Cyber-Ark's Inter-Business Vault is designed to protect confidential files in an extranet environment, where secure file sharing with remote offices and business partners is demanded. This requires a combination of secure file storage, encryption for files in transit, authentication and access control. There are many products that tackle these problems individually. For example, a virtual private network (VPN) encrypts files in transit, and access controls are built into modern operating systems. However, OS access controls can often be bypassed simply because unhardened operating systems are themselves so easy to compromise. Inter-Business Vault aims to address all of these problems by integrating a VPN, authenticated access controls and encrypted file storage in a very secure solution.
Inter-Business Vault must be installed on a dedicated server that is running Windows 2000 (Professional, Server or Advanced Server), Solaris and Linux. Inter-Business Vault even installs its own firewall. Since it is installed on a dedicated computer, this firewall can filter out any transmissions that are not addressed directly to Inter-Business Vault. The only things that can get through the firewall are valid Inter-Business Vault commands.
Specific instructions are given on hardening the operating system, including disabling all unnecessary user accounts and services. This leads to a very secure platform on which to store files. Inter-Business Vault also provides its own backup utilities, which can be integrated with the existing enterprise backup scheme as well as offering transparent integration with existing backup systems.
Inter-Business Vault handles access control and authentication in a manner that can be seamlessly integrated with the usual Windows NT/2000 domain authentication for single sign-on, or can be based on passwords, PKI digital certificates, and tokens (such as USB tokens or RSA SecurID for two-factor authentication).
Users may use either the Inter-Business Vault Windows client or a standard web browser to access the data stored in the 'vault.' However, there is also seamless integration with applications that use the standard Windows file system interface (CIFS), FTP or web-based file access - this is achieved via Inter-Business Vault gateways. The CIFS and FTP gateways must run on a separate platform running Red Hat Linux 7.2 or higher. The HTTP gateway can be integrated with IIS version 5 or higher.
Inter-Business Vault uses a choice of 128-bit 3DES or 256-bit AES algorithms for bulk data encryption. This approach is made even more secure because different randomly generated keys are used for each file stored, and all the keys are managed totally transparently in a central secure location. This eliminates the need to deploy an expensive PKI solution for simple file encryption tasks. All the key management is done internally inside the server, with the end user and administrator being totally unaware of it.
Whichever client is used all data is encrypted in transit. With the Windows client, most of the encryption processing is carried out by the client itself. With the HTTP gateway, 128-bit SSL encryption is used between the client and the gateway, while the gateway off-loads the 3DES or AES encryption from the Inter-Business Server. Either way, the Inter-Business Vault is relieved of 95 percent of the encryption and decryption tasks. The server never re-encrypts the data it receives, but only stores it as is. This has huge advantages for server performance and, because data is also compressed in transit, remote access over even a slow internet connection is dramatically improved in comparison to a standard extranet file-sharing implementation.
Inter-Business Vault uses the concept of 'safes' that are created within the Inter-Business 'vault.' This is the analogy used for separate secure folders within the Inter-Business Vault secure server. A 'safe' is a logical storage unit within the secure server 'vault' and may be shared by multiple users if desired. A nice feature is colour-coded alerts attached to 'safe' and file icons to indicate whether anyone else has accessed each safe or file. This helps with file sharing, since you immediately know which 'safes' and files have been added to, modified, updated or merely read.
When a user's access authority is removed from a safe, they can no longer access that data and they do not have any encryption key that can be used to access that data. In other words, revoking someone's access to data is totally handled by the transparent key-management system and access-control features. Thus there is no need to destroy encryption keys and re-encrypt files, which would be necessary with other solutions.
When a user authenticates to Inter-Business Vault, a standard two-way challenge-and-response protocol is used to verify the user's identity and to exchange the session encryption key, which is changed for every user-authenticated session. Once established, all information transmitted between the client and the server is encrypted by the VPN.