Egnyte (FS2 Replacement) : Security Review Request

RESOLVED WONTFIX

Status

mozilla.org
Security Assurance: Review Request
RESOLVED WONTFIX
6 years ago
5 years ago

People

(Reporter: jen, Assigned: ygjb)

Tracking

Details

(Whiteboard: [pending secreview][start 05/18/2012][target mm/dd/yyyy])

Attachments

(1 attachment)

18.05 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
(Reporter)

Description

6 years ago
We would like to use Egnyte as a replacement for FS2.  

1) Contact: Jennifer Hayashi
2) Egnyte is hybrid cloud based storage that we'd like to use for sharing data and team collaboration for all the offices and remote users.
3) Company page is:  www.egnyte.com   Our eventual domain will be similar to mozilla.egnyte.com
4)  No, it does not block another bug.  But for more information about what we were looking for, Bug 727134 has more information.

5)  Initially we would like to set it up with LDAP authentication, but eventually move it over to SSO with SAML once we get a vendor.  It will also house all department and team data so there would be data/information stored on their site.
Assignee: nobody → yboily
(Reporter)

Comment 1

6 years ago
The Egnyte demo site is:
https://mocotest.egnyte.com/home.do

I'll setup an account and send it your way.  


I'm still waiting on the security contact information.

Jen
(Assignee)

Comment 2

6 years ago
Hi Jennifer, 

Can you forward these questions on to the vendor:

Vendor Assessment Security Questions

Purpose

This document will be completed by any vendors used by Mozilla that will have access to user data.
Questionnaire

The following suggested questions should be adjusted for the specific services offered by the vendor
Overall

Please describe the overall purpose of the system and how Mozilla data will be integrated

Security Management

Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.

Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?

How do you protect Mozilla data that will be stored on your servers or within your applications?

How do you prevent other customers of your service from obtaining access to data provided by Mozilla?

What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?

Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
   
What other large engagements/clients have you supported with this application?

Technical Design

Do you support full SSL communication for all inbound and outbound communications?
    
Describe the technology stack of the application and infrastructure.
    
What options do your support for authentication?
        username/password
        certificate based authentication
        secret token
    
Do you use third party servers or do you host the servers yourself?
    
Do you use any third party services or communicate with any third parties from this application?

Security Verification

The Mozilla Infrastructure Security team will perform a security review of the designed application.

    
Will testing of the running application be possible?
    
Will source code for their application be available?
Status: NEW → ASSIGNED
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
(Reporter)

Comment 3

6 years ago
Hi -

Here's the perm url for Egnyte so you can do your testing.  I'm still waiting to hear back on the answers from the questions I sent over.

https://mozilla.egnyte.com

Jen
(Assignee)

Comment 4

6 years ago
Thanks Jen,  do we have explicit permission to perform security testing?  I can test the service, but doing anything that might trigger a vulnerability may be a violation of the ToS and is generally not permitted until we have that.
(Reporter)

Comment 5

6 years ago
Yvan -  I talked to the sales guy and he said you could go ahead and do the testing.  I told him if that there were any problems to let me know and I would update you.  He also said that he should be able to have the completed questions back to us tomorrow.

Did you get the accounts ok?

Jen
(Reporter)

Comment 6

6 years ago
Hi Yvan -

I just got a follow-up email from Egnyte.  They are asking that you hold off testing.  Here is a copy of the email below:

Hi Jen,

 

Egnyte actually runs third party audits and we recently just completed one with WhiteHat.  Over the next week our security team is addressing any and all concerns/action items noted during the audit.  We will also be happy to share the results of our WhiteHat audit with Mozilla.  I would suggest that your IT Security team hold off for a week.  This way they don't feel compelled to run their tests over again once any changes have taken place.  I've started to discuss a timeline with our CSO, but I should have an exact date nailed down for next week by Monday.

 

It's standard protocol for customer's security testing to be coordinated with account reps and Egnyte's security team.  We've run security testing with customers like Lincoln Financial before, and I know my team would appreciate some coordination on Mozilla's testing plans.  Can we setup a call, anytime next week, for both of our teams to have a quick planning discussion?

 

I'll be sending over the completed security questionnaire first thing tomorrow morning.  Please let me know what times next week work best for Mozilla's IT Security team.

 

Thank you,

Matt

 

 

Matt Booth | Commercial Sales

w: 650.282.3492 | c: 408.410.3796

Sign up for a 15-day Free Trial: http://www.egnyte.com
(Reporter)

Comment 7

6 years ago
Yvan -  Which time works best for you?

Hi Jen,
 
Thank you for passing on my “hold off” message to the security team.  The security questionnaire responses are attached to this e-mail.
 
Does the morning of the 16th, or 11am, 1pm on the 17th work for Mozilla’s IT Security team?
 
I’m trying to nail something down early so that you don’t have to worry about scheduling while you’re out next week.
 
Enjoy training and let me know if any of those times work.
 
Thank you,
Matt
 
 
Matt Booth | Commercial Sales
w: 650.282.3492 | c: 408.410.3796

Sign up for a 15-day Free Trial: http://www.egnyte.com
(Reporter)

Comment 8

6 years ago
Security Management


Have you performed internal security audits of your code or application that,
at a minimum, addressed the OWASP Top 10? If so, please provide a description
of the review and results.
We have engaged WhiteHat to run security audits for us.  We will share the results of this audit with Mozilla.

Has a security audit been performed by an external third party? If so, who
performed this audit and are the results available?
We have engaged WhiteHat to run security audits for us.  We will share the results of this audit with Mozilla.

How do you protect Mozilla data that will be stored on your servers or within your applications?
1.	Data is mirrored on at least two RAID6 storage nodes to protect against media failure. In the event of media failure, replication count will be restored by mirroring to another available storage node.
2.	Data is encrypted at rest with a customer unique key (AES256) to protect against media theft.
3.	We also offer the option to mirror data to an offsite location for an additional fee.

How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
1.	Each customer’s metadata, data is logically sharded across the entire Egnyte stack. 
2.	Each customer’s data is encrypted with a separate key.
3.	Egnyte does not de-dup data across customers.
4.	All access within the Mozilla account is completely controlled by Mozilla account administrators and governed using access policies and roles determined by the Mozilla account administrator.


What is your disclosure policy to customers in the event of a compromise of
your servers, applications or any related infrastructure that interacts with
the applications holding Mozilla data?
All potential breaches are investigated by our security team and reviewed by our CSO.  If the breach it deemed material to a customer’s account, the account administrator is notified of the incident within 24 hours along with a detailed incident report, and associated mitigation plan.

Have you suffered a security compromise in the past 24 months? If so, please
provide details and remediation that occurred as a result.
No. 


What other large engagements/clients have you supported with this application?
Egnyte is currently used by over 10,000 businesses spread across the globe.  The customer base spans businesses of different sizes and across regulated industry verticals (e.g. financial services, medical etc.).  Sample customers are Lincoln Financial, Young & Rubicam, Best Buy, etc.

Technical Design


Do you support full SSL communication for all inbound and outbound
communications?
Yes. 

Describe the technology stack of the application and infrastructure.
➢	Load balancer: LVS
➢	Front-tier: Apache
➢	Application load-balancer: Haproxy
➢	Application-tier:  Python and Java application servers
➢	Database: Mysql
➢	Storage: Egnyte object store (content replicated across RAID6 storage nodes).
➢	Misc: Caching servers, LDAP servers, Messaging Queue.

Architecture is designed to scale out horizontally with application clusters fronted by s/w load balancers, databases organized into "pods" (serving a slice of customer base), and storage scaling by adding more storage nodes.

What options do your support for authentication?
     username/password

Yes. 
Password (if using Egnyte directory services) is stored hashed with bcrypt. Egnyte can also integrate with external directory services (via SAML, ldaps, AD (ADAM), etc), in which case authentication is delegated. 

certificate based authentication
No. 

Secret token
We would require more clarifications on your questions, but please note our APIs support OAUTH 2.0.

Do you use third party servers or do you host the servers yourself?
Servers are owned by us and hosted in SSAE 16 compliant data centers. 

Do you use any third party services or communicate with any third parties from
this application?
Yes. We provide integrations with Salesforce, Google Apps and customer directory services. All these are configured by customers and on their request and are optional services.

Security Verification


The Mozilla Infrastructure Security team will perform a security review of the
designed application.


Will testing of the running application be possible?
Yes.  We ask that you coordinate this through your Egnyte account representative.


Will source code for their application be available?
We do not normally share source code.  We would appreciate more context on your request so we can best serve this need.
(Reporter)

Comment 9

6 years ago
Created attachment 623347 [details]
Security Question Responses
(Reporter)

Comment 10

6 years ago
Hi Jen,

 

I hope that your training week is going well.

 

Does tomorrow the 16th at  9am or 3pm, or Thursday the 17th at 11am, 1pm or 3:30pm work for Mozilla’s IT Security team?

 

Please let me know.

 

Thank you,

Matt

 

 

Matt Booth | Commercial Sales

w: 650.282.3492 | c: 408.410.3796

Sign up for a 15-day Free Trial: http://www.egnyte.com
(Reporter)

Updated

6 years ago
Blocks: 759373
(Assignee)

Updated

6 years ago
No longer blocks: 759373
(Assignee)

Updated

6 years ago
Blocks: 727134
(Assignee)

Comment 11

6 years ago
This review is on hold pending completion of the privacy and legal review.  We need the privacy/legal team to determine if the fact that Egnyte has access to the encryption keys and are able to decrypt our data is a blocker for us using the Egnyte service.
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start 05/18/2012][target mm/dd/yyyy]
(Reporter)

Comment 12

6 years ago
We will not be going with Egnyte due to their ability to decrypt any of our data.  Closing the bug.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
changing to wontfix as this was not fixed but moed off
Resolution: FIXED → WONTFIX
You need to log in before you can comment on or make changes to this bug.