Security Overview

Enterprise-Class Secure Mobile File Sharing

Copyright © 2016-2017 Accellion, Inc. All rights reserved.

These products, documents, and materials are protected by copyright law and distributed under licenses restricting use, copying,
distribution, and decompilation.
Accellion and the Accellion logo, are registered trademarks of Accellion, Inc. All other trademarks are properties of their respective
owners.

© Accellion, Inc. 1
Table of Contents
Overview .............................................................................................................................. 4
End-to-End Security .............................................................................................................. 4
Account Access and Authentication .................................................................................................................................. 4
Login Security Features ................................................................................................................................................. 4

Access Security ..................................................................................................................... 5

File Sharing Security Features ............................................................................................... 5
Architecture.......................................................................................................................... 6
Application Tier Security ................................................................................................................................................... 6
Encryption ..................................................................................................................................................................... 6
Security .............................................................................................................................................................................. 8
Encryption in Transit ..................................................................................................................................................... 8
Encryption at Rest ......................................................................................................................................................... 8
Data Replication ............................................................................................................................................................ 8
Anti-Virus/DLP ............................................................................................................................................................... 8

Flexible and Robust Secure Workspace Permissions ............................................................. 8

Secure File Synchronization Security Features ...................................................................... 9
Enterprise Security................................................................................................................ 9
Auditing and Reporting ................................................................................................................................................. 9
Anti-Virus ....................................................................................................................................................................... 9
Restricted Admin Access to Content ................................................................................................................................. 9
SSO – SAML/Kerberos ................................................................................................................................................... 9
LDAP/AD Integration ................................................................................................................................................... 10
FIPS: 140-2 Certified .................................................................................................................................................... 10
DLP ............................................................................................................................................................................... 10

Authentication and Authorization ...................................................................................... 10

OAuth Integration ........................................................................................................................................................... 11
Overview...................................................................................................................................................................... 11
How OAuth Authentication Works.............................................................................................................................. 11
Advantages .................................................................................................................................................................. 11

Security Overview Whitepaper .2

 Two-factor Authentication Integration ........................................................................................................................... 11
Overview...................................................................................................................................................................... 11
How Two-factor Authentication Works ...................................................................................................................... 12
Advantages .................................................................................................................................................................. 12

DLP (Data Loss Prevention) ................................................................................................. 12

Overview ......................................................................................................................................................................... 12
Which DLP systems are supported? ................................................................................................................................ 13

Mobile Access Security Features ......................................................................................... 14

Kitepoint Security Features ................................................................................................. 14
Storage ............................................................................................................................... 15
Private Cloud ................................................................................................................................................................... 15
Public Cloud ..................................................................................................................................................................... 15
Mix of Public and Private Cloud ...................................................................................................................................... 15
Additional Storage ....................................................................................................................................................... 16

Encryption .......................................................................................................................... 16
Restricted Admin Access to Content ............................................................................................................................... 16

Audit Trail ........................................................................................................................... 16

Data Loss Prevention ....................................................................................................................................................... 17
Global Settings................................................................................................................................................................. 17
Data Retention ................................................................................................................................................................ 17
FIPS 140-2 Level 1 ............................................................................................................................................................ 17

Accellion Public Cloud – Amazon EC2 .................................................................................. 18

Reports and Certifications ............................................................................................................................................... 18
Physical Security .............................................................................................................................................................. 18
Data Privacy ..................................................................................................................................................................... 18

Accellion 3rd Party Auditing................................................................................................ 18

Security Overview Whitepaper .3

Overview
More than 2,000 Enterprise corporations and government agencies and 11 million enterprise users have chosen
Accellion for securely sharing files and collaborating with colleagues, partners and vendors across organizational
boundaries and across devices. Ensuring enterprise data security is a top priority for corporations and
government agencies and is reflected throughout the Accellion Secure Mobile File Sharing solution, in our
processes, procedures and product design.

This document provides an overview of the Accellion security features designed to ensure protection of your
enterprise data.

End-to-End Security
One of the best ways to understand the multiple levels of security of the Accellion Secure Mobile File Sharing solution is
to follow the path of a file from desktop, laptop, or mobile device through the Accellion system as users collaborate and
share files. We have created a secure mobile file sharing system that allows organizations to protect their Enterprise
content throughout the file sharing process.

Account Access and Authentication

Starting with login to an Accellion account, let’s take a look at the security features of the Accellion Secure Mobile File
Sharing Solution.

Login Security Features

Robust and Flexible Password Policies

IT Administrators can create configurable password policies:

 Password strength (number of characters, number of numeric character(s) between 0-9, number of special
characters, number of upper and lower case characters)
 Password resets (a configurable time period)
 Password re-use restrictions
 Notifications after a configurable number of failed attempts
 Overall maximum session duration

Single Sign-on
Accellion offers Active Directory/multi-LDAP integration for Enterprise accounts. This gives IT Administrators
centralized control and management over user accounts.

Accellion supports single sign-on through SAML (Secure Assertion Markup Language) 2.0. SAML is an industry standard
protocol for exchanging authentication and authorization information between different security domains. Enterprises
can implement multi-factor authentication and then seamlessly exchange authentication information with Accellion
through SAML integration.

Security Overview Whitepaper .4

Accellion also provides single sign-on via Kerberos.

The Accellion server supports either the SAML 2.0 protocol or Kerberos protocol for Single Sign On use. This allows the
Accellion server to leverage existing SSO resources for user authentication.

For information on Accellion single sign-on integrations, contact support@accellion.com.

Access Security
The following list some of Accellion’s access security:
 Password Policy
- Administrator control of password policy including length of password, upper-case, lower-case, special
characters, numeric characters, password expiration and password history
 LDAP/AD Integration
 LDAP Group Integration
 Integration with external systems for authentication and authorization
- SAML SSO
 Kerberos SSO
 OAuth Integration Authentication
 Two-factor Authentication Integration
 SFTP Certificate Authentication
 Secure Coding Practices
 Seamless connection to Enterprise Content sources using ECM native rights
 Configurable watermarking of recipient’s email or viewer’s email
 Restricted Folder providing the ability to restrict access to users

File Sharing Security Features

After logging into the Accellion solution, users can quickly create secure workspaces, upload files, share files, add
comments, subscribe to notifications, synchronize files, and send files to stakeholders internal and external to the
organization.

All files on an Accellion system are encrypted in transit and at rest. Data in transit is encrypted with TDES (168 bits) or
AES (128/256 bits) depending on the web browser. Accellion uses AES encryption for data at rest.

Accellion has optional anti-virus software, provided by F-secure, to scan files on upload and download. When a file
containing a virus is uploaded to Accellion it will be quarantined.

Security Overview Whitepaper .5

Architecture

Application Tier Security

Encryption
To protect customer data in transit Accellion supports TLS 1.2 with up to 256-bit AES encryption and no less than 128-
bit encryption with the negotiation to TLS/AES-256 dependent on whether the end user’s device or proxy supports
TLS/AES-256.

NOTE: Accellion supports TLS 1.2. The administrator has the option to disable TLS 1.0 and TLS 1.1.

List of Ciphers
The following is a list of ciphers Accellion currently uses:
ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong

Security Overview Whitepaper .6

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL

Current Ciphers Suite on Accellion FIPS

| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong

Security Overview Whitepaper .7

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 – strong

Security
Encryption in Transit
Client files are protected in transit between the web, application and storage servers using SSL/TLS and AES Encryption.

Encryption at Rest
All client files are encrypted using AES 256-bit symmetric key encryption, a FIPS approved encryption algorithm.

Data Replication
Customer files are stored redundantly within the cluster. Data Replication can be configured so as to replicate data in
different regions and also create high-availability for the stored data with multiple servers.

Anti-Virus/DLP
Accellion enables you to configure anti-virus servers in your cluster that can be setup as a dedicated role to scan client
files for malware.

Flexible and Robust Secure Workspace Permissions

IT Administrators can control access to Enterprise content across the organization.

File Tracking – Workspace managers can view activity logs to see who has accessed the workspace, downloaded,
uploaded, and deleted files, and who has added comments, etc.

Notifications – Managers and contributors in a secure workspace can subscribe to notifications to receive emails when
workspace members add files or make comments to files in their workspace.

Workspaces – IT Administrators can set workspace and file expiration dates for their organization. Workspace
managers can also set workspace and file expirations within the parameters set by IT.

Secure Links – Users can easily share files by sending stakeholders a secure link to a file in their Accellion secure
workspace. Users can decide that: 1) the file can be downloaded by only the recipient of the email, 2) the recipient can
forward the file to others, or 3) all authenticated users can download the file. Users can set file link expiration dates
and can automatically get return receipts when files are downloaded.

Collaboration – Secure workspaces are designed to be shared with internal and external stakeholders. Workspace

Security Overview Whitepaper .8

managers can manage users in their workspace and assign to them specified user roles depending on business
requirements.

Secure File Synchronization Security Features

Accellion provides robust, secure, and flexible file synchronization, including kitedrive continuous sync and workspace
on-demand sync. Administrators have the ability to enable sync for their organization. Furthermore, they can specify if
they want users to have access to kitedrive and/or workspace sync. Once workspace sync is enabled, users with
manager privileges can enable and disable sync for their individual workspaces.

Specific Accellion file synchronization security features:

 Accellion supports end-user authentication to the kitedrive sync client through LDAP and SAML.
 Kitedrive sync never stores or sends passwords in the clear.
 Kitedrive session authentication is done through OAuth.
 Kitedrive works in conjunction with data leak protection (DLP) solutions to ensure that file synchronization is
based on corporate policies for the protection of intellectual property.
 IT Administrators can view kitedrive activity logs and track which files are being synchronized.

Enterprise Security
Enterprise Security comprises of the following features:

Auditing and Reporting

Accellion provides both end-user and administrator reports. All end-user and administrator activity is logged and is
accessible in the Administrator interface. Logs can be exported to an external syslog server.

The Activity Dashboard provides end-users with a feed of recent activity within Accellion. Users can view file uploads,
downloads, deletions and comments and tasks for folders they have access to, as well as files sent or received in
Accellion. Each Accellion folder has its own activity log which tracks file uploads, downloads, and deletions as well as
the creation or deletion of nested folders.

Anti-Virus
Accellion server uses F‐Secure anti‐virus to check incoming and outgoing files.

Restricted Admin Access to Content

Accellion enables system admins to have restricted access to content.

SSO – SAML/Kerberos
SSO (SAML and Kerberos) work independent from LDAP but can be used in conjunction. If a user is found in LDAP,
Profile Filters and Mapping will work for the user.

Security Overview Whitepaper .9

LDAP/AD Integration
Accellion can be integrated with LDAP/AD so users can sign in with their network password. Additionally, Accellion
allows admins to add LDAP groups.

FIPS: 140-2 Certified

DLP
Accellion integrates with several market-leading DLP products enabling content-aware sharing restrictions.

Intrusion Detection
The Accellion system has an intrusion detection system where it will flag any suspicious activities. For example, when
any files are changed or a new file is created or inserted into the codebase, the system quarantines the file and sends
an alert notification email to the administrator of the system.

Hardened Security Process

The Accellion MySQL user accounts are tightened with a stricter usage privileges and several critical files are now
updated with stricter user permissions.

For the software update process new hardened software update servers are introduced for additional security.

Whitehat and Pen Test Programs

Accellion now engages an external third-party pen test company to periodically review and do whitebox and blackbox
pen tests on our systems. Customers are able to access to these pen test reports. In addition, Accellion has a whitehat
bounty program where public whitehats have access to our system and are able to do a blackbox pen test and send us
any vulnerability that they found.

Authentication and Authorization

The following features that make Accellion a secure solution are:

1. IAM Service LDAP

2. Kerberos SSO
3. SAML Integration
• SAML/OAuth Sign In Process
• OAuth
• OAuth - Mobile
• OAuth - Service Provider
• OAuth High Level
• 2FA Using Radius
• 2FA Using One Time Password
4. SFTP Certificate Authentication
5. Accellion Key Management

Security Overview Whitepaper .10

OAuth Integration
Overview
OAuth is an open protocol to allow secure authorization in a simple and standard method from web, mobile, desktop,
and 3rd party client applications.

Accellion uses OAuth authentication for user sign in to the server and gives access to the client application. Users are
required to enter their user name and password on a login page hosted by Accellion server. Upon successful
authentication, the client application retrieves an access token from the server that is used in further communications
with the server during the session.

Accellion OAuth 2.0 framework allows mobile apps, desktop client, and Outlook Plug-In and 3rd party client
applications to obtain limited access tokens.

How OAuth Authentication Works

1. User opens a client application and initiate login.
2. The client application opens authorization end-point on the Accellion server using a Web-view component.
3. After verifying the client application’s id, the Accellion vserver redirects the web-view to the login page.
4. The Accellion vserver authenticates the user, and optionally (for 3rd party client applications) asks the user’s
consent to grant the client application an access.
5. Upon a successful authentication, the Accellion vserver redirects the web-view to a designated redirect URI and
provides an authorization code for the client application.
6. The client application requests an access token to the Accellion server using the provided authorization code and
the client application’s credentials.
7. After verifying the authorization code and the client application’s credentials, the Accellion server provides an
access token to the client application.
8. The client application uses the access token to access user’s resources stored in the Accellion server.

Advantages
• Allows access for client applications without providing user passwords to the client applications.
• Access tokens given to the client applications are limited in scope and time.
• For 3rd party applications, administrators can specify a fine-grained access control by defining the scope on
which access tokens are valid.
• Administrators and users can review currently active access token sessions and revoke them when necessary.

Two-factor Authentication Integration

Overview
Two Factor Authentication (2FA) is an additional layer of security that is known as "multi-factor authentication" that
requires the user to provide two means of identification from separate categories of credentials; one is typically a
physical token, such as a card, and the other is usually something memorized, such as a security code. The three most
common categories are often described as something you know (the knowledge factor), something you have (the
possession factor) and something you are (the inherence factor).

Security Overview Whitepaper .11

For enterprises that use 2FA, Accellion leverages the industry standard RADIUS protocol to integrate with the
customer’s 2FA solution. Accellion supports both simple single access request flow and access-challenge flow.

2FA for Accellion can be integrated using the RADIUS protocol. Accellion passes the user’s authentication credentials
over the RADIUS protocol to the 2FA RADIUS server. The server’s response determines if the user can sign in or not.

NOTE: 2FA is limited to the Accellion IDP. External SSO is required to fulfill all aspects of Authentication and
Authorization which includes 2FA. Accellion, the Service Provider follows after Authentication and
Authorization and does not currently utilize 2FA in post AAA capacity.

Accellion guides customers in choosing the authentication flow that is appropriate and required for their 2FA solution
number for external users without access to an enterprise’s internal RADIUS system. 2FA by OTP (One Time Passcode)
allows a user to authenticate with their username/password and then be challenged for a passcode which is sent to
their email address. The user supplies the code from their email to Accellion to complete the sign in process.

How Two-factor Authentication Works

1. User enters his username and password in the Accellion application
2. Accellion application then prompts the user for the 2FA code
3. User enters his/her 2FA authentication code
4. Accellion application then passes the authentication code (optionally also user's credentials, if required) to the
customer's RADIUS server for validation.
5. (Optional) If the RADIUS server returns an Access-Challenge response, the challenge message is shown to the
user, and the user is prompted to enter a challenge response.
6. Depending on the result of the RADIUS call, access to the user is granted or rejected.

Advantages
• Attacker cannot login even if user's password is compromised
• Leverages existing enterprise 2FA authentication solution
• Eliminates threat to hack the Accellion application using just the user password

DLP (Data Loss Prevention)

Overview
Data Loss Prevention is designed to detect potential data breaches/data ex-filtration transmissions and prevent them
by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-
rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized personnel either by malicious
intent or inadvertent mistake. Such sensitive data can come in the form of private or company information, intellectual
property (IP), financial or patient information, credit-card data, and other information depending on the business and
the industry.

Accellion integrates with several market-leading DLP products enabling content-aware sharing restrictions. Documents
stored in your on-premises can be examined by any third-party DLP security suite that supports ICAP, a standard

Security Overview Whitepaper .12

network protocol for inline content scanning. Sharing and access privileges can then be adjusted based on the results of
the DLP scan and your preferences for how strictly you want to control access.

Which DLP systems are supported?

Accellion integrates with the ICAP protocol. Because we rely on the ICAP standard for interaction with your DLP server
the Accellion DLP integration will work with any ICAP-compliant solution and requires no changes to policies or servers
in your existing security suite. ICAP-compliant solutions include:

• Symantec (Vontu)
• RSA Data Loss Prevention
• Fidelis
• Palisades
• Websense TRITON AP-DATA
• Code Green

Tying Accellion security policies to your existing DLP security suite means you can maintain a single point of policy
management for data inspection and security alerts. If you already use one of the solutions mentioned above for
scanning outgoing email attachments or web traffic, you can point Accellion to the same server.

Accellion has developed a flexible policy-based system that offers granular access and sharing controls based on a new
classification attribute that will be associated with each file. The system uses the DLP scan results to classify every
version of every file. There are three data classifications:

1. Scanned: OK – Files that were scanned by a DLP system and passed OK.
2. Scanned: Blocked – Files that were scanned by a DLP system and were found to contain sensitive data.
3. Unscanned – Files that have not yet been scanned (in cases where files exist before DLP is configured, or when
the external DLP system is unavailable or slow to respond).

Next, it enforces different access and sharing restrictions for each data classification. For each of the three categories,
the administrator chooses which actions to allow:

• Whether to download and share the file

• Whether 3rd-party users can download and share the file
• Whether anonymous users can download the file

These settings constrain the normal permissions and sharing controls available to users as they interact with their data
and collaborate with others. For instance, when sending someone a file, users could choose to block anonymous access
even if the DLP settings would allow them to share it anonymously. But if they attempt to share a file in a way that the
DLP settings prohibit, the system prevents them from doing so.

This flexibility allows you to control the trade-offs between security and usability as best fits your organization. If a
document is flagged as sensitive, you could still allow sharing between employees but block sending to anyone outside
your organization. Or you could take a stricter approach and block all users (even the owner of the file) from
downloading or sharing the file with anyone. If you block downloads, an employee would not be able to access

Security Overview Whitepaper .13

Accellion from an unmanaged device, get the file and share it by other means.

For any files that are not yet scanned, you can configure the same sets of constraints. This means Accellion could take
an “innocent until proven guilty” or “guilty until proven innocent” approach according to your approach for impeding
the flow of information.

When the Accellion Controller sends files to the DLP system for scanning, it includes metadata indicating the owner of
the file and the folder path where the file resides in Accellion. This allows the DLP server to log incidents and create
notifications with enough detail to be actionable.

Mobile Access Security Features

Mobile users can securely access their Accellion accounts through mobile browsers or the Accellion Mobile Apps for
iPad, iPhone, Android and BlackBerry devices.

Accellion Mobile Apps support authentication through LDAP, ensuring that only authorized users gain access to secure
workspaces. Files saved on the mobile device are stored in a secure container with

256-bit AES encryption. Files shared with others via email are sent via the SSL protocol. Files downloaded to the device
are password protected and encrypted while at rest. Users choose a six digit passphrase to access encrypted files
downloaded to the mobile device using Accellion Mobile Apps.

With Accellion, administrators can centrally manage and control mobile access to corporate resources. They can enable
or disable mobile access. They can select Edit or View access for users depending on security requirements. For users
with View only access, Accellion offers server side viewing, enabling users to securely view content without the ability
to download files. They can set expiration dates on files accessed through mobile devices. They can whitelist
applications that are allowed to open files from Accellion. They can immediately disable an Accellion account if a
phone is lost or stolen. They have access to workspace activity logs ensuring data security and compliance. There are
five Admin configurable PIN settings- Always ask, Never ask, for local files, Idle timeout and Max PIN attempts.

In conjunction with MDM solutions such as MobileIron, BoxTone and Good, IT Administrators can also ensure that only
authorized apps are downloaded, users have the latest software updates, and users are not using excessive bandwidth.
And, if phones are lost or stolen, they can be remotely wiped using MDM solutions to protect corporate data from
getting into the wrong hands. Lastly, with application technology partners such as Mocana organizations can not only
secure confidential files on the device but also secure the application data.

Kitepoint Security Features

Kitepoint provides secure mobile access to enterprise content stored in Microsoft SharePoint® and other enterprise
content stores – anytime, anywhere, without a VPN. With Accellion, organizations control every aspect of their
deployment. Kitepoint leverages the existing enterprise infrastructure rather than replicating content out to external
file stores, simplifying and supporting corporate information management, compliance and security policies.

Security Overview Whitepaper .14

 • Each kitepoint enterprise connect management system (ECM) connector securely communicates through
the firewall to Accellion using HTTPS and a secure Web Socket connection.
• Kitepoint authenticates users against enterprise Active Directory server - only authenticated users can
access content.
• Kitepoint respects existing users, groups and roles in place around content - kitepoint does not change any
access controls or user permissions.
• Kitepoint maintains existing information hierarchy - documents continue to exist in the relevant context in
which they were published.
• Kitepoint maintains “Document of Record” - users have access to the most current copy of the document
stored in SharePoint; Back-end policy systems such as Digital Leak Protection (DLP) and Records
Management (RM) are not compromised by duplicating the content to other systems.
• Accellion provides complete logs of all transactions on content stored in the ECM systems. Logs can be
downloaded and exported to third-party reporting and audit systems.
• IT Administrators can centrally provision users and manage security policies including access rights for
auditing, reporting and demonstrating compliance. The system can also be configured so users cannot
access highly-secure ECM sites via mobile devices.

Storage
Files uploaded to Accellion are stored either in the private cloud (on-premise using VMware, Citrix XenServer, or
Microsoft Hyper-V), Accellion public cloud (Amazon EC2), or in a hybrid cloud depending on the deployment option you
choose for your organization. Accellion also gives you the ability to leverage NFS/ EMC Atmos storage with your
Accellion on-premise deployment.

Private Cloud
Accellion supports private cloud on-premise deployment in VMware, Citrix XenServer, or Microsoft Hyper-V
environments. Private clouds help organizations ensure the availability, integrity and confidentiality of their
information. Located inside a company’s firewall, private clouds are owned and controlled by IT allowing information
to be solely controlled by enterprises rather than managed by third party cloud providers.

Public Cloud
Accellion provides single and multi-tenant storage in Amazon’s EC2 public cloud. Amazon security details are available
in a later section of this document.

Mix of Public and Private Cloud

Accellion Mobile File Sharing offers the only true hybrid deployment model. Organizations can mix and match public
and private cloud (on-premise via virtual machine) deployments. Data can be segregated between private (on-premise)
and public cloud servers. Note that automatic synchronization of local and online files is not supported.

Security Overview Whitepaper .15

Using Accellion, organizations can utilize a private cloud environment for specific locations or regions (for example,
European or Canadian data can be separated from US data), while other offices can use the public cloud (such as those
in the US). Administrators can set up rules restricting the movement of data. For example, they can specify that all files
uploaded in a particular country or region, stay in that region. Organizations can also segregate the data that users
access in one location between the public and private cloud. Rules can be created by which external users access a
public cloud and internal users access a private cloud. In that case internal users (marked as LDAP users) trying to
authenticate on the DMZ controller will receive a “Please login via VPN” message. External users authenticate on the
DMZ controller using passwords specific to Accellion.

With a mixed public and private cloud deployment, data can be replicated, but the public and private cloud data are not
commingled.

Data replication can be precisely controlled. Administrators can replicate only certain instances or all instances of
Accellion data and can decide to replicate only certain file types.

Additional Storage
Accellion supports integration of NFS/ EMC Atmos storage with Accellion on-premise deployment. Accellion currently
supports EMC Atmos storage by mounting it as an NFS disk. EMC Atmos storage can be utilized in all Accellion
virtualized and physical hardware deployments.

Encryption
In virtualized (VM) and cloud deployments, by default, files are stored within the Accellion system on an encrypted
partition using AES 128-bit encryption. Additionally, each file can be encrypted with a unique key. The file encryption
key is not stored on the server, so even if the server is compromised, the decryption keys for stored files cannot be
obtained from the compromised server. Data is also encrypted in transit using SSL/HTTPS.

Accellion’s security mechanisms guard against malicious access:

• File names are de-referenced when stored on Accellion to ensure that files are inaccessible.
• Files may be stored encrypted for added security.
• Data can be accessed only through the file URL embedded in the email.
• Each URL call is authenticated individually.

Restricted Admin Access to Content

IT Administrators do not have access to files once they are uploaded to the Accellion system. However, they can view
the list of files and delete, replicate, and set life cycle rules on these files. Administrators can also view reports and logs
in relation to file access events.

Audit Trail
As an Enterprise-class mobile file sharing solution, Accellion automatically logs all file and user activities in the

Security Overview Whitepaper .16

application. The audit log provides administrators insight into what is being done in the system, which users are
accessing files, what files are being uploaded, and how the system is working overall. Audit trails and comprehensive
file tracking help enterprise organizations demonstrate compliance with industry and government regulations. Audit
logs are date/time stamped and tracked by user, email address, IP address, and action taken. Administrators can sort by
these attributes and also export the audit log either as a CSV file or to a Syslog server. Administrators determine how
long logs are stored on Accellion.

Data Loss Prevention

Accellion Mobile File Sharing supports integration with commercially available DLP solutions via the ICAP protocol. The
Accellion DLP module enables organizations to not only secure the sharing of files but also monitor and analyze the
contents of file sharing, and filter file sharing based on corporate policy, for protection of IP and compliance
requirements.

Tested solutions include DLP products from Symantec (Vontu), RSA, Fidelis, Palisades, Websense, and Code Green
Networks.

Global Settings
Accellion Mobile File Sharing is designed for enterprise organizations and is deployed and centrally managed by IT.
Administrators have the ability to centrally manage users across the globe through an Admin Console. They can set
restrictions globally on user accounts, including:

• Who can create workspaces or upload files

• How long files are retained in the system
• Who can use Accellion Mobile Apps and whether users have View or Edit permission
• How many versions of a file are retained
• How long after files are deleted or expired can files be recovered
• Whether users can delete files

Data Retention
IT Administrators can set file and workspace life cycle rules and as well as select how long deleted and expired files are
retained in the Accellion system. Organizations can have files stay in the trash from 1 to 180 days.

FIPS 140-2 Level 1

Accellion offers a FIPS 140-2 Level 1 certified module in its secure file sharing solution for both on- premise and off-
premise, virtual, cloud and hosted deployments. For Accellion mobile applications, organizations can take advantage
of FIPS 140-2 Level 1 certified modules provided by technology partners such as Good and Mocana.

Security Overview Whitepaper .17

Accellion Public Cloud – Amazon EC2
The Accellion Hosted Cloud Service enables organizations to rapidly implement mobile file sharing to quickly scale
resources and teams and manage peaks in usage. Accellion offers both single and multi- tenant public cloud
deployment options through Amazon EC2.

Reports and Certifications

Amazon Web Services (AWS) has completed multiple SAS70 Type II audits, and now publishes a Service Organization
Controls 1 (SOC 1) report, published under both the SSAE 16 and the ISAE 3402 professional standards. AWS has also
achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment
Card Industry (PCI) Data Security Standard (DSS).

Physical Security
AWS datacenters are housed in nondescript facilities. Authorized staff must pass two-factor authentication a minimum
of two times to access datacenter floors.

Data Privacy
AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and
redundancy procedures for services so that customers can gain greater understanding of how their data flows
throughout AWS.

Accellion 3rd Party Auditing

Accellion products undergo regular 3rd party security audits. For more information, please contact Accellion.

Security Overview Whitepaper .18