Managed File Transfer solutions can be cumbersome and costly. Here are ways to determine if your organization can benefit without pain …
Cybercriminals are constantly seeking way to intrude into the IT infrastructure of businesses, the file transfer process is a magnet for bad actors.
Organizations cannot function without moving data internally and externally: files have to be transferred among departments, partners, customers and systems, and while the data is on the move, it is potentially open to attack.
A significant breach earlier this year at Singapore’s largest telco, Singtel, resulted from the hacking of a third party file-sharing system. The hack was part of a wider global breach of the File Transfer Appliance (FTA) file-sharing system that has affected other organizations around the world, including New Zealand’s central bank, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the US.
Such vulnerabilities are why traditional methods of file transfer such as the FTP standard have been replaced more recently by Managed File Transfer (MFT) software. MFT solutions provide secure collaboration and automated file transfers of sensitive data, and advanced workflow automation capabilities without the need for scripting.
Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA, and GDPR – crucially important as organizations need to provide audit trails to protect themselves in the event of a data breach.
Is MFT suitable for your corporation?
Every organization’s security protocols vary based on factors such as external rules imposed by regulators, internal best practices and so on. A number of other factors come into play, including cost, convenience and even a level of ignorance about possible vulnerabilities.
Whether MFT security cannot can fit into any firm will depend on figuring out how much security the organization needs, how much it can afford, and how much inconvenience will be tolerated by the users.
Some important considerations are:
- Benefits vs Cost vs Risk ratios: for example, all MFT solutions on the market will encrypt files in transit but not all will also encrypt those files at rest. Some will, but at an additional cost. And although it sounds insecure, some MFTs will let you choose whether or not to encrypt at all. This is actually not unreasonable: if for example the organization is using MS Azure Blob hosts to store its data, then Microsoft automatically encrypts it. However, not everyone will trust Microsoft’s own encryption and others may be put off by the need to keep re-encrypting and de-encrypting the data every time it is accessed, which can lead to a deterioration in performance.
The same consideration applies with features such as security-question-based password resets or Multi-Factor Authentication (MFA). These may or may not be appropriate for an organization, but if the MFT solution does not offer the choice of whether to use them, it is unlikely to meet the company’s specific security needs. Security and encryption are no-brainers for MFT, but other features should also be considered.
- Provision of forensic audit trails: For organization operating under regulations like HIPPA, GDPR, CCP, SOX or PCI-DSS, it is already a requirement to prove that data transfers are kept constantly secure and that access is confined to authorized individuals. To meet this requirement, data must be kept encrypted both in transit and at rest. A report must be generated that shows this together with details of anyone who accessed that data. The MFT system should automatically produce this kind of report, which can be shown to auditors, and also confirm there were no data breaches. Even if it is not mandatory for an organization, MFT can be a worthwhile feature because it always shows what happened (if anything) and when.
- User convenience vs Security: MFT solutions need to balance user convenience with real security value. Functions such as MFA ensure that any individual logging in is actually the person entitled to do so. This means a stolen password by itself is useless, because the hacker will also needs access to the user’s phone or authenticator app. If organizations do nothing else to enhance their security posture, they should implement MFA: it will do more to prevent intrusions than the 10 security methods combined.
- Regular rotation of data encryption keys: Unauthorized individuals that can get a hold of an MFT solution’s data encryption keys will be able to access everything—probably without the organization’s knowledge. Therefore a good MFT solution must involve regular rotations of data encryption—a PCI-DSS recommended best practice. It must also provide a way to track the status of key changes. Finally, it should include a feature that automations the processes automatically so the organization is never vulnerable.
- No one size fits all: Many more considerations, features, and best practices involving MFT will need to be considered as an organization grows, and each MFT usage scenario will come with different trade-offs in different corporate circumstances. For example, organizations need to consider whether it is worth hosting the MFT in the Cloud. They must ask themselves if users will tolerate an enforced policy acceptance before they log in. Will customers demand onboarding or access faster than the security procedures will allow? Only the organization itself can answer these questions.
Businesses must regularly reassess their security procedures and how well users are complying with them. This will help find the equilibrium between making the MFT secure while not locking it down so much as to make it irritating or even useless for the users. It is the security goldilocks zone: between ‘not too paranoid’ and ‘not paranoid enough’, only detailed introspection and consensus within the leadership can tell when the level of paranoia about file transfer security is ‘just right’.