Keep your data safe.
Forget about the massive public cloud data breaches.

Keep your data safe where it belongs

The Æoncase Sync Appliance is deployed behind your corporate firewalls, and your data never leaves your infrastructure if you do not want it to.

Limit your security footprint by avoiding third-party services that are under constant attack and cannot guarantee the confidentiality of your data.

Enjoy the peace of mind that comes from not having to cross your fingers the next time a massive public cloud data breach is made public.

Secure connections

Data in transit is secured with industry-standard Transport Layer Security (TLS) using strong ciphersuites with Perfect Forward Secrecy.

Moreover, the Sync Appliance uses a private, unique root Certificate Authority (CA) to prevent global PKI attacks.

Unlike common sync services oriented to home users, the Æoncase Sync Appliance does not rely on the global Public Key Infrastructure (PKI), and will instead use its own private root CA. This strengthens security by preventing a number of attacks related to the certificates used to secure the connection.

Extra protection

For additional security, enable client-side file encryption on a per-folder basis. The client encrypts files before sending them to your Sync Appliance, on top of the standard encryption used in the secure connection.

Only other clients with the encryption key can access them.

Encryption keys are transferred directly via the client using a secure process with two-fold security that ensures privacy even if your server were compromised.

It is not possible to access the contents of these files without the client-held key, even for the Sync Appliance admin.

Enhanced privacy

The Sync Appliance incorporates specific security measures to prevent attacks against source-based deduplication (which allows transfers to be skipped for data already available at the destination).

The Sync Appliance is protected, among others, against:

  • spurious ownership claims, where a modified client would try to “upload” to the server a file it does not really have

  • side-channel attacks, where knowledge of whether a file exists in the system is exploited

Strengthened environment

Sync Appliance services run in isolated containers as an unprivileged user with limited permissions.

The attack surface can be further reduced by disabling non-critical operations on stored data that have larger security footprints, such as image processing.

Security from the bottom up

The Sync Appliance is engineered to thwart whole classes of attacks using sound implementation techniques.

Public-facing services are implemented using memory-safe languages to prevent buffer overflows and related attacks.

Internal SQL queries are constructed and analyzed statically, so as to prevent SQL injection attacks.

HTML generation in the web server is performed using typed structures validated statically so as to prevent HTML injection attacks.

User passwords (when not using external LDAP/AD authentication) are hashed using the bcrypt key derivation function.