Security feature

Detail

Threat mitigation

Transparent encryption of transfer files at rest and in transit.

Vault-GENERAL™not only encrypts the transfer files "in transit" but also "at rest". Data encryption is transparent. There is no requirement to change the application code or install an agent at the client end to achieve encryption. The encryption process does not alter the end-user's experience. Data can selectively be encrypted based on business importance at the “share” level. This saves time and increases performance. Vault-GENERAL™ platform uses the AES algorithm for encryption. The key length used is 256.

Man in the middle attack

Privileged insider attack

Physical loss of media

Lifetime key management using FIPS 140-2 compliant smart-cards

The security of any cryptography-enabled system ultimately depends on the security of the cryptographic keys and certificates used. Key generation, storage, and/or distribution are always critical aspects of any distributed secure system. Vault-GENERAL™ uses several cryptographic keys to provide a comprehensive solution. FIPS 140-2 Level2/3 compliant smart-cards (with EAL5/EAL5+ chip and EAL4+ operating system) are used for key management. In order to satisfy various compliance requirements, provisions have been made to securely generate, distribute, rotate and revoke keys.

Encryption key disclosure

Encryption key abuse

Unavailability of the encryption key

Protection against privileged insiders

Misplaced trust in the privileged user (“root”) exposes a regular file transfer server to ever-increasing malicious activity. This occurs because the underlying operating system implicitly trusts the privileged user which leads to many problems. For example, a malicious privileged user can view data stored in any file that is being transferred. Moreover, the malicious privileged user can launch subtle attacks by changing data. Any record of such activity can be easily altered or deleted by the privileged user. This not only violates the corporate trust but also results in regulatory non-compliance. Vault-GENERAL™ eliminates this very critical flaw. A regular "privileged user" has no control over Vault-GENERAL™. In fact the privileged user is not even allowed to view the information stored in the transfer files.

Data breach due to "malicious" or "compromised" root

Role-based platform management

Role Based Access Control (RBAC) is the establishment of access rights based on a user’s role. Vault-GENERAL™ platform uses advanced Role-based access control (RBAC) to ensure the best possible security while simplifying administration. Administration of the various aspects of the Vault-GENERAL™ platform is partitioned among several different classes of administrators – each type of administrator has access to and control over only the aspects of Vault-GENERAL™ operation required to successfully fulfill their responsibilities. There is no single “privileged user” to manage the appliance; rather, different aspects are managed by distinct entities that are responsible for different aspects of the appliance.

Data disclosure

Tamper-resistant file access logs

Insider attacks