SkyKick - Cloud Backup Security

Note:
The information contained in this article has been provided by Cloud Direct's partner, SkyKick.

SkyKick takes the security and privacy of sensitive business information seriously. This document provides an overview of the steps taken to protect data in its Cloud Backup application, both at rest and in transit.

 

Access to Data

At the highest level, and by necessity, SkyKick will always have the same level of access to customer data that is implied by the permissions of the credential the partner provides. In order to back up the data, SkyKick needs access to the data. However, SkyKick maintains a strict access policy and a set of industry-standard mechanisms for ensuring the privacy and security of backed up customer data.

Additionally, SkyKick Cloud Backup only restores data to the original mailbox or site to prevent a non-owner of the mailbox or site from accessing its data.

We do the following:

  • Per-contact AES-256 encryption backed by RSA 2048-bit public/private key certificates managed via the Windows/Azure infrastructure for both credential management and user content.
  • Certificates are separated by both environment (production/testing) and value type (credential/content).
  • Engineer access is controlled on a needs basis by role-based access to both the compute infrastructure and the certificate private keys. Only engineers who need to deploy or troubleshoot production environments are granted access to those environments.

 

Security in Search

This is the focal point of the trade-off between security and convenience. Rapid-return search is fundamentally at odds with end-to-end encryption of the searchable content. The trade-off we make is that we only index a small amount of each document's metadata (e.g. folder path, subject, attachment names) and store the index in a separate area of our data centre with its own role-based access, limited to the developers who work directly on the search server. Because search is exposed through our API, access is additionally granted to partners and customers via account management in the SkyKick Portal.

 

Leveraging Secure Platforms

To ensure the highest level of physical and virtual security, SkyKick Cloud Backup is managed on Microsoft Windows Azure for 100% of our production server resources. These are all protected by those facilities' physical and virtual security. For details, see Microsoft Windows Azure.

 

Security - Data at Rest

Azure Storage

We utilize secure servers on Windows Azure for the stored data. Partners also have the option to bring their own Azure, which they control, and can choose the geography in which the data are stored.

Credit Card Information

All transactions go through Authorize.net, so Cloud Backup does not require a credit card number stored on any media controlled by SkyKick.

Encryption

Each element of sensitive user information that a SkyKick system needs to know for Cloud Backup is stored in SkyKick's online system under AES 256-bit symmetric key encryption. The per-datum symmetric AES keys are themselves encrypted using a variable set of RSA 2048-bit public keys. The corresponding private keys are retained in Windows Azure certificate management stores and are available only to the systems that require them.
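
The per-datum key wrapping described above can be sketched as follows. This is an added example, not SkyKick's code: the AES-GCM mode, the RSA-OAEP (SHA-256) padding, the key ids and the function names are assumptions, since the article names only AES-256 and RSA 2048-bit.

```javascript
// Added illustration, not SkyKick code. AES-256-GCM and RSA-OAEP (SHA-256) are
// assumptions: the page names only AES-256 and RSA 2048-bit.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed key set: RSA 2048-bit pairs with hypothetical key ids.
function makeKeySet(ids) {
  return Object.fromEntries(ids.map((id) =>
    [id, crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })]));
}

// Encrypt one datum under a fresh AES-256 key, then wrap that key under every
// public key in the set. Only ciphertext and wrapped keys are stored.
function seal(plaintext, valueType, keySet) {
  const dek = crypto.randomBytes(32); // per-datum data key
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  cipher.setAAD(Buffer.from(valueType)); // bind "credential" or "content" to the tag
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrapped = {};
  for (const [id, pair] of Object.entries(keySet)) {
    wrapped[id] = crypto.publicEncrypt({ key: pair.publicKey, ...OAEP }, dek);
  }
  dek.fill(0); // do not keep the plaintext data key around
  return { valueType, iv, ct, tag: cipher.getAuthTag(), wrapped };
}

// Unwrap the data key with one private key, then decrypt and authenticate.
function open(record, keyId, privateKey) {
  if (!record.wrapped[keyId]) throw new Error(`no wrapped key for ${keyId}`);
  const dek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrapped[keyId]);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, record.iv);
  decipher.setAAD(Buffer.from(record.valueType));
  decipher.setAuthTag(record.tag);
  const pt = Buffer.concat([decipher.update(record.ct), decipher.final()]);
  dek.fill(0);
  return pt.toString('utf8');
}

// Returns true when open() rejects, e.g. wrong key or relabelled value type.
function rejects(record, keyId, privateKey) {
  try { open(record, keyId, privateKey); return false; } catch { return true; }
}
```

Wrapping the same data key under several public keys lets any one authorised private key recover the datum, while a private key from a different value type cannot.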

Access

Access to the dependent systems, the certificates holding the private keys, and the decrypt functionality enabled by the private keys is programmatically logged, monitored, and governed by a strict access policy. After receipt by SkyKick's system, all sensitive user information remains encrypted at all times in memory on intermediate systems and when being transferred between systems. It is only decrypted on dependent service endpoint systems and then only to do the necessary authentication/authorization.

Each element of sensitive user information that is not required to be known at any point is encrypted using a one-way hashing process.

Access to the SkyKick application is managed through partner accounts with usernames and passwords. All partner and user account credentials to the SkyKick site are stored with individually salted one-way SHA-2 hashes as specified in Kentico Documentation.

 

Security - Data Transfer

All data, including those sent to/from Exchange or SharePoint Online and transmitted across SkyKick's backend network boundaries, are transmitted via TLS-enabled protocols. For example, SkyKick uses HTTPS for Exchange Web Services and all other web service protocols.