Vault-GENERAL™
A secure file transfer appliance and a service
Vault-GENERAL™ is a secure file vault that allows two or more parties to share/transfer regulated files in a secure and compliant manner. Vault-GENERAL™ eliminates headaches that are associated with creating a homegrown FTP/SFTP server. It neatly packages security and compliance features into a ready to deploy appliance specially designed to handle the regulated data. HIPAA/HITECH covered entities can exchange "protected health information" files in a secure and compliant manner while merchants can use Vault-GENERAL™ to share/transfer cardholder data files in accordance with the PCI mandates.
- Multiple protocol support - SMB/SSHFS from the inside and SFTP from the outside
- Transparent encryption of data at rest and in transit
- No out-of-band key exchange
- Cryptographically signed file transfer logs
- Transitive trust model based data security
- Role-based platform management
- Ready to deploy appliance
Available models/services:
Model # | VG-100 | VG-V | VG-V-NT | VG-V-M | VG-V-H |
Type of offering | Hard Appliance | Virtual appliance | Virtual appliance | Managed virtual | Hosted virtual |
CPU - Quad-code Intel Xeon 2.4GHz 4 x 12M Cache, Turbo, HT, L2 Cache 8MB L3 Cache, 1066MHz Max Mem | 1 | SMP Virtual Appliance | SMP Virtual Appliance | SMP Virtual Appliance | SMP Virtual Appliance |
Memory - Registered w/ ECC 1333MHz Dual Ranked RDIMMs | 4GB | Minimum 2GB | Minimum 2GB | Minimum 2GB | 2GB |
Storage - SATA 10000-RPM 16MB Cache 3.0Gb/s | 500GB RAID-5
| Configurable | Configurable | Configurable | 250GB |
Disks | 4 | n/a | n/a | n/a | n/a |
NIC/LOM | 2x GbE LOM | n/a | n/a | n/a | n/a |
Availability | Hot-swap HDD; 500W Redundant PSU; Memory RAS | n/a | n/a | n/a | n/a |
Enclosure | 1U | n/a | n/a | n/a | n/a |
Power Supplies | Redundant 500W (80+GOLD) Auto Ranging 100V ~240V) | n/a | n/a | n/a | n/a |
Dimensions | 1.69 x 17.09 x 24.69 (in) | n/a | n/a | n/a | n/a |
Weight | 35.02lbs (15.9Kg) | n/a | n/a | n/a | n/a |
Operating Environment | 50 to 95 °F 10 to 35 °C | n/a | n/a | n/a | n/a |
Operating System | Secure PG-OS | Secure PG-OS | Secure PG-OS | Secure PG-OS | Secure PG-OS |
Security Specifications | Description | VG- | VG- | VG- | VG- | VG- |
Encryption algorithm used | Advanced Encryption Standard (AES) - symmetric-key encryption standard (U.S. FIPS PUB 197 (FIPS 197). | Y | Y | Y | Y | Y |
Key size | 256 bits | Y | Y | Y | Y | Y |
Key storage | Federal Information Processing Standard (FIPS) Publication 140-2/3 based smart cards running EAL4/EAL5 operating system. | Y | Y* | N | N | N |
Key distribution | Secure distribution is conducted during the installation process. | Y | Y | n/a | n/a | n/a |
Key revocation | Authenticated revocation - a single step process. | Y | Y | n/a | n/a | n/a |
Key rotation | Built-in key rotation. | Y | Y | Y | Y | Y |
Non-repudiation | Cryptographically signed reports stored in an encrypted data vault. | Y | Y | Y | Y | Y |
Protection against a malicious privileged user | Privileged insiders are not allowed to view/alter file data stored in "Crypto-Shares". | Y | Y | Y | Y | Y |
Transfer file data encryption | Transparent encryption of all file types. “On-demand” per "Crypto-Share" encryption. No client side agent is required. | Y | Y | Y | Y | Y |
Transfer tracking (logs) | All file accesses are logged. Logs are stored in a tamper-resistant encrypted vault. | Y | Y | Y | Y | Y |
Supported file access protocols | SMB, SFTP/SSHFS | Y | Y | Y | Y | Y |
Protection against physical loss | No file data can be accessed unless "Crypto-Share" service is running. Only an authorized File-GENERAL™ administrator with a smart card can start this service. | Y | Y | Y | Y | Y |
Firewall | Built-in customized firewall. | Y | Y | Y | Y | Y |
Reduced attack surface | Minimal set of services that are needed for a secure and controlled operation. | Y | Y | Y | Y | Y |
Separation of duties (SOD) | Role-based platform management. | Y | Y | Y | Y | Y |
Security updates | Automated and tested updates. | Y | Y | Y | Y | Y |
System logs | Privileged operation logs are cryptographically signed & stored in encrypted format. | Y | Y | Y | Y | Y |
Hardened appliance | Total footprint < 700MB. | Y | Y | Y | Y | Y |
* Certain limitations apply
Vault-GENERAL™ has been specifically designed to enable compliance.
Feature | Detail | Compliance |
Ready-to-deploy secure appliance | Vault-GENERAL™ provides file transfer functionality in a secure manner. Only a minimal set of required services are installed on the appliance. | Fulfills PCI DSS 2.2.1, 2.2.2, 2.2.4 |
The appliance is configured to provide maximum security and performance | Being an appliance, Packet General security experts pre-configure the operating environment to provide maximum security. The appliance uses a "transitive trust model" to control the entire data path, not just data. | Enables compliance with PCI DSS 2.2.3 |
Transparent encryption of transfer files at rest and in transit | Vault-GENERAL™ not only encrypts the transfer files "in transit" but also "at rest". Data encryption is transparent. There is no requirement to change the application code or install an agent at the client end to achieve encryption. The encryption process does not alter the end-user's experi- ence. Data can selectively be encrypted based on business importance at the “share” level. This saves time and increases performance. Vault-GENERAL™ platform uses the AES algorithm for encryption. The key length used is 256. | Enables compliance with the PCI DSS 2.3, 3.4, 3.4.1.c and 4.1
HIPAA/HITECH |
Lifetime key management using FIPS 140-2 compliant smart-cards | The security of any cryptography-enabled system ultimately depends on the security of the cryptographic keys and certificates used. Key generation, storage, and/or distribution are always critical aspects of any distributed secure system. Vault-GENERAL™ uses several crypto- graphic keys to provide a comprehensive solu- tion. FIPS 140-2 Level2/3 compliant smart-cards (with EAL5/EAL5+ chip and EAL4+ operating system) are used for key management. In order to satisfy various compliance requirements, provisions have been made to securely generate, distribute, rotate and revoke keys. | Fulfills PCI DSS requirement 3.4.1.b, 3.5, 3.5.1, 3.5.2, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.7
|
Protection against privileged insiders | Misplaced trust in the privileged user (“root”) exposes a regular file transfer server to ever-increasing malicious activity. This occurs be- cause the underlying operating system implicitly trusts the privileged user which leads to many problems. For example, a malicious privileged user can view data stored in any file that is being transferred. Moreover, the malicious privileged user can launch subtle attacks by changing data. Any record of such activity can be easily altered or deleted by the privileged user. This not only violates the corporate trust but also results in regulatory non-compliance.
Vault-GENERAL™ eliminates this very critical flaw. A regular "privileged user" has no control over Vault-GENERAL™. In fact the privileged user is not even allowed to view the information stored in the transfer files. | Enables compliance with PCI DSS 7.1, 7.2
HIPAA/HITECH |
Data integrity | A successful attacker can alter the data stored in transfer files or alter the functionality of the server so that sensitive information is revealed. Users and administrators of the system remain unaware since it's done without altering the expected behavior. Vault-GENERAL™ eliminates data tampering. It computes checksums before data is written to the disk. Upon receipt of a read request, the integrity of data is re-established by matching the expected checksum values against the actual checksum values. These powerful capabilities ensure data integrity. | HIPPA/HITECH |
Role-based platform management | Role Based Access Control (RBAC) is the estab- lishment of access rights based on a user’s role. Vault-GENERAL™ platform uses advanced Role-based access control (RBAC) to ensure the best possible security while simplifying administration. Administration of the various aspects of the Vault-GENERAL™ platform is partitioned among several different classes of administrators – each type of administrator has access to and control over only the aspects of Vault-GENERAL™ operation required to successfully fulfill their responsibilities. There is no single “privileged user” to manage the appliance; rather, different aspects are managed by distinct entities that are responsible for different aspects of the appliance. | Enables compliance with PCI DSS 7.1.1, 7.1.2, 7.1.4
HIPAA/HITECH |
Tamper-resistant file access logs | Every file transfer or access operation is logged and cryptographically signed and stored in an encrypted vault. Even the Vault-GENERAL™ administrators are denied access to this critical evidentiary material. | PCI DSS 10.1, 10.2, 10.2.2, 10.2.4, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5, 10.5.1, 10.5.2, 10.5.5, 10.7
|
Single Touch™ updates | Packet General's service model helps customers maintain integrity of their data on a non-stop basis. Packet General security experts monitor all security advisories, and test their suggested resolutions (patches). Packet General appli- ances, located at the customers sites, securely and automatically download the necessary updates. Single Touch™ application of security updates, enables a quick and assured resolution to a known security problem, eliminating the window of vulnerability between the availability and the installation of a security patch. Our technical personnel are available to assist our customers with product integration, configuration, diagnostics and troubleshooting on a 7x24x365 basis. | PCI DSS 6.1, 6.2, 6.2.b |
