Introduction
The Qbox file sharing and collaboration application, developed and sold by CoralTree, Inc., is used by professionals from financial, legal, property management, retail, education, non-profit, and other industry segments to share mission-critical desktop application files and collaborate in real-time. In order to ensure that the user’s critical information is not lost, altered, corrupted, or compromised, Qbox uses the most modern Physical, Information, and Application security techniques to secure the client data. This includes storing data in data centers that are compliant with modern security standards, transmitting all data over secure HTTPS connections that use 256-bit SSL encryption, and only allowing authenticated, role-based access to client data. In addition, security best practices are built into all aspects of product design, development, testing, and deployment.
Qbox benefits from the extensive experience its founders and engineering members have in building highly secure and reliable applications that are used by Fortune 500 companies. This experience, combined with the use of the latest Web 2.0 secure development and testing techniques, ensures that Qbox provides a highly secure and reliable environment for clients’ critical data.
The rest of the whitepaper provides an overview of the various security capabilities in Qbox. These include:
- Physical Security: Security and controls in place to ensure that only authorized personnel have physical access to the hardware used to run the Qbox application, or the hardware used to store the data.
- Information Security: Techniques and procedures that ensure that only authorized personnel can see the data in the Qbox application, either at rest or in transit. They also ensure that data is not lost or corrupted.
- Application Security: The capabilities in the Qbox application to ensure that unauthorized users cannot compromise the application using techniques like XSS, CSRF, SQL Injection, etc., while also ensuring that authorized users can access the data they are allowed to (and only the data they are allowed to access).
Information Security
Qbox ensures that unauthorized or unscrupulous individuals can never access application data. This is ensured both when the data is in transit (over the Internet) and when the data is at rest (inside the data centers).
To ensure data security during transit, all communication between the user’s browser and the Qbox servers is over HTTPS using 256-bit SSL encryption. This ensures that there is no way for someone to intercept and look at the data (“man in the middle” attack). Qbox uses Premium SSL Certificates that provide the highest levels of security in modern browser-based applications.
To secure the data at rest, Qbox databases are behind multiple levels of secure firewalls in the data center. Access to these servers is only available using X.509 certificates (no password access is enabled to these servers). Only a very small subset of authorized CoralTree, Inc. employees have access to these X.509 certificates that allow them access to these servers, primarily to perform routine maintenance and backup.
Finally, Qbox databases are replicated (in real-time) and regularly backed up so that application data is never lost or corrupted due to hardware or disk failures, or natural disasters like lightning, earthquakes, etc.
Application Security
Qbox utilizes the latest Web 2.0 application security design, development, testing, and deployment techniques to secure itself against well-known security attacks like XSS, CSRF, SQL Injection, and session hijacking. In addition, CoralTree has hired the services of WhiteHat Security, one of the top-rated security specialists in the industry, to conduct daily scans and periodic penetration testing on the Qbox web application to detect security attacks and vulnerabilities. Any vulnerabilities reported by WhiteHat Security are quickly fixed and retested.
Qbox ensures that no critical data is persistently stored on the user’s desktop, or in the browser’s cookies. User passwords are encrypted before they are stored in the Qbox database. Credit card information provided by users while paying bills is not stored in the Qbox database. This information is sent directly to the BrainTree payment gateway for storage and processing. You can view the BrainTree data security best practices at BrainTree Data Security.
Users need to authenticate themselves at all times before they can access the Qbox web application for administrative purposes, after which they can only see or modify data that they have been authorized to access. The Qbox Client running on the user’s computer can only access folders and files set up by or shared with the user. Sharing of a folder and the files in it can be initiated only by an account owner or team members of the account owner, who need to be on the same private email domain as the owner. These features are implemented using role-based access control to the Qbox application.
Conclusion
Qbox provides comprehensive Physical, Information, and Application security of user data, while still allowing users to perform Qbox operations and file sharing more efficiently over the Internet, saving them both money and time.