uniscon.com
Sealing technology makes virtual data rooms more secure, easier to use and more flexible than ever
White paper: Virtual data rooms
Content
1. Basic requirements for virtual data rooms
2. Why encryption alone is not enough
3. Exclude operator access in the data center
4. More usability and comfort thanks to sealing
5. Advantages in terms of security
6. The functions in detail
7. Setup and administration
8. Checking and testing the properties of idgard® and the sealed cloud
9. Further information
10. Bibliography
1. Basic requirements for virtual data rooms
Historically, the term "data room" was coined in connection with the sale and purchase of companies and parts of companies (Merger & Acquisition, M&A). A well-guarded room was set up in which all documents required for so-called due diligence, such as audit documents and company analyses, were stored. The group of people who were granted access to the data room was precisely defined, and their presence was accurately registered and documented by a security guard.
Although such physical data rooms are still in use, virtual data rooms have become very popular. In particular, the much lower costs and the possibility to view and edit documents without having to travel to the office give virtual data rooms the edge.
Moreover, the functions available in virtual data rooms aim at replicating the situation in a physical data room. For example:
- the presence in the data room is documented,
- unauthorized access is denied, and abuse and unauthorized copying of documents are prevented.
In addition, further practical functions can be added electronically:
- Notifications when new documents are uploaded
- Reminders that there are still "unread" documents
- Setting up several data rooms with different groups of authorized users
- Formal and informal communication between different authorized persons in the data room context
With this variety of functions, virtual data rooms are spreading far beyond their use for M&A to applications for cross-company projects, cross-organizational teams and, in general, to electronic communication that requires careful documentation, for instance, between contractors or lawyers and their clients or further stakeholders. Visit our website https://www.idgard.de/cloud-anwendungen/datenraum/ for further information on the various applications in detail.
2. Why encryption alone is not enough
Secure data rooms are primarily associated with the technology of encryption. This allows physical access to
signals and data to be tolerated without having to fear unauthorized reading of the content. Data can be
securely transmitted from a sender to a central processing unit, where it can be securely stored and securely
forwarded to a recipient.
There are two types:
1. Encryption is carried out by the provider of the data room in the data center. The security level is determined by organizational measures and is therefore weak. Most data room providers rely on this method.
2. The encryption takes place in the end devices and the data is encrypted end-to-end. Here only a subset of the functions described above can be implemented. Furthermore, the metadata (for example, who wrote or read which data and when) as well as the presence in the data room are openly available to the operator and are only secured there by organizational measures.
This situation is illustrated in Figure 1:
Figure 1: Illustration of the security situation in conventional data rooms
In addition to these security weaknesses, conventional data rooms are complex to set up. Each participant must be given credentials in a trustworthy way and sometimes it is necessary to install software locally on the end devices. These weaknesses can be circumvented with the idgard® data rooms, which are described below.
3. Exclude operator access in the data center
The "sealed cloud" technology on which the virtual idgard® data room is based prevents access to the physical signals even during processing. The data is stored in encrypted form in such a way that, owing to the key distribution, the operators of the service and the infrastructure cannot read it. Thus idgard® and the sealed cloud complete the basic IT security calculation. Figure 2 outlines the set of technical measures for securing the data in a sealed cloud.
First, in the infrastructure of a sealed cloud, the data center is divided into several segments. Electromechanical controls and backups allow employees to access only one of these segments at a time if necessary, for example, for maintenance purposes. Access authorization is granted by an instance that is itself excluded from physical and logical access to the system. The access itself is comprehensively logged. In addition, a so-called "data clean-up" is triggered both in the event of planned access by employees and in the event of an unplanned access attempt (attack). This means that the active sessions of cloud users are moved to an unaffected segment of the data center and all data in the affected segment is deleted. With the idgard® sealed cloud, this is done so thoroughly that power is even cut for 10 seconds from the application servers, which are operated without persistent storage, thus preventing any ice-spray attacks.
During restart, an integrity check is performed over the entire software stack, that is, from the hardened operating system through all software layers to the application software. For example, if the maintenance engineer were to import non-certified software, the application server could not restart after the segment was closed.
A complete and accurate scientific explanation of the innovative technical measures is given in [1] and [2].
Figure 2: The set of technical measures for securing the data in a sealed cloud.
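The sequence described in this section (data clean-up before any access, one open segment at a time, integrity check before restart) can be modelled in a few lines of Python. This is an added illustration, not uniscon's implementation; the class names, layer names and sample data are assumptions made for the example.

```python
import hashlib
def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

class Segment:
    def __init__(self, name, stack):
        self.name, self.stack = name, dict(stack)  # stack: layer -> installed bytes
        self.sessions = {}        # session id -> working data, held in RAM only
        self.powered, self.locked = True, True

class SealedDataCenter:
    def __init__(self, segments, certified):
        self.segments = {s.name: s for s in segments}
        self.certified = certified                 # layer -> certified SHA-256
        self.out_of_service = None                 # at most one segment at a time
        self.log = []                              # every access is logged

    def data_cleanup(self, name, planned):
        """Runs for planned maintenance and for unplanned access attempts alike."""
        if self.out_of_service is not None:
            raise PermissionError("another segment is already open")
        seg = self.segments[name]
        others = [s for s in self.segments.values() if s is not seg and s.powered]
        if not others:
            raise RuntimeError("no unaffected segment to take over sessions")
        others[0].sessions.update(seg.sessions)    # 1. move active sessions
        seg.sessions.clear()                       # 2. delete data in the segment
        seg.powered = False                        # 3. cut power, volatile memory is lost
        seg.locked = not planned                   # 4. unlock only for planned access
        self.out_of_service = name
        self.log.append((name, "planned" if planned else "attack"))

    def close_and_restart(self, name):
        """Integrity check over the whole stack; refuse to start on any mismatch."""
        seg = self.segments[name]
        seg.locked = True
        bad = [layer for layer, blob in seg.stack.items()
               if digest(blob) != self.certified.get(layer)]
        seg.powered = not bad
        self.out_of_service = name if bad else None
        self.log.append((name, "restart ok" if not bad else f"restart refused: {bad}"))
        return seg.powered

def build_demo():  # constructed sample data, not real idgard components
    stack = {"os": b"hardened-os-1.0", "app": b"dataroom-app-1.0"}
    certified = {layer: digest(blob) for layer, blob in stack.items()}
    a, b = Segment("A", stack), Segment("B", stack)
    a.sessions["alice"] = b"decrypted document in RAM"
    return SealedDataCenter([a, b], certified), a, b
```

In this model the lock is released only after the sessions have moved and the segment is wiped and powered off, and a segment whose stack no longer matches the certified digests stays out of service.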
4. More usability and comfort thanks to sealing
Since the sealed cloud technology automatically centralizes all key management, neither the person
responsible for setting up the data room nor the users invited by them need to worry about the complexity of key management.
With idgard® no local installation is required. It can be used from any browser and can also be registered online. The administrator just needs to select a username and password online and name the registering company. Once this is done, you can start using idgard® immediately. After creating an account (which can also be a non-binding trial), you must confirm that you accept the agreement for the processing of data by order. The administrator can then immediately invite employees and external guests to the data room with just two clicks. The persons concerned are informed by e-mail and SMS. The e-mail contains a link that leads the recipient to a form in which the employees or guests can choose their own username and password.
They receive a pass code by SMS which is requested during registration. Alternatively, an LDAP or MS Active Directory integration of idgard® is also possible.
The Admin or employees designated by the Admin can set up a data room with just a few clicks. The
employees and external guests can easily be selected from a list and invited to this data room. To sum up, idgard® offers the following operating and comfort advantages compared to conventional data rooms:
- Online registration without buying: idgard® use can start within a few minutes. No waiting times for buying, no local installation and no training necessary.
- 100% adjustable: licenses can be added or removed individually online. All your bookings are billed by day and appear on the monthly invoices. Payment is made according to usage.
- Employees and guests can securely join an idgard® account with an e-mail and SMS and can be invited to different data rooms by just "clicking", without complicated key management.
5. Advantages in terms of security
If the conventional security calculation is based on encryption and organizational measures, two challenges
remain unsolved: (1) The protection of content and metadata when unencrypted data is processed, and (2)
the protection of metadata that can be analyzed particularly easily, even when encrypted data is routed. The canonical set of technical measures [1], on which the sealing is based, completes the basic security concept.
With the technical sealing, the user data can be protected against attacks from outside and inside.
This sealing protects both content and metadata from any unauthorized access.
6. The functions in detail
Table 1 lists the most important functions for operating virtual data rooms and evaluates them with regard to four different classes of data room.
Table 1: Functions overview regarding four different types of data room
| Functions | Data room with encrypted transmission | Data room with encrypted transmission and storage | Data room with E2E client encryption | Data room offer based on the sealed cloud (idgard®, the sealed cloud) |
| --- | --- | --- | --- | --- |
| Protection against unauthorized access | | | | |
| Protection against interception during transmission | o.k. through encrypted transmission | o.k. through encrypted transmission | o.k. through encrypted transmission | o.k. through encrypted transmission |
| Protection against unauthorized access to documents | Unauthorized persons can get hold of documents relatively easily | Protection against unauthorized persons relatively good. Disloyal employees of the provider can decrypt documents | o.k. through E2E encryption | o.k. by combining encryption and sealing |
| Protection against tapping metadata, for example, who is a member of the data room, when, how often and which document was viewed, etc. | Employees of the data room provider can misuse metadata | Employees of the data room provider can misuse metadata | Employees of the data room provider can misuse metadata | o.k. by combining encryption and sealing |
| Documentation of the data room visitors | | | | |
| Journal / Audit trail | o.k. | o.k. | o.k. | o.k. |
| Easy export | o.k. | o.k. | o.k. | o.k. |
| Protection against document distribution by data room visitors | | | | |
| "Read only" files | o.k. | o.k. | o.k. | o.k. |
| Watermark | o.k. | o.k. | o.k. | o.k. |
| Notification for mass downloads to the data room admin | - | - | - | o.k. |
| Additional functions and costs | | | | |
| Setup and installation | - | local installation usually recommended | local installation usually necessary | no installation needed |
| Support of mobile devices | - | partially | partially | o.k. |
| Communication with other authorized persons | partially | partially | partially | messages, chat and voting function |
| Cost structure | usually setup costs + user fees | usually setup costs + user fees | usually setup costs + user fees | No setup costs, 100% customizable, data rooms are charged per day of use |
We have gathered below some screenshots on data room functions to illustrate how easy they are to use.
Figure 3 shows how an ordinary PrivacyBox can be turned into a data room in idgard®, provided the employee has been authorized by the administrator:
Figure 3: Checkbox to convert an ordinary idgard® Privacy Box to a data room. This checkbox appears in the Box properties when a new PrivacyBox is created or an existing one is edited.
Figure 4 shows the usual view of a PrivacyBox when it is configured as a data room. Also, as in any PrivacyBox, folders and subfolders can be created to structure the information. Additionally, a journal is available.
Figure 4: Screen view of the new data room. The journal button is now available. The view shows an empty subfolder.
Figure 5 shows the data room journal. The buttons for exporting the data room journal, as well as uploading, downloading, deleting, and viewing files are now visible.
Figure 5: Screen view of the journal.
Finally, Figure 6 shows the data room settings that are available after uploading a file: "Watermark", "Read
only", "None".
Figure 6: Available options once a file is uploaded.
Operating idgard® data rooms is so simple that the instructions can be summed up in these four screenshots.
7. Setup and administration
The setup and administration of the data room functions is just as easy. Here you can have a look at the
corresponding screenshots. Figure 7 shows the contract status page of an administrator account. The status of the bookings is always shown. The number of employee licenses, guest licenses and data rooms available can be adjusted individually.
Figure 7: Buying more data rooms in the self-service area.
The Admin must authorize the individual employees to convert idgard® PrivacyBoxes to data rooms. Figure 8
shows the list of idgard® users of the sample account and how an Admin can authorize an employee to create data rooms.
Figure 8: Authorization of an employee to set up data rooms
8. Checking and testing the properties of idgard® and the sealed cloud
uniscon, the operator of idgard®, works according to IT-Grundschutz, a sustainable management system for information security designed by the German Federal Office for Information Security. Parts of the service are
already certified by TÜV-iT. uniscon GmbH is one of four service providers which, along with Telekom AG, SAP AG, and regio-IT GmbH, are involved in the pilot project for data protection certification of the German
government.
In addition, we would like to refer to the extensive documentation and certificate package of uniscon GmbH [4], containing among others the documentation on uniscon GmbH, the service idgard® and the certification. During the certification process, based on the selected and documented certification strategy, the necessary
documents (approx. 35 documents) are included.
9. Further information
idgard® Brochure: Simple & Secure Communication via patented Sealed Cloud
idgard® Privacy Boxes are a safe and yet easy alternative to Email. Find out how idgard® provides for legally compliant communication and work with business partners.
idgard® – Features | Applications | Software & Apps
An overview of idgard® license types, features and additional software.
Secure Mail: How to protect yourself against phishing attacks
Companies are particularly frequently targeted by criminal phishing attacks. We show you how to recognize suspicious e-mails and what you can do to effectively protect yourself and your employees against phishing attacks.
10. Bibliography
[1] Hubert Jäger et al., “A Novel Set of Measures against Insider Attacks - Sealed Cloud”, in: Detlef Hühnlein, Heiko Roßnagel (Ed.): Proceedings of Open Identity Summit 2013, Lecture Notes in Informatics, Volume
223, ISBN 978-3-88579-617-6, pp. 185-195.
[2] Hubert Jäger, et al., “The First Uniscast Communication System protecting both Content and
Metadata”, in the proceedings of the World Telecommunication Congress 2014.
[3] Steffen Kroschwald, Verschlüsseltes Cloud Computing, Anwendung des Daten- und Geheimnisschutzrechts auf „betreibersichere“ Clouds am Beispiel der „Sealed Cloud“, in: Taeger, J., Law as a Service (LaaS), Recht im Internet- und Cloud-Zeitalter , Tagungsband Herbstakademie 2013 (Band 1), 289.
[4] Documentation and certificate package for uniscon GmbH and the service idgard®. Available upon
request at [email protected], 2014.
uniscon — a company of the TÜV SÜD Group
uniscon GmbH is a company of the TÜV SÜD Group. As part of TÜV SÜD’s digitalization strategy, uniscon offers high-security cloud applications and solutions for secure, legally compliant data traffic. TÜV SÜD is one of the world’s leading technical service providers with over 150 years of industry-specific experience and more than 24,000 employees at around 1,000 locations in 54 countries. Within this strong network, uniscon is able to reliably implement large-scale international projects in the IoT and Industry 4.0 sectors with the Sealed Cloud and its products.
Further information on partners and products: www.uniscon.com
Contact: uniscon GmbH – Sealed Cloud Technologies
E-mail: [email protected]
Webpage: www.uniscon.com
Phone: +49 (89) 4161 5988 100
Published by:
uniscon GmbH
Managing director: Karl Altmann
Ridlerstraße 57 · 80339 Munich · Phone: +49 (0)89 / 4161 5988 100
Amtsgericht (Local Court) in Munich HRB 181797