Content security overview
In addition to secure access controls, protecting content directly ensures that digital assets retain their value even as Aspera on Cloud users collaborate to develop, exchange, and deliver content. This article collects several Aspera on Cloud content security settings and strategies, and provides links to configuration procedures.
Aspera security considerations
Aspera on Cloud file transfers do not include anti-virus and malware scanning before or after the transfer. If your business security requirements include anti-virus and anti-malware scanning, you must implement a separate process for the scan before you transfer files using Aspera on Cloud.
If your business security requirements include restrictions for uploads and transfers by file extension type, you must use the Aspera Node API on each transfer server to configure exclusion rules.
Content encryption in Aspera on Cloud
Server-side encryption
Security in multi-tenant organizations
In a multi-tenant or reseller organization, you must ensure strict separation between workspaces to protect tenant privacy.
By default, the auto-complete function in Aspera on Cloud shows workspace managers all users and groups in the entire organization, along with the personal contacts of all users. Instead, you can configure your org such that workspace managers can see only users and groups from the workspaces in which they are members, along with their own personal contacts in any workspace and with outside users.
For details, see Assign the workspace manager role.
Files app content security
Admin controls
By default, collaboration in the Files app is unrestricted. But as an admin, you can apply increasingly restrictive controls to sharing actions available to Files app members.
Global: Admin > Applications > Files
Workspace: Admin > Workspaces > workspaceName > Applications > Files
- Prevent app users from sharing with unauthenticated recipients; restrict the use of public links: Who can share folders via public links
- Prevent app users from sharing with non-workspace members: Who can share folders with external users
- Allow sharing with designated non-workspace members only; list specific external users as the only valid recipients: Who are eligible external users
- Prevent accidental sharing with the entire workspace: Who can share folders with the entire workspace
- Require external users to create an AoC account and log in to receive a package
User controls
As an admin, you can establish workflows that guide your workspace members in using these additional content security measures:
- Apply content permissions to shared content
- Require a password to access content shared using a public link
- Unshare a folder
Packages app content security
Admin controls
Global: Admin > Applications > Packages
Workspace: Admin > Workspaces > workspaceName > Applications > Packages
- Prevent app users from requesting packages from non-workspace members: Who can send submission links
- Prevent app users from sending packages to non-workspace members: Who can send packages to external users
- Require non-workspace recipients to create an account and log in to receive a package: Require external users to log in when receiving packages
- Prevent accidental sending to the entire workspace: Who can send packages to the entire workspace
- Require encryption at rest for all sent packages: Automatically apply encryption at rest to all packages
Global: Integrations > Watermarking
- If you integrate your Irdeto forensic watermarking service with Aspera on Cloud, you can allow or require workspace members of the Packages app to apply a watermark to all packages they send.
User controls
As an admin, you can establish workflows that guide your workspace members in using these additional content security measures:
- Require package recipients to apply a password
- Apply watermarking when sending a package
Content security caveats
- Automation app members can configure and manage automated workflows on any workspace in your org.
- Activity app members can monitor and report on content in all workspaces in your org.
For these reasons, Automation and Activity app members are typically org admins.
Public links
Public link expiration
Global: Admin > Applications > Packages/Files
Workspace: Admin > Workspaces > workspaceName > Applications > Packages/Files
Select the check box next to the Links expire after (days) option in the Public and authenticated links section, and set the desired value for the link expiration.
- The administrator can set a default expiration for all public links.
- An individual user can reduce the expiration set by the administrator, but cannot extend it.
Public link password
Global: Admin > Applications > Packages/Files
Workspace: Admin > Workspaces > workspaceName > Applications > Packages/Files
Select the check box next to the Make password required for new links option in the Public and authenticated links section.
- The administrator can require a password whenever users create public links.
- Passwords are not set by default; users must set the password when creating a new public link.
Disallow encryption-at-rest during package send operations
Global: Admin > Applications > Packages
Workspace: Admin > Workspaces > workspaceName > Applications > Packages
Select the option Disabled from the drop-down list in the Client-side encryption at rest section.
- Administrators can disable the application of client-side encryption-at-rest to packages in all workspaces or in specific workspaces.
- When this option is disabled, senders can’t apply encryption at rest (EAR) to individual packages.