Sealed Data Rooms: Secure, Easy, Convenient as Ever

uniscon.com

Sealing technology makes virtual data rooms more secure, easier to use and more flexible than ever

White paper: Virtual data rooms


Content

1. Basic requirements for virtual data rooms

2. Why encryption alone is not enough

3. Exclude operator access in the data center

4. More usability and comfort thanks to sealing

5. Advantages in terms of security

6. The functions in detail

7. Setup and administration

8. Checking and testing the properties of idgard® and the sealed cloud

9. Further information

10. Bibliography


1. Basic requirements for virtual data rooms

Historically, the term "data room" was coined in connection with the sale and purchase of companies and parts of companies (Merger & Acquisition, M&A). A well-guarded room was set up in which all documents required for a so-called due diligence (such as audit documents and company analyses) were stored. The group of people who were granted access to the data room was precisely defined, and each visit was accurately registered and documented by a security guard.

Although such physical data rooms are still in use, virtual data rooms have become very popular. The much lower costs and the possibility to view and edit documents without having to travel to the office give virtual data rooms the edge.

Moreover, the functions available in virtual data rooms aim at replicating the situation in a physical data room. For example:

the presence in the data room is documented,

unauthorized access is denied, and

abuse and unauthorized copying of documents are prevented.

In addition, further practical functions can be added electronically:

Notifications when new documents are uploaded

Reminders that there are still "unread" documents

Setting up several data rooms with different groups of authorized users

Formal and informal communication between different authorized persons in the data room context

With this variety of functions, virtual data rooms are spreading far beyond their use for M&A to applications for cross-company projects, cross-organizational teams and, in general, to electronic communication that requires careful documentation, for instance, between contractors or lawyers and their clients or further stakeholders. See our website https://www.idgard.de/cloud-anwendungen/datenraum/ for further information on the various applications in detail.

2. Why encryption alone is not enough

Secure data rooms are primarily associated with the technology of encryption. This allows physical access to signals and data to be tolerated without having to fear unauthorized reading of the content. Data can be securely transmitted from a sender to a central processing unit, where it can be securely stored and securely forwarded to a recipient.

There are two types:

1. Encryption is carried out by the provider of the data room in the data center. The security level is determined by organizational measures and is therefore weak. Most data room providers rely on this method.


2. The encryption takes place in the end devices and the data is encrypted end-to-end. Here only a subset of the functions described above can be implemented. Furthermore, the metadata (for example, who wrote or read which data and when) as well as the presence in the data room are openly available to the operator and are only secured there by organizational measures.

This situation is illustrated in Figure 1:

Figure 1: Illustration of the security situation in conventional data rooms

In addition to these security weaknesses, conventional data rooms are complex to set up. Each participant must be given credentials in a trustworthy way, and sometimes it is necessary to install software locally on the end devices. These weaknesses can be avoided with idgard® data rooms, which are discussed below.

3. Exclude operator access in the data center

The "sealed cloud" technology on which the virtual idgard® data room is based prevents access to the physical signals even during processing. The data is stored in encrypted form in such a way that the operators of the service and the infrastructure cannot read it, because of how the keys are distributed. Thus idgard® and the sealed cloud complete the basic IT security calculation. Figure 2 outlines the set of technical measures for securing the data in a sealed cloud.

First, in the infrastructure of a sealed cloud, the data center is divided into several segments. Electro-mechanical controls and backups allow employees to access only one of these segments at a time if necessary, for example, for maintenance purposes. Access authorization is granted by an instance that is itself excluded from physical and logical access to the system. The access itself is comprehensively logged. In addition, a so-called "data clean-up" is triggered both in the event of planned access by employees and in the event of an unplanned access attempt (attack). This means that the active sessions of cloud users are moved to an unaffected segment of the data center and all data in the affected segment is deleted. With idgard® sealed cloud, this is done so thoroughly that power is even removed for 10 seconds from the application servers, which are operated without persistent storage, thus preventing any ice-spray attacks.


During restart, an integrity check is performed over the entire software stack, that is, from the hardened operating system through all software layers to the application software. For example, if the maintenance engineer were to import non-certified software, the application server could not restart after the segment was closed.
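The maintenance sequence described above (session move, wipe, power-off, integrity check on restart), modelled as an added Python example that is not uniscon's code. The chained SHA-256 measurement, the class and function names and the sample stack are assumptions made for illustration, since the paper does not say how the check is implemented.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample stack, bottom to top; the byte strings stand in for real images.
CERTIFIED_STACK = [("hardened-os", b"os image v1"),
                   ("middleware", b"middleware v1"),
                   ("application", b"data room app v1")]

def measure(stack):
    """Chain every layer into one SHA-256 digest, so a change anywhere changes the result."""
    digest = b"\x00" * 32
    for name, image in stack:
        layer = hashlib.sha256(image).digest()
        digest = hashlib.sha256(digest + name.encode() + layer).digest()
    return digest.hex()

CERTIFIED_DIGEST = measure(CERTIFIED_STACK)  # assumption: reference value from certification

@dataclass
class Segment:
    name: str
    stack: list
    sessions: set = field(default_factory=set)
    volatile: dict = field(default_factory=dict)  # unencrypted working data, memory only
    running: bool = True

class DataCenter:
    def __init__(self, segments):
        self.segments = {s.name: s for s in segments}
        self.access_log = []

    def open_segment(self, name, reason):
        """Data clean-up; the same steps run for planned access and for an attack."""
        seg = self.segments[name]
        target = next(s for s in self.segments.values() if s is not seg and s.running)
        target.sessions |= seg.sessions  # move active sessions to an unaffected segment
        seg.sessions.clear()
        seg.volatile.clear()             # delete all data in the affected segment
        seg.running = False              # power removed before anyone gets physical access
        self.access_log.append((name, reason))

    def close_segment(self, name):
        """Restart only if the whole stack still matches the certified measurement."""
        seg = self.segments[name]
        seg.running = measure(seg.stack) == CERTIFIED_DIGEST
        self.access_log.append((name, "restarted" if seg.running else "restart refused"))
        return seg.running

def demo():
    a = Segment("A", list(CERTIFIED_STACK), {"alice", "bob"}, {"alice": "decrypted page"})
    dc = DataCenter([a, Segment("B", list(CERTIFIED_STACK))])
    dc.open_segment("A", "planned maintenance")
    moved, wiped = sorted(dc.segments["B"].sessions), not a.volatile
    a.stack[2] = ("application", b"uncertified build")  # engineer imports other software
    tampered = dc.close_segment("A")
    a.stack[2] = CERTIFIED_STACK[2]                     # certified image restored
    return moved, wiped, tampered, dc.close_segment("A"), dc.access_log

if __name__ == "__main__":
    print(demo())
```

The wipe and power-off run before access is logged as granted, and the restart decision depends only on the measured stack, not on who performed the maintenance.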

A complete and accurate scientific explanation of the innovative technical measures is given in [1] and [2].

Figure 2: The set of technical measures for securing the data in a sealed cloud.

4. More usability and comfort thanks to sealing

Since the sealed cloud technology automatically centralizes all key management, neither the person responsible for setting up the data room nor the users invited by them need to worry about the complexity of key management.

With idgard® no local installation is required. It can be used from any browser and can also be registered online. The administrator just needs to select a username and password online and name the registering company. Once this is done, you can start using idgard® immediately. After creating an account (which can also be a non-binding trial), you must confirm that you accept the agreement for the processing of data by order. The administrator can then immediately invite employees and external guests to the data room with just two clicks. The persons concerned are informed by e-mail and SMS. The e-mail contains a link that leads the recipient to a form in which the employees or guests can choose their own username and password.


They receive a pass code by SMS which is requested during registration. Alternatively, an LDAP or MS Active Directory integration of idgard® is also possible.

The Admin or employees designated by the Admin can set up a data room with just a few clicks. The employees and external guests can easily be selected from a list and invited to this data room. To sum up, idgard® offers the following operating and comfort advantages compared to conventional data rooms:

Online registration without buying: idgard® use can start within a few minutes. No waiting times for buying, no local installation and no training necessary.

100% adjustable: licenses can be added or removed individually online. All your bookings are billed by day and appear on the monthly invoices. Payment is made according to usage.

Employees and guests can securely join an idgard® account with an e-mail and SMS and can be invited to different data rooms by just “clicking”, without complicated key management.

5. Advantages in terms of security

If the conventional security calculation is based on encryption and organizational measures, two challenges remain unsolved: (1) the protection of content and metadata when unencrypted data is processed, and (2) the protection of metadata that can be analyzed particularly easily, even when encrypted data is routed. The canonical set of technical measures [1], on which the sealing is based, completes the basic security concept.

With the technical sealing, the user data can be protected against attacks from outside and inside.

This sealing protects both content and metadata from any unauthorized access.


6. The functions in detail

Table 1 lists the most important functions for operating a virtual data room and evaluates them for four different classes of data room.

Table 1: Functions overview regarding four different types of data room

| Functions | Data room with encrypted transmission | Data room with encrypted transmission and storage | Data room with E2E client encryption | Data room offer based on the sealed cloud (idgard®, the sealed cloud) |
|---|---|---|---|---|
| Protection against unauthorized access | | | | |
| Protection against interception during transmission | o.k. through encrypted transmission | o.k. through encrypted transmission | o.k. through encrypted transmission | o.k. through encrypted transmission |
| Protection against unauthorized access to documents | Unauthorized persons can get hold of documents relatively easily | Protection against unauthorized persons relatively good. Disloyal employees of the provider can decrypt documents | o.k. through E2E encryption | o.k. by combining encryption and sealing |
| Protection against tapping metadata, for example, who is a member of the data room, when, how often and which document was viewed, etc. | Employees of the data room provider can misuse metadata | Employees of the data room provider can misuse metadata | Employees of the data room provider can misuse metadata | o.k. by combining encryption and sealing |
| Documentation of the data room visitors | | | | |
| Journal / Audit trail | o.k. | o.k. | o.k. | o.k. |
| Easy export | o.k. | o.k. | o.k. | o.k. |
| Protection against document distribution by data room visitors | | | | |
| “Read only” files | o.k. | o.k. | o.k. | o.k. |
| Watermark | o.k. | o.k. | o.k. | o.k. |
| Notification for mass downloads to the data room admin | - | - | - | o.k. |
| Additional functions and costs | | | | |
| Setup and installation | - | local installation usually recommended | local installation usually necessary | no installation needed |
| Support of mobile devices | - | partially | partially | o.k. |
| Communication with other authorized persons | partially | partially | partially | messages, chat and voting function |
| Cost structure | usually setup costs + user fees | usually setup costs + user fees | usually setup costs + user fees | No setup costs, 100% customizable, data rooms are charged per day of use |

We have gathered below some screenshots on data room functions to illustrate how easy they are to use.

Figure 3 shows how an ordinary PrivacyBox can be turned into a data room in idgard®, provided the employee has been authorized by the administrator:


Figure 3: Checkbox to convert an ordinary idgard® PrivacyBox to a data room. This checkbox appears in the Box properties when a new PrivacyBox is created or an existing one is edited.

Figure 4 shows the usual view of a PrivacyBox when it is configured as a data room. Also, as in any PrivacyBox, folders and subfolders can be created to structure the information. Additionally, a journal is available.

Figure 4: Screen view of the new data room. The journal button is now available. The view shows an empty subfolder.

Figure 5 shows the data room journal. The buttons for exporting the data room journal, as well as for uploading, downloading, deleting, and viewing files, are now visible.


Figure 5: Screen view of the journal.

Finally, Figure 6 shows the data room settings that are available after uploading a file: "Watermark", "Read only", "None".

Figure 6: Available options once a file is uploaded.

Operating idgard® data rooms is so simple that the instructions can be summed up in these four screenshots.


7. Setup and administration

The setup and administration of the data room functions is just as easy. Here you can have a look at the corresponding screenshots. Figure 7 shows the contract status page of an administrator account. The status of the bookings is always shown. The number of employee licenses, guest licenses and data rooms available can be adjusted individually.

Figure 7: Buying more data rooms in the self-service area.

The Admin must authorize the individual employees to convert idgard® PrivacyBoxes to data rooms. Figure 8 shows the list of idgard® users of the sample account and how an Admin can authorize an employee to create data rooms.

Figure 8: Authorization of an employee to set up data rooms


8. Checking and testing the properties of idgard® and the sealed cloud

uniscon, the operator of idgard®, works according to IT-Grundschutz, a sustainable management system for information security designed by the German Federal Office for Information Security. Parts of the service are already certified by TÜV-iT. uniscon GmbH is one of four service providers which, along with Telekom AG, SAP AG, and regio-IT GmbH, are involved in the pilot project for data protection certification of the German government.

In addition, we would like to refer to the extensive documentation and certificate package of uniscon GmbH [4], containing among others the documentation on uniscon GmbH, the service idgard® and the certification. During the certification process, based on the selected and documented certification strategy, the necessary documents (approx. 35 documents) are included.


9. Further information

idgard® Brochure: Simple & Secure Communication via patented Sealed Cloud

idgard® Privacy Boxes are a safe and yet easy alternative to Email. Find out how idgard® provides for legally compliant communication and work with business partners.

idgard® – Features | Applications | Software & Apps

An overview of idgard® license types, features and additional software.

Secure Mail: How to protect yourself against phishing attacks

Companies are particularly frequently targeted by criminal phishing attacks. We show you how to recognize suspicious e-mails and what you can do to effectively protect yourself and your employees against phishing attacks.

10. Bibliography

[1] Hubert Jäger et al., “A Novel Set of Measures against Insider Attacks - Sealed Cloud”, in: Detlef Hühnlein, Heiko Roßnagel (Ed.): Proceedings of Open Identity Summit 2013, Lecture Notes in Informatics, Volume 223, ISBN 978-3-88579-617-6, pp. 185-195.

[2] Hubert Jäger et al., “The First Uniscast Communication System protecting both Content and Metadata”, in the proceedings of the World Telecommunication Congress 2014.

[3] Steffen Kroschwald, Verschlüsseltes Cloud Computing, Anwendung des Daten- und Geheimnisschutzrechts auf „betreibersichere“ Clouds am Beispiel der „Sealed Cloud“, in: Taeger, J., Law as a Service (LaaS), Recht im Internet- und Cloud-Zeitalter, Tagungsband Herbstakademie 2013 (Band 1), 289.

[4] Documentation and certificate package for uniscon GmbH and the service idgard®. Available upon request at [email protected], 2014.


uniscon — a company of the TÜV SÜD Group

uniscon GmbH is a company of the TÜV SÜD Group. As part of TÜV SÜD’s digitalization strategy, uniscon offers high-security cloud applications and solutions for secure, legally compliant data traffic. TÜV SÜD is one of the world’s leading technical service providers with over 150 years of industry-specific experience and more than 24,000 employees at around 1,000 locations in 54 countries. Within this strong network, uniscon is able to reliably implement large-scale international projects in the IoT and Industry 4.0 sectors with the Sealed Cloud and its products.

Further information on partners and products: www.uniscon.com

Contact: uniscon GmbH – Sealed Cloud Technologies

E-mail: [email protected]

Webpage: www.uniscon.com

Phone: +49 (89) 4161 5988 100

Published by:

uniscon GmbH

Managing director: Karl Altmann

Ridlerstraße 57 · 80339 Munich · Phone: +49 (0)89 / 4161 5988 100

Amtsgericht (Local Court) in Munich HRB 181797