watchdox.com
OVERVIEW
WatchDox delivers an advanced solution to control, track, and protect your
organization's documents wherever they go, on any device. Using virtualization
technologies such as VMware, WatchDox offers a virtual appliance as an on-premises
deployment that provides the same functionality as the WatchDox cloud-based
deployment.
Key functionality includes:
WatchDox web applications employ a Role Based Access Control (RBAC) security
model. The security layer restricts each user to the operations and documents their
permissions allow, with no ability to cross into unauthorized boundaries. A
compartmentalized software architecture isolates the WatchDox server components
from one another, limiting what an outside intruder who reaches one component can
access.
Encryption
WatchDox uses the industry-standard Advanced Encryption Standard (AES), used
by businesses and governments to protect sensitive information. All user data
transmitted over the Internet to and from the WatchDox servers is sent over
HTTPS, that is, HTTP encrypted with TLS (the protocol still commonly referred to
as SSL). The negotiated symmetric cipher key is 128 or 256 bits, depending on the
cipher suites the browser supports; the appliance can be configured to require a
256-bit minimum.
All key data fields that contain data from user input, registration, content, and
policies are encrypted. Storing the documents and metadata in encrypted form
ensures that even intruders who obtain the physical disks on which they reside
cannot read them; with an authenticated cipher mode, any modification of the
stored ciphertext is detected on decryption rather than silently accepted.
Each document is stored encrypted under its own unique cryptographic key, so
compromise of one key does not affect the security of the other documents in the
system. The keys are kept in a secure keystore. Optionally, a hardware security
module (HSM) can be connected to the WatchDox virtual appliance so that the
system's keys are held externally in the HSM, the strongest level of key
protection offered.
Secure Document Boundaries
The WatchDox web application is further separated into components that handle
metadata and components that handle users' documents. Each component runs in its
own security context with a strict interface, and the components communicate with
one another over SSL/TLS through APIs. This architecture keeps users' documents
protected and separated from one another even when a maliciously crafted
document is uploaded.
Encrypted documents are stored in a manner that prevents association between the
document itself and metadata such as the document's owner, its recipients, or its
original file name.
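The per-document keys, the external key wrapper and the metadata/document separation described above, as an added example that is not WatchDox's own code: each document gets a fresh AES-256-GCM data-encryption key (DEK), the DEK is wrapped by a key-encryption key held by a stand-in for the keystore or HSM, the metadata record (owner, file name, wrapped DEK) lives in one store and the ciphertext in another under an opaque HMAC-derived name, so whoever holds only the blob store can link nothing to an owner or file name. The type and function names, the in-memory maps and the sample document are assumptions made for illustration; the page does not describe WatchDox's actual formats or APIs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // a failing CSPRNG is fatal
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealBlob: AES-GCM with the random nonce prefixed; the tag makes any later
// modification of the stored ciphertext detectable on decryption.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openBlob(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// keyWrapper stands in for the keystore or HSM: it holds the key-encryption
// key (KEK) and only wraps or unwraps per-document keys; the KEK never leaves it.
type keyWrapper struct{ kek []byte }
func (w *keyWrapper) wrap(dek []byte) ([]byte, error)   { return sealBlob(w.kek, dek, nil) }
func (w *keyWrapper) unwrap(blob []byte) ([]byte, error) { return openBlob(w.kek, blob, nil) }

// metaRecord is what the metadata component holds; the ciphertext lives elsewhere.
type metaRecord struct {
	Owner, FileName string
	WrappedDEK      []byte
}

type store struct {
	hsm     *keyWrapper
	nameKey []byte                // secret for deriving opaque blob names
	meta    map[string]metaRecord // metadata component, keyed by document ID
	blobs   map[string][]byte     // document component, keyed by opaque name
}

func newStore() *store {
	return &store{hsm: &keyWrapper{kek: randomBytes(32)}, nameKey: randomBytes(32),
		meta: map[string]metaRecord{}, blobs: map[string][]byte{}}
}

// blobName derives the storage name from the document ID with a keyed hash,
// so a party holding only the blob store cannot link blobs to metadata records.
func (s *store) blobName(docID string) string {
	m := hmac.New(sha256.New, s.nameKey)
	m.Write([]byte(docID))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// put generates a DEK for this document only, encrypts the content with it,
// and stores the DEK wrapped by the HSM next to the metadata.
func (s *store) put(docID, owner, fileName string, content []byte) error {
	dek := randomBytes(32)
	ct, err := sealBlob(dek, content, []byte(docID)) // docID as AAD ties blob to record
	if err != nil { return err }
	wrapped, err := s.hsm.wrap(dek)
	if err != nil { return err }
	s.blobs[s.blobName(docID)] = ct
	s.meta[docID] = metaRecord{owner, fileName, wrapped}
	return nil
}

// get unwraps the DEK through the HSM and decrypts; a tampered blob fails.
func (s *store) get(docID string) ([]byte, error) {
	rec, ok := s.meta[docID]
	if !ok { return nil, errors.New("unknown document") }
	dek, err := s.hsm.unwrap(rec.WrappedDEK)
	if err != nil { return nil, err }
	return openBlob(dek, s.blobs[s.blobName(docID)], []byte(docID))
}

func main() {
	s := newStore()
	// constructed sample document, not real customer data
	if err := s.put("doc-1", "alice@example.com", "q3-forecast.xlsx", []byte("confidential")); err != nil { panic(err) }
	pt, err := s.get("doc-1")
	fmt.Println(string(pt), err) // confidential <nil>
}
```

An unwrapped DEK opens exactly one document's blob and nothing else, and because GCM authenticates the ciphertext, a flipped byte on the disk surfaces as a decryption error instead of corrupted plaintext; that authentication step is what the "read or modify" claim above depends on, so check which cipher mode a deployment actually uses.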
Logging
The appliance can be configured to report audit events in a form that the
various SIEM solutions can capture.
NAS/SAN Drives
File storage for the virtual appliance installation requires a NAS/SAN deployed by
the customer. This component stores the encrypted customer files and the
permissions database. The file system can be exported with root squashing, so
that a root user on the appliance does not hold root privileges on the share. This
storage is configured as additional VMDKs.
SMTP Server
The WatchDox server uses email as part of its standard operation, sending out
various alerts to users. Therefore, the WatchDox server must be able to connect to
an SMTP server.
OPTIONAL COMPONENTS
Mobile Devices
WatchDox provides mobile apps for iOS, Android, and BlackBerry devices. These
apps allow accessing, syncing, annotating, and editing documents while
maintaining the WatchDox controls and tracking capabilities. Users may install
these apps from the public app stores, or alternatively the organization may
deploy them.
Windows Plug-in
The Windows Plug-in performs automatic document synchronization and enforces
document controls inside Microsoft Office and Adobe PDF. It also allows the
revocation of documents residing on the device at any time.
Active Directory/LDAP
In addition to supporting email-based identities, WatchDox can connect to
AD/LDAP to leverage existing AD groups for user management purposes.
SSO/Authentication Solution
Customers may deploy an SSO or authentication solution, such as CA SiteMinder,
IBM Tivoli Identity Manager and others. WatchDox can integrate with these
solutions (see User Authentication below).
SIEM System
WatchDox can export or send its audit trail events to a SIEM system for archiving,
anomaly detection, or forensic purposes.
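The audit-event export mentioned under Logging and again here, as an added example that is not WatchDox's own code: events are rendered as CEF lines, a format most SIEM collectors ingest (the page does not say which format WatchDox emits), and parsed back on the collector side. CEF has two different escaping rules, one for the pipe-delimited header and one for the key=value extension; get either wrong and a crafted file name or user name can break or smuggle fields in the SIEM. The event schema, the vendor/product/version strings and the sample event are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// auditEvent is the appliance-side record of one auditable action. The field
// set is assumed for this example; the page does not define the schema.
type auditEvent struct {
	ClassID  string            // stable event identifier, e.g. "doc.download"
	Name     string            // human-readable name
	Severity int               // CEF severity 0-10
	Ext      map[string]string // extension key/value pairs
}

// CEF header fields escape backslash and pipe; extension values escape
// backslash, equals sign and line breaks. Mixing the two rules up is the
// classic bug, so each gets its own replacer.
var headerEsc = strings.NewReplacer(`\`, `\\`, "|", `\|`)
var extEsc = strings.NewReplacer(`\`, `\\`, "=", `\=`, "\r", `\r`, "\n", `\n`)

// toCEF renders the event as one CEF line. "WatchDox|Virtual Appliance|0.0"
// are placeholder vendor/product/version values chosen for the example.
func toCEF(e auditEvent) string {
	keys := make([]string, 0, len(e.Ext))
	for k := range e.Ext {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output is easier to diff and test
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+extEsc.Replace(e.Ext[k]))
	}
	return fmt.Sprintf("CEF:0|WatchDox|Virtual Appliance|0.0|%s|%s|%d|%s",
		headerEsc.Replace(e.ClassID), headerEsc.Replace(e.Name), e.Severity, strings.Join(parts, " "))
}

// parseCEF is the consumer side (what a SIEM collector does): it splits the
// seven header fields on unescaped pipes and returns the raw extension.
func parseCEF(line string) (header []string, ext string, err error) {
	if !strings.HasPrefix(line, "CEF:") {
		return nil, "", errors.New("not a CEF line")
	}
	rest := line[len("CEF:"):]
	var cur strings.Builder
	for i := 0; i < len(rest); i++ {
		ch := rest[i]
		switch {
		case ch == '\\' && i+1 < len(rest):
			i++
			cur.WriteByte(rest[i]) // unescape \| and \\ inside a header field
		case ch == '|':
			header = append(header, cur.String())
			cur.Reset()
			if len(header) == 7 {
				return header, rest[i+1:], nil
			}
		default:
			cur.WriteByte(ch)
		}
	}
	return nil, "", errors.New("truncated header")
}

func main() {
	// constructed sample event, not a real audit record; the name carries a
	// pipe and the file name an equals sign to exercise both escaping rules
	e := auditEvent{ClassID: "doc.download", Name: "Document downloaded|offline", Severity: 3,
		Ext: map[string]string{"suser": "alice@example.com", "fname": "q3=forecast.xlsx"}}
	line := toCEF(e)
	header, ext, err := parseCEF(line)
	fmt.Println(line)
	fmt.Println(header, ext, err)
}
```

Sending the line is then a matter of writing it to syslog or a TLS socket, which is deployment-specific; the part worth testing is that a value under an attacker's control (file names and user names both are) cannot add or split fields.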
Other Systems
WatchDox provides RESTful APIs, allowing the integration of WatchDox into other
data sources, document workflows, or web portals.
NETWORK CONFIGURATION
WatchDox recommends deploying the virtual appliance on a sub-segment of the
internal network (see diagram below). A reverse proxy or WAF is typically placed in
the DMZ between the external network and the virtual appliance, so that the
appliance itself is never exposed directly to the Internet. Additionally, the
storage and the SMTP server must be configured and connected to the appliance.
Optionally, a Hardware Security Module (HSM) can be connected as well.
Port          From              To                Description
              DMZ               WatchDox Server   Client access
tcp/25        WatchDox Server   SMTP Server       Email notifications
tcp,udp/53    WatchDox Server   DNS Server        DNS resolution
tcp/123       WatchDox Server   NTP Server        Time synchronization
tcp/61616     WatchDox VMs      WatchDox VMs
Optional (remote service and monitoring):
tcp/80        WAN               DMZ               Service (opened on-demand)
tcp/22        Service person    WatchDox Server   Remote service
tcp/8080      Service person    WatchDox Server
tcp/8161      Service person    WatchDox Server
tcp/10050-1   WatchDox Server   WAN               Global monitoring
Note that NTP normally uses UDP port 123, so confirm the protocol with the vendor
before writing the firewall rule for time synchronization.
USER AUTHENTICATION
To address ever-growing regulation and to fit any authentication scheme,
WatchDox is architected to support the variety of enterprise-level methods for
authenticating users: password-based, multi-factor authentication, or single
sign-on (SSO). These can be integrated with WatchDox using the OAuth 2.0
protocol, with the enterprise authentication solution acting as the authorization
server and WatchDox as the client application.
Additionally, WatchDox offers out-of-the-box authentication schemes, such as
username/password and email answerback (the user proves control of the registered
address by following a link or code sent to it), for fast and simple authentication.
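The OAuth 2.0 integration described above, as an added example that is neither WatchDox's nor any identity provider's code: an authorization-code flow with PKCE between a relying application (standing in for WatchDox) and an identity provider, both modelled in-process so the whole exchange runs offline. The client binds each login attempt to a random state value and a PKCE verifier; the IdP binds the code it issues to the client, redirect URI and code challenge and redeems it only once. The names, URLs, token format and the in-memory maps are assumptions made for illustration; how the IdP itself authenticates the user (password, MFA or SSO) is outside the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// randomToken returns 32 CSPRNG bytes, base64url-encoded; used for the state
// value, the PKCE verifier and the authorization code.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return base64.RawURLEncoding.EncodeToString(b)
}

// s256 is the PKCE S256 transform: base64url(sha256(verifier)) without padding.
func s256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// issuedCode records what an authorization code was bound to when issued.
type issuedCode struct {
	clientID, redirectURI, challenge, user string
	used                                   bool
}

// idp stands in for the enterprise identity provider (the authorization server).
type idp struct{ codes map[string]issuedCode }

// authorize runs after the user has authenticated at the IdP. It binds a
// one-time code to the client, redirect URI and PKCE challenge of the request.
func (p *idp) authorize(q url.Values, user string) (string, error) {
	if q.Get("response_type") != "code" || q.Get("code_challenge_method") != "S256" || q.Get("code_challenge") == "" {
		return "", errors.New("invalid_request")
	}
	code := randomToken()
	p.codes[code] = issuedCode{q.Get("client_id"), q.Get("redirect_uri"), q.Get("code_challenge"), user, false}
	return code, nil
}

// token is the back-channel exchange. The code is burned before the verifier
// is checked, so a failed attempt also invalidates it; an intercepted code is
// useless without the verifier, which never left the client.
func (p *idp) token(clientID, redirectURI, code, verifier string) (string, error) {
	c, ok := p.codes[code]
	if !ok || c.used || c.clientID != clientID || c.redirectURI != redirectURI {
		return "", errors.New("invalid_grant")
	}
	c.used = true
	p.codes[code] = c
	if subtle.ConstantTimeCompare([]byte(s256(verifier)), []byte(c.challenge)) != 1 {
		return "", errors.New("invalid_grant")
	}
	return "access-token-for-" + c.user, nil // placeholder token format
}

// client is the relying application (WatchDox in the page's setting).
type client struct {
	id, redirectURI string
	pending         map[string]string // state -> code_verifier, one per login attempt
}

// beginLogin builds the authorization request URL the browser is sent to.
func (c *client) beginLogin() (authURL, state string) {
	verifier := randomToken()
	state = randomToken()
	c.pending[state] = verifier
	q := url.Values{
		"response_type": {"code"}, "client_id": {c.id}, "redirect_uri": {c.redirectURI},
		"state": {state}, "code_challenge": {s256(verifier)}, "code_challenge_method": {"S256"},
	}
	return "https://idp.example.com/authorize?" + q.Encode(), state
}

// finishLogin handles the redirect back: the state must match a pending attempt
// (otherwise the callback is forged or replayed), then the code is exchanged.
func (c *client) finishLogin(p *idp, code, state string) (string, error) {
	verifier, ok := c.pending[state]
	if !ok { return "", errors.New("unknown state; possible CSRF or replay") }
	delete(c.pending, state)
	return p.token(c.id, c.redirectURI, code, verifier)
}

// queryOf is what the IdP sees when the browser follows the authorization URL.
func queryOf(authURL string) url.Values {
	u, err := url.Parse(authURL)
	if err != nil { panic(err) }
	return u.Query()
}

func main() {
	p := &idp{codes: map[string]issuedCode{}}
	c := &client{id: "watchdox", redirectURI: "https://watchdox.example.com/oauth/callback", pending: map[string]string{}}
	authURL, state := c.beginLogin()
	code, _ := p.authorize(queryOf(authURL), "alice@example.com") // user already authenticated at the IdP
	tok, err := c.finishLogin(p, code, state)
	fmt.Println(tok, err)
}
```

In a real integration the redirect URI registered at the IdP must be an exact match and the state must be tied to the user's browser session (a cookie), not kept in a global map; the checks shown are the ones that stop a stolen code or a forged callback from logging someone else in.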
SIZING INFORMATION
Below are some sample recommended hardware requirements:
WatchDox Virtual Appliance   3 VM config      9 VM config
Max # of Contributors*       5,000            15,000
Max # of Readers**           10,000           30,000
Min # of processors          3xQuad Core      9xQuad Core
Recommended Memory
Supported Storage            NAS/SAN          NAS/SAN
Supported Protocols          NFS/CIFS/iSCSI   NFS/CIFS/iSCSI
Online DB Replication
High Availability
OS
The number of server blades and VMs can be scaled out to fit larger organizations
or more demanding processing requirements.
HIGH AVAILABILITY
The WatchDox virtual appliance supports high availability through a cluster
configuration with a backup virtual appliance running on different hardware. The
two systems synchronize database state, and failover is controlled through VRRP
(Virtual Router Redundancy Protocol). Depending on the configuration, the backup
system can access either the same NAS as the primary system or a backup NAS.
Figure 3: High Availability configuration with redundant Appliance