Secure Data Transfer with FTP Alternative MFT
Although FTP still does loyal service despite its age, if you need to send sensitive data, you should consider managed file transfer.
Security concerns related to FTP were one factor behind a series of developments that produced Secure FTP, Secure Copy Protocol (SCP), FTP over SSL (FTPS), and SSH File Transfer Protocol (SFTP). Managed File Transfer (MFT) was added in 2008; with MFT, all files to be transferred are encrypted not only en route but also during storage on the server or on share points.
Core functionalities of MFT include secure transmission and data storage coupled with reporting and auditing of data activities. MFT differs from all other types of infrastructure in that it allows the transfer of very large files. Businesses use MFT over public networks to exchange large amounts of data with business partners across different sites, regions, and time zones safely, reliably, and quickly.
Regulatory Background
The protection of sensitive data should have high priority for any user. Whereas US citizens and businesses are guided by a “patchwork quilt of … sector-specific privacy laws” [The New York Times, February 2, 2013], members of the European Union are protected by Directive 95/46/EC, due to be updated for the digital age, with supplemental legislation in individual member countries (e.g., the Federal Data Protection Act of Germany).
Additional provisions, such as non-disclosure agreements (NDAs) and payment card industry (PCI) and International Organization for Standards (ISO) regulations, also inform data security. Finally, mandatory internal and external requirements, such as the Sarbanes-Oxley Act (SOX), PCI-DSS, ISO 27001, and Basel II, ensure technical and organizational compliance. Ultimately, each corporation must ensure that it encrypts data both in motion (during file transfer) and at rest, through safe (intermediate) storage.
Germany’s Federal Office for Security in Information Technology (BSI) makes some recommendations in its overview paper on online storage from November 2012 [in German], stating that, if sensitive data are transmitted over unsecured networks, consideration must be given to the use of reliable encryption methods. The BSI also explicitly mentions a particular function that is often offered in conjunction with MFT systems – cloud storage – on which users rely for file sharing or collaboration. Whereas individuals often use free Google tools or cloud services, such as Dropbox, Duplicati, and others, companies prefer more secure services and technologies alongside these offerings.
Managed File Transfer
All MFT solutions are similar: They consist of a server on which files of any size can be provided and a system that manages the access and usage rights. The main difference between MFT and insecure technologies is that files are encrypted for storage on the server and are not accessible to unauthorized persons. With MFT, the data is encrypted on the sender’s side, and only the authorized recipient can download and decrypt the files. Data is safe not only during transport, but also in temporary storage.
When choosing the encryption strength of the MFT system, you should opt for the secure 256-bit AES standard. Some solutions have an additional security option involving data segmentation, wherein the files are divided into small segments before transmission, transmitted in random order, and re-assembled by the recipient.
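The segmentation option described above, sketched as an added example (not code from any MFT product): the payload is assumed to be AES-256 ciphertext produced elsewhere, and the segment header layout, the HMAC-SHA256 tag per segment, and the function names are assumptions of this sketch. It shows what the recipient has to check before reassembly: tampered, duplicate, and missing segments.

```python
import hashlib
import hmac
import random
import struct

SEGMENT_SIZE = 16  # bytes; tiny on purpose so a short sample yields several segments
HEADER = struct.Struct(">II")  # assumed layout: segment index, total segment count
TAG_LEN = 32  # length of an HMAC-SHA256 tag


def split_segments(ciphertext: bytes, key: bytes, rng: random.Random) -> list[bytes]:
    """Cut ciphertext into authenticated segments and return them in random order."""
    chunks = [ciphertext[i:i + SEGMENT_SIZE]
              for i in range(0, len(ciphertext), SEGMENT_SIZE)] or [b""]
    segments = []
    for index, chunk in enumerate(chunks):
        body = HEADER.pack(index, len(chunks)) + chunk
        segments.append(body + hmac.new(key, body, hashlib.sha256).digest())
    rng.shuffle(segments)  # transmission order no longer reveals file order
    return segments


def reassemble(segments: list[bytes], key: bytes) -> bytes:
    """Verify every segment, then restore the original order; ValueError on any defect."""
    parts: dict[int, bytes] = {}
    total = None
    for seg in segments:
        if len(seg) < HEADER.size + TAG_LEN:
            raise ValueError("segment too short")
        body, tag = seg[:-TAG_LEN], seg[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("segment failed integrity check")
        index, count = HEADER.unpack(body[:HEADER.size])
        if total is None:
            total = count
        if count != total or index >= count or index in parts:
            raise ValueError("inconsistent or duplicate segment")
        parts[index] = body[HEADER.size:]
    if total is None or len(parts) != total:
        raise ValueError("missing segment")
    return b"".join(parts[i] for i in range(total))
```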
This method is known as “managed” file transfer because, generally, either the sender communicates the available file downloads by email, or the managing system runs checks against a personal overview. This function is used in many solutions as proof of the successful delivery of data to the receiver. Logging ensures additional security because logfile analysis can detect transmission errors or unclaimed downloads and inform the consignor accordingly.
Typically, you can also limit the validity of files. In this case, a file can be downloaded up to a certain date or only a certain number of times. These management functions, compared with FTP and the like, represent added value and allow reliable proof of delivery.
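An added example (not taken from any MFT product) of the management functions described above: a download link bound to its file, recipient, and expiry, a download counter, an audit trail that serves as proof of delivery, and a check for offers that expired unclaimed. The `Offer` record, the token format, and the demo key are assumptions of this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only by the MFT server


@dataclass
class Offer:
    file_id: str
    recipient: str
    expires_at: int      # Unix time after which the link is no longer valid
    max_downloads: int
    audit: list = field(default_factory=list)  # (time, event) tuples

    def claimed(self) -> int:
        """Number of successful deliveries recorded so far."""
        return sum(1 for _, event in self.audit if event == "delivered")


def make_link_token(offer: Offer) -> str:
    """Bind file, recipient and expiry together so the link cannot be edited."""
    msg = f"{offer.file_id}|{offer.recipient}|{offer.expires_at}"
    sig = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{sig}"


def redeem(offer: Offer, token: str, now: int) -> str:
    """Decide one download request and record the outcome in the audit trail."""
    if not hmac.compare_digest(token.encode(), make_link_token(offer).encode()):
        event = "rejected:bad-token"
    elif now > offer.expires_at:
        event = "rejected:expired"
    elif offer.claimed() >= offer.max_downloads:
        event = "rejected:limit-reached"
    else:
        event = "delivered"
    offer.audit.append((now, event))
    return event


def unclaimed(offers: list, now: int) -> list:
    """File IDs whose validity ran out without a delivery, so the sender can be told."""
    return [o.file_id for o in offers if now > o.expires_at and o.claimed() == 0]
```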
Email Integration
Documents sent by MFT via email are not subject to the usual size restrictions. When sensitive information or a large attached file is sent by the user, the email body and the attachment are decoupled. Only a link in the email refers to the attachment; physically, it usually remains encrypted in local storage on an MFT drive or server.
The email recipient can then download by clicking the link to the encrypted file on the sender’s MFT server. Integrated upstream authentication is also possible for highly confidential files, wherein the recipient logs on to an MFT portal and then downloads the file after their access credentials have been verified. Normally, the sender receives a message about the attachment being downloaded successfully.
A solution built into Exchange is capable of rules-based classification, wherein predefined policies determine, before transmission, whether a certain file is classified as confidential. Rules can be based, for example, on the sender address, recipient address, file type of the attachment, attachment size, or original location of the attachment. In this way, internal mail can be treated differently from external mail, for example. Some MFT solutions provide widgets for the reception of files from third-party companies, supporting file exchange through internal MFT servers.
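Rules-based classification over the attributes listed above (sender, recipient, file type, size, original location), as an added example rather than the rule engine of Exchange or any MFT product. The domain, paths, thresholds, and rule names are constructed, and the fail-closed default is a design choice of this sketch.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
SENSITIVE_TYPES = {".xlsx", ".docx", ".pdf"}  # constructed list of file types


@dataclass(frozen=True)
class Attachment:
    sender: str
    recipient: str
    filename: str
    size: int      # bytes
    origin: str    # path the file was attached from


def domain(address: str) -> str:
    """Lower-cased domain part of a mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external_document(a: Attachment) -> bool:
    suffix = PurePosixPath(a.filename).suffix.lower()
    return domain(a.recipient) != INTERNAL_DOMAIN and suffix in SENSITIVE_TYPES


# Constructed policy: (rule name, predicate, confidential?), evaluated top to bottom.
RULES = [
    ("hr-share", lambda a: fnmatchcase(a.origin.lower(), "/shares/hr/*"), True),
    ("finance-sender", lambda a: a.sender.lower().startswith("finance@"), True),
    ("large-file", lambda a: a.size > 10 * 1024 * 1024, True),
    ("office-docs-external", is_external_document, True),
    ("internal-mail", lambda a: domain(a.recipient) == INTERNAL_DOMAIN, False),
]


def classify(att: Attachment) -> tuple[str, str]:
    """Return (route, rule name); anything no rule matches fails closed to MFT."""
    for name, predicate, confidential in RULES:
        if predicate(att):
            return ("mft" if confidential else "inline", name)
    return ("mft", "default-deny")
```

Because confidential rules are listed before the internal-mail rule, an internal message that attaches a file from the HR share is still routed through MFT.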
Examples
An example of MFT software is Policy Patrol MFT, which integrates fully into all popular email systems and classifies the attachments in outgoing messages according to defined policies. Another solution that uses MFT as its transmission technology is ShieldShare, by Swedish manufacturer BlockMaster. An open source solution that uses MFT as its transmission technology, JADE (Job Scheduler Advanced Data Exchange, the successor to SOSFTP), was developed by programmers from Germany (SOS GmbH), France (Paris SOS), and Switzerland (SOS AG). JADE offers private users a safe alternative to services like Dropbox. With JADE (Figure 1), the user can select from a range of technologies for transferring files, including WebDAV, UNC, and ZIP.
Other solutions integrate with email systems and extend the email user front end with appropriate buttons. The user must decide whether to classify attachments as confidential and then enable the appropriate function before transferring. If this function is overlooked, the attachments are sent unencrypted.
This solution is problematic in terms of data protection, and the company is liable for security breaches if the user does not follow instructions or misclassifies the attachment, and sensitive data gets into the wrong hands as a result.
Wherever businesses and individuals have primarily used FTP to transfer files, an MFT solution can be quite useful as a standalone application. These MFT systems often work just like email applications and try to duplicate their usability. A local client or a web application is used to send files; the sender must authenticate and then can send the recipient an encrypted message in the style of an email message, including attachments. Once the MFT system has become part of the user’s daily grind, the overhead of duplicate administration of targets is something that speaks in favor of an integrated MFT system.
Collaboration and Sharing
MFT technology goes beyond secure data transfer in some of the solutions on offer today by unifying what are otherwise often parallel, isolated solutions, such as file sharing, e-collaboration, online storage, and secure data rooms. An overall solution that offers all of the MFT building blocks is not always useful and also not desired by each administrator. The software available on the market thus usually only provides partial solutions. Usability is often crucial for businesses. If MFT is not ergonomically integrated into standard applications, the extra overhead often causes users to work around the software or simply not use it.
In addition to MFT features for secure file sharing and secure data rooms, there is online storage that differs significantly from free services like Dropbox in that all data are encrypted for storage. Because these services are hosted by the company itself, they offer the option of saving files in a private cloud. They also consist of a system for data encryption, as well as access and rights management. If the user data is stored locally in a container, editing is also possible without an Internet connection. When a connection becomes available later, the data is then synchronized and possibly versioned accordingly.
Conclusions
Overall, MFT is capable of exchanging large volumes of encrypted data over insecure public networks. Additional management features enable comprehensive reporting and auditing, as well as proof of successful delivery. To ensure compliance with national and international laws and regulations, it must not be possible to bypass or manipulate the system or for a user to forget to employ the feature. Classification of the files to be sent should not be left to the user; rather, it should be handled automatically by policies. High usability and integration into existing workflows or standard applications like email also increase acceptance. File sharing, e-collaboration, and secure data rooms all use the basic functions of MFT, but each must be optimized for the application in question.