the StorageZone hosting the file. The location of the file is stored in the SaaS application tier database, accessed by the ShareFile web application and API servers.

3. A hash-based message authentication code (HMAC) based on the Shared Key used to establish a trust relationship between the SaaS application tier and StorageZone, is sent as part of the prepare message and is validated by the StorageZone Controller.

4. Once validated, the StorageZone confirms the validity and generates a unique one-time-use download token.

5. The ShareFile web application or API server provides the download link containing the fully qualified domain name (FQDN) of the StorageZones controller to the client with the unique download token.

6. To start the actual download, the client connects directly to the StorageZone.

7. The download token (part of the download request from the client), is validated.

8. If validation is successful, the file will be retrieved from storage, and the StorageZone will provide the file to the client.

Security

Encryption in Transit

Client files are protected in transit between the web application and storage tier using SSL 3.0/ TLS1.0 with no less than128 bit encryption depending on end-user browser configuration.

Encryption at Rest

All client files are encrypted using AES 256-bit symmetric key encryption, a FIPS approved encryption algorithm.

Data Backup

Customer files are stored redundantly within the cloud storage provider’s region and ShareFile backs up all files daily. We store and back up customer files according to the data retention and version settings your dedicated ShareFile admin configures via the ShareFile administrative web interface.

Anti-Virus

We employ dedicated antivirus servers that, based on customer preference, can scan all client files for malware. Any infected file is marked with a Red exclamation mark to warn end users of the risk associated with downloading an infected file.

Amazon Web Services Security

The ShareFile infrastructure is segmented logically from other vendors using a concept Amazon Web Services refers to as Security Groups. Think of security groups as a firewall-like implementation that segregates ShareFile’s infrastructure from other vendors.

Amazon EC2 provides a firewall solution to enable security groups; this mandatory inbound firewall is configured in a default deny mode and we must explicitly open any ports to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR block).

Amazon Web Services runs in geographically dispersed datacenters that comply with key industry standards for security, reliability and confidentiality, such as ISO/IEC 27001:2005, SOC 1 and SOC 2.

Microsoft Azure Security

Like Amazon Web Services, Windows Azure runs in geographically dispersed datacenters that comply ISO/IEC 27001:2005, SOC 1 and SOC 2. Datacenters are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity.

In addition to datacenter, network, and personnel security practices, Windows Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators.

Customer Managed StorageZones with On-Prem Storage

Overview

Customer managed StorageZones allow IT administrators to choose where corporate data will be processed and stored. IT can store data in the organization’s data-center to help meet unique data sovereignty and compliance requirements, or an organization can choose to host ShareFile data natively in a Microsoft Azure account, helping IT build the most cost-effective and customized solution for their organization.

The on-premise customer-managed data can be easily integrated with an organization’s existing infrastructure as it is designed to support any Common Internet File System (CIFS)-based network share. In both options the SaaS application tier is a required component.

The customer managed on-premise architecture consists of the SaaS Application tier, StorageZone Controller server(s) and customer datacenter hosted backend storage (see Figure 5.).

Securing File Upload/Download Requests

The workflow is the same as Citrix managed StorageZones. The ShareFile architecture in customer managed StorageZones prevents forged upload and download requests by using hash-based message authentication codes (HMAC) as well.

1. Client requests a file.

2. A prepare message is sent by the ShareFile web application or API servers in the SaaS application tier to the StorageZone hosting the file. The location of the file is stored in the SaaS application tier database, accessed by the ShareFile web application and API servers.

3. A hash-based message authentication code (HMAC) based on the Shared Key used to establish a trust relation between the SaaS application tier and StorageZone, is sent as part of the prepare message and is validated by the StorageZone Controller.

4. Once validated, the StorageZone confirms the validity and generates a unique one-time-use download token.

5. The ShareFile web application or API server provides the download link to the Client with the unique download token.

6. To start the actual download, the Client connects to the StorageZone.

7. The download token (part of the download request from the Client), is validated.

8. If validation is successful, the file will be retrieved from storage.

9. The StorageZones controller server will send the file to the Client.

Security

Trust and Encryption: On-Premise StorageZone

ShareFile StorageZones Controller Server

Once the pre-requisites for installation are met, installing the StorageZones Controller server software is simple and consists of launching an .MSI file and clicking through until finished.

Pre-requisites:

  • Use a publicly-resolvable Internet hostname (not an IP address).
  • Install a commercially trusted SSL certificate in IIS.
  • Allow inbound TCP requests on port 443 through the Windows firewall.

The installation file installs the following server components:

• A virtual directory and files into the IIS Default Web site. The physical location of the folder and files is c:\intetpub\wwwroot\Citrix\StorageCenter.
• An IIS application pool named StorageCenterAppPool. The installer also points the IIS Default Web Site’s application pool to the newly created StorageCenterAppPool application pool.
• 4 windows services:
    - Citrix ShareFile Cloud Storage Uploader Service
    - Citrix ShareFile File Cleanup Service
    - Citrix ShareFile File Copy Service
    - Citrix ShareFile Management Service

After installing the StorageZones Controller server software, configuration is required. Instructions on configuring the StorageZones Controller software can be found here. The configuration utility accomplishes the following tasks (see Figure 7):

  • Creates a shared zone secret key in the customer’s ShareFile account and on the StorageZones Controller server stored encrypted in the registry.
  • Creates a storage encryption key (SCKeys.txt) and encrypts that key using 128 bit encryption when a passphrase is entered in the last step of the configuration. This encryption key is only used if the ‘Enable Encryption’ box is checked during configuration which instructs the StorageZone Controller server to encrypt the files stored in your shared ShareFile data repository.
  • Creates a proprietary folder structure and the SCKeys.txt file in the ShareFile ‘Storage Location’ network share location defined during the configuration.
  • Enables StorageZone Connectors if ‘Enable StorageZone Connector for Network File Shares’ and ‘Enable StorageZone Connector for SharePoint’ are checked. Enabling the Connectors creates the IIS apps “cifs” (Connector for Network File Shares) and “sp” (Connector for SharePoint)

Encryption in Transit

If a NetScaler is not used in the architecture, customer files are protected in transit between the web application and the customer managed on-premise storage location using SSL 3.0/TLS1.0 with a minimum 128 bit encryption depending on end-user browser or proxy configuration.

If customers are using Windows Azure, files are protected in transit between the web application and the customer managed on-premise storage location and to the Windows Azure storage container using the same SSL protocols as above.

If a NetScaler is used in the architecture, the SSL connection will be terminated at the NetScaler in the DMZ and files will be sent to the storage location either over http or https, depending on your configuration. If HTTP is used, files will traverse the internal network to the storage location un-encrypted. If HTTPS is used, files will traverse the internal network to the storage location using SSL 3.0/TLS 1.0. The storage server will then decrypt the files and store them.

Encryption at Rest

The StorageZones Controller software has the ability to encrypt the files located in the Storage Location defined during configuration. If data encryption is enabled, all zone files are encrypted with 128 bit encryption using the same key stored in SCKeys.txt. It is therefore critical that the SCKeys.txt file and passphrase be backed up to a secondary secure location. If the SCKeys.txt file is lost, all zone files become inaccessible. Because this directory resides in a customer managed datacenter it is a Citrix best practice to not have the StorageZones Controller software encrypt the data and leverage encryption options from your storage subsystem instead. If encrypted by the StorageZone Controller software, processes like anti-virus scanning and file indexing will not work.

If customers are using Windows Azure, the StorageZones Controller software has the ability to encrypt the files located in the temporary storage location defined during configuration. If the files are encrypted they will be transferred to the Windows Azure storage container encrypted. Decryption happens when a file is requested for download. The file gets copied from the Azure storage container to the temporary storage location in the customer datacenter where it is decrypted and sent from the StorageZones controller server to the client.

All communications from the StorageZones servers and Windows Azure storage containers happen over SSL.

Customer Managed StorageZones with Windows Azure Storage

Overview

The Microsoft Azure customer-managed solution (Figure 8) integrates ShareFile with Microsoft Azure’s Binary Large Object (Blob) storage, a cloud service for storing large amounts of unstructured data that can be accessed from anywhere in the world via HTTP or HTTPS.

The Azure Storage architecture is similar to the customer-managed on-premise StorageZones architecture with one minor difference. Azure storage is customer-managed storage hosted in the Azure cloud. File uploads are initially deposited into a temporary storage area shared by all StorageZone controllers. Then, a background service copies those files to the Windows Azure storage container and deletes the local cached copy of the file(s).

Continue reading ShareFile Enterprise: Security Whitepaper...

 

Learn more about ShareFile Enterprise and request a personalized demo.

Ready to try ShareFile? It's free for 30 days. No credit card required.

Related Information