Authored by: John Yang, Vice President Asia Pacific and Japan, Progress
Cybersecurity has never been such a hot topic. The recent spate of sophisticated ransomware attacks has highlighted the potential vulnerability of every aspect of enterprise IT, bringing into question the ability of organisations to protect their vital data as they conduct their business.
Cyber criminals are constantly seeking way to intrude into the IT infrastructure of businesses, and it is obvious that the file transfer process is a magnet for bad actors. Organisations cannot function without moving data internally and externally; files have to be transferred among departments, partners, customers and systems, and while the data is on the move, it is potentially open to attack. A significant breach earlier this year at Singtel, Singapore’s largest telco, resulted from the hacking of a third party file-sharing system. The hack was part of a wider global breach of the File Transfer Appliance (FTA) file-sharing system that affected other organisations around the world, including New Zealand’s central bank, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the US.
Such vulnerabilities are why traditional methods of file transfer such as the FTP standard have been replaced more recently by Managed File Transfer (MFT) software. MFT solutions provide secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA, and GDPR – crucially important as organisations need to provide audit trails to protect themselves in the event of a data breach.
IT departments are rightly paranoid about security. MFT users are metaphorically always looking over their shoulders for the next inbound attack, and asking themselves if their system can ever be secure enough. Perhaps surprisingly, the answer to this question is actually quite simple: how secure does the organisation need it to be?
Every organisation’s security protocols are different. They may be based on external rules imposed by regulators or they may be their own best practices, but they will always differ from one another. It is easy to say that everyone should be implementing the best possible security but in reality that almost never happens. This may seem shocking but a number of factors come into play, including cost, convenience and even a level of ignorance about possible vulnerabilities. The fact is that MFT security cannot and indeed should not be a one-size-fits-all feature; it depends on figuring out how much security the organisation needs, how much it can afford, and how much will be tolerated by the users.
When an organisation decides on implementing an MFT system, an important consideration is how much choice is provided. For example, all MFT solutions on the market will encrypt files in transit but not all will also encrypt those files at rest. Some will, but at an additional cost. And although it sounds insecure, some MFTs will let you choose whether or not to encrypt at all. This is actually not unreasonable - if for example the organisation is using MS Azure Blob hosts to store its data, then Microsoft automatically encrypts it. However, not everyone will trust Microsoft’s own encryption and others may be put off by the need to keep re-encrypting and de-encrypting the data every time it’s accessed, which can lead to a deterioration in performance.
The same consideration applies with features such as security-question-based password resets or Multi-Factor Authentication (MFA). These may or may not be appropriate for the organisation, but if the MFT solution doesn’t offer the choice of whether to use them, it is unlikely to meet the company’s specific security needs.
Security and encryption are no-brainers for MFT, but other features should also be considered. Here are three of the best security features that can prevent a breach.
An Audit Trail That Exposes Tampering
If the organisation operates under regulations like HIPPA, GDPR, CCP, SOX or PCI-DSS, this is a requirement. Organisations may be required to prove that a particular data transfer was kept constantly secure and that access was confined to authorised individuals. To meet this requirement, data must be kept encrypted both in transit and at rest. A report must be generated that shows this together with details of anyone who accessed that data. The MFT system should automatically produce this kind of report, which can be shown to auditors, and also confirm there weren’t any data breaches. This is a worthwhile feature even if it is not mandatory for the organisation, because it always shows what happened, if anything, and when.
Multi-Factor Authentication (MFA)
This feature obliges one to balance user convenience with real security value. It can be a troublesome procedure to follow, but it definitely provides the greatest level of security. MFA confirms that the individual logging in is actually the person entitled to do so. It requires something they know (login and password) with something they have (their phone or token generator, for example). This means a stolen password by itself is useless, because the thief also needs access to the user’s phone or authenticator app. Microsoft has more than 300 million Azure systems which bad actors are constantly probing. The only thing that kept them out 99.9% of the time was MFA. If organisations do nothing else to enhance their security posture, they should implement MFA – it will do more to prevent intrusions than the next ten security methods combined.
Regularly Rotate Data Encryption Keys
Data encryption keys unlock the doors to all the data on your MFT. If an unauthorised individual can get hold of them, they can access everything – probably without the organisation’s knowledge. It is sound security policy to rotate them regularly - that is in fact a PCI-DSS recommended best practice. The MFT solution must not only allow the encryption keys to be securely and easily rotated from within the interface, but also provide a way of tracking the status of key changes. Ideally, it should include a feature that rotates them automatically so the organisation is never vulnerable.
These three tips are just the start. There are dozens more features, functions and best practices companies can implement to prevent intrusions. And each one will come with different trade-offs. Organisations need to consider whether, for example, it is worth hosting the MFT in the cloud.
They must ask themselves if users will tolerate an enforced policy acceptance before they log in? Will customers demand onboarding or access faster than the security procedures will allow? Only the organisation itself can answer these questions. Businesses must regularly reassess their security procedures and how well users are complying with them. This will help find the equilibrium between making the MFT secure while not locking it down so much as to make it irritating or even useless for the users. It’s the security goldilocks zone – between not too paranoid and not paranoid enough, only you can tell when your paranoia is just right.