Securely Sharing Documents and Files in a Privacy Oriented World
A Guide to Managed File Transfer
If there is one topic we find ourselves talking about over and over again, it is the need to balance regulatory and compliance requirements with keeping teams and staff operationally effective.
Simply put, how can we transform security from a prohibitive exercise into one of enablement? An age-old question.
The most recent and best-placed example of this is the GDPR (General Data Protection Regulation), the famous European data protection regulation which requires greater care, control and justification from data controllers and processors alike whenever they share or process personal data and documents containing personal data.
Practices such as sending personal data in unprotected emails or over other insecure communication channels, which were once the norm, are now considered too risky.
Refocusing the question on file transfers and file sharing, it becomes: how can we continue to share data and documents in an effective manner, yet ensure an acceptable level of security?
What is Managed File Transfer?
Managed file transfer might be the answer.
Even if you are not familiar with the term, the chances are that you have used one of these types of solutions before, whether it was authorised or not... We will come back to that later. Some of the more recognisable brands offering managed file transfer services are Dropbox, HighTail and Ipswitch MOVEit.
The principle is simple. You wish to share a file which is inappropriate as a regular email attachment, whether that be for security or size reasons. Instead, you use a service whereby you can upload a file to a website and then share it, sometimes by using an invitation email. The recipient receives that email invitation or account details and is led back to the managed file transfer solution to collect the file.
- Security of the file has been maintained.
- The sending party never uses an insecure channel.
- The transfer is auditable.
In the past, this process may have been managed by an email attachment, USB memory stick or even an FTP server and site for the more ambitious. Today, those methods and channels are no longer considered secure or appropriate for modern work practices.
Did you know that Rapid7 research shows that there are still approximately 21 million FTP servers connected to the internet?
With variants of the same idea including EFSS (Enterprise File Synchronisation and Sharing), secure email platforms or file locker systems, managed file transfer solutions have been gaining in popularity for over a decade. In fact, Ipswitch MOVEit has been commercially available since 2003.
Where email has often been quoted as being the life-blood of a modern organisation, the age of big data challenges that traditional notion. For a second, consider how difficult it would be to remain operationally effective without the ability to transfer and share files.
Managed file transfer solution vendor and respected file transfer experts Ipswitch, in collaboration with Osterman Research, cite seven major issues with not using a managed file transfer solution:
- Sensitive files not being sent in a secure manner, often as a regular email attachment.
- IT departments cannot control the lifecycle of shared documents and files.
- A lack of auditability in the file transfer process.
- Transferred files may not be archived according to company policy.
- Users may seek to use shadow IT, or alternative unapproved transfer channels, as current practices are prohibited.
- Transferred files are often outside of the view of solutions such as DLP (Data Leakage Prevention).
- Possible lack of compliance with an industry standard or national legislation.
- Security - An MFT or managed file transfer solution enables the transfer of files using secure protocols that will encrypt content, both in transit and at rest. This is essential in order to maintain the confidentiality and integrity of files and documents as they pass from sender to recipient.
- Compliance - An MFT or managed file transfer solution allows an organisation to maintain compliance with the growing number of industry, legal and elective standards that are designed to protect sensitive information and personal data.
- Control - A key distinction of an MFT or managed file transfer system is the control that it provides over documents and files: their expiration, automated clean-up processes, who can access the content, where it can be sent, the ability to audit, etc.
- Integration with existing workflows - An essential element of a true MFT or managed file transfer solution is its ability to integrate with existing workflows. For example, a purchase order system that sends purchase orders and other documents to recipients must integrate seamlessly with this system to secure the sending action and maintain a high level of automation.
If the benefits of managed file transfer were not enticing enough, data protection law and information security standards are becoming more stringent on the transfer of sensitive data too, further increasing the adoption of such solutions.
Five Regulatory & Compliance Requirements
Below we have listed five of the most common compliance drivers and data protection laws which affect file transfers, and how managed file transfer can help.
Europe's shining star in the realm of data protection. Released in 2016, enforced from 2018, this regulation has been a hot topic for the past few years. Covering all organisations within Europe and those outside who process the personal data of anyone inside, it is without a doubt the most forward-thinking and disruptive data protection regulation in the world.
While not specific in recommending types of technology or solutions, the GDPR has six core principles (article 5) with regard to the collection and processing of personal data, one of which requires that personal data have its confidentiality and integrity guaranteed by state-of-the-art technological or organisational controls.
Again, the lack of specifics means that managed file transfer is not expressly required. However, if an organisation does share files and documents which contain personal data, it will need to be able to justify this action with appropriate controls. For example, encryption of files, guarantees of recipient identity, auditability and retraction (recall).
These are all features of a good managed file transfer solution.
Failure to comply with the GDPR could be met with corrective powers such as the prevention of further processing activities, public notification of breaches or audits by a supervisory authority.
In extreme cases where it is warranted, an organisation could be issued with a penalty of up to 2% of global revenue or 10,000,000 EUR; or up to 4% of global revenue or 20,000,000 EUR depending on the type of infraction.
Further reading: File Transfer and the GDPR eBook
The centre of the information security universe is the ISO 27001 certification. Much like the GDPR, ISO 27001 requires the building of foundational controls used in an information security management system, some of which may be technological and others organisational.
Over and above the due care of informational confidentiality and integrity, ISO 27001 requires a level of auditability. It is also worth noting that ISO 27001 has a much wider scope than the GDPR, focussing on not just personal data but all files and documents in use by the organisation.
Appropriate controls must be in place to protect the confidentiality, integrity and availability of files and documents wherever they are physically or in their lifecycle.
While there are no specific fines or repercussions for failing to adhere to the requirements of ISO 27001, you may fail to achieve accreditation or re-certification if you do not.
With the cost of certification and the associated costs of preparing for certification relatively high, failure to become accredited could be seen as a monetary penalty too large to stomach.
The American Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data and applies to any company that deals with protected health information (PHI).
The basic goal of HIPAA’s Security Rule is to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule is separated into three types of safeguards: administrative, physical, and technical.
Organisations can utilise managed file transfer and achieve HIPAA compliant data transfers by:
- Preventing unauthorized access to ePHI from users or software that do not have permissions. §164.312 (a)(1)
- Ensuring users can be tracked and any access or activity on information systems that use ePHI is recorded. §164.312 (a)(2)(i)
- Establishing electronic security protocols to insulate data in motion from unauthorized access as it is transferred across electronic networks. §164.312 (e)(1)
- Disconnecting electronic sessions based on predetermined rules. §164.312 (a)(2)(iii)
- Applying procedures to encrypt and decrypt data such as ePHI (electronic protected health information). §164.312 (a)(2)(iv)
- Demonstrating via electronic records that data has not been altered, compromised, or deleted without authorization. §164.312 (c)(2)
There are four categories of penalties: the type of penalty depends on whether or not the organization was negligent in following HIPAA and whether or not the violation in question was avoidable even with proper HIPAA compliance.
Depending on the category the violations fall into, fines vary from $100 per violation (i.e. per record compromised) to $50,000 or more.
PCI-DSS (Payment Card Industry’s Data Security Standard) is a regulation created for any organisation that stores or processes payment card information, to increase controls and ultimately reduce fraud.
The PCI DSS standard currently consists of 12 requirements and over 200 sub-requirements. Key requirements found within the standard include encrypting data in transit and at rest, controlling access and permissions to cardholder data and maintaining secure systems and networks. The most current version of the data security standard at time of writing is version 3.2.1, released in May of 2018.
Managed file transfer solutions are not necessarily required by PCI-DSS requirements, however the usage of one in a card data environment comes with a number of requirements to fulfil.
For example, there are strict requirements on using encryption for card data stored in the solution, encrypted transmission channels for card data being transferred, authentication and password complexity requirements and considerations for how a managed file transfer solution is tested for vulnerabilities.
Automated managed file transfer solutions are particularly popular in card data environments as a tried and tested mechanism for creating automated processing workflows. With some managed file transfer solution vendors having worked in this space for over a decade, many of their features have been created specifically for this data security standard.
Take for example secure deletion capabilities such as those defined in NIST SP 800-88, or how encryption keys are stored in the solution: often re-encrypted and placed into a tamper-evident database.
Further reading: How to Create a PCI-DSS v3.2.1 Compliant MFT Solution.
Did you know that the cryptography requirements of PCI-DSS are changing from the 30th of June 2018?
ITAR (International Traffic in Arms Regulations) is a set of regulations created by the United States which serves to control how defence-related articles and services on the USML (US Munitions List), as well as related technical data, are transferred.
In essence, it states that any items listed on the USML can only be shared with United States citizens, unless special authorization or exemptions have been previously created.
Critically, to maintain ITAR compliance, organisations must make sure that files and documents being shared are not accidentally distributed to foreign persons or people from foreign nations. In the case of managed file transfer solutions, strong authentication, permissions and retraction capabilities are key components.
In conclusion, a managed file transfer solution may be a requirement to mitigate risk or meet one of your obligations under a number of standards and data protection laws.
Combating Shadow IT
So far, we have made a number of references to shadow IT without going into too much detail about its definition or why it is such a threat to IT departments.
IT departments must support the needs of the organisation while also keeping sensitive documents and files safe, managing risks of disparate systems, tracking where files and documents are transferred, and responding to compliance and regulatory requirements.
At the same time, where they are not being given the tools they require to do their jobs, some users and departments are taking IT into their own hands and integrating new technologies without formal permission.
Commonly referred to as shadow IT, these rogue deployments often lack baseline security controls and can be very difficult to discourage once embedded into an organisation. Perhaps the most common example of the application of unwanted consumer technology in the enterprise is the transfer of large files.
One way IT can eliminate the need for rogue file-moving technologies is by using a managed file transfer solution.
In the 2016 edition of their "Top 10 cloud security predictions", Gartner predicted that by 2020, one third of successful attacks experienced by enterprises will be on their shadow IT resources.
Gartner also highlighted that, by 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.
The main challenge with shadow IT often comes with providing users with an authorised and controlled service which matches the ease and features provided by the unauthorised one.
Any managed file transfer solution adopted by an organisation must be able to match the capabilities and ease-of-use provided by the equivalent shadow IT application which was being used, in order to reduce its usage.
Top Features to Look for in an MFT Platform
When looking for a managed file transfer solution, there are a number of features and options available, depending on requirement and budget. We have assembled what we think are the features that should exist at the top of your list, regardless.
Encryption - Both at rest and in motion to ensure the confidentiality of sensitive files and documents. Choose a managed file transfer solution which encrypts all files at rest with a strong cipher and key length, ideally AES 256-bit or above. US and Canadian based organisations are likely to require any solution using encryption to be certified by NIST (National Institute of Standards and Technology) under FIPS 140-2. This may not be a requirement for non-US/Canadian organisations but keep it in mind as a rubber-stamp for good encryption practices and key management in the solution. For file confidentiality in motion, you should choose a managed file transfer solution which supports secure transfer protocols such as SFTP or HTTPS/SSL. Support for insecure channels such as FTP may be necessary for legacy applications; in this case, the solution should have the ability to restrict this channel to specific IP addresses or user accounts only.
Strong and varied authentication options - For an effective workflow, your users are unlikely to want to use a separate account with yet another password. Any managed file transfer solution worth its cost will be able to connect to your existing user repositories as an authentication source. LDAP and Microsoft Active Directory support are great starts; SAML and federated identities are even better and future-proof you for technologies like Azure AD. The solution should be able to enforce strong password requirements, require passwords to be reset after an allotted time and include a two-step authentication process, often known as multi-factor authentication or two-factor authentication.
Irrefutable auditing and logging - One of the main reasons for using a managed file transfer solution is for better oversight and control of the movement of files and documents. Any action taken to transfer a document or file should therefore be audited for later reference or scrutiny. That log should ideally be irrefutable, by using techniques which guarantee its contents are correct. This is often known as tamper-evident and can involve hashing or logging database records and sequence numbering. Where the transfer of files and documents can have legal ramifications, you will need to ensure that the information you have to hand is both correct and can be used to demonstrate either compliance or adherence.
Integration capabilities - It is often said that no man is an island, with regard to the power of teamwork. The same can be said of IT security solutions. Your solutions work best together rather than in isolation, for better context and power. When it comes to file transfer, there are two technologies which you should be interested in integrating with: DLP (Data Leakage Prevention) and AV (Antivirus) software.
Ease-of-use - The quickest way to stop users from endorsing and supporting a new application or solution is to make it too difficult to use. Therefore, choosing a solution which is both accessible and intuitive is of high importance. File transfer as a topic is fraught with an endless war with shadow IT, where users will use other solutions which are often unauthorised in order to complete a task. Take for example an email server which is configured to prevent attachments over a specified size. Users who come up against this problem will use personal transfer sites like Dropbox or webmail clients such as Gmail to complete their task. This can cause issues with compliance, control and data protection.
Automation - Any task which is repeated multiple times should in principle be automated. Where file transfers are regular and organised, a managed file transfer solution should be able to execute these tasks without human interaction. These workflows can be complicated, have multiple logical outcomes depending on conditions and should be able to report any errors or problems encountered. Most importantly, an automated file transfer should not afford any less security than a human-initiated one.
Cost of ownership - Last but certainly not least is budget. All solutions are going to have a cost, whether that be freeware, perpetual licenses or a subscription. In any case, it is important to be able to quantify the cost of ownership over a long period of time. There are a number of managed file transfer solutions available, all with differing licensing models. Avoid those with unpredictable cost models, such as those which charge per user account for external parties and give preference to those which have fixed cost models.
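One way to build the tamper-evident log described under "Irrefutable auditing and logging" above, combining hashing with sequence numbering. This is an added example, not code from any managed file transfer product; the event fields, the demo key and all function names are assumptions made for illustration, and the sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first record
DEMO_KEY = b"constructed-demo-key-kept-outside-the-log-store"  # assumption


def record_mac(seq, prev_mac, event, key):
    """Keyed hash over sequence number, previous MAC and event contents."""
    body = json.dumps({"seq": seq, "prev": prev_mac, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_event(log, event, key):
    """Append one transfer event, chained to the record before it."""
    seq = len(log) + 1
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = {"seq": seq, "prev": prev_mac, "event": event,
              "mac": record_mac(seq, prev_mac, event, key)}
    log.append(record)
    return record


def verify_log(log, key, head=None):
    """Return (position, problem) findings; an empty list means intact.

    head is an optional (record_count, last_mac) pair stored away from the
    log itself. Without it, records cut from the end cannot be detected.
    """
    findings = []
    prev_mac = GENESIS
    for pos, rec in enumerate(log, start=1):
        if rec.get("seq") != pos:
            findings.append((pos, "sequence gap or reordering"))
        if rec.get("prev") != prev_mac:
            findings.append((pos, "broken link to previous record"))
        expected = record_mac(rec.get("seq"), rec.get("prev"),
                              rec.get("event"), key)
        if not hmac.compare_digest(expected, str(rec.get("mac"))):
            findings.append((pos, "record contents altered"))
        prev_mac = rec.get("mac")
    if head is not None:
        last_mac = log[-1]["mac"] if log else GENESIS
        if (len(log), last_mac) != tuple(head):
            findings.append((len(log), "log does not match anchored head"))
    return findings


def build_sample_log(key=DEMO_KEY):
    """Constructed sample: one file's lifecycle in a transfer system."""
    events = [
        {"time": "2018-06-01T09:00:00Z", "action": "upload",
         "user": "alice", "file": "payroll.xlsx"},
        {"time": "2018-06-01T09:01:10Z", "action": "share",
         "user": "alice", "file": "payroll.xlsx",
         "recipient": "bob@example.com"},
        {"time": "2018-06-01T10:15:42Z", "action": "download",
         "user": "bob@example.com", "file": "payroll.xlsx"},
        {"time": "2018-06-08T09:00:00Z", "action": "expire",
         "user": "system", "file": "payroll.xlsx"},
    ]
    log = []
    for event in events:
        append_event(log, event, key)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = (len(log), log[-1]["mac"])       # anchored outside the log store
    print("intact:", verify_log(log, DEMO_KEY, head))
    log[1]["event"]["recipient"] = "someone.else@example.net"
    print("edited:", verify_log(log, DEMO_KEY, head))
    del log[2]
    print("edited and deleted:", verify_log(log, DEMO_KEY, head))
```

A keyed hash is used rather than a plain hash so that someone with write access to the log store alone cannot recompute the chain after an edit.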
Cloud vs. Self-Hosted
As a solution type which has been around for some time, managed file transfer has always lent itself well to on-premise deployments, whereby the software and the server it is hosted on are owned and managed by the purchasing organisation.
But has the trend towards cloud-based technology changed this?
There are some obvious benefits to on-premise deployments:
- All files and encryption keys are held on-site and their security is dependent on the host organisation.
- There is no requirement to draw up contracts or data processing agreements with third parties.
- Access to sensitive documents and files is controlled by the host organisation.
- Integration with services and solutions which should not be exposed to non-internal devices and servers.
As time has progressed and cloud usage has been normalised by even the largest and most sensitive organisations, the adoption of cloud-based managed file transfer solutions has increased too, somewhat proliferated by the commercial and private managed file transfer solutions available on the internet, such as Dropbox, OneDrive and Google Drive.
This model is sometimes referred to as SaaS (Software as a Service).
The benefits of a cloud approach can include:
- A reduction in operating costs, as there is often no need to have experienced members of staff who can configure and manage the platform.
- The benefit of a larger deployment in the cloud, which will often have guaranteed up-time statistics and failover capabilities.
- Hardened and strengthened host data centres, which could have security in excess of your own.
- Simplified implementation, as the roll-out of cloud applications tends to be quicker and simpler.
While the march toward the cloud has been particularly strong, it has been led, at least initially, from a budgetary standpoint, with cloud solutions offering lower initial running costs via flexible licensing and subscriptions. There exist a number of challenges, particularly with data protection and the wider security aspect, which are not always easily overcome.
Organisations who deal with highly sensitive files and documents, or significant quantities of personal data, will wince at placing their biggest risk factors in an environment they do not fully control.
This has led to a middle ground appearing in the form of a "private cloud", a location which inherits cloud-like capabilities such as being located off-site and accessible through the internet, yet overriding control of the application/solution and host servers is held by the organisation. In effect, only the infrastructure is managed by a third party.
Colloquially, it has become known as IaaS (Infrastructure as a Service) and is commonly provided through service providers such as Microsoft Azure, Amazon AWS and Google Cloud, to name a few.
Any managed file transfer solution selected should ideally be able to leverage any or all three of the discussed environments.
How to Continue Working with Legacy Systems
Whether it be legacy systems or legacy partners, the challenge of misalignment in practices and security standards can be tough.
Managed file transfer is an evolution of the humble FTP server, prolifically used both historically and today for the transfer of files and documents. While the vulnerability of an insecure transfer channel and the adoption of newer technology have pushed many to abandon FTP, there are those who still rely on these legacy systems.
In a perfect world, it would be desirable to cast the unevolved aside as a difficult and unwanted problem. However, this is a position which is often impossible to take up.
Most managed file transfer solutions will offer the possibility of enabling legacy and insecure transfer protocols and channels such as FTP. In fact, many managed file transfer solutions are likely to have started their lives as a simple FTP server.
There are a couple of methods you can adopt to ensure that FTP channels are being kept as secure as possible.
- Limit the IP addresses and user accounts which can use FTP as a file transfer protocol or channel.
- Implement FTPS, which introduces SSL to secure the communication channel.
While neither is better than moving to SFTP or a more secure transfer protocol, needs must when working with external parties.
Five Managed File Transfer Adoption & Usage Tips
Selecting a managed file transfer solution is the easy part. Gaining user adoption and widespread use is much more difficult.
Here are our top five recommendations for adoption and continued usage:
- Branding and customisation - It may seem a non-critical requirement, but the addition of a logo, branding colours, local languages and other finishing touches embeds a solution into your organisation. After all, if you had an employee uniform, wouldn't you expect each employee to wear that uniform?
- Leverage existing user repositories - Put simply, don't make your users create yet another username and password; federate the authentication process by connecting to something like Microsoft Active Directory. There are mutually beneficial reasons for both administrator and user alike. Users want as smooth an experience as possible, and having a centralised identity prevents forgotten passwords and confusion. In addition to this, when asked to create separate accounts, users will often choose repeated or simple passwords, increasing the risk of credential theft or unauthorised access. If that isn't enough reason, systems with separated accounts typically have a higher rate of IT support tickets asking for password resets.
- Automate repeatable tasks such as user creation - When your users want to share a file or document, the last thing they want to have to do as a result, is to create a recipient account, define permissions and share that account with the intended recipient. It adds additional overhead to something which can be automated. A managed file transfer solution should be able to create said account and deliver it automatically based on predefined policies. It should also be able to remove that account automatically, once it is no longer required.
- Keep options open - Don't limit your options and thus make something which was intended to bring flexibility, become inflexible. This goes for file transfer protocols, permission sets, solution features and customisations. No workflow is ever the same and equally, no IT team ever truly knows every workflow which is taking place in the network. It is almost guaranteed that a method of file and document sharing which you thought didn't take place, probably does; and to reduce the use of shadow IT, your managed file transfer solution is going to need to be able to replace it.
- Empower your users - Users do not want to constantly ask for IT support; and if you have ever watched Channel 4's The IT Crowd, you would know that IT support would prefer that users did not ask so many questions. Where users can complete tasks themselves without escalation, happy users and IT support staff co-exist. Read receipts for sent files and documents; viewable audit logs for owned files; and limited scope administrator capabilities can both empower users and make them more efficient.
Of course, the challenges and subsequent tips for managed file transfer deployments and solutions can differ depending on case and industry type.