Technology and Security
Nimbox Vault is built securely, from the ground up.
We can’t access your data, and we’re transparent about how we protect it.
With an extensive range of administrative controls, you can deploy secure file sharing for your teams, whilst complying with your organisation’s information policies.
Your dashboard provides detailed insight into how Vault is being used across your teams. Through reports, alerts, and custom policies, you can control exactly how and where information is shared and collaborated on. Policy controls include: allowed file types, custom retention periods, share settings, security and authentication controls, account access, and device management.
Unlimited history and global file locking
Never lose changes again. Each file, folder, and account has a full version history, and revisions can be restored at the click of a button—letting your team focus on truly brilliant work, without worrying about overwriting important drafts or edits that colleagues make.
Quickly recover from ransomware attacks, using our snapshot feature. Administrators can restore organisation data as it existed at a specific point in time. This feature recovers content that was previously deleted, recreated, or changed, and maintains the full revision history of restored files.
Tracking and audit
Vault tracks files from creation through to destruction. In your dashboard, you can view tamper-proof audit logs that detail exactly who has touched, changed, viewed, and downloaded a file or folder. These audit logs are time-stamped, and can be exported in many common formats.
Configure alerts to be sent by email, text message, or via your service desk, which inform IT staff, compliance officers, and team leaders about pre-determined events in your cloud. Alerts can report, in real time, on user activity, guest access, end-point and backup status, and many more.
Create user groups, and assign object-based file and folder permissions so that users only see the data to which they have been explicitly given access. Decide where users can access files, and prevent them from viewing content on machines that you haven’t specifically approved.
Enable two-step authentication across your organisation. When accessing data using the web, desktop, and mobile apps, team members will need to enter a single-use code—generated by an authenticator application, or delivered by SMS and email.
Import accounts and user groups from Active Directory and LDAP sources, to allow domain-based authentication to our platform.
Selective Sync and network throttling
Select which files appear on desktop computers, and choose when to limit network usage with custom throttling settings—perfect for remote workers and in offices with limited bandwidth.
Vault offers unparalleled levels of security, and the following sections detail how we achieve them.
Data stored in Vault is encrypted with 256-bit Advanced Encryption Standard (AES) cryptography in cipher-block chaining mode. Organisation data is always encrypted—on a device, in transit, and whilst stored—and can only be decrypted by the customer, and its authorised users.
Our architecture allows for the secure inspection of traffic by the customer to ensure there is no malicious content. Importantly, Nimbox can never see your data, unlike many other cloud storage services that may be able to access unencrypted customer data.
In Vault, only the customer has control over the encryption and decryption of their data. Because encryption occurs at the device level and the encryption key that is needed to decrypt the data always stays with the customer, we cannot decrypt stored data.
Data that is stored in Vault is instantly encrypted and decrypted on-the-fly, on the device that is being used at the time—even when using the Vault web application. Nimbox uses AES, a well-known and widely trusted encryption algorithm, with a 256-bit key.
AES is an approved cryptographic module in FIP 140-2, and in its CNSSP-15 publication, the Committee on National Security Systems states that AES with a 256-bit key is secure enough to encrypt data marked up to TOP SECRET for the U.S. Government.
In essence, only encrypted binary data is stored by Vault and it is this data that is synced with other devices registered to the user’s account, through an encrypted ‘tunnel’.
The data that a customer stores in Vault is always encrypted and decrypted on the user’s device, not on our servers. This process is known as client-side encryption, because the client (which could be an iPhone, PC, Server, Mac, or the web app etc.) is doing the encryption work.
The raw cryptographic keys used to encrypt and decrypt users’ data are never stored on or transmitted via our servers. To enable multi-device working, an encrypted version of these keys are stored within Vault, and only provided to devices that are registered to the Buyer’s account.
The encrypted binary data that is stored in Vault would be essentially useless to an attacker if it was intercepted in transit or at rest, as they would not have access to the encryption key. This includes access by Nimbox.
Breaking a symmetric 256-bit key would require vast computing power. In practice it would take 50 supercomputers—that could check a billion billion (10^18) keys per second—about 3 x 10^50 years to exhaust the 256-bit key space.
Transport Layer Encryption
Nimbox utilises Transport Layer Security (TLS) versions 1.1 and 1.2 to securely transfer encrypted customer data between the client and the Vault platform. TLS 1.1 and 1.2 are modern versions of the protocol, and are considered to be extremely safe by the cryptographic community; we don’t support older, less-safe versions of transport layer security, such as SSL 3 and TLS 1.0.
We also support Forward Secrecy key exchanges using Diffie-Hellman (ECDHE and DHE) enabled cipher suites.
TLS certificates using the SHA-2 algorithm, and signed by GoDaddy CA are deployed on all Nimbox services. SHA-2 is the most secure signature algorithm currently offered by commercial and open-source certificate authorities.
Every Vault user account, including guests, has a 4096-bit RSA key pair that is used exclusively for sharing. When a user shares a file or folder using the Secure Share option, the data is encrypted with the recipient user’s public key. The recipient user then decrypts the data with their private key. The process is automatic and transparent. This allows a user to share data only with the intended recipient, since only the recipient is able to decrypt it.
Key generation and storage
Password-Based Key Derivation (PBKDF2) with HMAC-SHA256 is utilised to convert a user’s password into a 256-bit encryption key. A second key—derived from the first key—is then used to encrypt data and other keys, such as the RSA key. This second key is shared with the customer’s organisation account, to enable corporate control of data stored within Vault.
Any subsequent keys that are not generated directly from the user’s account password are generated by an open-source, cryptographically secure, pseudorandom number generator on the user’s device. Because keys are generated on the device, they cannot be seen by us.
Private keys that must be stored (to enable cross-device, and intra-team working), are always encrypted prior to transmission to the Nimbox platform. These keys can only be decrypted with either the user’s password, or the customer’s administration password.
User and server authentication
Users can access Vault with a username and password, or you can integrate AD/LDAP sources to provide domain-controlled authentication. Our API also supports OAuth2.0 for custom integration.
Two-factor authentication can be enabled as a mandatory organisation policy, or for individual accounts. Tokens can be generated by text message, email, or smartphone app. We currently support Google Authenticator, Amazon AWS Virtual MFA, or any other TOTP-compatible app.
Nimbox authenticates each user when transmitting data or encryption keys. Authentication is achieved by comparing a PBKDF2-generated hash of the user’s account password, with a stored hash on the Nimbox platform. By using a hashed version of the user’s account password, Nimbox is able to securely authenticate the user without requiring the password itself.
Remote device wiping
If a device is lost or stolen, you can easily unlink it through your dashboard. When a device is unlinked, all cached and locally stored data is removed from the device, and the authentication tokens are deleted. Our software also ‘black lists’ the device, so that it cannot re-connect. All device wipes are tracked in the audit logs, and administrators can create custom alerts.
Nimbox owns, controls and when necessary, custom-builds systems. We operate multi-zone environments to maximise uptime, redundancy, and to provide the fastest response time to customers. Our network architecture is designed to reduce single points of failure, and is constantly reviewed for best practice and compliance.
By using this approach to platform architecture, we can provide customers with the fastest and safest cloud environment.
Resilience, disaster recovery, and backup
Nimbox is hosted on a resilient platform, in three data centres. Our platform is powered by VMware technologies, and utilises automatic replication and failover. We test our failover procedures regularly.
Monitoring and vulnerability scanning
Our platform is monitored 24x7x365 from our system centre, and by Pingdom AB. Our platform is monitored for availability, reliability, and speed. A comprehensive external security testing programme is run each week to ensure that our service is secure from known exploits, new vulnerabilities, and targeted attacks.
Physical data security
Vault is hosted in Tier 3+, ISO27001:2013 certified data centres, which have 24x7x365 on-site security, zonal swipe card entry, CCTV systems, perimeter fencing with controlled access, fire suppression systems, in-rack early warning temperature sensors and fire detection in all rooms, ceilings and below raised floors, N+1 UPS, and N+1 generators with a minimum 48 hours of fuel.
You trust us to encrypt and store your data. We take this trust very seriously. We thoroughly investigate all reported security vulnerabilities, and aim to make this process as transparent as possible.
What our programme covers
Our security programme includes our platform, public web assets, and third party services (but only where the attack can exploit our customers directly).
Please don’t submit reports derived from automatic scanning tools, such as SSL Labs; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues.
Additionally, attacks that only affect individual user accounts (such as self-XSS), the presence of application or web browser ‘autocomplete’ messages, Logout Cross-Site Request Forgeries, banner disclosure on public services, issues only exploitable through clickjacking, and descriptive error messages, are not covered.
In scope assets
Not in scope assets (unless the attack can exploit our customers directly)
How to report a security vulnerability
To contact the Nimbox Security Team, please email firstname.lastname@example.org.
What to tell us
When contacting our Security Team, try to include information that we can use to replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code). Please read our security programme’s scope before submitting your report, as only in-scope reports will be accepted.
What happens next
We aim to respond to all vulnerability reports within 24 hours. We will then provide you with updates every 20 working days.
The Security Team reviews all reported vulnerabilities and takes steps to validate and reproduce them. If more information is needed, we will work with you until such a time that the vulnerability can be validated.
Once the review is complete, and the vulnerability has been confirmed, the results will be sent to you along with information about its resolution and any subsequent public disclosure.
Public disclosures will be made on our blog. We realise that individuals, businesses and organisations usually publish vulnerabilities on their websites, and if possible, we’d like to publish our respective public disclosures simultaneously.
We’ll let you know if a reward (either payment or ‘swag’) will be issued for the bug that you report. Rewards are issued at our sole discretion, and we don’t guarantee that your report will result in a reward being issued.
You guys rock
The security researchers below have reported security vulnerabilities to us, helping to make the internet a safer place.
Get started for just £10 a month Grab your free premium trial