Cyber-Ark's Inter-Business Vault offers an Instant Wide Area Network
(WAN) for connecting enterprises to their partners, customers, and sub-contractors
over the Internet. Based on its patented Vaulting Technology coupled
with its Inter-Business Server Technology™ (patent pending), Cyber-Ark
created a set of "Inter-Business" Servers, including: Inter-Business
File Server, Inter-Business Mail Server, and Inter-Business FTP Server
that provide the same functionality as their equivalent "Internal"
versions, but were designed and built to be shared as-is over the Internet
between discrete enterprises. These Inter-Business Servers enable discrete
enterprises to communicate and share information over the Internet as
if they had deployed a shared wide area network, without actually
doing so.
Connecting banks to their treasury management customers for file exchange,
connecting manufacturers to their subcontractors for design file sharing,
and connecting enterprises to their offshore software development sites
for source code sharing are just a few typical applications in which
enterprises need to be connected to partners and customers. Building
a WAN in any of these cases would require massive investments in high
speed communication lines, network security, and management tools. As
a result, these enterprises avoid this approach and resort to "workarounds",
such as so-called "Secure File Transfer", "Secure Collaboration"
or "Secure email" solutions. However, none of these workarounds
is standards-compatible or productive. There is a better option, one that
eliminates the need to build a WAN while also avoiding
proprietary solutions that force the migration of existing systems
and processes. By using Cyber-Ark's Inter-Business Vault, the standard
building blocks of every internal network worldwide can now be made
available for external use.
How Does It Work?

An Inter-Business Server is comprised of two components: the Vault and
the Vault Connector. The Vault is a highly secured repository that serves
as Internet storage shared between the participating enterprises.
The Vault Connector is a gateway that enables each of the partner enterprises
to access the Vault through standard interfaces such as a file system interface
(e.g. CIFS), a mail system interface (e.g. SMTP), and a file transfer interface
(e.g. FTP). In addition, the Vault can be accessed directly through a standard
Web interface (HTTP). The combination of these two modules enables the
Inter-Business Vault to overcome all of the Security, Performance, Manageability,
and Accessibility "behind-the-Firewall" barriers that limit
today's Extranets to Web Servers only. Now file systems, mail systems
and FTP systems can be shared over the Internet while ensuring unmatched
Security and Performance for a fraction of the TCO (Total Cost of Ownership)
of alternative approaches.
Various Modules for Various Needs:
1. Inter-Business File Server:
Enables discrete Enterprises to share "real" File Systems
by using a standard file system protocol (CIFS). This means that whether
these enterprises share Design Files, Source Code, or Office Documents
they can all manage and access these files directly from any of their
numerous existing systems and applications. There is no need to change
workflow or to train end-users.
2. Inter-Business Mail Server:
Enables discrete Enterprises to share a "real" Mail System
using the standard mail system protocol (SMTP). This means that these
enterprises can send emails to each other directly between their private
mail systems, avoiding the unsecured, slow and unpredictable public
mail system. No more quota limitations, delivery problems or security
risks.
3. Inter-Business FTP Server:
Enables discrete Enterprises to share a "real" FTP System
by using the standard file transfer protocol (FTP). This means that
whether these enterprises transfer data between back-end systems or
batch processes, they can all continue to use their countless existing
FTP scripts and batch procedures. There is no need to rewrite scripts
or to migrate existing processes.

Every enterprise has some extremely sensitive information it must never
lose. This can be the security department's emergency passwords, root
certificates, security procedures, audit reports, etc. Other departments
also have highly sensitive information, such as: financial records,
HR files, management correspondence, etc. Loss or exposure of these
data items can result in severe consequences to the organization. Typically,
sensitive data is stored on the standard file servers within the organization,
protected by the traditional security infrastructure. This approach
introduces major security problems as, statistically, over 70% of all
network breaches originate from within. The network is a complex environment,
designed for functionality rather than security. This invites attackers
to bypass the authentication and access control systems, using
numerous known software holes, viruses, worms and social engineering
methods in order to reach the sensitive data.
Cyber-Ark takes a different approach to information security and data
protection, which is analogous to the traditional concept of a safe
or vault: instead of building a fortress around one's house to secure
one's valuables, the valuables are put in a location that was designed
for one specific purpose - security. Cyber-Ark's Vault brings this approach
to the virtual world, closely integrating several security technologies
to provide the most secure location in the network, regardless of the
overall security of the network. The Network Vault creates a safe haven,
where files can be stored and later retrieved, providing tight control
over the data when it resides inside the Network Vault, as well as when
it is transferred over the network. The Network Vault is the first security
software product that provides a tightly integrated, multi-layer architecture
that delivers ultimate security.
Firewall & Code-Data Isolation - The Network
Vault resides on a dedicated computer, on which it is the only software
installed. The Network Vault's firewall allows only the Vault Protocol
in and out of this computer. This is the only way the Network Vault
can assure its total control over the information stored inside it.
Data in the Network Vault is never manipulated or executed, ensuring
that the data itself can't pose a security threat. This code/data isolation
methodology creates a sterile environment on top of which other security
layers can be built.
Authentication - Every connection to the Network Vault has to be authenticated.
It uses a strong two-way challenge-response authentication protocol.
Users can be authenticated using passwords, RSA SecurID tokens, USB
tokens (e.g. Aladdin's) or PKI digital certificates.
Access Control - Upon successful authentication, users
are subject to the Network Vault's access control mechanism. The Network
Vault is segmented into safes, where users are only aware of the safes
they are allowed to access. Note that, unlike other access control subsystems
that can be bypassed due to the overall system complexity and diverse
access methods, the Network Vault's Single Data Access Channel approach
provides a single path that requires every user to pass through all security
layers, eliminating any backdoor entrance.
VPN & Data Encryption - As part of the authentication
process, the Network Vault creates an encrypted session. Every user
transaction and every server response is encrypted. Files are encrypted
when they are stored inside the Network Vault as well as when they are
transmitted, using symmetric encryption with the key management handled
internally. When a file is stored inside the server, a unique encryption
key is generated for that file (or in fact, for that version of that
file). The file is encrypted by this key and transmitted to the Network
Vault. The encryption key is transferred over the encrypted session
and is stored inside the Network Vault. When a user attempts to access
the file, if authorized by the authentication and access control layers,
the file will be extracted along with the appropriate encryption key.
The Network Vault electronically signs the files, ensuring their completeness
and integrity while they are stored and retrieved. Note that this architecture
exposes to each user only the keys of the files they are authorized to access. When a user's
access to a particular safe is removed, they receive no information
about new or updated data or keys inside that safe. This automatic key
management scheme makes encryption completely transparent to the end
user and requires no administrative intervention whatsoever.
Content Inspection - Files that are placed inside
the Network Vault are optionally stripped of any potential code, whether
it is a Microsoft Office macro, e-mail VB script or a plain executable.
This "black and white" approach guarantees that files that
are stored and shared are always virus free.
Secure Backup and Version Control - Since data is
stored encrypted inside the Network Vault, backups are encrypted as
well. Cyber-Ark has gone to great lengths to ensure that standard systems
can back up the data in the Network Vault without the risk of data exposure
or corruption caused by security holes in the backup system.
Additionally, when files are placed inside the Network Vault, a new
version is always created, never overwriting existing information. This
guarantees protection against deliberate or unintentional data corruption
as well as a version control mechanism that lets users revert to and/or
examine older versions.
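The per-version key scheme from "VPN & Data Encryption" and the append-only versioning from "Secure Backup and Version Control" can be sketched together in code. The Go program below is an added example written for this page, not Cyber-Ark's code or an implementation of the Vault Protocol: it assumes AES-256-GCM as the symmetric cipher, uses the GCM authentication tag in place of the Vault's electronic signature, binds each ciphertext to its safe, file name and version index, and lets the vault generate each key itself rather than receiving it over the client's encrypted session. The safe, user and file names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added model of the per-version key scheme and append-only versioning from the text,
// not Cyber-Ark's code: AES-256-GCM and the in-memory structures are assumptions.

var (
	ErrDenied    = errors.New("access denied: user is not a member of this safe")
	ErrNotFound  = errors.New("file or version not found")
	ErrCorrupted = errors.New("integrity check failed: stored version was altered")
)

type fileVersion struct {
	key, nonce []byte // generated for this version only; kept inside the vault
	ciphertext []byte // AES-GCM output with the authentication tag appended
}

type safe struct {
	members map[string]bool          // users allowed to read and write the safe
	files   map[string][]fileVersion // version history; entries are only ever appended
}

type vault map[string]*safe

func (v vault) addSafe(name string, members map[string]bool) {
	v[name] = &safe{members: members, files: map[string][]fileVersion{}}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to safe, file and version, so versions cannot be swapped undetected.
func aad(safeName, file string, idx int) []byte {
	return []byte(fmt.Sprintf("%s/%s#%d", safeName, file, idx))
}

// store encrypts content under a fresh key and appends it as a new version (never overwriting).
func (v vault) store(user, safeName, file string, content []byte) (int, error) {
	s, ok := v[safeName]
	if !ok || !s.members[user] {
		return -1, ErrDenied
	}
	idx := len(s.files[file])
	buf := make([]byte, 32+12) // 256-bit key followed by 96-bit nonce, unique to this version
	if _, err := rand.Read(buf); err != nil {
		return -1, err
	}
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return -1, err
	}
	ct := gcm.Seal(nil, buf[32:], content, aad(safeName, file, idx))
	s.files[file] = append(s.files[file], fileVersion{buf[:32], buf[32:], ct})
	return idx, nil
}

// retrieve decrypts one version for a current member of the safe; the key is applied
// inside the vault and the tag check rejects any alteration of the stored ciphertext.
func (v vault) retrieve(user, safeName, file string, idx int) ([]byte, error) {
	s, ok := v[safeName]
	if !ok || !s.members[user] {
		return nil, ErrDenied
	}
	versions := s.files[file]
	if idx < 0 || idx >= len(versions) {
		return nil, ErrNotFound
	}
	fv := versions[idx]
	gcm, err := gcmFor(fv.key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, fv.nonce, fv.ciphertext, aad(safeName, file, idx))
	if err != nil {
		return nil, ErrCorrupted
	}
	return pt, nil
}

func main() {
	v := vault{}
	v.addSafe("finance", map[string]bool{"alice": true}) // constructed sample safe
	idx, _ := v.store("alice", "finance", "q3.xls", []byte("final figures"))
	pt, err := v.retrieve("alice", "finance", "q3.xls", idx)
	fmt.Printf("version %d: %q (%v)\n", idx, pt, err)
}
```

Two properties from the text fall out of this model: a user removed from a safe's member list gets ErrDenied and never sees any key material, and a stored version whose ciphertext has been altered fails the tag check and is reported as ErrCorrupted rather than being returned silently. Because every store appends a new fileVersion, the earlier versions and their keys remain retrievable for members.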
Visual Security - With Visual Security end-users
can receive visual indications of when their information in the Network
Vault has been accessed and/or updated. Objects inside the Vault are
marked with blue, red and green marks, indicating whether someone has
accessed, updated or placed a new file inside the safe, respectively.
Since these indications are generated and kept inside the Network Vault's
server, there is no way to bypass their creation or cover up activities.
Visual Security ensures that all operations, even actions taken by administrators,
are easily visible to several people in the organization. It thus acts
as both an audit and a deterrent tool, enabling security managers to be
aware of every access to the enterprise's vital information.
Manual Security - Manual Security technology enforces
limitations that provide ultimate control over data access. There are
three aspects to Manual Security: Dual control, Delay, and Time limitations.
1. Dual control - Dual confirmation may be required
to open certain Safes inside a Vault, similar to the requirement for
two keys to open a safe deposit box in a bank. When attempting to
open such a Safe, a request for clearance will be sent to the Safe's
supervisor(s). The Safe will only be opened after such access is confirmed.
Similar confirmation might be required for accessing a specific data
item. Requiring third-party clearance prevents exposure of
information in case a single user's credentials are compromised or misused. Using
this advanced feature, digital certificates, for instance, cannot
be retrieved and used, under any circumstances, unless the security
manager(s) confirm such access.
2. Delay - A unique mechanism enables delaying the
opening of a Safe for a predefined period of time, allowing supervisors
to prevent unwanted access.
3. Time limitations - A Safe can be defined to allow
access only within certain time frames such as during hours of operation.
Geographical Security - The Network Vault can limit
access to Safes to certain network locations; similarly, users can be
permitted to log in only from limited areas. Thus the security assessment
reports, for example, can only be accessed from certain rooms and not
from the rest of the building.
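The three Manual Security rules (dual control, delay, time limitations) and the Geographical Security rule are all conditions on a single request to open a Safe, so they can be evaluated together by one policy check. The Go program below is an added example, not Cyber-Ark's code: the policy fields, the order of the checks, the hour-based operating window and the rule that a requester's own confirmation never counts toward dual control are assumptions made for this illustration; the network range, user names and timestamps are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// Added illustration of the Manual Security (dual control, delay, time limitations)
// and Geographical Security rules from the text; not Cyber-Ark's code. The field
// names, rule semantics and order of the checks are assumptions for the example.

var (
	ErrLocation          = errors.New("denied: client network not permitted for this safe")
	ErrOutsideHours      = errors.New("denied: safe is closed outside its hours of operation")
	ErrDelayPending      = errors.New("pending: mandatory delay has not elapsed yet")
	ErrNeedsConfirmation = errors.New("pending: supervisor confirmation(s) still required")
)

// safePolicy holds the Manual and Geographical Security settings of one safe.
type safePolicy struct {
	RequiredConfirmations int             // dual control: confirmations needed (0 = none)
	Supervisors           map[string]bool // users entitled to confirm a request
	Delay                 time.Duration   // minimum age of a request before the safe opens
	OpenFrom, OpenUntil   int             // hours of operation as [OpenFrom, OpenUntil) local hours
	AllowedNetworks       []netip.Prefix  // client networks permitted to open the safe
}

// openRequest is one user's pending request to open a safe.
type openRequest struct {
	User        string
	ClientAddr  netip.Addr
	RequestedAt time.Time
	ConfirmedBy map[string]bool // supervisors who have confirmed so far
}

// withinHours handles operating windows that cross midnight (e.g. 22 to 6).
func (p safePolicy) withinHours(now time.Time) bool {
	h := now.Hour()
	if p.OpenFrom <= p.OpenUntil {
		return h >= p.OpenFrom && h < p.OpenUntil
	}
	return h >= p.OpenFrom || h < p.OpenUntil
}

// evaluate applies the four rules in a fixed order and returns nil only when all pass.
// The requester's own confirmation is never counted, so dual control needs a second person.
func (p safePolicy) evaluate(r openRequest, now time.Time) error {
	if len(p.AllowedNetworks) > 0 {
		permitted := false
		for _, n := range p.AllowedNetworks {
			if n.Contains(r.ClientAddr) {
				permitted = true
				break
			}
		}
		if !permitted {
			return ErrLocation
		}
	}
	if !p.withinHours(now) {
		return ErrOutsideHours
	}
	if now.Sub(r.RequestedAt) < p.Delay {
		return ErrDelayPending
	}
	confirmations := 0
	for sup := range r.ConfirmedBy {
		if p.Supervisors[sup] && sup != r.User {
			confirmations++
		}
	}
	if confirmations < p.RequiredConfirmations {
		return ErrNeedsConfirmation
	}
	return nil
}

func main() {
	// Constructed sample policy and request; the names and addresses are made up.
	policy := safePolicy{RequiredConfirmations: 2, Delay: 30 * time.Minute, OpenFrom: 9, OpenUntil: 18,
		Supervisors:     map[string]bool{"sec-mgr-1": true, "sec-mgr-2": true},
		AllowedNetworks: []netip.Prefix{netip.MustParsePrefix("10.1.5.0/24")}}
	now := time.Date(2024, 3, 5, 10, 0, 0, 0, time.UTC)
	req := openRequest{User: "alice", ClientAddr: netip.MustParseAddr("10.1.5.23"),
		RequestedAt: now.Add(-time.Hour), ConfirmedBy: map[string]bool{"sec-mgr-1": true}}
	fmt.Println("one confirmation:", policy.evaluate(req, now))
	req.ConfirmedBy["sec-mgr-2"] = true
	fmt.Println("two confirmations:", policy.evaluate(req, now))
}
```

The ordering is deliberate: the location and hours checks are cheap and depend only on the connection, so they run before the delay and confirmation checks, which require the request to have been recorded and supervisors to have acted. Excluding the requester from the confirmation count is what makes dual control meaningful when a supervisor is also the person asking for access.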