Introduction
The Qbox file sharing and collaboration application, developed and sold by CoralTree, Inc., is used by professionals from financial, legal, property management, retail, education, non-profit and other industry segments to share mission critical desktop application files and collaborate in real time. In order to ensure that users’ critical information is not lost, altered, corrupted or compromised, Qbox uses the most modern Physical, Information and Application security techniques to secure the client data. This includes storing data in datacenters that are compliant with modern security standards, transmitting all data over secure HTTPS connections that use 256-bit SSL encryption, and only allowing authenticated, role-based access to client data. In addition, security best practices are built into all aspects of product design, development, testing and deployment.
Qbox benefits from the extensive experience its founders and engineering members have in building highly secure and reliable applications that are used by Fortune 500 companies. This experience, combined with the use of the latest Web 2.0 secure development and testing techniques, ensures that Qbox provides a highly secure and reliable environment for clients’ critical data.
The rest of the whitepaper provides an overview of the various security capabilities in Qbox. These include:
• Physical Security: Security and controls in place to ensure that only authorized personnel have physical access to the hardware used to run the Qbox application, or the hardware used to store the data.
• Information Security: Techniques and procedures that ensure that only authorized personnel can see the data in the Qbox application, either at rest or in transit. They also ensure that data is not lost or corrupted.
• Application Security: The capabilities in the Qbox application to ensure that unauthorized users cannot compromise the application using techniques like XSS, CSRF, SQL Injection, etc. while also ensuring that authorized users can access the data they are allowed to (and only the data they are allowed to access).
Physical Security
All Qbox data is stored in Amazon data centers that are compliant with a variety of security standards including PCI DSS 1, ISO 27001 and SOC 1. More details on the Amazon data center security processes and certifications can be found in the AWS security white paper that can be downloaded at AWS Security Best Practices.
All Qbox servers are secured in the above facilities, and have 24×7 secured access, video surveillance and security alarms. Any physical access to the servers is audited, and is only available to authorized Amazon employees who have gone through extensive background checks and security training.
Information Security
Qbox ensures that unauthorized or unscrupulous individuals can never access application data. This is ensured both when the data is in transit (over the Internet) and when it is at rest (inside the data centers).
To ensure data security during transit, all communication between the user’s browser and the Qbox servers is over HTTPS using 256-bit SSL encryption. This ensures that there is no way for someone to intercept and look at the data (“man in the middle” attack). Qbox uses Premium SSL Certificates that provide the highest levels of security in modern browser-based applications.
To secure the data at rest, Qbox databases are behind multiple levels of secure firewalls in the data center. Access to these servers is only available using X.509 certificates (no password access is enabled to these servers). Only a very small subset of authorized CoralTree, Inc. employees have access to the X.509 certificates that allow them access to these servers, primarily to perform routine maintenance and backup.
Finally, Qbox databases are replicated (in real-time) and regularly backed up so that application data is never lost or corrupted due to hardware or disk failures, or natural disasters like lightning, earthquakes, etc.
Application Security
Qbox utilizes the latest Web 2.0 application security design, development, testing, and deployment techniques to secure itself against well-known security attacks like XSS, CSRF, SQL Injection and session hijacking. In addition, CoralTree has hired the services of WhiteHat Security, one of the top rated security specialists in the industry, to conduct daily scans and periodic penetration testing on the Qbox web application to detect security attacks and vulnerabilities. Any vulnerabilities reported by WhiteHat Security are quickly fixed and retested.
Qbox ensures that no critical data is persistently stored on the user’s desktop, or in the browser’s cookies. User passwords are encrypted before they are stored in the Qbox database. Credit card information provided by users while paying bills is not stored in the Qbox database. This information is sent directly to the BrainTree Payment gateway for storage and processing. You can view the BrainTree data security best practices at BrainTree Data Security.
Users need to authenticate themselves at all times before they can access the Qbox web application for administrative purposes, after which they can only see or modify data that they have been authorized to access. The Qbox Client running on the user’s computer can only access folders and files set up by or shared with the user. Sharing of a folder and the files in the folder can be initiated only by an account owner or team members of the account owner, who need to be on the same private email domain as the owner. These features are implemented using role-based access control to the Qbox application.
Qbox provides comprehensive Physical, Information and Application security of user data, while still allowing them to perform Qbox operations and file sharing more efficiently over the Internet, saving them both money and time.