cancel
Showing results for 
Search instead for 
Did you mean: 

Egnyte's Security Policies and Practices

Robert Ellis
Resident

Egnyte's Security Policies and Practices

I have a couple questions that I would like to ask in regards to Egnyte and its security policies and practices. 

1.  Is access to Egnyte via mobile Encrypted.  Your security whitepaper mentions access via web browser and desktop are encrypted but it does not mention anything about mobile. 

  1. Your security Whitepaper mentions that data is encrypted at rest.  What type of encryption is this? 

  2. Your security Whitepaper mentions that passwords are stored in your password database using MD5 encryption.  MD5 is no longer considered a 'secure' means of protecting data as it has been openly cryptographically broken.  Is Egnyte still using MD5 to protect passwords? and if so, is there any plan to migrate to a more secure encryption protocol? 

4.  What is done with a customer's data once they leave Egnyte?  I presume the data is removed in some fashion, but what method is used to remove the customer's data? 

0 Kudos
5 Replies
Community Manager Don David
Community Manager

Re: Egnyte's Security Policies and Practices

Hi Robert, 

I will have the appropriate personnel contact you to answer your questions. A couple of answers that I can provide: mobile access are encrypted, data is deleted when a customer leaves.

0 Kudos
Highlighted
Robert Ellis
Resident

Re: Egnyte's Security Policies and Practices

I have not been contacted regarding issues 2 and 3.  I do not have to be contacted privately as these should be things that the Egnyte community should be aware about.

  1. Your security Whitepaper mentions that data is encrypted at rest.  What type of encryption is this? 

  2. Your security Whitepaper mentions that passwords are stored in your password database using MD5 encryption.  MD5 is no longer considered a 'secure' means of protecting data as it has been openly cryptographically broken.  Is Egnyte still using MD5 to protect passwords?  If so, is there any plan to migrate to a more secure encryption protocol?

0 Kudos
Krishna Sankar
Resident

Re: Egnyte's Security Policies and Practices

Hi Robert,

  Sorry for the delay. Here are the answers for the rest of your questions:

   #2 : We use the AES Cipher with a key strength of 256 bits.

   #3 : Yep, agreed. MD5 is no longer considered safe. We use Bcrypt for secure storage of passwords. 

Cheers

<k/>

0 Kudos
Robert Ellis
Resident

Re: Egnyte's Security Policies and Practices

Thanks for the quick response Krishna!  Its good to hear that Egnyte is no longer using MD5.  It was an issue that we were potentially worried about. 

Would you be able to expand on Don David's response to my 4th question?  I had already figured Egnyte deleted customer data when they leave.  I was more interested in how and to what level data is removed.  For example, I could simply send all files to the recycle bin or I could write 0's to the selected drive partitions/sectors or even do multiple passes of various writing algorithms to ensure all data is completely gone. 

Thanks, Robert

0 Kudos
Krishna Sankar
Resident

Re: Egnyte's Security Policies and Practices

Robert,

   Good question.   Let me take this opportunity to systemically look at the storage mechanics and the layers:

  1. We use RAID & so the disk blocks are striped across 10-20 disk spindles, depending on the configuration. 
  2. Our object store is independent of the metadata layer, and that stripes files across multiple disk subsystems
  3. The encryption adds another layer of obfuscation
  4. The Linux file system adds it's own organization semantics with re-allocation of deleted inodes and data blocks. 
  5. Back to the delete method, the EoS (Egnyte Object Store) deletes the files from the OS, as directed by policies set in the metadata layer (trash retention policies et al). We do not use any technique like zeroing of file contents and/or blocks. 
  6. In case of an expired or discontinued workgroup, all the files that belonged to the workgroup are deleted from the file system and the encryption keys are deleted from our keystore. 
  7. In short, neither the files nor the blocks are contiguous in traditional sense. I remember the old days of Norton Undelete for DOS where one could recover erased files by combing through disk blocks and the File allocation Table.
  8. And our storage nodes are pretty busy, thanks to our customers. The Linux file system reuses freed up inodes when files get deleted very aggressively, leaving no realistic chance of any form of "undelete".

Cheers

<k/>