Technical Information
FastDrive is based on Citrix ShareFile Enterprise Edition, and consists of 3 primary components:
SaaS Application Tier (hosted by Citrix) – sometimes referred to as the Control Plane, this is a Citrix-managed component that consists of web, database, and API servers
StorageZones (hosted by UKFast) – this is where Customer Data is stored.
Clients – ShareFile / FastDrive supports a broad device list, which includes but is not limited to Windows and macOS, Android and iOS, Windows Phone and Windows Metro
SaaS Application Tier
The ShareFile SaaS Application Tier is hosted in Citrix’s Data Centre. The components include:
NetScalers, used to load balance client requests to the ShareFile web and API web servers
ShareFile web servers designed to deliver the Web user interface
API web servers used for client devices and tools using the HTTPS and REST API, including the Outlook plug-in, mobile and sync applications
Database – SQL database instances which contain things such as account data, file and folder metadata, including access rights, user account data, logs etc. The database in the SaaS Application tier does not process or store any customer data files
The NetScalers and web servers are installed in the DMZ with the SQL databases installed in the private network behind an additional firewall. The SQL database instances are securely replicated to a second Data Centre for backup and disaster recovery purposes.
Encryption
To protect customer data in transit, ShareFile supports TLS 1.2 with up to 256-bit AES encryption and no less than 128-bit encryption. Negotiation to TLS/AES-256 depends on whether the end user's device or proxy supports TLS/AES-256.
Hash-based message authentication code
Hashing is defined as producing hash values for accessing data or for security purposes. A hash value (or simply hash) is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
In security systems, hashes are used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If the hashes are the same, it indicates that the message was transmitted intact.
Metadata
Customer files are never processed, stored or transferred to the ShareFile SaaS application tier. Instead we store metadata (defined as data which describes other data). Citrix uses SSAE 16 Type II accredited or ISO 27001 certified Data Centres to host the SaaS application and metadata. All files are stored in SSAE 16 Type II (SOC1), SOC2 and ISO 27001 accredited Data Centres with high availability and durability ratings.
StorageZone Tier
Upload/Download Speed
The following process describes how files are uploaded to, or downloaded from, the FastDrive application and the security measures employed:
Client requests a file.
A prepare message is sent by the ShareFile web application or API servers in the SaaS application tier to the StorageZone hosting the file. The location of the file is stored in the SaaS application tier database, accessed by the ShareFile web application and API servers.
A hash-based message authentication code (HMAC), based on the Shared Key used to establish a trust relationship between the SaaS application tier and the StorageZone, is sent as part of the prepare message and is validated by the StorageZone Controller.
Once validated, the StorageZone confirms the validity and generates a unique one-time-use download token.
The ShareFile web application or API server provides the download link to the Client with the unique download token.
To start the actual download, the Client connects to the StorageZone.
The download token (part of the download request from the Client) is validated.
If validation is successful, the file will be retrieved from storage.
The StorageZones controller server will send the file to the Client.
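The download flow above, modelled as an added example (this is not Citrix or UKFast code, and it also illustrates the HMAC check described in the earlier section). The page only states that an HMAC over a shared key is validated and a one-time-use token is issued; HMAC-SHA256, the JSON message fields, the 60-second freshness window and all function and class names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key; in the described design it establishes trust
# between the SaaS application tier and the StorageZone.
SHARED_KEY = secrets.token_bytes(32)


def sign_prepare(key, file_id, now=None):
    """SaaS tier: build a prepare message and its HMAC-SHA256 tag."""
    body = json.dumps({"file_id": file_id, "ts": int(now or time.time())},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class StorageZone:
    """Hypothetical model of a StorageZone Controller (assumed design)."""

    def __init__(self, key, files, max_age=60):
        self.key, self.files, self.max_age = key, files, max_age
        self.tokens = {}  # token -> file_id, removed on first use

    def prepare(self, body, tag, now=None):
        """Validate the HMAC, then issue a one-time-use download token."""
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return None
        msg = json.loads(body)  # parsed only after the tag has verified
        if abs((now or time.time()) - msg["ts"]) > self.max_age:
            return None  # stale prepare message (assumed freshness check)
        if msg["file_id"] not in self.files:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = msg["file_id"]
        return token

    def download(self, token):
        """Redeem a token exactly once; pop() makes a replay fail."""
        file_id = self.tokens.pop(token, None)
        return self.files.get(file_id) if file_id else None
```

Because the token is removed from the table when it is redeemed, a captured download link cannot be reused, and a prepare message altered in transit or signed with a different key never reaches the token-issuing step.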
Encryption in Transit
Customer files are protected in transit between the web application and the UKFast on-premise storage location using TLS with 256-bit encryption.
Encryption at Rest
UKFast stores client files at rest using AES 256-bit encryption, a Federal Information Processing Standards (FIPS) encryption algorithm.
Redundancy/Backup
Every element of the UKFast infrastructure used to host the FastDrive service is designed to N+1 standards, including:
Cisco ASA Firewalls which are locked down to Citrix SaaS Application Tier
UKFast Load Balancers
Cisco UCS Blades
Enterprise HP3PAR SAN Storage
Citrix StorageZone Controllers
eCloud Vault Storage used to store Customer Data
All Citrix StorageZone Controller data is backed up on a daily basis using UKFast’s Enterprise Commvault Backup.
UKFast can guarantee 100% power and connectivity to the FastDrive solution.
There is a 45-day retention policy on all customer data. This is a global policy set on the platform. If a customer deletes a file, they can restore it through their own customer portal.
Cloud Vault stores three copies of each file stored in FastDrive – this is a standard feature of the product.
Access/Security
FastDrive is a secure self-managed platform. Each customer is given their own portal URL, provided by the Citrix SaaS Tier, and an Administrator user is created. This Administrator user can log in to the portal and manage:
Check-In / Check-Out Functionality
File/Folder Upload and Download Permissions
Email Alerts and Notifications on Upload/Downloads
Employees – paid for users who require all FastDrive features and functionality
Clients – free-of-charge users who are not employee users, i.e. 3rd party contractors who require access to particular files/folders. These users do not have the full functionality that FastDrive offers.
Multi-Factor Authentication – Customers may set up a multi-factor (strong) authentication process that requires submission of the account password and a secondary authentication, such as SMS or Text, in order to access the account.
Password Policies that are set per customer account that include password history, expiration and complex controls such as length, uppercase and lowercase letters, at least one number and at least one special character
Optional SSO and Active Directory integration that requires an ADFS configuration applied at the customer's site
Customisable Terms and Conditions Login Pages to indicate compliance with the terms before logging in
Account Lockout policies, Account Activity Reporting, Email Encryption and Access Log Retention
Read Only Access to Files, Offline Access and IP Restrictions
Apps include – Windows/Mac/Linux. Print and Scan directly to the FastDrive account. Drive Mapper. Sync Tools and more.
Mobile Device Security including: File Self-Destruct, External Application Interaction, Encryption, Remote Wipe.
ANS Data Centres are ISO 27001 certified, PCI-compliant and secured up to UK government IL4 standards, which ensures your solution is protected by exceptional levels of both physical and virtual security at all times.