Building on the core Transport Layer Security (TLS) built into the Signiant transfer protocol, Media Shuttle contains a variety of security features that adhere to the information assurance principle of “defense in depth”. A defense-in-depth design strategy incorporates several security controls for a system so that multiple security failures must occur before an attacker can gain access to critical resources. Two key components of this strategy are the principles of “least privilege” and “secure by default”. Least privilege works on the basis that every task in the system should be performed with the least privileges possible, both in the scope of resources touched and in how long those resources can be accessed. A corollary of least privilege is that mechanisms used to control access to resources should never be shared. A system is secure by default when the default settings put the system in a secure state, so that deliberate action must be taken to disable security features.
The first Media Shuttle security element is provided by the hybrid SaaS nature of Media Shuttle: customers can store their files on-premises or in the cloud, while the software that orchestrates the file movement is a true cloud-native SaaS offering. The content storage itself is always under the customer’s control. This eliminates a security risk inherent in popular consumer online file sharing services, since customer files are never stored in the same file system or cloud storage tenancy as other people’s files. The advantages of segregated storage are numerous, but from a security perspective it provides an extra layer of isolation.
The second key security feature begins with the creation of a customer account and assignment of top-level administrators for the account. The next step is to set up and associate file transfer servers with the account. Each transfer server installation securely binds with the cloud tier and the customer account using a one-time setup key generated by the cloud tier for this purpose. This one-time key is used to securely establish and exchange security credentials, which are then used to validate and encrypt all future communication between the cloud and the transfer server.
Once transfer servers are registered with an account, the administrator can create new portals that allow communities of users to securely exchange files. Each portal is associated with a specific area of storage visible to a transfer server or to a set of redundant transfer servers. ‘Share’ portals are configured so that portal users can browse the associated storage. With ‘Send’ portals, users have no storage visibility and only use the associated storage as a transient cache during a transfer. ‘Share’ portals also hide the underlying storage location itself from users. This ability to assign and manage specific storage locations for each portal adds a third element of security.
User interactions with the Media Shuttle system are also highly secure. When users log in to a portal using their username and password, all web interactions use standard TLS to authenticate the server and encrypt information exchanged between the browser and the server. For users managed exclusively in Media Shuttle, passwords are stored using secure salted one-way hashes. Passwords are not stored in clear text, and what is stored can only be used to determine whether a password provided by a user is correct. Passwords provided by users are tested by applying the hashing process and comparing the result to the stored value. The salt is random data included in the hash so that precomputed dictionary or brute-force attacks cannot be run against the password database in the unlikely event of a breach.
A final element of security derives from Shuttle’s file transfer mechanics. When a user initiates a file transfer via the cloud-served web interface, or a transfer is initiated by an unattended sync operation, transfer instructions must be generated for, and delivered to, the transfer client. These transfer instructions include a unique transfer security token and are delivered via secure web communications. The transfer client then connects to the transfer server and delivers the transfer instructions. The transfer server validates the transfer instructions by contacting the Signiant control plane SaaS with the transfer instructions, including the transfer token. This round-trip check ensures that each transfer is authorized and valid at the time it takes place and is fully tracked by the Signiant SaaS.
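The transfer-token round trip described above, modelled as an added Python example (constructed here, not Signiant’s code): a control plane issues instructions carrying a unique token, and a transfer server accepts a transfer only after the control plane confirms that token. Token expiry, single use, and binding the token to the issued instruction contents are assumptions about how such a check could be implemented, not documented Media Shuttle behaviour.

```python
import secrets
import time


class ControlPlane:
    """Cloud tier (constructed model): issues transfer instructions and validates them."""

    def __init__(self):
        self._issued = {}  # token -> what it authorizes; stand-in for the SaaS database

    def issue_instructions(self, user, portal, path, ttl_seconds=300):
        token = secrets.token_urlsafe(32)  # unique, unguessable transfer token
        self._issued[token] = {"user": user, "portal": portal, "path": path,
                               "expires": time.time() + ttl_seconds, "used": False}
        return {"user": user, "portal": portal, "path": path, "token": token}

    def validate(self, instructions):
        """Round-trip check requested by the transfer server; returns (ok, reason)."""
        record = self._issued.get(instructions.get("token"))
        if record is None:
            return False, "unknown token"
        if time.time() > record["expires"]:  # assumption: tokens are short-lived
            return False, "token expired"
        if record["used"]:  # assumption: one token authorizes exactly one transfer
            return False, "token already used (replay)"
        if any(record[k] != instructions.get(k) for k in ("user", "portal", "path")):
            return False, "instructions do not match what was issued"
        record["used"] = True
        return True, "authorized"


class TransferServer:
    """Customer-side server: trusts instructions only after the cloud confirms them."""

    def __init__(self, control_plane):
        self._control_plane = control_plane
        self.audit_log = []  # (token, ok, reason): every decision is recorded

    def accept_transfer(self, instructions):
        ok, reason = self._control_plane.validate(instructions)
        self.audit_log.append((instructions.get("token"), ok, reason))
        return ok  # data movement would proceed only when ok is True


def run_scenario():
    """Valid transfer, replay of the same token, tampered path, expired token, unknown token."""
    cloud = ControlPlane()
    server = TransferServer(cloud)
    good = cloud.issue_instructions("alice", "share-portal", "/projects/clip.mov")
    tampered = dict(cloud.issue_instructions("alice", "share-portal", "/projects/clip.mov"),
                    path="/projects/other.mov")
    expired = cloud.issue_instructions("bob", "send-portal", "/inbox/upload.mxf", ttl_seconds=-1)
    return [server.accept_transfer(good), server.accept_transfer(good),
            server.accept_transfer(tampered), server.accept_transfer(expired),
            server.accept_transfer({"token": "not-issued"})]
```

The audit log kept by the transfer server is the kind of record a defender would forward to a SIEM: a burst of rejected tokens from one client is a useful detection signal.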