Technology and Security

Nimbox Vault is built securely, from the ground up.
We can’t access your data, and we’re transparent about how we protect it.

  • Administrative controls

    With an extensive range of administrative controls, you can deploy secure file sharing for your teams, whilst complying with your organisation’s information policies.

    Dashboard

    Your dashboard provides detailed insight into how Vault is being used across your teams. Through reports, alerts, and custom policies, you can control exactly how and where information is shared and collaborated on. Policy controls include: allowed file types, custom retention periods, share settings, security and authentication controls, account access, and device management.

    Unlimited history and global file locking

    Never lose changes again. Each file, folder, and account has a full version history, and revisions can be restored at the click of a button—letting your team focus on truly brilliant work, without worrying about overwriting important drafts or edits that colleagues make.

    Ransomware protection

    Quickly recover from ransomware attacks, using our snapshot feature. Administrators can restore organisation data as it existed at a specific point in time. This feature recovers content that was previously deleted, recreated, or changed, and maintains the full revision history of restored files.

    Tracking and audit

    Vault tracks files from creation through to destruction. In your dashboard, you can view tamper-proof audit logs that detail exactly who has touched, changed, viewed, and downloaded a file or folder. These audit logs are time-stamped, and can be exported in many common formats.

    Alerts

    Configure alerts to be sent by email, text message, or via your service desk, which inform IT staff, compliance officers, and team leaders about pre-determined events in your cloud. Alerts can report, in real time, on user activity, guest access, end-point and backup status, and many more.

    User permissions

    Create user groups, and assign object-based file and folder permissions so that users only see the data to which they have been explicitly given access. Decide where users can access files, and prevent them from viewing content on machines that you haven’t specifically approved.

    Access control

    Enable two-step authentication across your organisation. When accessing data using the web, desktop, and mobile apps, team members will need to enter a single-use code—generated by an authenticator application, or delivered by SMS and email.

    Import accounts and user groups from Active Directory and LDAP sources, to allow domain-based authentication to our platform.

    Selective Sync and network throttling

    Select which files appear on desktop computers, and choose when to limit network usage with custom throttling settings—perfect for remote workers and in offices with limited bandwidth.

  • Security

    Vault offers unparalleled levels of security, and the following sections detail how we achieve them.

    Encryption

    Data stored in Vault is encrypted with 256-bit Advanced Encryption Standard (AES) cryptography in cipher-block chaining mode. Organisation data is always encrypted—on a device, in transit, and whilst stored—and can only be decrypted by the customer, and its authorised users.

    Our architecture allows for the secure inspection of traffic by the customer to ensure there is no malicious content. Importantly, Nimbox can never see your data, unlike many other cloud storage services that may be able to access unencrypted customer data.

    Zero-knowledge protection

    In Vault, only the customer has control over the encryption and decryption of their data. Because encryption occurs at the device level and the encryption key that is needed to decrypt the data always stays with the customer, we cannot decrypt stored data.

    Data that is stored in Vault is instantly encrypted and decrypted on-the-fly, on the device that is being used at the time—even when using the Vault web application. Nimbox uses AES, a well-known and widely trusted encryption algorithm, with a 256-bit key.

    AES is an approved cryptographic module in FIPS 140-2, and in its CNSSP-15 publication, the Committee on National Security Systems states that AES with a 256-bit key is secure enough to encrypt data marked up to TOP SECRET for the U.S. Government.

    In essence, only encrypted binary data is stored by Vault and it is this data that is synced with other devices registered to the user’s account, through an encrypted ‘tunnel’.

    Client-side encryption

    The data that a customer stores in Vault is always encrypted and decrypted on the user’s device, not on our servers. This process is known as client-side encryption, because the client (which could be an iPhone, PC, Server, Mac, or the web app etc.) is doing the encryption work.

    The raw cryptographic keys used to encrypt and decrypt users’ data are never stored on or transmitted via our servers. To enable multi-device working, an encrypted version of these keys is stored within Vault, and only provided to devices that are registered to the Buyer’s account.

    The encrypted binary data that is stored in Vault would be essentially useless to an attacker if it was intercepted in transit or at rest, as they would not have access to the encryption key. This includes access by Nimbox.

    Breaking a symmetric 256-bit key would require vast computing power. In practice it would take 50 supercomputers—that could check a billion billion (10^18) keys per second—about 3 x 10^50 years to exhaust the 256-bit key space.

    Transport Layer Encryption

    Nimbox utilises Transport Layer Security (TLS) versions 1.1 and 1.2 to securely transfer encrypted customer data between the client and the Vault platform. TLS 1.1 and 1.2 are modern versions of the protocol, and are considered to be extremely safe by the cryptographic community; we don’t support older, less-safe versions of transport layer security, such as SSL 3 and TLS 1.0.

    We also support Forward Secrecy key exchanges using Diffie-Hellman (ECDHE and DHE) enabled cipher suites.

    TLS certificates using the SHA-2 algorithm, and signed by GoDaddy CA are deployed on all Nimbox services. SHA-2 is the most secure signature algorithm currently offered by commercial and open-source certificate authorities.

    Encrypted sharing

    Every Vault user account, including guests, has a 4096-bit RSA key pair that is used exclusively for sharing. When a user shares a file or folder using the Secure Share option, the data is encrypted with the recipient user’s public key. The recipient user then decrypts the data with their private key. The process is automatic and transparent. This allows a user to share data only with the intended recipient, since only the recipient is able to decrypt it.

    Key generation and storage

    Password-Based Key Derivation (PBKDF2) with HMAC-SHA256 is utilised to convert a user’s password into a 256-bit encryption key. A second key—derived from the first key—is then used to encrypt data and other keys, such as the RSA key. This second key is shared with the customer’s organisation account, to enable corporate control of data stored within Vault.

    Any subsequent keys that are not generated directly from the user’s account password are generated by an open-source, cryptographically secure, pseudorandom number generator on the user’s device. Because keys are generated on the device, they cannot be seen by us.

    Private keys that must be stored (to enable cross-device, and intra-team working), are always encrypted prior to transmission to the Nimbox platform. These keys can only be decrypted with either the user’s password, or the customer’s administration password.

    User and server authentication

    Users can access Vault with a username and password, or you can integrate AD/LDAP sources to provide domain-controlled authentication. Our API also supports OAuth2.0 for custom integration.

    Two-factor authentication can be enabled as a mandatory organisation policy, or for individual accounts. Tokens can be generated by text message, email, or smartphone app. We currently support Google Authenticator, Amazon AWS Virtual MFA, or any other TOTP-compatible app.

    Nimbox authenticates each user when transmitting data or encryption keys. Authentication is achieved by comparing a PBKDF2-generated hash of the user’s account password, with a stored hash on the Nimbox platform. By using a hashed version of the user’s account password, Nimbox is able to securely authenticate the user without requiring the password itself.
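
    The derivation chain from "Key generation and storage" and the password check described above, sketched as an added example (not Nimbox's code). The page specifies only PBKDF2 with HMAC-SHA256 and a 256-bit key; the HMAC-based subkey step, the purpose labels, the iteration count and the server-side SHA-256 of the authentication value are assumptions made here to show why the value sent for login must be separate from the key that wraps data.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; the page does not state one


def derive_master_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """First key: PBKDF2-HMAC-SHA256 over the password, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def derive_subkey(master_key: bytes, label: bytes) -> bytes:
    """Second-level key bound to a purpose label (assumed HMAC-based derivation)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def client_keys(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Runs on the device: one password, two independent 256-bit keys."""
    master = derive_master_key(password, salt, iterations)
    return {
        "wrap": derive_subkey(master, b"example/key-wrapping"),    # stays on the device
        "auth": derive_subkey(master, b"example/authentication"),  # presented at login
    }


def server_enrol(auth_value: bytes) -> bytes:
    """Server keeps only a hash of the authentication value, never the password."""
    return hashlib.sha256(auth_value).digest()


def server_verify(stored: bytes, presented: bytes) -> bool:
    """Constant-time comparison of the stored hash with the presented value's hash."""
    return hmac.compare_digest(stored, hashlib.sha256(presented).digest())


def demo(iterations: int = ITERATIONS):
    salt = os.urandom(16)  # per-user random salt, stored alongside the account
    keys = client_keys("correct horse battery staple", salt, iterations)
    stored = server_enrol(keys["auth"])
    good = server_verify(stored, client_keys("correct horse battery staple", salt, iterations)["auth"])
    bad = server_verify(stored, client_keys("wrong password", salt, iterations)["auth"])
    # The server only ever sees the "auth" branch, so it cannot compute the "wrap" key.
    return good, bad, keys["wrap"] != keys["auth"]


if __name__ == "__main__":
    print(demo())
```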

    Remote device wiping

    If a device is lost or stolen, you can easily unlink it through your dashboard. When a device is unlinked, all cached and locally stored data is removed from the device, and the authentication tokens are deleted. Our software also ‘black lists’ the device, so that it cannot re-connect. All device wipes are tracked in the audit logs, and administrators can create custom alerts.

    Network architecture

    Nimbox owns, controls and when necessary, custom-builds systems. We operate multi-zone environments to maximise uptime, redundancy, and to provide the fastest response time to customers. Our network architecture is designed to reduce single points of failure, and is constantly reviewed for best practice and compliance.

    By using this approach to platform architecture, we can provide customers with the fastest and safest cloud environment.

    Resilience, disaster recovery, and backup

    Nimbox is hosted on a resilient platform, in three data centres. Our platform is powered by VMware technologies, and utilises automatic replication and failover. We back up all platform assets, including our network storage nodes, with fourteen daily retention points, plus ten weekly backup points. We test our failover procedures regularly.

    Monitoring and vulnerability scanning

    Our platform is monitored 24x7x365 from our system centre, and by Pingdom AB. Our platform is monitored for availability, reliability, and speed. A comprehensive external security testing programme is run each week to ensure that our service is secure from known exploits, new vulnerabilities, and targeted attacks.

    Physical data security

    Vault is hosted in Tier 3+, ISO27001:2013 certified data centres, which have 24x7x365 on-site security, zonal swipe card entry, CCTV systems, perimeter fencing with controlled access, fire suppression systems, in-rack early warning temperature sensors and fire detection in all rooms, ceilings and below raised floors, N+1 UPS, and N+1 generators with a minimum 48 hours of fuel.

  • Vulnerability reporting

    You trust us to encrypt and store your data. We take this trust very seriously. We thoroughly investigate all reported security vulnerabilities, and aim to make this process as transparent as possible.

    What our programme covers

    Our security programme includes our platform, public web assets, and third party services (but only where the attack can exploit our customers directly).

    Please don’t submit reports derived from automatic scanning tools, such as SSL Labs; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues.

    Additionally, attacks that only affect individual user accounts (such as self-XSS), the presence of application or web browser ‘autocomplete’ messages, Logout Cross-Site Request Forgeries, banner disclosure on public services, issues only exploitable through clickjacking, and descriptive error messages, are not covered.

    In scope assets

    vault.nimbox.co.uk
    sync.nimbox.co.uk
    www.nimbox.co.uk
    developer.nimbox.co.uk
    canary.nimbox.co.uk

    Not in scope assets (unless the attack can exploit our customers directly)

    support.nimbox.co.uk
    status.nimbox.co.uk

    How to report a security vulnerability

    To contact the Nimbox Security Team, please email security@nimbox.co.uk. Should you wish to encrypt your email to us, please use our PGP key.

    What to tell us

    When contacting our Security Team, try to include information that we can use to replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code). Please read our security programme’s scope before submitting your report, as only in-scope reports will be accepted.

    What happens next

    We aim to respond to all vulnerability reports within 24 hours. We will then provide you with updates every 20 working days.

    The Security Team reviews all reported vulnerabilities and takes steps to validate and reproduce them. If more information is needed, we will work with you until such a time that the vulnerability can be validated.

    Once the review is complete, and the vulnerability has been confirmed, the results will be sent to you along with information about its resolution and any subsequent public disclosure.

    Public disclosures will be made on our blog. We realise that individuals, businesses and organisations usually publish vulnerabilities on their websites, and if possible, we’d like to publish our respective public disclosures simultaneously.

    You guys rock

    The security researchers below have reported security vulnerabilities to us, helping to make the internet a safer place.

    Shivam Kumar Agarwal
    Pradeep Kumar
    Mansouri Badis
    Charfeddine Hamdi
    Konduru Jashwanth
    Muhammad Osama
    Zee Shan
    Ali BawazeEer
    Babar Khan Akhunzada
    Nithish Varghese
    Ashish Padelkar
    Ross Bingham
