In Part 1 of the Securing SaaS series, we gave an overview of the hybrid SaaS architecture that Media Shuttle relies on for safe, easy media transfer. Part 2 looked specifically at security related to customer provisioning, user rights, and transfer validation. In this part we look at specific design principles, including data storage, audit collection, and secure-by-default configuration.
User-initiated transfers are performed using a browser plug-in that interacts with Media Shuttle web pages. Browser plug-ins and installed applications that interact with web pages operate outside the browser's security sandbox, with broader access to the user's files and other resources than the web page itself has.
Plug-ins and applications can be used by malicious web pages as a point of attack when the associated threats are not mitigated in their design. For example, a rogue web page that detects the presence of the plug-in could instruct it to upload a sensitive file, or to download and overwrite a sensitive system file, without the user's knowledge.
Interactions between installed software and web pages are an open attack point in many products. The Signiant transfer plug-in has therefore been designed so that every file access it performs is explicitly authorized by the user, which removes this class of attack.
All file transfers are protected from eavesdropping and modification in transit using Transport Layer Security. TLS protects data only while it is moving, so to also protect files at rest, users can specify a unique transfer password.
The content of the file is then encrypted on storage with a random encryption key, which is in turn protected with the user-supplied password. To gain access to the unencrypted content of the file, users must supply the correct password.
All user and file transfer activity is logged by the system. Specifically, failed and successful user logins, and transfers initiated by users, are logged and visible to administrators.
Audit information can be analyzed in real-time to identify suspicious access patterns and analyzed in retrospect for forensic purposes.
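As an added example of the kind of real-time analysis this paragraph refers to (written for this article, not Media Shuttle's detection logic, and the JSON-lines log format and the thresholds are assumptions), the code below runs three sliding-window rules over a constructed audit log: many failed logins from one IP address, a successful login that follows a burst of failures for the same account, and a burst of downloads by one user. The same functions work for retrospective analysis by feeding them an exported log.

```javascript
// Added example, not Media Shuttle's own code. The log lines and the event
// schema (ts, event, user, ip, dir, file) are constructed for this example.
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2024-03-01T10:00:01Z","event":"login_failure","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-03-01T10:00:03Z","event":"login_failure","user":"bob","ip":"203.0.113.7"}',
  '{"ts":"2024-03-01T10:00:05Z","event":"login_failure","user":"carol","ip":"203.0.113.7"}',
  '{"ts":"2024-03-01T10:00:07Z","event":"login_failure","user":"dave","ip":"203.0.113.7"}',
  '{"ts":"2024-03-01T10:00:09Z","event":"login_failure","user":"erin","ip":"203.0.113.7"}',
  '{"ts":"2024-03-01T10:01:00Z","event":"login_success","user":"bob","ip":"198.51.100.9"}',
  '{"ts":"2024-03-01T10:01:30Z","event":"transfer","user":"bob","ip":"198.51.100.9","dir":"download","file":"cut01.mov"}',
  '{"ts":"2024-03-01T10:01:40Z","event":"transfer","user":"bob","ip":"198.51.100.9","dir":"download","file":"cut02.mov"}',
  '{"ts":"2024-03-01T10:01:50Z","event":"transfer","user":"bob","ip":"198.51.100.9","dir":"download","file":"cut03.mov"}',
  '{"ts":"2024-03-01T10:02:00Z","event":"transfer","user":"bob","ip":"198.51.100.9","dir":"download","file":"cut04.mov"}',
  '{"ts":"2024-03-01T10:06:00Z","event":"login_failure","user":"alice","ip":"192.0.2.44"}',
  '{"ts":"2024-03-01T10:06:20Z","event":"login_failure","user":"alice","ip":"192.0.2.44"}',
  '{"ts":"2024-03-01T10:06:40Z","event":"login_failure","user":"alice","ip":"192.0.2.44"}',
  '{"ts":"2024-03-01T10:07:00Z","event":"login_success","user":"alice","ip":"192.0.2.44"}',
].join('\n');

// Assumed thresholds: tune to the real login and transfer rates of the service.
const DEFAULT_RULES = { windowMs: 5 * 60 * 1000, ipFailures: 5, userFailures: 3, downloads: 4 };

// Parse JSON lines into events with a numeric timestamp, oldest first.
function parseAuditLog(text) {
  return text.split('\n').filter(Boolean)
    .map(line => { const e = JSON.parse(line); return { ...e, t: Date.parse(e.ts) }; })
    .sort((a, b) => a.t - b.t);
}

// Drop timestamps for `key` that fell out of the window; return the list still in it.
function slide(map, key, now, windowMs) {
  const kept = (map.get(key) || []).filter(t => now - t <= windowMs);
  map.set(key, kept);
  return kept;
}

function detectSuspicious(events, rules = DEFAULT_RULES) {
  const findings = [];
  const failByIp = new Map(), failByUser = new Map(), dlByUser = new Map();
  const flagged = new Set();                 // emit each (rule, key) pair once
  for (const e of events) {
    if (e.event === 'login_failure') {
      const byIp = slide(failByIp, e.ip, e.t, rules.windowMs); byIp.push(e.t);
      const byUser = slide(failByUser, e.user, e.t, rules.windowMs); byUser.push(e.t);
      if (byIp.length >= rules.ipFailures && !flagged.has('ip:' + e.ip)) {
        flagged.add('ip:' + e.ip);
        findings.push({ rule: 'brute_force_ip', ip: e.ip, at: e.ts, failures: byIp.length });
      }
    } else if (e.event === 'login_success') {
      const recentFails = slide(failByUser, e.user, e.t, rules.windowMs);
      if (recentFails.length >= rules.userFailures) {
        findings.push({ rule: 'success_after_failures', user: e.user, ip: e.ip, at: e.ts, failures: recentFails.length });
      }
      failByUser.delete(e.user);             // the burst has been resolved one way or the other
    } else if (e.event === 'transfer' && e.dir === 'download') {
      const dl = slide(dlByUser, e.user, e.t, rules.windowMs); dl.push(e.t);
      if (dl.length >= rules.downloads && !flagged.has('dl:' + e.user)) {
        flagged.add('dl:' + e.user);
        findings.push({ rule: 'bulk_download', user: e.user, at: e.ts, count: dl.length });
      }
    }
  }
  return findings;
}

function analyseSampleLog() {
  return detectSuspicious(parseAuditLog(SAMPLE_AUDIT_LOG));
}

module.exports = { parseAuditLog, detectSuspicious, analyseSampleLog, SAMPLE_AUDIT_LOG };
```

On the sample log this yields three findings: the five failures from 203.0.113.7 across different accounts, the four downloads by bob within a minute, and alice's successful login after three failures. Note that alice's earlier failure at 10:00:01 is correctly not counted, because it has aged out of the five-minute window by the time she logs in.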
Media Shuttle architecture pays equal attention to maintaining service availability in the event of both internal component failures and malicious attacks.
N+1 local redundancy is used in combination with multiple geographically distributed data centers to remove single points of failure.
The system utilizes elastic cloud infrastructure that is automatically scaled up and down to handle current load. The system is monitored 24×7 for availability and suspicious activity patterns.
Every task in the system should be performed with the least privileges possible, both in terms of the scope of resources that can be accessed and the length of time for which they can be accessed.
A corollary of least privilege is that the mechanisms used to control access to resources should never be shared between tasks.
Accounting for the unpredictable nature of human factors while maintaining usability is a key component of secure design.
A system is secure by default when the default settings put the system in a secure state. This ensures file sharing security features aren’t circumvented for the sake of convenience.
A defense-in-depth design strategy involves layering security controls for the system such that multiple security compromises are required to gain access to critical resources.
We’ve thought long and hard about design principles in Media Shuttle. If you have any questions about specific strategies, we’d love to talk more. If you’d like to read more about security, part 4 of this series looks at the file sharing service operational policies and procedures.