On-Premises to Cloud Enterprise-Grade Security
CTERA allows customers to control all levels of security independent of their choice of cloud infrastructure. This includes built-in data-at-rest encryption, data-in-transit encryption, Active Directory or LDAP user authentication with single sign-on, and data integrity verification.
By using source-based encryption in all CTERA Cloud Storage Gateways and end-point software Agents, CTERA effectively creates a VPN for cloud storage, in which the customer has all data encrypted before it is sent to the cloud. CTERA uses enterprise-grade AES-256 (Advanced Encryption Standard) encryption, a highly secure encryption algorithm approved for protecting U.S. government classified material and widely used by financial institutions. The data is then stored in its encrypted state in the cloud.
Users also have the option of encrypting local volumes on CTERA Cloud Storage Gateways, further protecting their data in case of physical theft of the appliance or its hard drives.
Private Encryption Keys
CTERA Portal allows each user to choose either a private key derived from a personal encryption passphrase, or to accept an automatically generated key. The system administrator has full control over the choices of encryption keys given to users, according to the security policies of the organization.
Furthermore, in CTERA Portal, the metadata and keys to the protected data are stored separately from the data itself, so that they may remain behind the organization's firewall regardless of where the data resides. This way, encrypted data can be stored in public or private cloud while the customer retains exclusive ownership of the keys and metadata. This means that a cloud storage provider never has access to the keys nor can it grant access to a third party without the customer's consent and knowledge.
Authentication and Identity Management
CTERA integrates with your existing Active Directory/LDAP services to provide user authentication and single sign-on, including password expiration policies and support for AD forests. Active Directory groups can be used to determine user privileges and management roles. A fully documented API is provided for additional custom integration.
For administrative access, CTERA Portal supports role-based access permissions, automatic lockout after failed login attempts and IP-based access control.
Secure Connection, In-Transit Encryption
In addition to encrypting the data itself, all cloud traffic is transmitted over a TLS (Transport Layer Security) connection, the same kind of connection used for safe transactions on e-commerce sites. TLS protects data from being read or intercepted en route to the online backup infrastructure. CTERA Portal uses X.509 digital certificates to prevent "man in the middle" attacks.
Data Integrity Assurance
CTERA uses SHA-1 (Secure Hash Algorithm) to "fingerprint" the data sent to the cloud. This is a method to ensure data integrity, i.e. that the data set reaching its destination is the same data set transmitted by the user, and that it has not been tampered with.
Password Policy Enforcement
CTERA allows admins to set a minimum password length and enforce password change policies on users, preventing them from creating easy-to-guess passwords or keeping the same password for a long time.