Secure data transfer with FTP alternative MFT
Transport Insurance
Security concerns related to FTP were one factor that produced a series of developments leading to the Secure FTP, Secure Copy Protocol (SCP), FTP over SSL (FTPS), and SSH File Transfer Protocol (SFTP). A new addition was made in 2008, Managed File Transfer (MFT), in which all files to be transferred are encrypted not only en route but also during storage on the server or on share points.
Core functionalities of MFT include secure transmission and data storage coupled with reporting and auditing of data activities. MFT differs from all other types of infrastructure in that it allows the transfer of very large files. Businesses use MFT over public networks to exchange large amounts of data with business partners across different sites, regions, and time zones safely, reliably, and quickly.
Regulatory Background
The protection of sensitive data should have high priority for any user. Whereas US citizens and businesses are guided by a "patchwork quilt of … sector-specific privacy laws" [1], members of the European Union are protected by Directive 95/46/EC [2], due to be updated for the digital age [3], with supplemental legislation in individual member countries (e.g., the Federal Data Protection Act of Germany [4]).
Additional provisions, such as non-disclosure agreements (NDAs) and payment card industry (PCI) and International Organization for Standards (ISO) regulations also inform data security. Finally, mandatory internal and external requirements, such as the Sarbanes-Oxley Act (SOX) [5], PCI-DSS [6], ISO 27001 [7], and Basel II [8], ensure technical and organizational compliance. Ultimately, each corporation must ensure that it encrypts data in motion (for file transfer) and at rest, thanks to safe (intermediate) storage.
Germany's Federal Office for Security in Information Technology (BSI) makes some recommendations in its overview paper on online storage from November 2012 [9]: "If sensitive data are transmitted over unsecured networks, consideration must be given to the use of reliable encryption methods." The BSI also explicitly mentions a particular function that is often offered in conjunction with MFT systems – cloud storage – on which users rely for file sharing or collaboration. Whereas individuals often use free Google tools or cloud services, such as Dropbox, Duplicati, and others, companies prefer more secure services and technologies alongside these offerings.
Managed File Transfer
All MFT solutions are similar: They consist of a server on which files of any size can be provided and a system that manages the access and usage rights. The main difference between MFT and insecure technologies is that files are encrypted for storage on the server and are not accessible to unauthorized persons. With MFT, the data is encrypted on the sender's side, and only the authorized recipient can download and decrypt the files. Data is safe not only during transport, but also in temporary storage.
When choosing the encryption strength of the MFT system, you should opt for the secure 256-bit AES standard. Some solutions have a additional security option involving data segmentation, wherein the files are divided into small segments before transmission, transmitted in random order, and re-assembled by the recipient.
This method is known as "managed" file transfer because, generally, either the sender communicates the available file downloads by email, or the managing system runs checks against a personal overview. This function is used in many solutions as proof of the successful delivery of data to the receiver. Logging ensures additional security because logfile analysis can detect transmission errors or unclaimed downloads and inform the consignor accordingly.
Typically, you can also limit the validity of files. In this case, a file can be downloaded up to a certain date or only a certain number of times. These management functions, compared with FTP and the like, represent added value and allow reliable proof of delivery.
Email Integration
Documents sent by MFT via email are not subject to the usual size restrictions. When sensitive information or a large attached file is sent by the user, the email body and the attachment are decoupled. Only a link in the email refers to the attachment; physically, it usually remains encrypted in local storage on an MFT drive or server.
The email recipient can then download by clicking the link to the encrypted file on the sender's MFT server. Integrated upstream authentication is also possible for highly confidential files, wherein the recipient logs on to an MFT portal and then downloads the file after their access credentials have been verified. Normally, the sender receives a message about the attachment being downloaded successfully.
A solution built into Exchange is capable of rules-based classification, wherein predefined policies determine, before transmission, whether a certain file is classified as confidential. Rules can be based, for example, on the sender address, recipient address, file type of the attachment, attachment size, or original location of the attachment. In this way, internal mail can be treated differently from external mail, for example. Some MFT solutions provide widgets for the reception of files from third-party companies, supporting file exchange through internal MFT servers.