Workspace is generally used as a collaboration tool, allowing users to upload, organize, view, edit, and share files. Workspace employs a highly configurable set of roles and permissions to help prevent data breaches in an organization. Workspace exposes a Web UI and a REST API that can be coded against directly or via the Workspace .NET SDK. Workspace is hosted in Microsoft Azure Cloud. The main application is written in Python, with each service in all service layers running containerized using Docker on highly secured CentOS 7 Linux hosts.
Security Standards
Workspace adheres to the following security standards:
- Relevant FIPS-140-2 requirements and standards
- NIST SP 800-52r2 "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) implementations"
- FIPS 186-4 Digital Signature Standards
- FIPS 184-0 Secure Hash Standards
- FIPS 198-1 The Keyed-Hash Message Authentication Code
- OWASP Application Security Verification Standard
The secure file platform adheres to the following additional standards:
- NIST SP 800-57 "Key Management Guidelines"
- NIST SP 800-38A "Recommendation for Block Cipher Modes of Operation"
Network Security
All communication with Workspace is negotiated using the TLS 1.2 or 1.3 protocol, with only modern cipher suites, to secure the network connection at the highest possible level.
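As an added illustration of that policy (example code written for this page, not Workspace's own configuration, which is not published here), the following Python `ssl` context pins the protocol floor at TLS 1.2, allows TLS 1.3, and restricts the TLS 1.2 suite list to forward-secret AEAD ciphers. The cipher string and the `weak_suites_enabled` audit are assumptions about what "modern cipher suites" means; the check lists any enabled TLS 1.2 suite that lacks ECDHE key exchange or an AEAD cipher.

```python
import ssl

# Assumed definition of "modern": ECDHE key exchange with AES-GCM or
# ChaCha20-Poly1305 only; anonymous, null, MD5, RC4 and 3DES suites excluded.
MODERN_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_modern_tls_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and legacy cipher suites."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor: TLS 1.2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3   # TLS 1.3 permitted
    ctx.set_ciphers(MODERN_TLS12_CIPHERS)          # applies to TLS 1.2 only;
                                                   # TLS 1.3 suites are fixed by OpenSSL
    # Certificate chain and hostname verification stay on (the defaults).
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_suites_enabled(ctx: ssl.SSLContext) -> list[str]:
    """Return enabled TLS 1.2 suites without forward secrecy or AEAD (empty is good)."""
    weak = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is AEAD with ephemeral key exchange
        name = suite["name"]
        if not name.startswith("ECDHE") or not ("GCM" in name or "CHACHA20" in name):
            weak.append(name)
    return weak


if __name__ == "__main__":
    context = build_modern_tls_context()
    print("minimum version:", context.minimum_version.name)
    print("weak TLS 1.2 suites:", weak_suites_enabled(context) or "none")
```

Running `weak_suites_enabled` against any context handed to an HTTP client library is a cheap way to catch a deployment that silently fell back to a broader cipher list.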
Services are appropriately segregated and protected on all tiers and layers, allowing only the minimal functionality required to perform the task.
Application Security
All Workspace development is governed by and completed within a Secure Software Development Lifecycle (SSDLC). The SSDLC establishes the procedures, practices, and guidelines that govern the initiation, planning, design, development, testing, and implementation of Workspace, and ensures that security, quality, and performance considerations are embedded from initiation.
Developers follow security industry best practices, standards, and guidelines, including those provided by OWASP, SafeCode, ISO27001, and NIST, when designing and developing all products, and are supported in this by our Security Engineering Team.
Service Validity
To ensure that all services in production remain unchanged, the following criteria must be met:
- All services must be governed by an organization's unique identifier
- Production software running must match validated checksums
- Production services container images must match validated checksums
- Production technologies must match validated checksums
Data Ownership
Every item within the system must be tagged with an organization's unique identifier. This ensures that the services can isolate which data is being accessed when working on behalf of the organization.
Data Access
Users' access to data is restricted by multi-level Role-Based Access Control (RBAC). Client applications may access objects and metadata about objects they own. The secure file platform must prevent unauthorized access to all objects and metadata.
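The two sections above (Data Ownership and Data Access) describe one mechanism: every object carries an organization tag, and the organization check is applied before any role check. The following Python is an added example written for this page, not Workspace's own code or SDK. The role names, the action-to-role table and the in-memory store are assumptions; the security-relevant detail is that a cross-organization lookup is rejected with the same error as a missing object, so a caller cannot learn whether an object exists in another organization.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    VIEWER = "viewer"
    EDITOR = "editor"
    ADMIN = "admin"


# Assumed role table: which roles may perform which action on an object
# that belongs to the caller's own organization. Unknown actions are denied.
PERMISSIONS = {
    "read": {Role.VIEWER, Role.EDITOR, Role.ADMIN},
    "write": {Role.EDITOR, Role.ADMIN},
    "share": {Role.ADMIN},
}


@dataclass(frozen=True)
class Principal:
    org_id: str
    user_id: str
    role: Role


@dataclass
class StoredObject:
    object_id: str
    org_id: str            # every item is tagged with its owning organization
    owner_id: str
    metadata: dict = field(default_factory=dict)


class AccessDenied(Exception):
    pass


class ObjectStore:
    """In-memory store that enforces org isolation before any role check."""

    def __init__(self):
        self._objects: dict[str, StoredObject] = {}

    def put(self, principal: Principal, obj: StoredObject) -> None:
        # A principal may only create objects tagged with its own organization.
        if obj.org_id != principal.org_id:
            raise AccessDenied("object must be tagged with the caller's org")
        self._objects[obj.object_id] = obj

    def get(self, principal: Principal, object_id: str, action: str = "read") -> StoredObject:
        obj = self._objects.get(object_id)
        # Org check first, with the same error as "not found": the caller
        # learns nothing about objects held by other organizations.
        if obj is None or obj.org_id != principal.org_id:
            raise AccessDenied(f"{object_id}: not found or not accessible")
        if principal.role not in PERMISSIONS.get(action, set()):
            raise AccessDenied(f"role {principal.role.value} may not {action}")
        return obj

    def list_for_org(self, principal: Principal) -> list[str]:
        """Metadata listings are scoped by the org tag as well."""
        return sorted(o.object_id for o in self._objects.values()
                      if o.org_id == principal.org_id)


def can(store: ObjectStore, principal: Principal, object_id: str, action: str) -> bool:
    """Boolean form of the same check, convenient for policy tests and audits."""
    try:
        store.get(principal, object_id, action)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Constructed sample data.
    store = ObjectStore()
    alice = Principal("org-A", "alice", Role.ADMIN)
    store.put(alice, StoredObject("obj-1", "org-A", "alice", {"name": "plan.docx"}))
    carol = Principal("org-B", "carol", Role.ADMIN)
    print("org-B admin can read org-A object:", can(store, carol, "obj-1", "read"))  # False
```

Ordering the checks this way also keeps the role table simple: it never has to express "admin of another organization", because such a principal never reaches the role check.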
Data Integrity
The secure file platform must report the object's SHA256 hash to the client application as part of the ingress process. Client applications must be able to retrieve their objects unmodified.
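To make the integrity contract concrete, here is an added Python example (written for this page; not Workspace's own platform or SDK code) of both sides of it: the platform computes SHA256 at ingress and returns it in a receipt, and the client keeps that receipt and re-hashes every retrieved object against it. The receipt format, the class names and the in-memory storage are assumptions; `corrupt_stored_object` is a test-only helper that simulates a faulty storage node so the failure path can be exercised.

```python
import hashlib


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large object never has to be buffered a second time."""
    h = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        h.update(view[start:start + chunk_size])
    return h.hexdigest()


class SecureFilePlatform:
    """Stores objects and reports their SHA256 as part of the ingress process."""

    def __init__(self):
        self._blobs: dict[str, tuple[bytes, str]] = {}

    def ingest(self, object_id: str, data: bytes) -> dict:
        digest = sha256_hex(data)
        self._blobs[object_id] = (bytes(data), digest)
        # Assumed receipt format; this is what the client records for later checks.
        return {"object_id": object_id, "sha256": digest, "size": len(data)}

    def retrieve(self, object_id: str) -> bytes:
        return self._blobs[object_id][0]


class ClientApp:
    """Client side: keep the ingress receipt and verify every retrieval against it."""

    def __init__(self, platform: SecureFilePlatform):
        self.platform = platform
        self.receipts: dict[str, str] = {}

    def upload(self, object_id: str, data: bytes) -> dict:
        local_digest = sha256_hex(data)
        receipt = self.platform.ingest(object_id, data)
        # A mismatch here means the bytes were altered or truncated in transit.
        if receipt["sha256"] != local_digest:
            raise IntegrityError(f"{object_id}: platform stored different bytes")
        self.receipts[object_id] = receipt["sha256"]
        return receipt

    def download(self, object_id: str) -> bytes:
        data = self.platform.retrieve(object_id)
        # Compare against the hash recorded at ingress, not one the platform
        # reports now: a corrupted store could report a hash of the corrupted bytes.
        if sha256_hex(data) != self.receipts[object_id]:
            raise IntegrityError(f"{object_id}: retrieved bytes do not match ingress hash")
        return data


def corrupt_stored_object(platform: SecureFilePlatform, object_id: str) -> None:
    """Test-only helper: flip one bit of a stored object to simulate storage corruption."""
    data, digest = platform._blobs[object_id]
    platform._blobs[object_id] = (data[:-1] + bytes([data[-1] ^ 0x01]), digest)


if __name__ == "__main__":
    platform = SecureFilePlatform()
    client = ClientApp(platform)
    payload = b"constructed sample document content"   # constructed input
    print(client.upload("doc-1", payload))
    print(client.download("doc-1") == payload)          # True
```

The point of keeping the ingress receipt on the client is that the verification does not trust anything the platform says at retrieval time; only the bytes it returns are used, and they must reproduce the hash the client already holds.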