Vibe Security

A Vibe Whitepaper
01/20/2019

Overview

With the mission of empowering teams to collaborate, innovate and ideate in a unified canvas, Vibe is a unique all-in-one devices with customized operating system and cloud backed software. We understand that data security and privacy protection is paramount to our customers. In this paper, we explain what is under the hood of our Vibe system and how it handles user data as well as the measures we adopted to ensure the security and privacy of user data.

System Security measures

Our easy-to-use smart board software in Vibe is backed by a cloud infrastructure working behind the scenes to ensure near real-time, reliable syncing, sharing and collaboration. Built by experienced system architects from Twitter and Microsoft on the world’s most popular cloud infrastructure, Amazon Web Services (AWS), our system is reliable, scalable, efficient and most importantly, secure.

System architecture

Vibe users can access the whiteboard content at any time from web, mobile devices as well as Vibe devices. All of those clients connect to secure servers to provide access and update.

image

Figure 1. System diagram and its security measures

Security measures for each sub-system

Storage

The board content is stored in AWS Simple Storage Service (S3). It provides reliable, secure, efficient and scalable storage that millions of applications are already using. The data is further encrypted by the one of the strongest encryption method, AES-256. As the last line of defense, we do not store board full content into a single image file in S3, but instead break it into a series of stroke, text and images and scattered into the storage. The full image is only composed on the client side.

We store users information, teams information and board related metadata into AWS No-SQL database DynamoDB. Users information includes name, email and company information. Teams information includes members, company website, etc. Board metadata includes its creation and last modified time, content URLs to S3 and also access control list. All information is as well encrypted by AES-256.

Computation

The backend services are responsible for retrieving content, syncing whiteboard change and also manage user’s privilege to accessing content. It communicates with both S3 and DynamoDB using AWS SDK via internal VPC network.

The REST API is hosted by AWS Lambda computation framework and is accessed via fully firewalled, DDos mitigated API Gateway service. Sensitive APIs such as accessing shared boards by 10-digit code are throttled per-IP basis to mitigate brute-force attack.

The Web-socket Service is hosted by AWS Elastic Container Service (ECS). It is behind Elastic Load Balancer. Elastic Load Balancing works with Amazon Virtual Private Cloud (VPC) to provide robust security features, including integrated certificate management, user-authentication, and SSL/TLS decryption.

We enabled industry-standard protection techniques, including firewalls, network vulnerability scanning, network security monitoring, and intrusion detection systems to ensure only eligible and non-malicious traffic is able to reach our infrastructure.

Clients

Vibe clients include the Vibe device, web app and mobile app. All clients communicate with backend systems through HTTPS with TLS 1.2.

Vibe deivce uses device unqiue private key to authenticate with backend system.

Web app and mobile app support Single Sign On in additional to password authentication (salted SHA-256 hash).

Once authenticated, backend will issue a JWT token (HS256) for client to authenticate in the future without providing sign in information.

Security as company value

Trustworthy is on top of our company values. At Vibe Inc., we understand that building up trust with our customers is critical to our company’s success. Ensuring Data-security and privacy protection are two pillars of trust building. We are continually improving the security, confidentiality, integrity, availability, and privacy of the Vibe system. As we are currently a small startup, the only way to ensure customer’s data security is to adopt drastically aggressive measures, even at the cost of losing engineering efficiency. Our current security policy includes,

  • As Vibe Inc. is distributed in a few cities in the US and China, we make sure that all user related data are stored exclusively in US territory.
  • Developers in China do not have access to user data, a developer server with mock data are used for development and testing purpose
  • Only C-level managers have access customer data stored in AWS, all of whom have enabled two factor authentication and encrypted their computer.
  • Upton receiving the device, we will sign a non disclosure form with all our customers to guarantee their data are protected from leaking.