Security and privacy

The Sync Appliance protects your data in transit and at rest with:

  • encrypted communications between server and clients
  • encrypted remote S3-based storage
  • optional client-side encryption with folder granularity

Privacy

Unless configured to use external storage backends, none of the data stored in the Sync Appliance ever leaves the boundaries of your organization (except as the result of regular sync and sharing activities).

The Sync Appliance only connects to aeoncase.com servers for specific purposes such as retrieving updates or helping sync clients locate the server.

File transfer and client-server communication

All communications between the sync clients and the Sync Appliance are encrypted using the TLS protocol. To prevent man-in-the-middle (MITM) attacks, the certificate used by the appliance is:

  • generated when the appliance is deployed

  • transferred securely to the client when the user enters the link code, which is obtained from the client download page that the appliance’s embedded web server serves over HTTPS

Connections use strong cipher suites, such as ECDHE-RSA-AES256-GCM-SHA384, when the client’s OpenSSL library supports them.

The web service is accessed via HTTPS (TLS protocol), and the server is likewise configured to use strong cipher suites whenever the web browser used to access it supports them.

Side-channel attacks on the server

The Æoncase sync engine features source-based deduplication, which allows a sync client not to transfer a file when it is already available at the server, both speeding up syncing and decreasing bandwidth usage and system load.

Source-based deduplication also works in the server-to-client direction, but in real-life scenarios it’s the client-to-server direction that yields the greatest savings.

The sync engine incorporates specific security measures against attacks on source-based deduplication.

Since the Sync Appliance is installed on your organization’s premises and access to it (i.e. user accounts) is tightly controlled, the scope of these attacks is greatly reduced compared to public cloud-based services.

System security

A number of techniques are used to make the Æoncase Sync Appliance as secure as possible:

  • all public-facing services are implemented using memory-safe languages to prevent buffer overflows and similar attacks

  • all SQL queries are constructed and analyzed statically, so as to prevent SQL injection attacks

  • HTML generation in the web server is performed using typed structures validated statically so as to prevent HTML injection attacks

  • user passwords (when not using external LDAP/AD authentication) are hashed using the bcrypt key derivation function

  • updates to the Sync Appliance are performed using The Update Framework

  • all services are executed using the resource isolation features of the Linux kernel

  • the libraries and other dependencies used by the appliance internally are kept up-to-date via regular Sync Appliance updates

Attack surface

By and large, the greatest threat to the security of the system comes from the file processing performed on the data uploaded by the users.

Even though the components of the Sync Appliance are updated regularly as security fixes are released, processing images, for instance, represents a large attack surface. Such processing can be disabled in the Security tab of the admin page for increased security against zero-day vulnerabilities.

However, since the services offered by the Sync Appliance are not open to the public, the threat is limited compared to public cloud services.