Protecting Your Data At Rest – What Are Your Options?

Modern Managed File Transfer (MFT) solutions provide several ways to protect data. In addition to using secure protocols for data in transit, and protection against DDoS, hammering and brute-force attacks, many solutions provide mechanisms for securing files at rest while they are awaiting collection or processing.

Protecting data at rest

Protecting the files at rest can be achieved in several ways, with the most common being:

  • Writing to an Encrypted File store
  • Encrypting Data using PGP or similar
  • Securing them in another network segment

Encrypted File store

Encrypted file stores either leverage native operating system encryption such as Windows EFS (Encrypting File System), or use the MFT product's own encryption to secure the files held in the solution's data area. Files are encrypted before they are written to disk, and the keys are held and managed by the solution itself, so there is no key handling for administrators or end users to perform. Decryption is also done on the fly when a file is downloaded through the software. Browsing to the storage location from the operating system may show either the real file names or an anonymised series of files. The downside of this method is that data written to a Windows share in this way is not accessible to other applications except through the solution itself, i.e. via an API. Bear in mind that encryption at rest of this kind protects against loss of the disks or backup media and against someone reading the raw files from the operating system; it does not protect against a user or process that has valid access through the MFT application, because the solution will decrypt on their behalf.

If your MFT solution does not support encryption at rest natively, there are several network storage devices which can present encrypted storage as a normal CIFS/SMB share. Using one of these as storage for your MFT solution will protect your data from physical theft of the disks, but it will not by itself protect against access by internal users or systems, because the share is presented to them in clear. Not all MFT solutions can be integrated with this type of encrypted storage device.

Use PGP

Another popular method is to secure the data using PGP. PGP gives you the option of encrypting a file outside of the MFT solution, on the sending system, for full end-to-end security: the MFT server then only ever handles ciphertext. Alternatively, most MFT solutions support PGP encryption and decryption of incoming and outgoing files. PGP encryption applied by the MFT system is triggered once a file has been successfully uploaded. Once the file is PGP encrypted, it can be sent on to a remote system where it will need to be decrypted with the corresponding private key. While this process has many positives, most MFT solutions cannot PGP encrypt a stream as it arrives: the solution must wait for the file to be uploaded and stored unencrypted before it attempts to PGP encrypt it. This means there is a short period where the file sits on the storage in an unencrypted state, and only once the encryption has completed successfully is the unencrypted version deleted. As the encryption itself takes only a few seconds, the window of exposure is small and many organisations accept the risk of temporarily unencrypted data. Two points are worth checking with your vendor before you do: the window also includes the upload time, which for a large file over a slow link can be minutes rather than seconds; and whether the plaintext is securely overwritten or simply unlinked, since a normal delete leaves the file's blocks recoverable from the disk until they are reused.
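The exposure window described above is worth checking rather than assuming. The following is an added example, not code from the original post or from any MFT product: a Python sweep of the landing directory that flags any file which has outlived a grace period without becoming a PGP message. It identifies PGP messages from the file contents rather than the file extension, using the OpenPGP packet header rules from RFC 4880; the landing directory path, the grace period and the sample files used in testing are assumptions for the example.

```python
import time
from pathlib import Path

# Assumptions for this example: where the MFT server lands uploads before the
# post-upload PGP step runs, and how long that step is allowed to take.
LANDING_DIR = "/var/mft/landing"
GRACE_SECONDS = 60

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags (RFC 4880, section 4.3). An encrypted message begins
# with a session-key packet: 1 = public-key ESK, 3 = symmetric-key ESK.
ENCRYPTED_SESSION_KEY_TAGS = {1, 3}


def openpgp_packet_tag(first_byte: int):
    """Decode the packet tag from the first byte of an OpenPGP packet header.

    RFC 4880 section 4.2: bit 7 must be set; bit 6 selects the new format
    (tag in the low six bits) or the old format (tag in bits 2-5).
    Returns None if the byte cannot be a packet header at all.
    """
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F


def looks_pgp_encrypted(head: bytes) -> bool:
    """Heuristic: does the start of the file look like a PGP-encrypted message?

    Accepts ASCII-armoured messages and binary messages whose first packet is
    a session-key packet. Signed-only or compressed-only PGP data (tags 2, 4,
    8, 11) is deliberately treated as NOT encrypted. A random binary whose
    first byte happens to decode to tag 1 or 3 is a possible false positive,
    so treat a clean sweep as evidence, not proof.
    """
    if head.startswith(ARMOR_HEADER):
        return True
    if not head:
        return False
    return openpgp_packet_tag(head[0]) in ENCRYPTED_SESSION_KEY_TAGS


def find_exposed_plaintext(landing_dir, grace_seconds=GRACE_SECONDS, now=None):
    """Return the names of files older than the grace period that are not PGP
    encrypted: plaintext that outlived the expected post-upload encryption
    window. Younger files are ignored because they may still be uploading or
    queued for encryption."""
    now = time.time() if now is None else now
    exposed = []
    for path in sorted(Path(landing_dir).iterdir()):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime <= grace_seconds:
            continue
        with path.open("rb") as fh:
            head = fh.read(len(ARMOR_HEADER))
        if not looks_pgp_encrypted(head):
            exposed.append(path.name)
    return exposed


if __name__ == "__main__":
    for name in find_exposed_plaintext(LANDING_DIR):
        print(f"ALERT: unencrypted file outlived the grace period: {name}")
```

Run it from cron or the MFT scheduler at a shorter interval than the grace period. A hit means either a stuck encryption job or an upload path that bypasses the post-upload trigger, both of which deserve an alert. A clean run is not proof that no plaintext was ever present, only that none was left behind.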

Network Segments

An alternative approach to protecting your data at rest is to use the forward/reverse proxy capabilities of MFT solutions, which add an extra layer of defence by keeping the data out of the network segment that faces the internet. Nothing is stored on the proxy, so an external attacker who compromised it would find no files at rest; the data remains on the main MFT server behind a further firewall. Note the limit of this protection: the proxy terminates the client connection, so a compromised proxy could still observe or tamper with transfers passing through it while they are in flight. It is a control for data at rest, not a substitute for end-to-end encryption such as PGP. Just like encrypted file stores, these gateways are completely transparent to end users.

Each of these measures helps protect data at rest, and they can be combined to give a high level of protection. They can also assist in meeting regulatory requirements such as PCI DSS and ISO 27001.

Managed File Transfer Comparison Guide

[Updated – 2017]

Our independently researched Managed File Transfer comparison guide has been updated for 2017. This third edition reviews eight of the leading Managed File Transfer (MFT) solutions. We've created the guide to enable businesses of all shapes and sizes to review the solutions side by side and speed up the selection process.

This version of the guide includes a section on cloud connectors for the first time. As businesses rapidly adopt cloud services, this has become an increasingly common discussion point.

It isn’t a definitive analysis of all the available MFT solutions, but it does include the most cost effective, popular and feature rich products in one place for you to review. The guide is split into six sections and provides an insight into the main questions that we’re asked on a daily basis.

  • Solution Basics – these are the key questions that more or less everyone asks us, when looking for a Managed File Transfer solution.
  • Business Strategy – this section prompts you to consider how your solution will be impacted by other policies within the business.
  • Technical Details – looks at some of the key features of Managed File Transfer solutions at a more granular level.
  • Automation Options – lists the most commonly required automation features, a key component of any Managed File Transfer solution.
  • Transfer Protocols – a review of eleven of the most widely used file transfer delivery protocols.
  • Cloud Connectors – a key differentiator at this point, we list eight of the most common cloud services that you’re likely to need to connect to.

The guide covers the most frequently asked questions, but naturally we can only include so much detail. By the end of the document you should, however, have a clearer view of which specific features you need from your Managed File Transfer solution and which vendors are a good fit.

Once you’ve reviewed the comparison guide, I encourage you to review our other free resources. These are our Expert Guide to Managed File Transfer and the Managed File Transfer Needs Analysis.

It’s highly likely that you’ll have many more questions and our team of pre-sales and technical consultants are perfectly placed to provide you with further product information, demonstrations, and software evaluations. Additionally we’ll help you to build a stronger business case, comparing multiple similar solutions, highlighting how a solution might cater for future growth, providing cost comparisons and guidance on calculating ROI.

We look forward to helping you with your Managed File Transfer project in the near future!

Resources Available For You

The Expert Guide to Managed File Transfer

Includes definitions, requirements assessment, product comparison, building your business case and much more.

Managed File Transfer Needs Analysis

200 essential questions to consider before implementing your chosen Managed File Transfer solution.

Managed File Transfer Comparison Guide

A full feature comparison of Managed File Transfer solutions from the eight leading vendors in the industry.

The Advantages of Using a Forward and Reverse Proxy

There are many free ways to implement file transfer in an organisation, from using inbuilt FTP daemons on a Unix server, to installing Microsoft IIS or similar and even trying an open source Managed File Transfer (MFT) product.

What these products have in common is that connections are passed directly through to the server. If the server sits in a DMZ, connections only cross the external firewall, but all the data and account credentials are then stored in the DMZ. Alternatively, if the server is located in the secure "internal" network zone, firewall ports would need to be opened directly from the internet into that zone, which is likely to violate internal security policy.

Modern MFT solutions approach this problem in one of two ways. Some products are designed to sit inside the DMZ, encrypt data at rest and store account credentials in an encrypted database. Firewall rules from the DMZ into the internal network are then only required for collection of the data.

The other, which is by far the most popular, is to use an additional server sited in the DMZ as a forward/reverse proxy.

A proxy server based in the DMZ acts as the front end to the MFT solution. Client connections are terminated at the proxy and relayed to the MFT server in the internal network over a separate, often proprietary, port. The proxy itself stores no data or account information; it acts purely as an intermediary between the MFT server and the connecting client. This means that if the proxy were compromised by malicious software, no data at rest is exposed and there are no stored credentials to reuse. What an attacker gains is a foothold on a DMZ host with a single, tightly controlled channel to the MFT server, which is a far smaller attack surface than a directly exposed server; it is not nothing, so the proxy host still needs patching and monitoring like any other internet-facing system.

Outbound connections from an MFT solution located inside the secure network can also be routed through the proxy. Only a single port then needs to be opened between the MFT server and the proxy in the DMZ. For added protection, in most cases this connection is "outbound only": it must originate from the MFT server on the internal side, and the proxy never initiates a connection inwards, so the firewall between the DMZ and the internal network needs no inbound allow rule at all. From the proxy out to the internet, standard ports can then be used, making firewall configuration more straightforward for the network team.
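The following is an added example, written for this page rather than taken from it or from any vendor's product, that models the arrangement described in this section and in the Network Segments section of the data-at-rest post above as working code: a DMZ proxy that only ever accepts connections, an internal MFT server that dials out to it and holds all the data, and an external client that can reach no further than the proxy. The one-line PUT/GET protocol, the ephemeral ports and the file contents are assumptions for the example; it runs on one machine, with loopback sockets standing in for the two network zones.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback stands in for both network zones in this example


class DmzProxy:
    """Reverse proxy as it would sit in the DMZ. Two listening sockets, no
    outbound connections and no storage:
      public_port - where external clients arrive (opened on the external firewall)
      ctrl_port   - where the internal MFT server dials OUT to; the internal
                    firewall only needs an internal->DMZ rule for this port
    Each external request is relayed over that server-originated channel."""

    def __init__(self, upstream_wait=2.0):
        self.upstream_wait = upstream_wait
        self.public, self.ctrl = self._listen(), self._listen()
        self.public_port = self.public.getsockname()[1]
        self.ctrl_port = self.ctrl.getsockname()[1]
        self.upstream = None                    # set when the MFT server dials in
        self.upstream_ready = threading.Event()
        self.lock = threading.Lock()            # one relayed request at a time
        threading.Thread(target=self._accept_ctrl, daemon=True).start()
        threading.Thread(target=self._accept_public, daemon=True).start()

    @staticmethod
    def _listen():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((HOST, 0))                       # ephemeral port: an assumption for the example
        s.listen(5)
        return s

    def _accept_ctrl(self):
        conn, _ = self.ctrl.accept()            # accept only: the DMZ never connects inward
        self.upstream = conn.makefile("rwb")
        self.upstream_ready.set()

    def _accept_public(self):
        while True:
            client, _ = self.public.accept()
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        with client, client.makefile("rwb") as f:
            request = f.readline()
            if not self.upstream_ready.wait(self.upstream_wait):
                f.write(b"503 internal MFT server has not dialled out\n")  # fail closed
                f.flush()
                return
            with self.lock:
                self.upstream.write(request)
                self.upstream.flush()
                reply = self.upstream.readline()
            f.write(reply)
            f.flush()


class InternalMftServer:
    """The real MFT server, inside the trusted network, holding the files.
    It initiates the only connection to the DMZ, outbound to the proxy."""

    def __init__(self, ctrl_port):
        self.files = {}                         # the data at rest lives here, not on the proxy
        self.sock = socket.create_connection((HOST, ctrl_port))
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        with self.sock, self.sock.makefile("rwb") as f:
            for line in f:
                verb, _, arg = line.decode().rstrip("\n").partition(" ")
                if verb == "PUT":               # PUT <name> <content>
                    name, _, content = arg.partition(" ")
                    self.files[name] = content
                    reply = f"STORED {name}"
                elif verb == "GET":             # GET <name>
                    reply = self.files.get(arg, "NOTFOUND")
                else:
                    reply = "ERR unknown verb"
                f.write(f"{reply}\n".encode())
                f.flush()


def client_request(port, line):
    """An external client: it can only ever reach the proxy's public port."""
    with socket.create_connection((HOST, port)) as s, s.makefile("rwb") as f:
        f.write(f"{line}\n".encode())
        f.flush()
        return f.readline().decode().rstrip("\n")


def demo():
    proxy = DmzProxy()
    mft = InternalMftServer(proxy.ctrl_port)
    put = client_request(proxy.public_port, "PUT q3-figures.csv id,amount;1,100")
    get = client_request(proxy.public_port, "GET q3-figures.csv")
    return put, get, dict(mft.files)


if __name__ == "__main__":
    print(demo())
```

The point to notice is the direction of every connect() call: the internal server makes the only connection that crosses the internal firewall, and it makes it outbound, so that firewall needs no rule permitting DMZ-to-internal traffic. If the server has not dialled out, the proxy fails closed with a 503 rather than buffering uploads locally, which is what keeps it free of data at rest. A real deployment would add TLS on both legs and authentication of the server on the control channel, since anything that can reach ctrl_port and speak the protocol would otherwise be accepted as the upstream.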

If you implement a proxy server there are also a few added benefits which may not be immediately obvious.

Forward proxies are also a convenient place to perform NAT, so that all outbound transfers present a single, predictable source address to your trading partners' firewalls.

Upgrading key solutions like MFT can be disruptive, and it is not uncommon for Pro2col to come across MFT servers which have not been upgraded for over five years as a direct result of the impact and downtime an upgrade would have. If the server sits behind a proxy, a new MFT server can be built alongside the out-of-date one and, at switch-over, connected to the proxy as soon as the old server is taken down. External users and connections see no difference in how they connect, and downtime, from the external connection's point of view, appears to be a few seconds. As a result, upgrade disruption is kept to a minimum, maintenance windows can be scheduled more regularly, and security patches are not deferred for years at a time.

Many organisations have a security policy that no data is stored in the DMZ. Using a proxy allows the MFT server to stay in the secure part of your network without opening a path from the internet, through the DMZ, to the server itself.

PCI DSS, amongst other standards, requires that cardholder data is not stored in the DMZ, even when encrypted: system components that store it must sit in an internal network zone segregated from the DMZ. Using a proxy, together with the audit reporting features of MFT, enables compliance.

Open Source Managed File Transfer Software: Is it Really an Option? [Updated – 2017]

I originally wrote this post back in July 2012, after a number of requests for open source Managed File Transfer from potential customers. They'd found us via our web site, which clearly promoted a wide variety of commercial products, with no reference to open source; however, they were only interested in open source options.

Free clearly doesn’t pay the bills, however being a bit of an industry geek, I decided to do the research and find out what was available. I identified a couple of SourceForge projects, which I’ve been following over the past 4-5 years.

For the record, I’m a fan of open source. Our previous Technical Director was a thrifty Northerner, who converted me. We ran various elements of the business very successfully on open source projects. Our support ticketing system was based on OTRS and our monitoring system used Nagios. Both were mature applications, widely used in the open source community and provided considerable functionality at a price that suited!

 

When it comes to open source Managed File Transfer though, the landscape is patchy at best. Open source FTP servers exist in abundance and can provide the landing point for incoming and outgoing files, but open source Managed File Transfer projects appear to be scarce. I suspect that this is because Managed File Transfer hasn’t been one of those technologies that every company deploys.

Open source Managed File Transfer trends

My research over the past 4-5 years has highlighted a few trends that don't bode well for open source Managed File Transfer projects, and may reflect the wider open source landscape. In general, they fall into the following categories:

  • The company is acquired and the free option is removed. Some or all of the functionality is incorporated into a commercial offering.
  • The part-time developer gets a contract or new job and the project gets shelved.
  • The project is labelled as Managed File Transfer, but doesn't contain the key functions common to all commercial offerings in the market.
  • Commercial vendors offer a pseudo open source product with limited functionality and encourage migration to their commercial solution.

Some open source MFT that is no more

These are some of the open source projects that I have been following:

Policy Patrol by OPSWAT – has now become Metadefender Email Security. The Managed File Transfer element of the open source project appears to have been shut down.

ShieldShare by BlockMaster – now appears to be part of the DataLocker stable but their focus is on encrypted storage. It’s unclear whether the product was acquired for the encryption capabilities. Project shut down.

Appterra – their open source supply chain integration platform with Managed File Transfer capabilities was acquired by Descartes. The open source project has been shut down.

DivConq MFT – a SourceForge project that looked promising but the developers seem to have ended the project and the associated web site has closed down.

Karonte – positioned as an open source Managed File Transfer solution but it doesn’t have the basic functionality we consider critical for MFT.

Genuine open source projects

There are just two genuine projects that I've found so far. I couldn't recommend either, as I've not invested any time personally or asked our technical consultants to review them; however, both have ongoing development and offer support packages.

Yade – an open source project, previously going under the name of SOSFTP. This project has been around since at least 2012. SOS Berlin lists a number of customers on their web site and provides support and consulting packages. Currently my favourite option, based upon the length of time they’ve been around.

WAARP – a relative newcomer to the market but it looks to have all the basics covered. It also provides commercial support options and their web site provides visibility of who is involved in the project. This is certainly one to watch.

If you’re a user of either Yade or WAARP, I’d be interested in hearing from you. I’m keen to understand how complete the project is, how responsive the development team are and what your experience of their support offering has been like.

In conclusion

Whilst the open source marketplace can be a fantastic resource for some business applications, Managed File Transfer isn’t currently one of them. If your business is in the tech space or you’ve an extensive development and technical team then open source Managed File Transfer may be a viable option for you.

However, Managed File Transfer is mission critical for almost all of our customers and many come to us looking to mitigate the risks associated with supporting a bespoke or homegrown solution. As developers and contractors move on, many companies we speak to are stuck with a solution that has minimal documentation and the knowledge required to make changes or fix faults has been lost.

If you’d like to discuss your Managed File Transfer requirements, I’d be pleased to talk them through with you. You may be surprised at how much bang you get for your buck these days in commercially available products.

5 Steps for Writing a Successful Business Case for MFT

One area where many customers need assistance is building their business case for Managed File Transfer. Whilst each organisation's approvals process is unique, we see some common themes. Below are five key steps for building a successful business case for Managed File Transfer.

Consider all the stakeholders

It goes without saying that the needs of each Line of Business are different and are likely to be distinct from the project drivers from IT. Marketing need to be able to send large files simply with the correct corporate branding. Legal require all files to be signed for. Procurement want date stamping to ensure all tenders were received within specified deadlines. End users would prefer to use consumer grade solutions that they are familiar with. IT are generally looking for scalability, manageability, speed of install, security and visibility. The business case for MFT can address all of these issues and more.

Executive Sponsor

Managed File Transfer is often the glue between corporate systems and there is often no natural owner within an IT structure. An executive sponsor can help to overcome any objections to change from end users and ensure cross team support for a project that will impact networks, database teams, IT security and more.

Business Benefits

All our vendors have white papers designed to address specific business issues such as PCI Compliance or GDPR. There are also reports on the benefits gained by existing users of MFT, which can be used to frame your business case. The Ipswitch report for example suggests that the key reason for implementing MFT is to improve productivity and this is supported by a Globalscape report that suggests MFT implementation can increase your file transfer capability ten fold without increasing your IT support.

Cost Vs Benefit Vs Risk

Whilst the costs are generally easy to identify, benefits can be harder to quantify. One key area to investigate is the cost of maintaining legacy transfer scripts. These were typically built by experienced staff, who are then pulled into troubleshooting whenever the scripts fail. MFT simplifies not just the creation of transfer workflows but also their on-going management, and it can reduce both the number of trouble tickets relating to the movement of files and the time it takes to locate the cause of each issue.

As well as direct cost savings, there are the risks associated with data breaches and failures against customer SLAs to weigh. Research based on existing MFT users shows that implementing a solution can improve the satisfaction of internal and external partners and reduce their reliance on IT, improving productivity.

Selection Criteria

Lots of customers start with a very high level set of criteria that can be met by almost any MFT solution. To ensure you get the right solution, you need a more comprehensive set of criteria. Our Needs Analysis services can help to clarify functional requirements. It is also important to assess the total cost of ownership including support costs, training, documentation and upgrades. As the use case for MFT frequently expands post-installation, the scalability of the solution and options for additional features now and in the future are also important components of your business case.

There are some more detailed notes in our Expert Guide to Managed File Transfer and we have a library of white papers from research companies and vendors available upon request.

Implementing MFT? Who you gonna call?

Unfortunately, the answer is never going to be as simple as “Ghostbusters!” – but if you don’t select the right people at every stage you could easily be in for some nasty surprises.

As with any implementation project, there are several stages that any organisation will have to go through, each potentially requiring a different team to perform the various activities, depending upon the size of your organisation. In smaller organisations it's quite normal for one person to perform several roles or functions, but it's important to know which functions are being covered, in order to ensure that nothing gets missed. ITIL describes the service lifecycle in five stages; the three that apply at this point are Service Design, Service Transition and Service Operation (Service Strategy and Continual Service Improvement are out of scope here).

[Figure: the ITIL service lifecycle]

Let’s look at the phases in order:

Service Design

During the Service Design phase, the Managed File Transfer (MFT) software is selected and the service is designed.  At this time, most of the work comes from the project leader; however input is also required from other functions.

  • Enterprise Architect – specialises in how applications interact with each other.
  • Information Security Manager – assesses and approves the security requirements.
  • Compliance Manager – ensures that the relevant standards are met.
  • Service Owner – manages the service after the go-live date.
  • Technical Analyst – there is normally a separate Technical Analyst or team for each aspect of the environment, for example server build and support, network support, monitoring, scheduling and so on.
  • Applications Analyst – manages the MFT application; as with Technical Analysts, there will often be a separate analyst or team for each application.
  • Continuity Manager – validates that the new MFT application meets the existing business continuity criteria.

There are of course other key ITIL functions during the Service design phase, however these do not all necessarily need to be involved and may be happy simply to receive meeting minutes and key updates.

Service Transition

Once testing has been completed, it is time to move into the Service Transition phase. This is the crucial time between testing and production where so many projects run into problems; consequently, it is important to get it exactly right before moving forward. At this time, Change Management becomes vital (in some organisations, every step of the Design phase will also have been subject to Change Management).

The functions that provide input at this stage must include as a minimum:

  • Change Manager – approves all changes and therefore has the final say on whether an application moves into production.
  • Change Advisory Board – the CAB advises the Change Manager on whether to allow a change to go ahead.
  • Knowledge Manager – ensures that Operations, Help Desk and end-user guides are available.
  • Test Manager – not only ensures that the application is fit for service, but also that the operations team is able to support it.

Again, other ITIL functions exist but are not included here. Pay special attention to Change Management as this is often a point overlooked until the day arrives to install the new MFT system, causing unnecessary delays.

Service Operation 

Once the new system goes live, a whole new set of functions are required to support it.

  • Help Desk – performs first-level support and handles all new incidents; incidents it cannot resolve are escalated to other teams as necessary.
  • Access Manager – grants or denies access to the MFT application.
  • Operations Team – performs the day-to-day activities that keep the application running successfully.

In Summary

The diagram below shows which roles are involved at which points in the lifecycle. As mentioned at the start of this article, these phases are taken from the ITIL methodology, but they still apply even if you are not practising ITIL. You should not, for example, enter the design phase without including the Information Security and Compliance Managers.

[Figure: key roles in the project lifecycle]
