zyncro security
Software as a Service (SaaS) is swiftly being adopted by organizations that require security, reliability and availability. Zyncro was designed from the outset with these concepts in mind, enabling corporate collaboration between members and communication between organizations and their customers to be easily managed, no matter where they are located in the world.
The purpose of this technical document is to provide further details about the security features implemented in Zyncro, which enable it to be used securely.
Security in Zyncro
1. Introduction
Nowadays, interaction between employees, or even between employees and customers, goes beyond the walls of the organization. Yet it goes without saying that all corporate documentation and messaging still needs to be kept secure. Companies need a service that is not only available but also ensures the confidentiality and integrity of data transferred across public networks. In other words, only authenticated users should be allowed to access the service, preventing outsiders from seeing or altering the data being exchanged or stored.
Zyncro employs the strictest of security concepts, both in terms of physical security and platform logic, using security protocols that ensure data protection during storage and transfer; it uses cutting-edge data encryption algorithms.
Scalability, security, and privacy have been key in the design of the Zyncro platform. The overall system is capable of detecting the need to allocate new resources in order to maintain the correct response level for its users and can implement such resources automatically.
2. General Information
Zyncro’s infrastructure is balanced in the Amazon Web Services compute cloud. This suite of services gives the Zyncro platform exceptional reliability, as the Amazon datacenters, which are located worldwide, have been deployed with the highest standards possible to guarantee service availability. In addition, Zyncro’s specially designed scalability features enable it to make use of Amazon’s Elastic Compute functions to automatically increase capacity when required by the platform.
Datacenters
Public Cloud
Zyncro is hosted in Amazon’s datacenters with the highest specifications in terms of physical security, access control, component redundancy, monitoring, and 24x7 availability.
Access to all servers is carried out using certificate exchange, with continuously renewed certificates, and not passwords.
Private Cloud
Zyncro can also be hosted in a private instance of Amazon’s datacenters, letting you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch a dedicated installation of Zyncro.
On-premise Installation
Zyncro can be installed and run on computers in an organization's own datacenter, giving the ability to supervise and secure data on premises that are locally owned or controlled.
Firewall
Every server sits behind a firewall configured with a restrictive policy. All traffic is denied unless explicitly permitted: the firewall blocks all traffic by default and deliberately allows only the traffic for the services that are needed.
Storage
Data are distributed and replicated, so that 99.999999999% durability is guaranteed.
High availability
The set of measures implemented ensures 99.99% data availability and 99.95% service availability.
Scalability
In addition to the stable number of servers in operation to maintain the standard Zyncro performance level, the Amazon EC2 platform enables new servers to be started simultaneously within minutes, allowing the resource level to be scaled up according to requirements at a given time. A load balancing mechanism redirects the traffic towards the operational servers.
Backup
Zyncro replicates all data changes daily. Backup is twofold and stored on three Amazon S3 sites, meaning that a durability of 99.999999999% and an availability of 99.99% are guaranteed. The backup storage is designed to survive the simultaneous loss of data in two facilities.
3. Encryption
Zyncro uses two different encryption schemes, one for data storage and another for data traffic.
Storage
An AES (Advanced Encryption Standard or Rijndael) algorithm with a 256-bit key is used for file storage. AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. The National Security Agency of the United States has been using this secure algorithm for more than 10 years to protect classified information.
Traffic
Every time data crosses a communication link, the SSL protocol is used. The SSL protocol provides confidentiality and integrity, and the SSL certificate provides server authentication. In such an environment, user information is highly protected from theft and tampering. The certificate has been issued by GeoTrust. Each connection to Zyncro’s secure site is encrypted using the AES_256_CBC algorithm, with SHA1 for message authentication and DHE_RSA to protect key exchange.
4. Application security
Zyncro is accessible via a web browser on a desktop or laptop PC, via a Widget for Microsoft Windows (XP and above), and from a mobile device using the Mobile App.
All access to Zyncro requires authentication: users must identify themselves with credentials managed by Zyncro or by an external LDAP (Lightweight Directory Access Protocol) system, for instance Active Directory in a Microsoft environment.
The password is sent through secure channels using HTTPS.
Access to information
Shared documents and folders in Zyncro are only visible to the individuals that have been authorized to view them by the owner. The owner is the only person that can determine the permissions given to others to access the files (read, write, invitation, etc.).
Zyncro employees do not have access to user files and information.
Applications
Every integration that uses the Zyncro APIs uses the same authorization protocol: OAuth, an open authorization standard that provides a secure, standard method of API authorization for mobile, web, and desktop applications.
Special security settings
Organization administrators can use the following options:
• Communication can be restricted to prohibit communication with users outside the organization or simply to specify which domains are allowed.
• Every document and file uploaded to Zyncro is stored in an encrypted form in our servers.
• The ability of organization users to send direct links to download files (zlinks) can also be restricted. zlinks can be generated with a password that restricts access to them, and with a limited lifetime by setting an expiry date for the link.
• Administrators can determine whether organization users should appear in the global user search.
• Inside Groups, the owner can decide which permissions each participant has over the files stored in the group: Reader, Inviter, Commentator, Owner… Depending on the permissions, the member will be able to manage the files or not.
• IP Whitelist. The administrators of an organization can define the IP addresses from which users will be able to connect to Zyncro.
In addition, although administrators may not have direct access to documents and folders unless otherwise permitted by the owner, they can use a download option, which will generate a compressed zip file containing the whole folder structure and files created by the entire organization (one structure for each user).
5. Platform management
Management of the Zyncro production environment is performed according to the Spanish Organic Law 15/1999, of December 13th, on Personal Data Protection (LOPD). Some of the security aspects covered are:
• There is a policy on media and document management.
• There are records and audits on accesses, incidents, and software updates.
• Access to servers is done using certificate exchange, not using passwords. These certificates are periodically renewed and previous certificates are forced to expire.
• All software versions deployed in the platform are installed with the latest security updates available.
• There are periodic audits to ensure compliance with the highest security standards.
To guarantee service quality, the environment is monitored continuously. Approximately 180 variables are monitored at a 5-minute frequency to detect any anomalies and roll out support mechanisms where required, assisted by support staff that is on call 24-7.
In addition, service users can access a ticketing system where they can register and track any incidents in Zyncro operation until the Support Team has resolved them according to the established SLA.
6. Development process
In Zyncro, security aspects are considered in each and every stage of the product engineering process. The development of Zyncro is managed according to the following life cycle:
All versions of the product must be installed in development and integration environments before being installed in the production environment. Each environment undergoes the corresponding integration and security testing, in order to ensure that all operating parameters and access integrity are correct.
Software updates are managed using a tracking system that registers the change requests (Release Change Request – RCR), the final tests performed, the requirements implemented, the incidents detected and the corresponding sign-off from the Product Manager, the Development Manager, the Quality Manager and the Security Officer.
Requirements can be traced through the development cycle, managed using a centralized application lifecycle management tool called SpiraTeam (from Inflectra). This provides us with a global vision of version requirements, associated test cases, test execution and incident reporting and resolution.
7. Quality System
Zyncro has been certified according to ISO 9001-2008 by Bureau Veritas.
Zyncro is also certified with the information security management system standard ISO/IEC 27001, which specifies a management system that is intended to bring information security under explicit management control.
Zyncro has two security certificates supplied by the leading web security providers: McAfee and Qualys. These security seals certify the positive result of analyses and tests performed daily to protect the web sites from phishing, viruses, spyware and other online threats.
Moreover, Zyncro, in its technological processes, follows the set of best practices recommended by the ITIL standard.
Technical Appendix
Zyncro and Cookies
Cookies are not used to store any type of private information from our users. The cookies are properly protected and are used to personalize the user’s navigation inside the application. For example, the cookies allow our application to remember the language preference selected by the user. Cookies must be enabled to ensure the correct performance of the platform.
| Name | Description |
| --- | --- |
| ItemsPerPage | Quantity of messages, users or promotions selected by the user for a page list. |
| CookieZyncroLang | Language selected by the user. |
| PHPSESSID | Session identifier. |
| _lastWallView | Last sorting (by date) option on promotions and comments. |
| _lastUrlGroup | Keeps navigation inside groups. |
| _lastUrlFiles | Keeps navigation inside files. |
| _lastUrlSimple | Keeps navigation for breadcrumb. |
| _lastTasksFilter | Sorting (by date) on tasks. |
| _lastTasksOrder | Last sort order used by the user in the Tasks section. |
| _lastTasksOrderType | Last ascending or descending sort direction used in the Tasks section. |
| _lastContactOrder | Last sort direction used in the Community section. |
| _lastContactOrderType | Last ascending or descending sort direction used in the Community section. |
| _lastDocumentsOrder | Last sort direction used in the Files section. |
| _lastDocumentsOrderType | Last ascending or descending sort direction used in the Files section. |
| _lastSeccion | Last top menu option visited from the Community section. |
| Ui-tabs-null | Last option visited inside a group, department or company, or profile. |
| _lngLoginZyncro | Last language shown on the login page. |
| ZyncroClosedNotification_XXX | Last closed notification from Zyncro News. |
| _lastWallIdeasView | Last sorting (by date) option on promotions and comments. |
| _lastEnterprisesOrder | Last sorting option used in the Companies or Departments section. |
| _lastEnterprisesOrderType | Last ascending or descending sort direction used in the Companies or Departments section. |
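Added example, not part of the original document and not Zyncro code: one way to check a set of response headers against the cookie table above. The sample headers are constructed, and the policy applied here (every cookie carries Secure, and PHPSESSID also carries HttpOnly and SameSite) is an assumption, not a statement from the document.

```python
# Added example: the required-attribute policy below is an assumption.
SESSION_COOKIES = {"PHPSESSID"}  # "Session identifier" in the table
DOCUMENTED = SESSION_COOKIES | set("""
ItemsPerPage CookieZyncroLang _lastWallView _lastUrlGroup _lastUrlFiles
_lastUrlSimple _lastTasksFilter _lastTasksOrder _lastTasksOrderType
_lastContactOrder _lastContactOrderType _lastDocumentsOrder
_lastDocumentsOrderType _lastSeccion Ui-tabs-null _lngLoginZyncro
_lastWallIdeasView _lastEnterprisesOrder _lastEnterprisesOrderType
""".split())
DOCUMENTED_PREFIX = "ZyncroClosedNotification_"  # the "_XXX" suffix varies

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs

def audit(headers):
    """Return {cookie name: [findings]}; an empty list means no finding."""
    report = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        findings = []
        if name not in DOCUMENTED and not name.startswith(DOCUMENTED_PREFIX):
            findings.append("not in documented cookie table")
        if "secure" not in attrs:  # the document states all traffic uses SSL
            findings.append("missing Secure")
        if name in SESSION_COOKIES:
            if "httponly" not in attrs:
                findings.append("missing HttpOnly")
            if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
                findings.append("SameSite is not Lax or Strict")
        report[name] = findings
    return report

# Constructed sample response headers, not captured from Zyncro.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed0123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "CookieZyncroLang=en; Path=/; Secure",
    "ItemsPerPage=25; Path=/",
    "tracker=constructed; Path=/; Secure",
]
if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```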