Data Guard File Sharing

Introduction

Active Cypher’s Data Guard is the file sharing, data protection, and ransomware mitigation product for Servers and Win10 devices. Data Guard protects data on both file servers and end devices from being altered by ransomware, while also providing control over how files are used when they are sent outside of your organization’s control.

Key File sharing benefits include:

  • Files are shared from a right-click pop-up menu with data permissions and expiration control.
  • Protection from Ransomware on file servers and endpoints.
  • File activity logging and reporting.
  • Shared file control of email attachments.
  • File-access control: Read-Only, Print, and Download.
  • Access to shared files is easily revoked.
  • Real-time File backup: Customer’s Azure Storage, 3rd Party Storage, Private Cloud Storage.
  • Complies with GDPR, CCPA, HIPAA, and other consumer protection laws.

General features include:

  • Zero-Data File Share Options render files without sending data to the recipient.
  • Zero Inbox Data prevents attachments from being saved as email attachments.
  • Secure File transfer in/out. HTML5 web interface.
  • Attribute-Based Access Control, driven by teams, locations, machines, and content, including Identity & Machine Authorization.

Medical Viewing features include:

  • A wide range of DICOM-compatible features in support of DICOM data sets, directory (DICOMDIR), secure communication, security, 2D and 3D viewers, video playback, and medical-specific image viewing and processing.
  • The HTML5/JavaScript Zero-footprint DICOM Viewer is a fast, lightweight DICOM viewer that includes 3D volume rendering, DICOM Overlay, and Softcopy Presentation State.
  • DICOM and Medical Image Annotation can be added to DICOM, bitonal, color, and grayscale images, either on a presentation layer or burned into the image data. Flexible annotation object storage options include DICOM data sets (Grayscale Softcopy Presentation State), image files, separate annotation files, database, memory, and XML.
  • Full support for Part 15 of the DICOM specification, including BCP195 and TLS 1.2. Sensitive data sent between DICOM nodes is encrypted using the TLS and ISCL secure transport connection profiles.

 

Data Guard – End-User Medical Viewer experience:

The Data Guard DICOM Viewer for HTML/JavaScript is packed with features, including:

  • View DICOM images from your local archive or a remote third-party PACS using vendor-neutral DICOM communication, WADO, or DICOMWeb.
  • Multi-Resolution and Tiled Image technology to view images up to 1TB.
  • Client-side caching of DICOM pixel data for fast reloads and network traffic reduction.
  • Fast, client-side tools such as window level, series stack, image processing, Hounsfield unit, probe, spy glass, shutter, and Cobb angle.
  • DICOM export (with DICOMDIR) in zip with option to anonymize.
  • Full cine feature set that includes play, pause, first, previous, forward, backward, and loop, including ability to play multiple Stress Echocardiography datasets.
  • Render encapsulated PDF documents.
  • Render DICOM Waveform data sets.

 

HTML5 Canvas/JavaScript Viewer Control – Cross-platform viewing of 150+ formats on many browsers and devices. The control’s features include access to mouse and multi-touch (gesture) user input and pre-defined interactive modes such as pan, scale, zoom to rectangle, pinch and zoom, center on point, and magnifying glass. Built-in image processing functions that help overcome common image display issues include rotate, flip, resize/scale, invert color, and color adjustments: hue, saturation, lightness, brightness, and contrast. Extended grayscale (12-16 bit) functionality, such as window leveling, is fully supported.

Mobile DICOM Viewer – Display tags, pixel data, and more! It includes tools such as window-leveling and stack panning. This app is designed to connect, communicate, and retrieve images from PACS Servers.

Data Guard – End-User File Sharing experience:

Data Guard is an enterprise file sharing and data protection system that is deployed into the Customer’s tenant and on their File Servers and Workstation devices. It allows sharing internally or externally to a wide variety of device types and operating systems, delivering a robust data sharing and sync service that meets the mobility and collaboration needs of users and the data security requirements of the enterprise.

Securing data is critical to every enterprise and is a responsibility taken seriously by Data Guard. With the concern over the plethora of free or low-cost data sharing apps and sites available to end-users, providing users with a more secure alternative that still empowers them to share files with co-workers has become an extremely high priority at every level of management these days.

Data Guard is secure by design, and this paper highlights some of the security surfaces available to Data Guard Enterprise customers.

Data Guard consists of three primary components: Sharing Management, Data Controls, and the Data Guard User Controls.

1. Sharing Management: Enterprise-level visibility and control of internally and externally connected Authentication and Identity Providers. Provides Auth0 Database and Connectors to many other identity providers for securely sharing with external entities, requiring them to authenticate in their native Identity system and be authorized in Customer’s Azure Active Directory as a short-term Guest in their tenant.

2. Data Controls: Customer policies control the level of visibility and data access available across the Sharing Management controls. Data Controls can be placed around AD Security Groups, External Domains, geographic location, or device. Higher-risk groups may be limited to View-Only access to shared files, removing the ability to Print or Download the shared file from their browser. Data Guard does not transmit any metadata or file data in View-Only mode; a “data-free” version of the file is displayed to the end-user without any file data on their device.

3. Application and Viewer Management: Data Guard offers native apps for Windows; macOS, Android, and iOS require the HTML5 web browser interface.

Data Guard HTML5 browser viewer supports over 200 file types including radiology and streaming media.

Data Guard services.

 

1. Sharing Management

1.1 Architecture

The Sharing Management within Data Guard consists of the following components:

  • Azure Active Directory B2B Guest Invite flow.
  • Auth0 Database in Customer’s tenant.
  • Data Guard Identity Connection Manager API.
  • Connection Monitor logging and alerts.

2. Data Guard management plane

2.1 Architecture

The Data Guard management planes consist of the following components:

  • Integrated Cloud Fortress and Data Guard Server Service.
  • Web servers hosting the Data Guard HTML5 Viewer in the Customer’s tenant.
  • Web servers hosting the Data Guard API services in the Customer’s tenant.
  • Database services in Customer’s tenant.

The Data Guard management planes are operated independently; no customer data is replicated between the two management planes. The management planes share a single list of all Data Guard tenant subdomain names, and each subdomain name can be used on only one of the US-hosted or EU-hosted management planes.

The Data Guard management plane provides PowerBI Analysis tools, Dashboard, and KPI across the entire file lifecycle.

2.2 Communication with the Data Guard management plane

2.2.1 Secure connections

The Data Guard management planes have been configured to support only TLS 1.2 connections with the Customer’s 2048-bit RSA X.509 certificate.

Data Guard stores information about both the file objects and the user objects inside the Customer’s tenant. This metadata describes the properties of the objects that are shared.

2.3.1 Metadata for user objects

For user management purposes, as well as to provide detailed information for reporting, user attributes are stored for each user in the Data Guard management plane (this list represents a subset of the overall fields stored):

  • First Name
  • Last Name
  • User Login (Email Address)
  • User IP with Geo-Coding Options
  • Device/Machine identifiers
  • Company Name (Optional)
  • Access Control Lists (ACL)

2.3.2 Metadata for file objects

No customer files are processed by, stored in, or transferred outside of the Customer’s tenant. Files are processed in the Customer’s tenant and are shared out via endpoints in their tenant as well.

Metadata describing the shared files is stored inside the management plane. This data allows us to identify the stored file objects, the permissions to these objects, as well as the collaboration taking place on these file objects. The following metadata attributes are written to the Data Guard management plane:

  • File Name
  • Device Name
  • File Location
  • File Size
  • File Hash
  • File Creation Date
  • Email Notification
  • Access Control Lists (ACL)
  • IP address from which the file was uploaded

2.4 User Types

The Data Guard service maintains the User file sharing details in the SQL Database in the Customer’s tenant. Internal users have control over the expiration, printing, downloading, and revocation of their own shared files; administrators can control the sharing across all users.

2.4.1 Employees and external users

Data Guard differentiates between Employee and Client (external) users. Employee users are licensed users with access to all the capabilities of the Data Guard service subscribed to and allowed by their tenant account administrators. Client users are limited to the Data Guard web interface and can only access files and folders that are shared with them.

Client user accounts are automatically created upon sharing files and folders where authentication is required. The external user will receive an email to activate their Data Guard user account, set a password and then get access to the shared files and folders.

2.4.3 Data Guard User Service

The Data Guard User Service is a lightweight Windows application that runs in the customer environment. It connects to the customer’s Active Directory to retrieve Security Group.

Disabling or deleting a user account in Active Directory will disable the user account inside Data Guard, shutting down access to all shared files, data controls, and sharing management.

2.5 Authentication to Data Guard

By default, authentication occurs through Azure AD (O365), with external entities authenticated in their native tenant or directory through Auth0.

2.5.1 Data Guard credentials

Authentication to Data Guard is performed against the Azure AD tenant by providing the username (the email address of the user) and password.

2.5.1.2 Two-step verification

Two-step verification can be enabled in Azure Active Directory to add a second step for users authenticating. The verification takes place through a verification code that is sent to the user via text message (SMS) or voice call, or through a time-based one-time passcode (TOTP) authenticator app.

2.5.2 Authentication with enterprise credentials

Data Guard is integrated with the Office365/Azure Active Directory authentication flow and supports MFA, OTP, SAML, and external authentication hubs such as Auth0.

2.5.2.1 Access and OAuth token

After completing the SAML authentication flow, all Data Guard apps store an access token and an OAuth token for authentication purposes to enhance the user experience.

The access token has a default lifetime duration of 72 hours (about 3 days); however, the long-term OAuth token can be configured by the tenant administrator.

2.5.2.3 Multi-factor authentication

Multi-factor authentication to Data Guard is supported through the configured SAML identity provider. Refer to the vendor of your identity provider for supported multi-factor solutions for their platform.