Software  as  a  Service  (SaaS)  is  swiftly  being  adopted  by  organizations  that  require  security,  reliability  and  availability.  Zyncro  was  created  from  its  outset  with  these  concepts  in  mind,  enabling  corporate  collaboration  between  members  and  communication  between  organizations  and  their  customers  to  be  easily  managed,  no  matter  where  they  are  located  in  the  world.  

 

The  purpose  of  this  technical  document  is  to  provide  further  details  about  the  security  features  implemented  in  Zyncro,  which  enable  it  to  be  used  securely.  

 

Security  in  Zyncro  

 

 Security  in  Zyncro    2  

 

Nowadays,  interaction  between  employees  or  even  between  employees  and  customers  goes  beyond  the  walls  of  the  organization.  Yet  it  goes  without  saying  that  all  corporate  documentation  and  any  messaging  carried  out  still  needs  to  be  kept  secure.  Companies  need  a  service  that  is  not  only  available,  but  it  must  ensure  the  confidentiality  and  the  integrity  of  data  traffic  transferred  across  public  networks.  In  other  words,  only  authenticated  users  should  be  allowed  to  access  the  service,  preventing  outsiders  from  seeing  or  altering  the  data  being  exchanged  or  stored.  

 

Zyncro  employs  the  strictest  of  security  concepts,  both  in  terms  of  physical  security  and  platform  logic,  using  security  protocols  that  ensure  data  protection  during  storage  and  transfer-­‐  it  uses  cutting-­‐edge  data  encryption  algorithms.  

 

Scalability,  security,  and  privacy  have  been  key  in  the  designing  of  the  Zyncro  platform.  The  overall  system  is  capable  of  detecting  the  need  to  allocate  new  resources  in  order  to  maintain  the  correct  response  level  for  its  users  and  can  implement  such  resources  automatically.  

 

   

1.  Introduction  

 

 Security  in  Zyncro    3  

 

Zyncro’s  infrastructure  is  balanced  in  the  Amazon  Web  Services  compute  cloud.  This  suite  of  services  gives  the  Zyncro  platform  exceptional  reliability,  as  the  Amazon  datacenters,  which  are  located  worldwide,  have  been  deployed  with  the  highest  standards  possible  to  guarantee  service  availability.  In  addition,  Zyncro’s  specially  designed  scalability  features  enable  it  to  make  use  of  Amazon’s  Elastic  Compute  functions  to  automatically  increase  capacity  when  required  by  the  platform.  

 

Datacenters  

  Public  Cloud  

Zyncro  is  hosted  in  Amazon’s  datacenters  with  the  highest  specifications  in  terms  of  physical  security,  access  control,  component  redundancy,  monitoring,  and  24x7  availability.  

Access  to  all  servers  is  carried  out  using  continuously  renewed  Certificates  exchange  and  not  passwords.  

  Private  Cloud  

Zyncro  can  also  be  hosted  in  a  private  instance  of  Amazon’s  datacenters  letting you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch a dedicated installation of Zyncro.

  On-­‐premise  Installation  

Zyncro  can  be  installed  and  run  on  computers  on  the  Datacenter  of  an  organization,  giving  the  ability  to  supervise  and  secure  data  on  premises  that  are  locally  owned  or  controlled.  

 

Firewall  

Every  server  is  under  a  restricted  policy  configured  firewall.  All  traffic  is  denied  unless  the  one  explicitly  permitted.  The  firewall  obstructs  all  the  traffic  and  enables  on  purpose  the  traffic  from  the  services  that  are  needed.  

2.  General  Information  

 

 Security  in  Zyncro    4  

 

Storage  

Data  are  distributed  and  replicated,  so  that  99.999999999%  durability  is  guaranteed.  

 

High  availability  

The  set  of  measures  implemented  ensure  99.99%  data  availability  and  99.95%  service  availability.  

 

Scalability  

In  addition  to  the  stable  number  of  servers  in  operation  to  maintain  standard  Zyncro  performance  level,  the  Amazon  EC2  platform  enables  new  servers  to  be  started  simultaneously  within  minutes,  allowing  the  resource  level  to  be  scaled  up  according  to  requirements  at  a  given  time.  A  load  balancing  mechanism  redirects  the  traffic  towards  the  operative  servers.  

 

Backup  

Zyncro  replicates  all  data  changes  daily.  Backup  is  twofold  and  stored  on  three  Amazon  S3  sites,  meaning  that  a  durability  of  99.999999999%  and  an  availability  of  99.99%  is  guaranteed.  The  backup  storage  is  designed  to  survive  the  simultaneous  loss  of  data  in  two  facilities.  

   

 

 Security  in  Zyncro    5  

 

Zyncro  uses  two  different  encryption  schemes,  one  for  data  storage  and  another  for  data  traffic.  

 

Storage  

An  AES  (Advanced  Encryption  Standard  or  Rijndael)  algorithm  with  a  256-­‐bit  key  is  used  for  file  storage.  AES  is  a  specification  for  the  encryption  of  electronic  data  established  by  the  U.S.  National  Institute  of  Standards  and  Technology  (NIST)  in  2001.  The  National  Security  Agency  of  the  United  States  has  been  using  this  secure  algorithm  for  more  than  10  years  to  protect  classified  information.  

 

Traffic  

Every  time  data  crosses  a  communication  link,  the  SSL  protocol  is  used.  SSL  protocol  provides  confidentiality,  integrity  and  the  SSL  certificate  provides  Server  authentication.  In  such  environment  user  information  is  highly  protected  from  theft  and  tampering.  The  certificate  has  been  issued  by  GeoTrust.  Each  connection  to  Zyncro’s  secure  site  is  encrypted  using  the  AES_256_CBC  algorithm,  with  SHA1  for  message  authentication  and  DHE_RSA  to  protect  key  exchange.  

   

3.  Encryption  

 

 Security  in  Zyncro    6  

 

Zyncro  is  accessible  via  web  browser,  either  on  a  desktop  or  laptop  PC;  a  Widget  for  Microsoft  Windows  (XP  and  above)  and  also  accessible  from  a  mobile  device  using  the  Mobile  App.    

All  access  to  Zyncro  is  done  using  an  authentication  process,  by  which  users  must  identify  themselves  using  their  credentials  managed  by  Zyncro  or  an  external  LDAP  (Lightweight  Directory  Access  Protocol)  system,  for  instance  the  Active  Directory  in  the  Microsoft  environment.  

The  password  is  sent  through  secure  channels  using  HTTPS.  

 

 

Access  to  information  

Shared  documents  and  folders  in  Zyncro  are  only  visible  to  the  individuals  that  have  been  authorized  to  view  them  by  the  owner.  The  owner  is  the  only  person  that  can  determine  the  permissions  given  to  others  to  access  the  files  (read,  write,  invitation,  etc.)  

Zyncro  employees  do  not  have  access  to  user  files  and  information.  

 

Applications  

Every  integration  that  uses  the  Zyncro  APIs  has  the  same  authorization  mechanism  protocol:  OAuth,  an  open  standard  of  authorization  that  provides  a  secure  authorization  method  of  a  standard  and  secure  API  for  mobile,  web,  and  desktop.  

 

4.  Application  security  

 

 Security  in  Zyncro    7  

 

 

Special  security  settings  

Organization  administrators  can  use  the  following  options:  

• Communication  can  be  restricted  to  prohibit  communication  with  users  outside  the  organization  or  simply  to  specify  which  domains  are  allowed.  

• Every  document  and  file  uploaded  to  Zyncro  is  stored  in  an  encrypted  form  in  our  servers.  

• To  send  direct  links  to  download  files  (zlinks)  by  the  organization  users  can  also  be  restricted.  zlinks  can  be  generated  with  a  password  that  will  restrict  the  access  to  it,  and  also  with  a  specific  durability:  setting  an  expiry  date  for  the  link.  

• Administrators  can  determine  whether  organization  users  should  appear  in  the  global  user  search.  

• Inside  Groups,  the  owner  can  decide  which  permissions  has  each  participant  over  the  files  stored  in  the  group:  Reader,  Inviter,  Commentator,  Owner…  Depending  on  the  permissions,  the  member  will  be  able  to  manage  the  files  or  not.  

• IP  Whitelist.  The  administrators  of  an  organization  can  define  which  IPs  users  will  be  able  to  connect  to  Zyncro  from.  

In  addition,  although  administrators  may  not  have  direct  access  to  documents  and  folders  unless  otherwise  permitted  by  the  owner,  they  can  use  a  download  option,  which  will  generate  a  compressed,  zip  file  containing  the  whole  folder  structure  and  files  created  by  the  entire  organization  (one  structure  for  each  user).  

 

 

 

 

 

 

 Security  in  Zyncro    8  

 

Management  of  the  Zyncro  production  environment  is  performed  according  to  the  Spanish  Organic  Law  15/1999,  December  13th,  on  Personal  Data  Protection  (LOPD).  Some  of  the  security  aspects  covered  are:  

• There  is  a  policy  on  media  and  document  management.  • There  are  records  and  audits  on  accesses,  incidents,  and  software  

updates.  • Access  to  servers  is  done  using  certificate  exchange,  not  using  

passwords.  These  certificates  are  periodically  renewed  and  precious  certificates  are  forced  to  expire.  

• All  software  versions  deployed  in  the  platform  are  installed  with  the  latest  security  updates  available.  

• There  are  periodical  audits  to  ensure  compliance  with  the  highest  security  standards.  

 

To  guarantee  service  quality,  the  environment  is  monitored  continuously.  Approximately  180  variables  are  monitored  at  a  5-­‐minute  frequency  to  detect  any  anomalies  and  roll  out  support  mechanisms  where  required,  assisted  by  support  staff  that  is  on  call  24-­‐7.  

In  addition,  service  users  can  access  a  ticketing  system  where  they  can  register  and  track  any  incidents  in  Zyncro  operation  until  the  Support  Team  according  to  the  established  SLA  has  resolved  them.  

5.  Platform  management  

 

 Security  in  Zyncro    9  

 

 In  Zyncro,  security  aspects  are  considered  in  each  and  every  stage  of  the  product  engineering  process.  The  development  of  Zyncro  is  managed  according  to  the  following  life  cycle:  

 

 

All  versions  of  the  product  must  be  installed  in  development  and  integration  environments  before  being  installed  in  the  production  environment.  Each  environment  undergoes  the  corresponding  integration  and  security  testing,  in  order  to  ensure  that  all  operating  parameters  and  access  integrity  are  correct.  

Software  updates  are  managed  using  a  tracking  system  that  registers  the  change  requests  (Release  Change  Request  –  RCR),  the  final  tests  performed,  the  requirements  implemented,  the  incidents  detected  and  the  corresponding  sign-­‐off  from  the  Product  Manager,  the  Development  Manager,  the  Quality  Manager  and  the  Security  Officer.  

Requirements  can  be  traced  through  the  development  cycle,  managed  using  a  centralized  application  lifecycle  management  tool  called  SpiraTeam  (from  Inflectra).  This  provides  us  with  a  global  vision  of  version  requirements,  associated  test  cases,  test  execution  and  incident  reporting  and  resolution.  

 

6.  Development  process  

 

 Security  in  Zyncro    10  

 

7.  Quality  System  

Zyncro  has  been  certified  according  to  ISO  9001-­‐2008  by  Bureau  Veritas.    

Zyncro  is  also  certified  with  the  information  security  management  system  standard:  ISO/IEC  27001;  it  specifies  a  management  system  that  is  intended  to  bring  information  security  under  explicitly  management  control.  

Zyncro  has  two  security  certificates  supplied  by  the  leading  web  security  providers:  McAfee  and  Qualys.  These  security  seals  certify  the  positive  result  of  analyses  and  tests  performed  daily  to  protect  the  web  sites  from  phishing,  viruses,  spyware  and  other  online  threats.  

 

 

 

 

 

Moreover,  Zyncro  -­‐in  its  technological  processes-­‐  follows  the  set  of  best  practices  recommended  by  the  ITIL  standard.  

 

   

 

 Security  in  Zyncro    11  

 

Technical  Appendix  

Zyncro  and  Cookies  

Cookies  are  not  used  to  store  any  type  of  private  information  from  our  users.  The  cookies  are  protected  properly,  and  used  to  personalize  user’s  navigation  inside  the  application.  For  example,  the  cookies  allow  our  application  to  remember  the  language  preference  selected  by  the  user.  It  is  necessary  to  use  the  cookies  and  have  the  enabled  to  ensure  a  correct  performance  of  the  platform.    

Name   Description  

ItemsPerPage  Quantity  of  messages,  users  or  promotions  selected  by  the  user  for  a  page  list.  

CookieZyncroLang   Language  selected  by  the  user  

PHPSESSID   Session  identifier  

_lastWallView  Last  sorting  (by  date)  option  on  promotions  and  comments.  

_lastUrlGroup   Keeps  navigation  inside  groups.  

_lastUrlFiles   Keeps  navigation  inside  files.  

_lastUrlSimple   Keeps  navigation  for  breadcrumb.  

_lastTasksFilter   Sorting  (by  date)  on  tasks.    

_lastTasksOrder  Last  ordination  used  by  the  user  in  the  Tasks  section.  

_lastTasksOrderType  Last  ascending  or  descending  sort  direction  used  in  the  Tasks  section.  

_lastContactOrder  Last  sort  direction  used  in  the  Community  section.    

 

 Security  in  Zyncro    12  

 

_lastContactOrderType  Last  ascending  or  descending  sort  direction  used  in  the  Community  section.  

_lastDocumentsOrder  Last  sort  direction  used  in  the  Files  section.    

_lastDocumentsOrderType  Last  ascending  or  descending  sort  direction  used  in  the  Files  section.  

_lastSeccion  Last  top  menu  option  visited  from  the  Community  section.  

Ui-­‐tabs-­‐null  Last  option  visited  inside  a  group,  department  or  company,  or  profile.  

_lngLoginZyncro   Last  language  show  in  the  login  page.  

ZyncroClosedNotification_XXX  Last  closed  notification  from  Zyncro  News.  

_lastWallIdeasView  Last  sorting  (by  date)  option  on  promotions  and  comments.  

_lastEnterprisesOrder  Last  sorting  option  used  in  the  section  Companies  or  Departments  section.    

_lastEnterprisesOrderType  Last  ascending  or  descending  sort  direction  used  in  the  Companies  or  Departments  section.