Product Documentation

Uploading Data

Overview

In order for Canopy to process data, the data must first be uploaded. Uploading options will be explained in detail below. When you begin a project, your first screen will look like this:

UploadScreen.png

Clicking on Upload Documents will provide you with the following options to upload native files:

img_8.png

Upload Name

Enter a user defined name for the set of files you will upload.

Custodian

Enter either the name of the individual associated with the Upload Name, or a name for this particular grouping of documents.

Details

This field can be used for documenting any additional details associated with the upload.

A single Custodian must be associated with each Upload Name; however, the same Custodian can be associated with multiple Upload Names.

Upload Options

Canopy offers various options to upload data. Choosing the most appropriate option depends on where the compromised data is located relative to Canopy’s application. Canopy’s application resides in an AWS region corresponding with the location of your tenant. Here is the list of upload options to consider, in order of upload efficiency:

  1. AWS Presigned URL
  2. Azure Shared Access Signatures (SAS)
  3. Citrix Sharefile
  4. Web Browser
  5. Microsoft Office 365

S3 Presigned URLs

Using AWS presigned URLs will transfer data directly from your AWS S3 bucket to your Canopy project. This is an AWS-to-AWS transfer of data that, once initiated, will continue to transfer data, even if you close your browser and turn off your computer.

Please refer to AWS documentation on how to create a presigned URL.

If the customer’s data is in the same AWS region as Canopy’s application, downloading presigned URLs is likely the fastest way to upload data. The data transfer will take place completely within AWS’s infrastructure, eliminating factors introduced by internet service providers that could impact the transfer speed. Presigned URLs allow for secure data transfer between S3 buckets without sharing keys or passwords with Canopy. Each presigned URL relates to one object. We recommend zipping up data and assigning one presigned URL to each zip.

🥾 How to upload from an AWS S3 Presigned URL

Canopy will screen the URL for inconsistencies, or expiration, before initiating the transfer. If we detect that the presigned URL has expired, we will let you know immediately. Likewise, if we detect an issue with the bucket name, file name, or date, we will let you know that the URL is invalid:
img_1.png
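
A pre-flight check you can run on a presigned URL before pasting it, covering the same kinds of problems described above (expiry, bucket name, file name, date). This is an added example, not Canopy's screening code; it assumes a SigV4 presigned URL on a standard `amazonaws.com` S3 endpoint, and the function name and sample URL are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs, unquote

REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-Signature")
# Optional "<bucket>." prefix is virtual-hosted style; a bare "s3..." host is path style.
S3_HOST = re.compile(r"^(?:(?P<bucket>.+)\.)?s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")

def check_presigned_url(url, now=None):
    """Classify a SigV4 S3 presigned URL as ok/expired/invalid without fetching it."""
    now = now or datetime.now(timezone.utc)
    try:
        parts = urlsplit(url.strip())
        m = S3_HOST.match((parts.hostname or "").lower())
    except ValueError:
        return "invalid", {"reason": "not a URL"}
    if parts.scheme != "https" or not m:
        return "invalid", {"reason": "not an https S3 endpoint"}
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [p for p in REQUIRED if not q.get(p)]
    if missing:
        return "invalid", {"reason": "missing " + ", ".join(missing)}
    path = unquote(parts.path).lstrip("/")
    bucket, key = m.group("bucket"), path
    if not bucket:
        bucket, _, key = path.partition("/")
    if not bucket or not key:
        return "invalid", {"reason": "bucket or object key missing"}
    # Credential scope is <key id>/<yyyymmdd>/<region>/s3/aws4_request.
    scope = q["X-Amz-Credential"].split("/")
    if len(scope) != 5 or scope[1] != q["X-Amz-Date"][:8] or scope[3] != "s3":
        return "invalid", {"reason": "credential scope does not match date/service"}
    try:
        signed = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        lifetime = int(q["X-Amz-Expires"])
    except ValueError:
        return "invalid", {"reason": "malformed X-Amz-Date or X-Amz-Expires"}
    if not 1 <= lifetime <= 604800:  # SigV4 presigned URLs last at most 7 days
        return "invalid", {"reason": "X-Amz-Expires out of range"}
    expires_at = signed.replace(tzinfo=timezone.utc) + timedelta(seconds=lifetime)
    details = {"bucket": bucket, "key": key, "region": scope[2], "expires_at": expires_at}
    return ("expired" if now >= expires_at else "ok"), details

# Constructed sample: placeholder bucket, AWS documentation key id, zeroed signature.
SAMPLE_URL = ("https://example-bucket.s3.us-east-1.amazonaws.com/case-123/mail.zip"
              "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE"
              "%2F20240501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240501T120000Z"
              "&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "0" * 64)
```

A URL signed with temporary credentials stops working when those credentials expire, even if `X-Amz-Expires` has not elapsed, so an `ok` result is an upper bound on the URL's lifetime. The returned `region` lets you confirm the bucket is in the same AWS region as your tenant.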

Azure Storage Shared Access Signatures (SAS)

Canopy supports uploading files directly into your project from Azure Storage via shared access signatures (SAS). You can read about Azure SAS here. This upload method is similar to AWS presigned URLs and both methods have a number of benefits over uploading from the browser:

  • The upload is not browser session dependent. Refreshing the browser or shutting down your computer will not disrupt the process.
  • The upload is transferring directly between two major public internet cloud providers, Azure and AWS. The bandwidth is dependent on the network peering connections between these two providers and will bypass any routes on premises.
  • The signed URLs contain tokens that can be secured by allowed IP addresses, a date range, and read-only permissions.
  • The access rights can be revoked at any time.

Here is an example Azure Blob storage configuration screen where the signing parameters are configured and where the SAS tokens and URLs are created:

To begin the Azure SAS upload process, click on Upload using Azure Storage shared access signatures (SAS):

🥾 How to upload SAS URLs

To upload using SAS URLs, create your SAS URLs in the Azure interface. You can then paste the URLs individually, or as a group, into the SAS Token input box and press enter.

Pre-Upload Validation

Canopy will validate the URLs for the following errors before attempting the upload from Microsoft:

  • Invalid Token - This means what was pasted doesn’t appear to Canopy as a valid URL.
  • Expired Signature - This means that Azure will deny access to this URL if an upload is attempted.
  • Missing Signature - This means that the token is missing from the URL.

If any of these validations fail, the URL will be moved to the list under Invalid or Expired Tokens. Canopy will not attempt to download the URLs in this list.
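
The three pre-upload checks above, plus a check of the SAS restrictions listed earlier (allowed IP addresses, date range, read-only permissions), can be run locally on a group of URLs before pasting them. This is an added example, not Canopy's validation code; it assumes ad hoc SAS URLs that carry `se` in the query string (not a stored access policy), and the function names, storage account and signatures are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")  # forms of se=

def parse_expiry(se):
    for fmt in SE_FORMATS:
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue

def classify_sas(url, now):
    """Return (status, warnings); warnings flag a token wider than IP-bound, read-only, HTTPS."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "Invalid Token", []
    if parts.scheme != "https" or not parts.hostname or parts.path in ("", "/"):
        return "Invalid Token", []
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not q.get("sig"):
        return "Missing Signature", []
    expiry = parse_expiry(q.get("se", ""))
    if expiry is None or now >= expiry:
        return ("Invalid Token" if expiry is None else "Expired Signature"), []
    checks = [(q.get("sp") == "r", "not read-only (sp)"),
              ("sip" in q, "no allowed IP range (sip)"),
              (q.get("spr") == "https", "plain HTTP not excluded (spr)")]
    return "OK", [msg for ok, msg in checks if not ok]

def triage(pasted, now=None):
    """Sort a pasted group of SAS URLs into accepted and rejected lists."""
    now = now or datetime.now(timezone.utc)
    result = {"accepted": [], "rejected": []}
    for line in filter(None, map(str.strip, pasted.splitlines())):
        status, warnings = classify_sas(line, now)
        # Keep only scheme/host/path so the SAS token never reaches a log.
        entry = (line.split("?", 1)[0], status, warnings)
        result["accepted" if status == "OK" else "rejected"].append(entry)
    return result

BASE = "https://exampleacct.blob.core.windows.net/evidence/"  # constructed sample input
SAMPLE = "\n".join([
    BASE + "a.zip?sv=2022-11-02&sr=b&sp=r&se=2024-05-03T00:00:00Z&sip=203.0.113.10&spr=https&sig=FAKE",
    BASE + "b.zip?sv=2022-11-02&sr=b&sp=r&se=2024-04-01T00:00:00Z&sig=FAKE",
    BASE + "c.zip?sv=2022-11-02&sr=b&sp=r&se=2024-05-03T00:00:00Z",
    BASE + "d.zip?sv=2022-11-02&sr=b&sp=rwdl&se=2024-05-03&sig=FAKE", "not a url"])
```

A token that comes back `OK` with warnings will still upload, but it grants more than the transfer needs; regenerate it as read-only, IP-restricted and HTTPS-only before sharing.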

Upload Errors

Azure performs further validation and error checking. These errors will appear in the Upload Dashboard as Failed with the error message provided by Azure.

Web Browser

Uploading via the web browser is most convenient when your data is contained locally on the machine where you will initiate the upload. If you have a large upload bandwidth connection to the internet (1 GBS, for example), uploading multiple zips at a time will be very fast.

Supported File Sizes and Types
Upload via web browser is configured to support files up to 1 TB in size. Files larger than 1 TB will fail when the total upload exceeds 1 TB. Supported file formats include: .7z, .gz, .iso, .mbox, .pst, .rar, .vdi, .vhd, .vmdk, and .zip.

The downside of this method is that the network complexity is high and there are many organizations involved. Once you know your broadband speed, consider the following:

  • Your upload bandwidth purchased from your provider likely guarantees that upload speed only to the edge of their network. Consider if your provider has a peering connection with the AWS Region where Canopy’s tenant resides, and if they will guarantee the same upload speed to that connection. If your provider does not have a direct connection with AWS, you may be subject to bottlenecks introduced by third party ISPs.

  • A Wi-Fi connection should be avoided. Only in ideal conditions will 2.4 GHz Wi-Fi support up to 450 Mbps or 600 Mbps, and 5 GHz Wi-Fi up to 1300 Mbps. These are absolutely ideal conditions (for example, when you are standing right next to the router and there are no other devices connected or transferring data).

  • If you are connecting a remote drive within your company’s intranet, your speed will be limited by your computer’s connection to that remote drive. Uploading that data will require double the bandwidth, because it is first copied to your computer and then transmitted to Canopy.

  • If you are copying data from another cloud service, like Azure, for example, you will be downloading data from Azure and then uploading it to Canopy. Compared to uploading data that is local to your computer, you will be effectively cutting your bandwidth in half. Also, your upload speed will be limited by the download speed from your cloud service.

  • Uploading data from a portable USB thumb drive connected to your computer can also be a limiting factor if you are not using USB 3.0 or greater. USB 2.0 devices support a maximum transfer rate of 480 Mbps. If you are using a USB connected device, please make sure that the connection, cables, and peripherals all support USB 3.0.

Citrix Sharefile

If the compromised data is stored in Citrix Sharefile, you can upload this data directly from Citrix, bypassing your computer and corporate network. Citrix requires that file sizes are less than 100 GB. You authenticate directly with Citrix Sharefile, avoiding the need for Canopy to see or store passwords or keys. The transfer speed is dependent on the network connection between AWS and Citrix.

Microsoft Office 365

If you want to collect a compromised email box directly from Azure, you can use the Microsoft Office 365 connector. This collection bypasses your computer and corporate network. You authenticate directly with Microsoft, avoiding the need for Canopy to see or store your passwords or keys. The transfer speed is dependent on the network connection between AWS and Azure.

🥾 How to upload from a Microsoft Office 365 mailbox

By authenticating directly with Microsoft, you can initiate a cloud Azure-to-Amazon transfer that will continue to transfer data, even after you close your browser. You can select one or more email boxes to upload directly from MS Office 365.