
CTERA PLATFORM

OVERVIEW
& ARCHITECTURE
SECURE ENTERPRISE FILE SERVICES
FROM EDGE TO CLOUD
Table of Contents

Executive Summary
Introduction
Introducing the CTERA Enterprise File Services Platform
Enterprise File Services Platform Use Cases
Endpoint Agents & Outlook Plugin
Server Agents
Cloud Storage Gateways
Portal
CTTP Protocol
Improving Organizational Productivity at Santander Bank
Modernizing Data Infrastructure at TopGolf
IT-as-a-Service Transformation at a Global 30 Insurer
Total Cost of Ownership
Security

www.ctera.com info@ctera.com USA: (917) 768-7193 Intl: +972-3-679-9000 © 2018 CTERA Networks Ltd. All Rights Reserved
Executive Summary
IT is being charged with securely adopting cloud technology while also
offering modern data accessibility and protection approaches that may
unwittingly omit legacy file services. CTERA renovates data infrastructure to
meet these challenges by providing both modern and legacy file services in
a unified approach that is security-oriented and utilizes on-prem, hybrid
cloud, or virtual private clouds.

Organizations use CTERA software to create a fully-private service offering
of file synchronization and sharing, file server modernization, endpoint
backup and cloud server backup. CTERA customers initially address one or
more of these use cases and add more uses as they shift to more
cloud-oriented services.

The four main components work together to provide a unified experience by
synchronizing and snapshotting laptops/desktops, network drives, and
servers to a (virtual) private cloud back-end. CTERA Agents running on
endpoints, mobile devices, and servers provide local services and are
OS-integrated including right-click synchronization and self-restore.
Locations use a CTERA Cloud Storage Gateway (virtual) appliance to gain
accelerated backup/restore and network drives that are synchronized with
the cloud back-end, as well as business continuity if the back-end is not
accessible. The intelligence and web interface for the system is provided by
the CTERA Portal, which also serves as middleware between the back-end
storage and the components at the edge. CTERA uses the patented CTTP
Protocol between the components to offer a better security profile than
SaaS services without sacrificing functionality.

Because CTERA is the only platform that unifies EFSS, backup, and cloud
storage gateways, there are significant financial implications: any
comparable approach requires two or more vendors and the associated
overhead. To provide an environment of 80TB of user files with file sharing,
backup, and cloud storage gateways, the cost for CTERA software and
hardware is 67% less than using multiple vendors to receive similar
functionality. There would be an even larger spread when considering
additional management, storage, and administration costs needed for a
multi-vendor approach.

Security of a CTERA system starts with it being a “private” deployment: all
components are on-prem or in your virtual private cloud. Source-based
encryption raises the security bar above simple “encryption in transit” and
“encryption at rest”, and the encryption keys are also kept private. A
“collaboration firewall” prevents data leakage, along with advanced
authorization and access controls to maximize data security. The full set of
security capabilities is too extensive for this paper, and is explained in
more depth in the CTERA Security White Paper.

One example of a CTERA deployment is Santander Bank, which used
CTERA file-sync-and-share to enhance user productivity for 60,000
employees globally. In another example, one of the fastest growing sports
entertainment companies consolidated multiple vendors and improved user
collaboration with CTERA. And a Fortune 100 insurance firm launched
backup-as-a-service powered by CTERA, spanning multiple clouds and
platforms into a single cloud fabric.

Introduction
Today’s enterprises are facing a challenge of modernizing critical IT use
cases such as user file storage, file collaboration and data protection by
introducing modern approaches to IT that leverage cloud infrastructure
without sacrificing security. Organizations with a global presence are
seeking to adopt IT-as-a-Service methods of user service delivery that
improve the end-user experience and leverage the cloud (including
on-premises cloud technology and virtual private cloud) to improve
flexibility and reduce costs. Enterprise File Synchronization and Sharing
(EFSS) often becomes a lightning rod in this situation, as security offices
look to replace shadow consumer IT services that end users have adopted,
but are equally critical of the shared security and data ownership models
that are introduced when adopting enterprise SaaS services to counter
Shadow IT. For 10,000s of businesses around the world, CTERA solves these
issues by enabling enterprises to modernize file services and deliver
fully-private, cloud-oriented file storage, collaboration and backup services
that unify the organizational file space, enable complete IT security, and
lower TCO and administration.

File Management is Transforming


IT departments and end users both find themselves needing to simplify file
access and collaboration. They face a complex mix of local file servers (NAS),
cloud-based file services (such as Microsoft OneDrive), and backup
solutions. Even though the systems usually operate on similar files, there is a
chasm between them in terms of interoperability, policies, and management.
As a result, file storage and sharing is undergoing a transformation to bridge
the gap. According to analyst firm Gartner’s “IT Market Clock” and other
reports, in 2017-18 organizations will seek tools that modernize their existing
content repositories.

The first thought towards that end is to link the disparate systems together.
But utilizing connectors between legacy systems simply adds complexity
without actually fusing the experience and management. Instead, a unified
namespace could span legacy and cloud systems to create a consistent user
experience and simplified management.

Gartner explains that by unifying fragmented legacy content sources,
organizations can accomplish the digital transformation of the workplace,
while also providing data governance and management tools to IT. They call
this data infrastructure modernization (DIM).

Figure 1: The continuum from IT-focused storage to end user-focused content repositories
[Diagram: Networked Storage, Cloud Storage Gateways, Modern File Sharing, Content Repositories, arranged from IT-focused to End User-focused.]

Gartner explains that data infrastructure modernization will lead to
consolidation of EFSS functionality, storage gateways and other capabilities
in Figure 1. So instead of substituting one content repository with another,
DIM enables a non-disruptive evolution onto a modern, cloud file system that
unites EFSS, on-prem file servers, and legacy serv.

Cloud Challenges Security Norms


The top concern among IT leaders when establishing cloud strategy is
security. Public cloud systems for storing files are in conflict with the
long-held practice of keeping unstructured corporate data within the
firewall. To compound the issue, with multiple organizations keeping highly
confidential material in the same system, these services are appealing
targets for hackers. And by ceding the physical storage responsibility to the
service provider, organizations lose control over data governance while
regulations still hold them liable.

The exposure inherent in on-prem, IaaS, and SaaS approaches varies, as
shown in Figure 2. VPNs have long kept on-prem information internal,
and provide some protection for IaaS deployments (as a VPC). But SaaS lacks
this traditional approach to privacy.

Gartner acknowledges the security dangers inherent in SaaS file sharing in
their report, “How to Mitigate the Risks of Public Cloud EFSS and Storage.”
The key challenges they identify are data geography compliance, data
provenance, ceding decryption responsibility, and over-empowering users.
While the analyst firm doesn’t specifically mention recent high-visibility
breaches of popular enterprise SaaS services such as Dropbox, Slack,
Evernote and Adobe, these events certainly influence the enterprise
conversation about IT security.

Gartner’s first recommendation says to explore private cloud (IaaS)
approaches, and their second recommendation includes evaluating on-prem
EFSS in order to avoid the complications associated with third party data,
encryption and authentication ownership that is commonly found in SaaS
file sharing services.

Figure 2: Comparison of deployment method privacy exposure
[Diagram: the stack layers (Applications; Security; Data, Encryption, Authentication; Operating Systems; Virtualization; Servers; Storage; Networking; Data Centers) shown side by side for On Prem (VPN), IaaS, Infrastructure as a Service (VPN), and SaaS, Software as a Service (Little/No Privacy).]

Introducing the CTERA Enterprise
File Services Platform
CTERA’s focus is on building a private cloud storage-as-a-service platform
that centrally manages file and data protection services and unifies IT
security and governance to follow enterprise data wherever it flows. The
private cloud can be on-prem or part of a virtual private cloud.

CTERA seeks to create the most compelling end user experience by
providing coherent interactions across all file storage and sharing, regardless
of the underlying protocol. Administrators manage the distributed system in
a centralized pane-of-glass, creating policies that span across protocols and
geographies. And the system serves as a single system of record for users to
store, access, protect/recover and collaborate on files from any device.

The platform is inherently more secure than shared services, because
everything can be contained within your VPN and no 3rd party can be
delegated any access to your data, your metadata and your user credentials
if you choose. The system is designed to be deployed behind your firewall in
a Software-as-a-Private-Service that leverages the infrastructure of your
choice. It can be managed by your IT organization or by a service provider.

As you can see in Figure 3, the CTERA platform provides an authoritative system
for legacy and modern file storage, sharing, and backup; for big, small, and
home offices; stationary and mobile workers; for locally-attached and
network-attached storage; for human access, automated processes, and
other systems.

The CTERA platform consists of four components that are all connected via
CTERA’s patented cloud protocol. The platform is securely deployed on any
private or public cloud infrastructure and data is centrally stored in any
choice of NAS or object storage. While every deployment requires a CTERA
Portal, organizations have the flexibility to select from a variety of mobile,
server and NAS endpoints to meet business objectives. Furthermore, the
solution is available as a managed service.

Figure 3: Capability highlights of the CTERA platform
[Diagram labels: Roaming Users (File Access, Editing, Sharing (EFSS), Backup, Self-Restore); Virtual Desktops (VDI Drive Home Folder Redirection); Cloud Servers (In-Cloud Backup, Cloud-to-Cloud Backup); Offices (Backup, Self-Restore, File Access, Editing, Sharing (EFSS), NAS Protocols); Desktop; Server; 0-Minute Failover to CTERA Cloud Drive. CTERA Portal, CTERA’s Scale-Out Cloud File System (Service Orchestration; Data Management & Optimization): Global De-Duplication, Multi-Tenancy, Cloud Orchestration, Limitless Versioning, Central Management, Data Loss Prevention, Source-Based Encryption, Enterprise Authentication. Storage: Private Cloud (On-Prem Object Storage, Existing Storage); Virtual Private Cloud (Storage-as-a-Service, IaaS or PaaS).]

Figure 4: The main components of the CTERA platform
[Diagram labels: 1 CTERA Endpoint Agents/Apps on desktops, laptops and mobile devices (File Sync & Share, Endpoint Backup, Mobile Access); 2 CTERA Server Agents on servers and virtual servers (File/App-Level Backup, In-Cloud + Cross-Cloud); 3 CTERA Gateways (NAS File Server, Hybrid Cloud Backup); 4 CTERA Portal in a Private Cloud / VPC (Cloud-based File System with Scale-Out Service Orchestration and Data Management; Enterprise Management, Integrations & APIs: Authenticated Multi-Tenancy, EMM, Search, Billing, Monitoring, AV, Automation); 5 CTTP Protocol (Secure & WAN Optimized Cloud Access; AES-256 + SSL, De-Duplicated, Compressed, Bandwidth Control).]

1 Gateways: Storage appliances that provide local NAS functions and
serve as targets for CTERA workstation and server backup agents. All
data is synchronized to the CTERA Portal. Gateways support ACLs and
quotas and provide persistent storage access to users even during
network outages that disconnect them from the Portal.

2 Endpoints: Desktop agents enable device file and folder synchronization,
native file collaboration and data protection. An Outlook plugin also
converts attachments into links. Mobile apps for iOS, Android and
Windows enable file synchronization, collaboration, editing and real-time
access to any file version.

3 Server Agents: Provide network-optimized backup of physical and virtual
servers running locally, and can also protect servers deployed in cloud IaaS.

4 CTERA Portal: CTERA’s cloud file system that is responsible for data
synchronization, data protection, infinite file versioning, and service
orchestration. The Portal is scale-out file service delivery middleware that
runs on your cloud infrastructure of choice, where all data, metadata,
encryption and credentials are stored securely behind your firewall.

• For administrators, the Portal is a central security, governance and
administration tool that dramatically reduces data sprawl and IT
complexity. The Portal is built upon cloud principles, and is a
multi-tenant service delivery system with APIs that integrate with
authentication, billing, mobility, antivirus and orchestration tools.

• For users, the Portal is a centralized utility to securely access and
collaborate on files and backups from anywhere in the world via web
browser.

5 CTERA Transport Protocol (CTTP): A secure, WAN-optimized network
protocol used for data transfer between CTERA’s Portal, agents, and
gateways. CTERA’s patented approach enables global deduplication, data
fingerprinting, and encryption at the source to make file services
ultimately secure and efficient.

Enterprise File Services Platform Use Cases
The CTERA platform is the only solution to provide the full continuum of
cloud-based file services across the enterprise. It’s one platform that
supports many use cases with unified IT control. Customers often adopt
multiple use cases as part of their data infrastructure modernization effort.

Private EFSS

CTERA’s enterprise synchronization and sharing (EFSS) software provides
users seamless file access and collaboration tools across endpoints, virtual
desktops, CTERA gateways and any web browser. CTERA’s EFSS platform
can be deployed 100% privately to remediate the privacy, governance and
security concerns often found with SaaS services.

By integrating with CTERA gateways, only CTERA provides a seamless
experience between legacy and modern forms of file sharing to make the
adoption of cloud file solutions as painless as possible.

Office Modernization

CTERA Gateways enable offices to eliminate file server silos and
independent backup tools and consolidate file and backup services onto a
centrally-managed, cloud-integrated CTERA appliance.

CTERA appliances often save customers up to 80% over legacy approaches
to office home directory, network share and backup storage while also
providing a modern path to next-generation file sharing and backup.
Because all data is backed up to the CTERA portal in a customer’s VPN, data
security, privacy or sovereignty are never an issue.

Endpoint Backup

Device-level data protection is the second service provided by CTERA
agents. When combined with CTERA EFSS, the CTERA endpoint backup
utility provides a comprehensive solution for cost-effectively recovering lost
files or whole devices and system profiles, all from your private cloud.

Cloud Server Backup
In addition to working with CTERA gateways, CTERA backup agents can
also connect directly to the portal to provide an efficient and secure
approach to protecting servers in and across clouds. By abstracting the data
protection process away from any one cloud platform, CTERA’s cloud data
protection solution enables organizations to adopt multi-cloud strategies
that eliminate the risk and minimize the cost of embracing the cloud.

Leveraging CTERA’s data optimization technology and automation tools,
customers save up to 80% vs cloud-native volume snapshot solutions.

Endpoint Agents & Outlook Plugin


Figure 5: CTERA Endpoint Agents and Outlook Plugin
[Diagram labels: CTERA Outlook Plugin and CTERA Agent on Personal Computers (File Sync & Share, Backup; LAN-Speed File Sync & Share, Backup via CTERA Gateways); CTERA App on Mobile Devices (File Sync & Share, Mobile Access); CTERA Virtual Desktop Agent on VDI (Home Folder Redirection); CTERA Portal.]

End users of the CTERA platform can use CTERA software installed on their
personal computers, virtual desktops, smartphones, and tablets. The
low-footprint software provides secure data protection, file sync and share
services, mobile access, and VDI home folder redirection utilizing a copy of
data in the cloud.

Figure 6: Adding a local folder to the cloud file system via right-click

Personal Computer Agents


Operating System Support
CTERA PC agents run on Windows, Mac, and Linux. The agents are
integrated with the OS shell, enabling right-click operation and icon overlays
that indicate sync/backup status.

Capability Summaries
File Synchronization
A PC’s local folders and files can be added to the cloud file system. Changes
to the files (made locally or elsewhere) are synchronized at all locations by
CTERA agents. Prior file versions are tracked, retained, and accessible.

Users can synchronize existing cloud folders (such as shared folders) with
their PC, so that they have a local copy of the latest version of files.

Of note, the end user has flexibility on which folders are synched and where
they are stored. CTERA does not mandate that local cloud files be placed in
a “CTERA” folder. Sub-folders can be excluded from synching.

File Sharing
Users can share files or folders with users and groups using a right-click
menu. A link to the file is emailed to the recipients. It can have specific
permissions: read/write, read-only, preview-only, or no access. The user can
require specific authentication methods and can set an expiration date. A
corporate sharing policy set in the CTERA Portal is also enforced by the
agent, preventing oversharing.

File Backup
The CTERA PC agent can back up files and folders directly to a CTERA
Portal (either on-prem, or in a cloud) or to a CTERA Gateway, which can then
back up to a CTERA Portal for a tiered approach. The Gateway and Portal
can have different retention periods. The agent enables self-service restore
of retained file versions.

There are agent settings for inclusion and exclusion sets, a scheduler, and
bandwidth throttling. The agent can back up both unlocked and locked files.

Disk-Level/Bare-Metal Backup & Restore


The entire disk image can be backed-up using the CTERA PC agent to later
recover the full system or individual files. The industry-standard VHD backup
file can also be restored to dissimilar hardware or mounted on a virtual
machine. An “incremental forever” option minimizes data transfer and
storage. A sneakernet full backup can help seed the Portal.

Offloading Virtual Desktop User Data to Cheaper Storage


The agent can map a network drive to the user's data located on the CTERA
Portal. This enables the user to store/access their data through CTERA
rather than as part of the VDI storage.

Administration, Deployment, and Update
CTERA agents can be centrally managed from the CTERA Portal, and may
be deployed using platform-specific settings templates along with Active
Directory installation. The agents can be remotely updated as well.

Mobile Agents
Operating Systems Supported
CTERA mobile agents run on iOS, Android, and Windows Phone. They
enable users to view, edit, store, and share their cloud files and backups.

Figure 7: Mobile app interface

Capabilities
File Access
CTERA mobile users can access the cloud file system, including (1) files
synchronized from their other devices, (2) files shared by other
users/groups, and (3) files from other devices backed up to the Portal.

Those files can be viewed, edited, and deleted. They can also be downloaded
to the mobile device for offline access. New files can be uploaded to the
cloud file system from the mobile app.

File Sharing
Users can share files or folders by creating links in the Mobile app that have
expiration dates.

Remote Wipe
In the event of a lost or exposed device, the administrator can force a device
running CTERA Mobile to log out and to erase all locally synced files. In
addition, the wiped device’s key is invalidated.

Administration, Deployment, and Update


The CTERA mobile apps are available for download on each platform’s app
store, and can be re-branded to match a company’s interfaces.

Outlook Plugin
The CTERA Agent plug-in for Microsoft Outlook enables users to send email
attachments as public links to files on the cloud file system. The plug-in
syncs attached files to the cloud file system via the local CTERA agent and
inserts public links to the files into the email body.

Figure 8: Outlook plug-in interface

Figure 9: Backup file selection

Server Agents
Figure 10: Configuration options for on-prem and cloud server backup through Server Agents
[Diagram labels: 1. On-Prem Backup (CTERA Agent on Servers, CTERA Gateways, CTERA Portal; LAN-Speed Backup & Restore, WAN Sync to On-Prem); 2. Backup to Cloud; 3. In-Cloud Backup; 4. Cross-Cloud Backup (CTERA Portal, CTERA Agent on Servers, CTERA Gateways, CTERA Portal).]

Servers running on-prem or in a cloud can be backed-up with the CTERA
platform. CTERA Agents installed on the servers transfer data to a CTERA
Portal (on-prem or in a cloud) or to local CTERA Gateways (which can then
transfer to the CTERA Portal), providing fast restoration and offsite
protection. It supports bare-metal restore, application-consistent backups,
and file-level backup. This combination provides enterprise data protection
across legacy and cloud servers.

Capability Summaries
Application Backup and Restore
CTERA makes application-consistent backups of many enterprise
applications. MS SQL, for example, does not need to perform a dump in
order to be backed-up.

Bare Metal Restore / Disk Image Backup
The CTERA agent can store a server’s entire disk image as a backup in the
industry-standard VHD file format. And subsequent backups are smaller and
faster because they only need to transfer changed files (“incremental”). The
full system image can be restored to another server without having to first
install the operating system or applications. It is even possible to restore the
system to dissimilar hardware.

File Backup and Restore


Just like the PC agent, the CTERA Server agent can back up individual files
and folders of a server directly to a CTERA Portal (either on-prem, or in a
cloud) or to a local CTERA Gateway, which then transfers the data to the
CTERA Portal.

Cloud Server Backup and On-Prem Server Backup


CTERA provides a platform designed for backing up servers whether they
are in a cloud or on-prem. The approach to cloud backup has significant
differences from on-prem: there is no access to the hypervisor level and you
are charged for storage utilization (and sometimes for data transfer). Other
tools are either complex to script or have expensive and complex ‘media
server’ designs. So CTERA backup performs deduplication, compression,
and encryption before the data is transferred to minimize costs. And CTERA
is designed for massive numbers of agents to connect directly to the CTERA
Portal for backup.

The same properties that enable cloud-friendly backup also make CTERA
appropriate for on-prem data protection that spans numerous global
locations.

A single dashboard and set of tools unify backup processes and policies
across the on-prem and cloud environments, making it easy to manage any
scale of hybrid data protection.

Retention and Tiering Settings
Administrators enjoy the ability to easily define retention periods on the
CTERA Gateway and in the CTERA Portal. You can store snapshots at the
edge dependent on your recovery objectives and retain snapshots for longer
periods in the cloud.

Backup Templates
Agents can be automatically deployed to servers via Active Directory, with
templates defining the specific settings for any given machine. Criteria
include: agent operating environments, machine names, applications, and
the region in which a server is running. CTERA Backup Templates define: storage
destination, backup window schedules, and whether any specific backup process
should be throttled.

Figure 11: Snapshot Retention Policy

Cloud Storage Gateways
Figure 12: CTERA Cloud Storage Gateways
[Diagram labels: Offices with /Projects and /MyDocuments shares over SMB & NFS on CTERA Cloud Storage Gateways, plus Backups; CTERA Portal; Endpoint Sync of /MyDocuments for Mobile Devices & PCs.]

CTERA Cloud Storage Gateways are appliances that provide NAS, file
sharing, and backup services, while also synchronizing the files and
snapshots to the CTERA Portal in the cloud. With this hybrid cloud
approach, organizations can retain existing NAS-based business processes,
while gaining modern file sharing and cloud integration for a longer-term
evolution.

Gateway Products & Management


The gateways are available as physical or virtual appliances. They run a
custom, minimal, hardened Linux. Appliances can be configured and
managed through the centralized Portal browser-based interface.

Physical Appliances
The CTERA Gateways come in a variety of models, ranging from 2TB to 64
TB raw capacity, RAID 0/1/5/6, and supporting from 50 to 1000 concurrent
users. The form factors vary by model including a short tower, and 1U and 2U
rack-mount servers.

Virtual Appliances
The gateways are also available as a virtual appliance, where the capabilities
are dependent on the selected hardware.

Capability Summaries
Cloud File System via NAS
Folders and files that are part of the CTERA cloud file system can be
accessed via the gateway using NAS protocols (CIFS/SMB, NFS, AFP, and
more). The administrator selects which parts of the cloud file system should
be accessible, and a local copy is synchronized to the CTERA Gateway. The
gateway provides local high-speed access to the files, and changes are
synchronized between the cloud file system and the gateway copy. The
gateway provides full emulation of enterprise Windows NT ACLs, as well as
quota support.

Backup Services
CTERA Agents can use a CTERA Gateway as the backup destination, which
can be faster than backing up over a WAN or the internet.

Files, applications, and disk-images can be restored from the local CTERA
Gateway to maximize performance.

The backup data can also be transferred to the cloud and retention policies
set how long the backups are kept on the gateway and in the cloud, as seen
in Figure 11.

Figure 13: Gateway Configuration

File Sharing and Distribution Services


Files and folders that users access and share using the CTERA agent’s EFSS
capabilities can also be synchronized with CTERA gateways. This is a
modern alternative to conventional file replication. It also enables cloud file
sharing for offices that face connectivity issues making public cloud SaaS
solutions impractical.

Failure Scenarios
Back-End Connectivity Failure
The CTERA gateway can be immune to connection issues with the back-end
cloud. In the CTERA gateway the primary file system can be stored in whole
at the gateway. If conflicting changes are made in the cloud file system while
the gateway is offline, CTERA uses a conflict resolution approach to resolve them.

Figure 14: Uninterrupted I/O despite back-end connectivity failure
[Diagram labels: /MyDocuments and /Projects over SMB & NFS; CTERA Cloud Storage Gateway; CTERA Portal.]

Gateway Failure
End users still have access to their files even if a CTERA Gateway becomes
inaccessible. The files can still be accessed by mounting a secure, remote
connection to a virtual gateway in the cloud or to the CTERA Portal. The files
are also available via a web browser to the portal.

Figure 15: Folders may be mounted directly from the Portal if a gateway is inaccessible
[Diagram labels: Cloud Mount; /MyDocuments and /Projects over SMB & NFS; CTERA Cloud Storage Gateway; CTERA Portal.]

Gateway Models

Model | C200 | C400 | C800 | C800+ | EV SERIES
Form Factor | CTERA Hardware Appliance | CTERA Hardware Appliance | CTERA Hardware Appliance | CTERA Hardware Appliance | CTERA Virtual Appliance
Recommended For | Up to 50 Users | Up to 100 Users | Up to 200 Users | Up to 1,000 Users | Up to 5,000 Users*
Drive Bays | 2 x 3.5" | 4 x 3.5" | 8 x 3.5" | 8 x 3.5" | N/A
Local Appliance Capacity | Up to 8TB | Up to 16TB | Up to 32TB | Up to 32TB | Up to 64TB
Included Workstation Backup Agents | 20 | 50 | 50 | 50 | Up to 250
Included Server Backup Agents | 1 | 2 | 2 | 2 | 0
Ethernet | 1 x 1Gb | 2 x 1Gb | 2 x 1Gb | 2 x 1Gb | Up to 10Gb

CTERA Platform Architecture

[Architecture diagram. Labels, grouped by layer:]
Clients: Cloud Storage Gateways, Desktop/Server Agents, Mobile App, Web Browser, Cloud Mount
Multi-Tenant Management: Global Admin, Tenant/Team Admin, User Self-Provisioning
Storage Infrastructure Connectors: Virtualized Storage, Load Balancing, Cloud Migration
Application, Intelligence, Configuration, Management: File Sync & Share, Backup, Networked Storage, VDI Storage Optimization
Security & Acceleration: ACLs and Sharing, Policy Engine, Encryption, Deduplication
Device Connectors: Dynamic DNS, Automatic Updates
Integration APIs: Active Directory / LDAP, Single Sign-On, Provisioning, Billing / Chargeback, Monitoring & Auditing, REST Content Access
Storage Infrastructure: On-Prem or Virtual Private Cloud

Portal
The CTERA Portal provides the intelligence, configuration, and management
interface to the CTERA platform. It also acts as middleware between the
front-end Agents and Gateways, the back-end cloud storage, and integration
with other systems.

Capability Summaries
Centralized Management and Policies
Administrators have role-based authority and use the CTERA Portal to
control most aspects of the CTERA platform. Agents and gateways can be
remotely monitored and managed. Administrators provision services and
agents, and also set global and local policies for backup retention, storage
quotas, and file versioning. Custom alerts and reports keep administrators
informed. The firmware/software of gateways and agents can be upgraded
through the Portal.

Figure 17: Control All Devices Centrally

Controlling File Visibility and Sharing
Administrators can set a “collaboration firewall” that defines external file
sharing policies based on user profiles and groups. Shared files can even be
locked down with watermarks and preview-only settings. Upload policies
prevent unwanted files from entering the system.

The CTERA app can run in an EMM-secured container and other
containerized apps can save files to the CTERA app.

Figure 18: Cloud Drive Sharing Policy

Figure 19: Collaboration Policy

Web Interface to Cloud File System
The Portal provides internal users and external sharees a web interface to
access the cloud file system, including preview, edit, search, and
versioning.

Office 365 Integration


Users can create and initiate editing of Microsoft Office 365 files directly
from the CTERA Portal. Users can simultaneously edit the document with
changes being stored in the Portal’s file.

Deduplicated, Virtualized Storage


CTERA Portal stores the cloud file system on one or more storage nodes –
block or object storage systems that may be dissimilar. The Portal enables
source-based global deduplication, and the deduplicated data is stored in
the nodes. CTERA Portal can migrate data between storage nodes without
service disruption, which lets CTERA users switch cloud providers.

Software-as-a-Private-Service
The CTERA platform is designed to run 100% within your network as a
completely automated, multi-tenant service. All components are either
deployed on-prem or in your virtual private cloud. Using CTERA’s rich
RESTful APIs, administrators can drive monitoring, billing, security, and
operational efficiencies. A delegated administration model enables tenant
admins to provision and manage their own environments, while CTERA
isolates each tenant’s security and data.

Authentication
Users can authenticate via directory services like Active Directory or
single-sign-on (SSO) through SAML 2.0 or Kerberos. CTERA offers 2-factor
authentication, and performs mutual authentication with client-side
certificate support including smartcards (like CAC & PIV). The AD/LDAP
roles and groups control access to data and administrator privileges.

Security Features
(Please read the CTERA security whitepaper for security details across the
entire system.)

Administrators can create and manage encryption keys or employ personal
passphrases per user to prevent privileged admins from accessing data.

Security events such as user access and failed logins are monitored and
logged, and all user activities are in the audit trail. Integration with SIEM
systems via Syslog provides 3rd party audit trail retention and reporting.

Antivirus tools can connect with CTERA to keep the cloud file system clean.

AWS CloudFormation
CTERA Portal can be rapidly deployed using AWS CloudFormation and a
prepared or customized JSON template.

Rebranding
The Portal interface, Gateway interface, and Agent interface can all be fully
customized.

Failure Scenario
The portal includes a stateless application and metadata database
persistence layer. The database offers continuous replication which should
be used for disaster recovery/business continuity and backup purposes. A
new Portal service can be spun up and attached to the database to fully
resume service rapidly.

CTTP Protocol
Figure 20: CTTP Protocol Flow Diagram
[Diagram labels: Client-Side Certificate, Mutual Authentication, Server-Side Certificate; Two-Factor Authentication, Kerberos, SSO; Whole File Fingerprint; Cleartext Chunk Fingerprint; Encrypted Chunk Anti-Corruption Checksum; TLS Hash; AES Encryption; TLS Encryption]
[Stages: File on Host, Broken into Chunks, Unique Chunk (Compressed), Transmitted, Received, Processed, Stored]
[Components: Host, Agent, Web Server, Services, Data Storage]

CTERA Transfer Protocol (CTTP) is the secure, WAN-optimized
communication method used to transfer data within the CTERA Platform.
Agents and apps communicate with the Portal via CTTP, and Gateways sync
files and snapshots with the Portal via CTTP.

Protocol Flow (Edge to Portal)

1 Authentication
Devices, apps, and agents authenticate to the portal with a signed
2048-bit X.509 security certificate. Mutual authentication with client
certificate via OCSP is also possible.

2 Deduplication
The file is broken into chunks of variable size. The chunks are hashed
and compared with the existing list of hashes in the Portal (i.e. stored
chunks), which identifies the globally unique chunks. Only the globally
unique chunks will eventually be transferred to the cloud. (The gateway
deduplicates endpoint disk-level backup prior to sending to the
Portal.)

3 Source-Based Encryption
The unique chunks are AES-256 encrypted using the appropriate
encryption key, or using a generated key that is encrypted using a
passphrase-based key.

4 Compression
Once the chunks are encrypted, they are compressed via snappy or gzip.

5 Fingerprinting
To prevent tampering with files in transit, a “fingerprint” is generated
for each file, each cleartext chunk, and each encrypted chunk. The
fingerprint is checked when each encrypted chunk is received prior to
any further processing of the chunk. The cleartext chunk and file
fingerprints are compared when the file is read.

6 Encrypted Transfer
The encrypted, compressed, unique chunks are then transferred using
TLS (previously SSL) over TCP. So the encrypted blocks are encrypted
again while they are in-flight. The TLS encryption is removed when the
chunk lands at the destination, but the source-based AES-256
encryption remains around the chunk.

This approach is different from encryption ‘at rest’ plus encryption ‘in
flight’. By encrypting at the source and not decrypting it even in
storage, there are no points at which the clear text is exposed.

7 Storage
The encrypted, compressed, unique chunks are received by the Portal
and placed in a storage node. The portal metadata storage containing
the keys may be hosted separately from the data cloud storage. The
separation of repositories allows CTERA to store a small amount of
sensitive data (e.g. encryption keys) in a fully secured site, while
managing large amounts of encrypted file data in a less secure site
(e.g. public cloud).
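
Steps 2 and 5 of the flow above, as an added example (not CTERA code and not part of the original document): a toy agent and Portal that do variable-size chunking, hash-based deduplication, and fingerprint checks on receipt and on read. The chunk-size parameters, the gear rolling hash, SHA-256 as the fingerprint function and all names are assumptions; the AES-256 encryption and compression steps are left out, so one fingerprint per chunk stands in for both the cleartext and the encrypted-chunk fingerprints.

```python
import hashlib
import random

# Assumed parameters: the document gives no chunk sizes or hash algorithm.
MIN_CHUNK, MAX_CHUNK, BOUNDARY_MASK = 256, 4096, 0x3FF
_rng = random.Random(2018)
GEAR = [_rng.getrandbits(32) for _ in range(256)]  # gear table for the rolling hash


def fingerprint(data):
    """SHA-256 as a stand-in for the unspecified fingerprint function."""
    return hashlib.sha256(data).hexdigest()


def sample_file(n, seed):
    """Constructed sample input: n pseudo-random bytes (not real data)."""
    r = random.Random(seed)
    return bytes(r.getrandbits(8) for _ in range(n))


def chunk(data):
    """Variable-size chunking: cut where the rolling hash of recent bytes hits the mask."""
    chunks, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = ((h << 1) + GEAR[byte]) & 0xFFFFFFFF
        size = i - start + 1
        if (size >= MIN_CHUNK and (h & BOUNDARY_MASK) == 0) or size >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start, h = i + 1, 0
    if start < len(data):
        chunks.append(data[start:])  # tail chunk, not ended by a boundary
    return chunks


class Portal:
    """Toy receiving side: stores chunks by fingerprint and verifies them."""

    def __init__(self):
        self.store = {}      # chunk fingerprint -> chunk bytes
        self.manifests = {}  # file name -> (file fingerprint, [chunk fingerprints])

    def missing(self, fps):
        """Dedup negotiation: return only the fingerprints not stored yet."""
        return [fp for fp in dict.fromkeys(fps) if fp not in self.store]

    def receive(self, fp, payload):
        """Check the fingerprint before any further processing of the chunk."""
        if fingerprint(payload) != fp:
            raise ValueError("chunk fingerprint mismatch; chunk rejected")
        self.store[fp] = payload

    def commit(self, name, file_fp, fps):
        self.manifests[name] = (file_fp, list(fps))

    def read(self, name):
        """Compare chunk and whole-file fingerprints again when the file is read."""
        file_fp, fps = self.manifests[name]
        parts = []
        for fp in fps:
            part = self.store[fp]
            if fingerprint(part) != fp:
                raise ValueError("stored chunk failed verification")
            parts.append(part)
        data = b"".join(parts)
        if fingerprint(data) != file_fp:
            raise ValueError("file fingerprint mismatch")
        return data


def upload(portal, name, data):
    """Agent side: chunk, hash, ask which chunks are new, send only those."""
    chunks = chunk(data)
    fps = [fingerprint(c) for c in chunks]
    by_fp = dict(zip(fps, chunks))
    wanted = portal.missing(fps)
    for fp in wanted:
        portal.receive(fp, by_fp[fp])
    portal.commit(name, fingerprint(data), fps)
    return len(wanted), len(chunks)  # (chunks sent, chunks in file)


if __name__ == "__main__":
    portal = Portal()
    original = sample_file(64 * 1024, seed=1)
    grown = original + sample_file(2048, seed=2)
    print("first upload (sent, total):", upload(portal, "report.bin", original))
    print("same content again        :", upload(portal, "copy.bin", original))
    print("2 KiB appended            :", upload(portal, "report-v2.bin", grown))
```

Because chunk boundaries depend on content rather than fixed offsets, appending to a file leaves every earlier chunk except possibly the last one unchanged, so only the tail is sent again.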

Loss of Connectivity
The protocol assumes that connectivity between the sources and
destination may be lost. So data transfers pick up where they left off in the
event of a disconnection.

Improving Organizational Productivity
at Santander Bank
Santander, one of the largest banks in the world, approached CTERA seeking
to provide employees with fast and reliable file synchronization and sharing
capabilities from any device and from any location (roaming or local to an
office), while ensuring the highest possible security and data protection and
availability to tens of thousands of employees. To meet security
requirements, the solution had to be fully scalable and deployed inside
internal Data Centers, with high levels of data protection (user access
control, encryption, multi-user encryption keys, data redundancy, file
versioning, and more), as well as optimization for bandwidth and storage
efficiency (deduplication, compression and incremental data transmission).
The solution needed to provide dramatic reduction in TCO vs. existing file
services solutions, and would need to be hardware-agnostic. The solution
needed to feature full auditability, with advanced security and user access
controls, and the total project also had to provide data protection services to
thousands of company laptops and desktops.

CTERA EFSS provides a secure and storage-agnostic solution for file sync
that was deployed as a fully private solution from their datacenters using
cost-effective object storage. This internally delivered service provides
end-users the ability to synchronize files and folders across all devices and in
remote offices and collaborate on demand with CTERA’s file sharing and
team collaboration tools. CTERA’s integrated endpoint backup solution was
deployed to provide globally de-duplicated file-level and disk-level data
protection across workstations and laptops for the same 60,000 users.
In the end, the customer received a secure, private, and comprehensive
solution that provided the right mix of user service choice with IT control.
The CTERA platform seamlessly integrates with the existing datacenter
storage infrastructure, as well as domain services to easily authenticate via
AD servers and large AD forests. CTERA’s white-labeling capability also
allowed them to deliver a privately-branded, fully functional EFSS to
reinforce the solution as the only IT-sanctioned file sharing and sync service
end users were to use.

With endpoint data protection for employee workstations and laptops, all
files and backup data are compressed and de-duplicated at the source for
WAN and storage optimization and then securely encrypted before being
synced to the software-defined storage environment.

In the end, the customer transformed into a more agile and lean
IT-as-a-service delivery organization that has lowered infrastructure and
service delivery costs while also enhancing insight into user file access to
provide unprecedented levels of control across a large and global
organization.

Summary
Leading global banking group company selects the CTERA Enterprise File
Services Platform to enhance user productivity and IT control.

The deployment provides secure enterprise file sync and share services and
endpoint backup to 60,000 employees in multiple continents.

Leverages automated service delivery tools and software-defined object
storage to minimize user support and service infrastructure costs.

Modernizing Data Infrastructure at TopGolf
TopGolf is one of the fastest growing private companies in the United States,
but was experiencing a number of issues due to hypergrowth: working with
more than 40 IT vendors led to high storage costs, overloaded
administrators, and deviation from a cloud strategy; network bandwidth
issues due to using various public cloud file sharing services (plus security
and privacy concerns of SaaS file sharing); and not being able to quickly or
efficiently resolve data loss should a user’s laptop or workstation need to
recover data.

They identified CTERA as a single platform that could help fulfill their data
infrastructure modernization initiatives. Using the CTERA Enterprise File
Services Platform to deploy an internal service, they are revamping their file
services and data protection agenda. Deployed as a platform on AWS and
powered by CTERA, the internal service is a fully unified solution that allows
users to sync, share, and protect files across endpoints, office gateways, and
the cloud. It includes CTERA cloud storage gateways that act as local file
servers at offices, EFSS gateways that replace public file sharing, and
endpoint data protection with user-enabled backup and restore.

The organization’s network bandwidth issues were immediately resolved
through the deployment of CTERA cloud storage gateways, which allow
office users to access files locally, rather than requiring constant network
access to SaaS file services. The gateways seamlessly connect with CTERA
Enterprise File Sync and Share agents, enabling users to access current files
no matter where they are. It also enables them to facilitate a zero-minute
disaster recovery for offices worldwide: if a gateway fails, local user
machines can be automatically re-mapped to folders on their virtual private
cloud (VPC) on AWS.

File sharing security issues were also eliminated. Deployed fully behind their
firewall in the AWS VPC, the internal service disallows any exposure of data,
metadata, security and identity management to any third-party provider.
Both CTERA EFSS and Endpoint Backup are optimized for highly efficient
and secure transmission of data across the network, with source-to-storage
AES 256-bit data encryption.

The customer also benefits from simple, secure, and user-enabled data
protection tools for direct-to-cloud backup (roaming users) or hybrid
backup models (for office users via the cloud storage gateway).

Moreover, the company was able to reduce vendor count by choosing
CTERA to consolidate four separate vendors across EFSS, endpoint backup,
and NAS devices, while adopting low-cost and highly-resilient cloud
infrastructure via AWS.

Summary
Rapidly-growing company faces too many vendors, clogged networks,
inefficient endpoint restoration, and concerns about SaaS security.

Consolidates multiple IT systems with a fully unified file sharing and data
protection platform.

Empowers users with secure and accelerated file access and collaboration
while reducing TCO by eliminating escalating network and data
infrastructure costs.

Eliminates security and privacy concerns by deploying services on their
private, internal cloud.

IT-as-a-Service Transformation
at a Global 30 Insurer
One of the world’s leading insurance and asset management firms devotes
significant resources to the modernization of application, service, and
infrastructure delivery throughout the organization. To support this agenda,
the IT department embarked on a major CloudOps (cloud operations)
initiative that would transform the organization into an internal cloud
services provider that leverages both on-premises and public cloud
computing resources.

Its vision was to implement an automated, API-driven, multi-tenant service
with customized security and administration models for specific users that
would span multiple IaaS and hypervisor providers. The organization
determined that traditional enterprise-grade backup tools were too
cumbersome, too expensive, and not agile enough to address the new mode
of IT-as-a-Service provisioning.

The company’s search for a scalable and automated hybrid cloud data
protection solution led to CTERA’s Enterprise File Services Platform. The
CTERA-powered service allows any user in any location to activate or
deactivate a backup option for his application via a service catalog.
Provisioning new applications from the company’s IT service catalog
provides cost-effective safeguards against the accidental deletion or loss of
business-critical data. The solution protects applications spanning three
independent cloud platforms (Amazon Web Services, Microsoft Azure and
OpenStack) that the IT organization has integrated into a single cloud fabric.
The organization chose CTERA based on several key factors:

• A simple, agent-based approach to application data protection that can
be deployed on any cloud framework. This approach removes any
dependency on a server hypervisor, and allows the organization to deploy
and recover applications on any cloud.

• WAN-optimized backup agents to backup/restore any cloud to any cloud
while leveraging global deduplication, incremental-always backup
methods and WAN compression.

• A multi-tenant approach to data and backup administration isolation,
offering each tenant a customized security model with their own
encryption keys and delegated administration.

• Robust, cost-effective support for any object storage platform or service
that enables the company to store data at 1/10th of the cost of traditional
IT deduplication appliances.

• Completely automating the provisioning of user tenants and agents and
eliminating the need to interface with IT administrators for restores or
support thanks to seamless integration with the IT service catalog and
service chargeback system.

• Cloud simplicity, with uncompromising security and data sovereignty to
govern data storage location and enforce the security requirements and
data privacy regulations that are common to the financial services
industry.

Summary
F100 launches internal Backup-as-a-Service powered by CTERA to support
CloudOps initiative.

Solution spans multiple clouds and platforms integrated into a single cloud
fabric.

Company selects CTERA after traditional enterprise tools could not meet
requirements for agility, multi-tenancy, and scalability.

Uses CTERA’s cloud-native, API-driven platform to integrate into service
catalog.

Total Cost of Ownership
Comparison Viewpoint
No other vendor provides a fully-featured, unified platform that integrates
legacy file services, modern file sharing, and endpoint backup. Vendors in at
least two categories (NAS, Backup, EFSS) are needed to match the breadth
of CTERA’s fundamental capabilities. So organizations can increase their
savings by utilizing all of CTERA’s purposes: the deduplication ratio
increases, the administrative overhead decreases, and end user productivity
increases. By contrast, using multiple vendors to achieve similar functionality
results in duplicate storage silos, multiple administrative interfaces,
incongruent policies, more vendors to manage, and lower organizational
productivity. Furthermore, with CTERA you only pay for the infrastructure
that you use, versus paying profit margin for a SaaS vendor’s infrastructure.

Customer Scenario
In this scenario, the organization wants a globally-distributed system (80
TB) to store, share, synchronize, and backup files across two large (20TB),
five medium (6TB), and ten small (1TB) offices. 550 desktops and 28 servers
are backed-up, and 550 users are performing file sharing.

TCO Calculations
Figure 21: TCO calculations of CTERA and comparable solution

3-Year TCO | CTERA | Multi-Vendor
NAS Hardware | $103,360 | $167,500
NAS Software | $14,250 | $32,300
Backup | $0 | $76,878
EFSS | $75,350 | $297,600
Total | $192,960 | $574,278

Figure 22: TCO Graph of CTERA versus a comparable solution
[Bar chart: CTERA vs Multi-Vendor 3-Year TCO. Series: NAS HW, NAS SW, Backup, EFSS. Bars: CTERA NAS + Backup + EFSS; Multi-Vendor NAS + Backup + EFSS. Vertical axis: $0 to $600,000.]

The table shows total 3-year list prices for a solution from CTERA and a
multi-vendor solution from representative vendors.

The scenario requires 10 small gateways (CTERA C200), 5 mid-sized
gateways (CTERA C800), and 2 large gateways (CTERA C800+), 28 server
backup agents, 550 file sharing licenses, and one CTERA portal (cost
included with NAS software). These server backup agent licenses are
included with the CTERA gateway so there is no additional cost shown. The
data is deduplicated across NAS, Backup, and EFSS and the resulting cloud
storage cost would be negligible: less than $100 over three years for storage.
In the multi-vendor scenario, we include the costs associated with two or
three vendors to provide NAS, Backup, and EFSS as a service. They would
need to be purchased separately and managed separately.

Additional CTERA ROI would come from increased organizational
productivity and less administration.

Security
Created by security experts, the CTERA platform was designed to fully
protect data from attacks or unauthorized access, with security
considerations applied to every function of the CTERA platform. This section
provides highlights of the security capabilities, and for a deeper explanation
of the platform’s security please review the CTERA Platform Security
Architecture Whitepaper.

Private Platform
CTERA can be deployed on-premises or in a virtual private cloud (VPC) to
keep your data within your network and 100% behind your firewall. Unlike
some other “private” file sharing vendors, no external communications are
necessary and no components are positioned outside of your firewall.

Source-Based Encryption and Secure Transfer


A significant difference from other solutions is that CTERA data is encrypted
before it is sent to the cloud and remains encrypted as it is stored. This
approach ensures that sensitive data never leaves the customer environment
before being fully protected. So even when the data arrives in the cloud it is
never in clear text, which is an exposure that other systems cannot address.

All network transfers use the Transport Layer Security (TLS) protocol, preventing
unauthorized interception of data. This wraps an additional layer of
encryption around the chunks for transport. Multiple fingerprints of files and
blocks ensure data integrity as they travel between locations, preventing
man-in-the-middle attacks and transfer errors.

Key Management
CTERA lets you create and manage your own encryption keys or use personal
passphrases per user. The keys are stored in a secured database which can
be behind your firewall. CTERA allows administrators to configure the
granularity of encryption key usage: selecting a separate key per folder, per
user or per user group. Each tenant has its own set of encryption keys,
which limits damage in the event of a compromised key or tenant. Some
competitors create and/or manage the keys, which enables them to access
your data and is a vulnerable point.

Authentication
Prior to authentication, clients must be enrolled with the Portal to avoid
unexpected clients and then users authenticate their credentials to the
Portal. Administrators can choose to manage users’ credentials locally within
the Portal, integrate with existing directory services, SSO, SAML 2.0, or other
identity management services. This provides seamless user authentication
and avoids duplicate credentials. When managing users’ credentials locally,
the Portal keeps the one-way hashed passwords in the main database.
Administrators can enforce password policies, such as minimal length,
character use, and renewal cycle.

CTERA enables email and SMS-based two-factor authentication for login
and file sharing (even for external access) to ensure only intended parties
can access files. For environments with increased security requirements,
CTERA can use client certificates that present an X.509 certificate (like a
Common Access Card - CAC).

Administrator Controls & Collaboration Firewall


Role-based access control: define Active Directory or LDAP roles and groups
to control access to data and set up administrator roles. The Portal’s
advanced role-based access control ensures that sensitive operations are
accessible only to a limited set of authorized users.

CTERA lets portal administrators define a policy-driven “collaboration
firewall” to govern the way files are shared with external users. These policies
define the allowed collaboration methods – for example allow/deny the use
of public links, enforce preview-only shares, etc. They also specify the type
of data that can be synchronized or uploaded to the cloud, based on the file
size, name or extension.

Multitenancy
The CTERA Portal has built-in multi-tenancy support so that different
groups of users can be assigned to entirely separate logical instances of the
Portal. This enables the system to service multiple customers on a common
cloud, which is particularly useful for managed service providers or IT
centrally serving multiple business units or isolating security for geographic
regions.

EMM & DLP


End users and administrators can initiate a remote wipe on misplaced mobile
devices to prevent unauthorized access to data stored locally or on the CTERA
platform. CTERA integrates with MDM tools to ensure a secure, sandboxed
environment and can even share information with apps within the secure
environment.

Antivirus Integration
CTERA integrates with antivirus vendors through the ICAP protocol for file
scanning, in order to ensure data protection. Files are scanned for malware
automatically and transparently, before they are downloaded from the Portal
for the first time.

Logs & Audit Trail


Both the CTERA Portal and the Gateway administration functions can
maintain extensive logging of all user accesses, failed logins, configuration
changes, data changes, and data accesses. Administrators can use a built-in
log viewer. Logs can be automatically shared with 3rd party audit tools for
safekeeping, analysis, and threat detection.
