Changes

Jump to navigation Jump to search
no edit summary
Line 20: Line 20:  
</div>
 
</div>
   −
==Product Architecture Overview==
+
==Security Design and Data in myViewBoard==
   −
<gallery widths="300" heights="300">
+
Security is always the highest priority of our concerns. myViewBoard had introduced different techniques to ensure you could use our service always in the good and safe environment.  
Security_arch_chart.png
  −
Security_prod_arch_overview.png
  −
</gallery>
     −
==Storing and Managing Encryption Keys in the Cloud==
+
===Security design and implementation===
 +
myViewBoard introduced the firewall to protect all the assets for the system. All the traffic had been monitored by a firewall to ensure there is no malicious connection connecting to our systems.  Also, we introduced the PKI infrastructure to ensure the identity of the servers. The PKI could provide the integrity to ensure the service had been served in the proper secure way.
   −
Security measures that rely on encryption require encryption keys. In the cloud, as in an on-premises system, it is essential that access keys are secure. Combining server-side encryption with AWS key management and storage capabilities, Amazon Web Services is able to provide an HSM service in the cloud known as AWS CloudHSM.  
+
Besides the above, myViewBoard had already applied SSL certificates to encrypt all the transactions between you and our system. All the traffic you send and get through from our system is in private. myViewBoard uses SHA 256 with RSA encryption algorithm to ensure that all traffic is safe during data transmission. We do not allow any open-text connections to [myviewboard.com]  so that all your connections would be in a highly secured way to connected with us.  
    +
Moreover, myViewBoard employed different cloud vendors for infrastructure support. By the empower of cloud vendors, your data and data transmission are placed in the most secure way that the top-tier cloud vendor provided. Inside the access, the encryption keys are required to use as the mandatory identity validation method. myViewBoard also deployed the Web Application Firewall (WAF) to protect your connection within the safe and proper good way for transmitting data. By the empowering of our WAF, DDoS protection and network vulnerability prevention had been formed into our infrastructure to provide you a clean and safe space for using our service.
   −
AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers.
+
===Data Segregation===
   −
<div class="res-img" style="width:50%;height:auto;">
+
In myViewBoard, your data will be saved on our secure database system which only a limited number of our internal colleagues could touch for. In most scenarios, myViewBoard would not directly access your data.  
[[File:Security_mng_encrypt_keys.png]]
  −
</div>
  −
 
  −
Reference: Amazon Web Services
  −
 
  −
==Protecting Data in Transit to Amazon S3==
  −
 
  −
Like AWS service management, Amazon S3 is accessed over HTTPS. This includes all Amazon S3 service management requests, as well as user payload, such as the contents of objects being stored/retrieved from Amazon S3 and associated metadata. When the AWS service console is used to manage Amazon S3, an SSL/TLS secure connection is established between the client's browser and the service console endpoint. All subsequent traffic is protected within this connection. When Amazon S3 APIs are used directly or indirectly, an SSL/TLS connection is established between the client and the Amazon S3 endpoint. All subsequent HTTP, and user payload traffic is encapsulated within the protected session.
  −
 
  −
<div class="res-img" style="width:50%;height:auto;">
  −
[[File:Security_Amazon_S3.png]]
  −
</div>
  −
 
  −
Reference: Amazon Web Services
      +
To perform the good data segregation standard, myViewBoard uses a different system to isolate our colleagues who could touch what category of data. We are working from the least privileged model which means your colleagues will not be able to access the data they do not need.
 +
Also, by the segregation of data concept, myViewBoard only collects the data need to perform our tasks. All the data and information you provided will be under our security protocol to perform regular access audits and review the control procedures.
   −
==Protecting Data in Transit to Amazon RDS==  
+
===Data Encryption===
   −
Connecting to Amazon RDS from Amazon EC2 in the same region relies on the security of the AWS network. Connection from the internet uses SSL/TLS for additional protection. SSL/TLS provides peer authentication via server X.509 certificates, data integrity authentication, and data encryption for the client-server connection. SSL/TLS is currently supported for connections to Amazon RDS MySQL and Microsoft SQL instances. For both products, Amazon Web Services provides a single self-signed certificate associated with the MySQL or Microsoft SQL listener. Amazon RDS for Oracle Native Network Encryption encrypts the data as it moves into and out of the database. Oracle Native Network Encryption encrypts network traffic travelling over Oracle Net Services using industry standard encryption algorithms such as AES and Triple DES.  
+
In myViewBoard, all data will be encrypted and store in our database system. Besides the data at rest, myViewBoard also takes good care of data in transit.  
   −
<div class="res-img" style="width:50%;height:auto;">
+
For all services in myViewBoard, we had enabled the SSL/TLS encryption between different parties. All the traffic is transferred under the SHA256 encryption by our SSL certification. The certificate will be continuously updated and renew by us to ensure the safety of the data passing.  
[[File:Security_amazon_rds_vpc.png]]
  −
</div>
     −
Amazon RDS VPC
+
===Data Usage===
 
  −
==Protecting Data in Transit to Amazon DynamoDB==  
  −
 
  −
Connecting to DynamoDB from other services from AWS in the same region relies on the security of the AWS network. Connecting to DynamoDB across the internet uses HTTP over SSL/TLS (HTTPS) to connect to DynamoDB service endpoints. Avoid any HTTP for access to DynamoDB and for all connections across the internet.
  −
 
  −
 
  −
<div class="res-img" style="width:50%;height:auto;">
  −
[[File:Security_dynamoDB.png]]
  −
</div>
      +
Besides the above, myViewBoard is concerned with all your data shared with us. All your temporary files will be deleted when you exit the application, sign out, switch users, or reach idle time.
 +
And as per the architecture by OAuth 2.0, we do not store your password on our system when you use other identity providers to access our system.
 +
In myViewBoard, we will not share or sell your data to a third party for any other purpose which means we will not allow other parties to access your information for any purpose.
 +
For the collection of data and its usage, including GDPR protection policy, please reference to https://myviewboard.com/policy  for more details.
    
==Secure Streaming Service==  
 
==Secure Streaming Service==  
Line 133: Line 113:  
</div>  
 
</div>  
   −
==Addendum==  
+
==Incident handling for myViewBoard==  
 +
 
 +
Nowadays, the cyber-attacks would be a more serious problem in the world. In myViewBoard, we had clearly defined the incident handling approaches internally and had internal procedures. 
   −
Changes to the system environment:  
+
[[File:Security.png|700px]]
   −
This document relates exclusively to the details of the product or project specified above. This section is designed to provide requested details on how the product in question interacts with the system environment in question.  
+
The flow mainly divided the incidents into four different risk levels and handling with different approaches.
 +
* '''Critical'''
 +
: The critical level is the risk of data leakage and the vulnerability found that would cause service impact or leading to affect the usage of myViewBoard. For the issue defined in this category, myViewBoard security team would immediately notice our management group and the virtual incident response team led by senior management and security experts had been formed to tackle the issue as soon as possible. Our incident handling team will include all related department's representatives and handled the reported issue in their highest priority to resolve the issue. myViewBoard also will document the total steps that we are performed in such incidents and will provide the lesson learned to the team.
 +
: The critical level risk would also notice the related parties and myViewBoard management group about the solution or adjustment that should aware on operations and handling skills to our team.  
 +
* '''High'''
 +
: The high-risk level defined there is service impact on myViewBoard but the contingency system had been uplinked to support the service. The high-risk level may also fall by criteria of server impacts that may create threats or vulnerabilities that affect customer use of the system.
 +
: In myViewBoard, the high-risk level will also trigger the formation of the virtual incident response team with all related parties' representatives with security experts to resolve the problem.
 +
: For the operations, the management level in myViewBoard will receive the notice on the issue defined as high-risk level and the incident response team will keep reporting to the management group till the incident is resolved.
 +
: myViewBoard will document the total steps that we are performed in such incidents and will provide the lesson learned to the team.
 +
* '''Medium'''
 +
: The risk defined at the medium level will mainly cause a minor impact on the service and not affect any of the daily operations in myViewBoard. The medium risk level in myViewBoard will mainly follow the pre-defined guidelines and procedures to handle and resolve the issue. The solution may need to be patched or updated in order to use out internal change management process to perform.
 +
: All the tasks and logs collected during the incident handling will be listed in detail in myViewBoard internal directory and shared with the internal team only.
 +
* '''Low'''
 +
: The problem that myViewBoard defined as low-risk level will not affect any provided service or business operation. The low-risk level issue will be handled with the regular handling procedures by myViewBoard team. The low-risk level issue will also be listed on our intranet and shared with the team without identifiable information.
   −
This product has software components that are installed in standard user directories. Any exceptions to this are listed below:
+
==Addendum==
   −
* Crossmatch Fingerprint SDK
+
Besides the above sections, myViewBoard also needs the following port open to allow access to our system.
* SQLCipher
+
* TCP Port 443 (HTTPS): outbound
 +
* UDP and TCP port 3478 bidirectional to the WebRTC servers
 +
* UDP Ports 49,152 – 65,535 (RTP/sRTP/RTCP) bidirectional to the WebRTC servers. These ports are optional; if blocked, media will be proxied using TURN on port 3478.
   −
This software component also adds or makes modifications to the following system attributes and configurations (such as registry entries, firewall settings, digital certificates, kernel mode drivers, and browser plugins):
+
The above ports are the minimum request on linking the service from your organization and it would help to ensure the availability of our service.
    +
The client software component also adds or makes modifications to the following system attributes and configurations (such as registry entries, firewall settings, digital certificates, kernel mode drivers, and browser plugins):
 
* Registry Keys:  
 
* Registry Keys:  
HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\Products\U.are.U RTE
+
: HKEY_LOCAL_MACHINE\SOFTWARE\ViewSonic\vBoard (Whiteboard for Windows)
 
  −
 
  −
Services: The following are uses of cryptography:
  −
 
  −
* Hashing Algorithms: SHA25
  −
* Public-Key Algorithms: RSA-204
  −
* SSL Schemes: TLS 1.2
      +
* Services:
 +
: The following are used for cryptography:
 +
:・Hashing Algorithms: SHA256
 +
:・Public-Key Algorithms: RSA-2048
 +
:・SSL Schemes: TLS 1.2
   −
The following is a list of all known third party components used in this product:
+
==Resiliency of myViewBoard==
 +
myViewBoard not only considers the confidential aspect of the service provided, but also concerns about the availability of the service provided. In myViewBoard, all our infrastructure is running under N+1 design. To ensure we provide the services running in smooth and high availability mode, our infrastructure vendors are basically running in 99.999% availability.
   −
* WebRTC
  −
* mqtt
  −
:- MQTT 3.1 and 3.1.1 compliant
  −
:- QoS 0 and QoS 1 
   
----
 
----
 
{{ent:Get_more_information}}
 
{{ent:Get_more_information}}
Approvers, DutchOffice, FranceOffice, GermanOffice, Image-reviewer, JapanOffice, RussiaOffice, SpanishOffice, TaiwanOffice, TurkeyOffice, VietnamOffice, Bureaucrats, Interface administrators, Administrators, Upload Wizard campaign editors
6,575

edits

Navigation menu