IBM Aspera Security with web applications
The IBM Aspera web applications (IBM Aspera on Cloud (AoC), IBM Aspera Faspex 5, and IBM Aspera Shares) are centralized transfer solutions that enable users to exchange files with each other using the IBM Aspera high speed protocol, FASP (Fast Adaptive Secure Protocol). File transfer with FASP requires two network connections: one TCP connection used as a control channel and one UDP connection for the FASP data transport.
Each of the Aspera web applications (WebApp) has a comprehensive security model that provides secure access to enable high speed file transfers. The following diagram describes the process to securely transfer data when using an Aspera WebApp.
Steps 1-4 - The IBM Aspera client application is authenticated through credentials or an Identity Provider to then enable the transfer of files from a personal computer or mobile device to HSTS/HSTE. When the user initiates a file transfer request, the WebApp requests a time-limited token for HSTS/HSTE. The WebApp securely transmits the token to the IBM Aspera client application.
Steps 5-7 - The file transfer is initiated by the IBM Aspera client application with a token for session authentication. It establishes a secure connection to the HSTS/HSTE by using the Secure Shell Protocol (SSH) with a common private key or with a TLS based connection using the WebSocket protocol and then initiates the remote file transfer process. The HSTS/HSTE are configured to only allow the file transfer commands by the operating system user account. The token is transmitted through the secure TCP session allowing the HSTS/HSTE to cryptographically validate the token. In case any parameters within the token, such as timestamp, file list, permissions, or transfer direction, are found to be incorrect, the transfer of files is denied.
In the following sections, we cover the most important facts about the security that is built into the IBM Aspera file transfer workflow with Aspera Web Apps:
The encrypted communication pathway that is established between a client and a server is known as the Secure Control Channel. Its role is to create a cryptographically secure network connection between two hosts that provides confidentiality, integrity, and security of communication to transfer data between the client and server.
When using IBM Aspera software, the client comes packaged with an SSH private key that can be used with any HSTS/HSTE with no end-user configuration required. The transfer session establishes the SSH session with the same key-pair. The key-pair is only used to establish the secure TCP control channel.
Alternatively, the secure control channel can be established with the TLS protocol over a WebSocket connection. The HSTS/HSTE must have a certificate signed by a trusted certificate authority where the hostname can be validated.
The authorization to upload or download files is granted by the WebApp that issues the token. File transfer can only happen with a valid token.
Secure remote process control with aspshell
In the Aspera secure ecosystem, the intention behind aspshell is to take the place of regular system shells (like bash) as the default shell for operating system users configured for IBM Aspera file transfer with Web Apps.
aspshell limits the functionality of the operating system user to only run the commands specific to IBM Aspera file transfers. Arbitrary system commands will be rejected.
Secure file access with tokens
A token serves as a data structure containing information used as proof of authentication and/or authorization of a user or process within a system for a limited duration.
Initially, the user or process authenticates to the WebApp to confirm its identity. Upon successful authentication, HSTS/HSTE evaluates the user's permissions and roles and grants authorization for a token corresponding to the authenticated identity. The WebApp validates the authenticity and integrity of the issued token by performing token authentication procedures: verifying a valid user ID (email address) signed with the corresponding private key, and checking for token expiration and revocation. The WebApp then passes the token to the client, enabling the client to start uploading or downloading files.
These tokens can vary in terms of use:
- Transfer tokens are employed to facilitate secure data transfers between endpoints (client-server) for access to specific data and actions (upload/download). These tokens are encrypted to ensure their integrity, prevent tampering, and provide an additional layer of security for the recipient to verify that the token has not been modified since it was issued.
- Bearer tokens, such as JSON Web Tokens (JWTs), represent the authenticated user, offering a more secure option for passing authentication information. Transmitted over HTTP headers, these tokens provide sufficient information to gain access without repeatedly providing credentials. Upon receiving a bearer token, HSTS/HSTE verifies its authenticity and checks its permissions to determine whether to grant access to the requested action (upload/download) and to access specific resources. Additionally, bearer tokens are signed, meaning a digital signature is added to the token, enabling the recipient to verify its authenticity and integrity.
For instance, in Faspex, the user logs in, Faspex verifies the user's identity, requests a transfer token from HSTS/HSTE, and passes the token to the client application. When transferring files, the client application retrieves the token and forwards it to HSTS/HSTE, which validates it and allows the file transfer to proceed.
As another example, in AoC the user logs in to AoC using the Identity Provider, and their identity is confirmed through an OAuth2 login procedure. Afterward, AoC generates a bearer token for the user. During file transfers, the Aspera client application retrieves the token and forwards it to HSTS/HSTE that validates it and allows file transfer to proceed.
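As an added illustration of the token checks described above (this is example code, not Aspera's actual token format or implementation), the following Python sketches the two sides: the WebApp issues a signed, time-limited token that binds the user, the transfer direction and the file list, and the transfer server refuses any request whose parameters do not match the token. HMAC-SHA256 with a shared secret, the claim names, the sample user and paths are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"  # constructed for this example only


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, direction, paths, ttl, secret=SECRET, now=None):
    """WebApp side: bind user, direction, file list and expiry, then sign."""
    now = time.time() if now is None else now
    claims = {"user": user, "dir": direction, "paths": sorted(paths),
              "exp": int(now + ttl)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def check_transfer(token, direction, paths, secret=SECRET, now=None):
    """Server side: return None if the transfer is allowed, else the reason."""
    now = time.time() if now is None else now
    try:
        body_part, sig_part = token.split(".")
        body, sig = _unb64(body_part), _unb64(sig_part)
    except ValueError:
        return "malformed"
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tamper check before parsing
        return "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:                     # time-limited token
        return "expired"
    if claims["dir"] != direction:               # upload vs download
        return "wrong direction"
    if not set(paths) <= set(claims["paths"]):   # only listed files
        return "path not in token"
    return None
```

The signature is verified before any claim is read, so a tampered direction, file list or expiry is rejected without ever being trusted.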
Secure UDP data transport with AES-GCM encryption
Using UDP for data transfer allows for high transfer rates and requires special consideration for security. FASP uses the AES-GCM encryption algorithm by default to encrypt each packet sent over the network. AES-GCM encryption guarantees confidentiality and data integrity, and prevents unauthorized access during the transfer process.
FASP is designed to support the addition of new ciphers as the security landscape of threats changes. The Web Apps and HSTS/HSTE can be configured to accept specific key sizes (128, 192, 256) for AES-GCM based transport encryption.
Secure files at rest with client-side and server-side encryption at rest
Encryption at rest is a crucial strategy for keeping data secure, particularly in scenarios where data breaches or unauthorized access are potential risks.
When client-side encryption is enabled, the users need to set an encryption password while uploading files. During upload, as the files are read from the disk, they are encrypted on the client side (the password never leaves the client side) using a secure random encryption key derived from the supplied password. When the recipient downloads the files, the password must be given, and it is used to decrypt the files as they are written to disk. In this scenario, the sender must provide the password to the recipient out-of-band to decrypt the files and have access to their content.
Server-side encryption is also available. With server-side encryption, the server and storage owners are responsible for securing the files. End users uploading and downloading files do not need to know passwords to encrypt and decrypt the files. HSTS/HSTE is configured with a password that drives an encryption mechanism like the envelope encryption technique employed in client-side encryption. Every file uploaded gets encrypted on disk as it is being written, and every file downloaded gets decrypted as it is being read from disk.
Both encryption methods can be used together to get a stronger and more secure environment because the content is secured through the envelope encryption with keys from client and server. By using both, unauthorized access to sensitive data or risks associated with data breaches and data exposure can be prevented.
Secure access control features with Web Applications
All Aspera Web Apps have user roles as part of the safe and secure environment. The roles help define the activities permitted to each user and allow an administrator to have full control.
Within Faspex, every user can be assigned a role that limits their access to the Faspex server configuration and specific packages.
The user specific roles include:
- Regular user: Send and receive packages.
- Managers: Manage regular users, external users, shared inbox members, and workgroups.
- Admins: Configure the server, access packages and relays, manage all.
- External: Isn't tied to a Faspex account. This allows Faspex users to share public packages with externals using links or invite them via email. However, Admins can set up Faspex to require external users to create accounts before downloading packages.
User roles in Shares determine a user's permissions to access and perform actions on a share. For authorized share access, three roles exist: admins, managers, and regular users.
- Managers: Can view, modify, and remove permissions on shares they are authorized for.
- Regular users: Permissions are based on admin and manager authorization. These accounts, including user, group, and directory service accounts, need authorization to access shares.
In AoC, users are categorized by Roles, Types, and Status, defining their activities. Roles include Global and Workspace; Types include Standard and Limited; and Status includes active, pending, and deactivated.
- Global role: Organization administrators possess broad privileges. ATS administrators share these, with the ability to create transfer nodes and grant ATS admin status.
- Workspace role: Workspace Managers have specific privileges for editing, managing members, inboxes, folders, and settings.
- Standard user types: Packages app users send, collaborate, share, download. In the Files app, they access, share, and manage settings.
- Limited user types: Perform management via the Admin app, often without user app access.
In conclusion, the importance of role assignment in the Aspera Web Apps includes enhanced access control, increased efficiency, customized permissions, reduced risks, consistent access, scalability, simplified management, clearer audit trails, flexibility, and easier collaboration.