Secure File Transfer Archives - Managed File Transfer Solutions | Secure File Transfer Software | UK

China’s new cybersecurity law and how that impacts Data Transfers?

Our friends at JSCAPE have written an article about the new cybersecurity law in China, which came into effect in June this year. Utilising JSCAPE’s article (with their kind permission), we thought the overview would be useful to many of you who have business operations in China or transact with organisations based there. The chances that it affects you are very high.

Cybersecurity law in China and how it affects data transfers

Businesses whose data transfers might be impacted by the law

The provisions in the cybersecurity law that impact data transfers govern two sets of businesses: a large set known as network operators and a small subset known as critical information infrastructure operators (CII operators). The definitions however turn out to imply a much wider scope.

For instance, while the term ‘network operators’ might initially be interpreted to mean telecommunications companies, ISPs or cloud service providers, the law actually defines network operators as network owners, managers and network service providers. That could mean any company that operates any type of network, even a small office LAN, so it has the scope to affect many businesses.

Critical information infrastructure (CII) refers to infrastructure which, if destroyed, damaged or subject to a data leak, “might seriously endanger national security, national welfare and people’s livelihood, or the public interest”. Any infrastructure providing public communication and information services, power, traffic, water, finance, public service, or electronic governance is considered CII. Because it’s not clear what exactly qualifies as “seriously endangering national security” and the like, other organisations not mentioned here might be considered CII operators as well.

These broad definitions make it hard for companies to determine whether or not they fall under these categories, so it’s best to seek guidance from regulators or legal experts. If you think your business might be affected, it probably is.

How does the law impact data transfers?

The first thing that jumps out in relation to data transfers is the data localisation provisions. Multinational companies and foreign organisations operating in China often transfer certain information to their headquarters or other offices located in other parts of the world. Businesses may also have to transfer files to customers, suppliers, and other trading partners based overseas. Unfortunately, the data localisation provisions of the Cybersecurity Law will now make these outbound file transfers extremely difficult.

Article 37, in particular, requires certain operators to store personal information and important data (collected or generated during the course of business operations) within mainland China. This provision, which in the law itself covers only CII operators, has lately been extended to network operators in draft regulations, casting a much wider net that would impact most businesses.

The expanded provision is stipulated in the draft regulations entitled “Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data Overseas”.

Personal information is normally part of various business processes, often incorporated in HR (Human Resource), sales, and marketing data, among others. Because some of these processes involve the transfer of data overseas, e.g. for further processing or data aggregation purposes, the onset of the data localisation provisions can seriously disrupt current practices.

In cases where it’s absolutely necessary to export personal information and other important data, the Cybersecurity Law may allow it, provided several conditions are met. One of these conditions is to first conduct security assessments in accordance with the measures mentioned earlier.

The security assessments

There are basically two types of these assessments. There are self-assessments and there are regulator assessments. These assessments must focus on certain elements such as:

  • the necessity of carrying out the cross-border data transfer;
  • circumstances surrounding the presence of personal information and/or critical data;
  • the security measures and security environment of both the recipient and the country in which the recipient operates;
  • the risk of leakage, loss, falsification or misuse of the transferred data.

Regulator assessments are required when certain circumstances arise. For example,

  • the number of individuals whose personal information is included in the transfer is at least 500,000;
  • the amount of data exceeds 1000 GB;
  • it involves data relating to information about the security of certain CII.

How secure file transfers can help you pass the security assessments

Secure file transfer systems can help you pass some of these assessments by addressing the technical issues involved. For example, they can greatly enhance the security measures of the recipient and substantially reduce the risk of leakage, loss, falsification, or misuse of the transferred data. Although there are certainly other factors involved, being able to strengthen your recipient’s security measures and reduce critical risks can greatly improve your chances of passing the security assessments.

If you feel that Managed File Transfer solutions may be beneficial to your business, we would be happy to discuss your needs and infrastructure.

Check out our “Do you need MFT” analysis document if you would like to get a better idea of your current processes. This comprehensive expert guide to your data transfer processes will highlight areas which may need addressing.

Resources Available For You

The Expert Guide to Managed File Transfer

Includes definitions, requirements assessment, product comparison, building your business case and much more.

Managed File Transfer Needs Analysis

200 essential questions to consider before implementing your chosen Managed File Transfer solution.

Managed File Transfer Comparison Guide

A full feature comparison of Managed File Transfer solutions from the eight leading vendors in the industry.

Are Your FTP Servers Still Under Manufacturers’ Support?

We’re now a week on from the first reports of WannaCry infecting computers across the globe. The initial media furore has subsided, the world hasn’t ended and IT can get back on with the job of keeping the organisation running!

Many software vendors jumped on the bandwagon, using WannaCry as an opportunity to position the need for their software; I’m sure you received a tonne of emails. We thought about it but resisted. Instead we thought that a concise view of whether your FTP server(s) are supported by the manufacturer, what the current version is and which operating systems they support would be of more use.

Naturally, if you need any help upgrading any of these servers our technical team are here to help. It would be advisable to check in with the pre-sales team first to ensure that the process runs smoothly; some vendors will require a completely new licence key to go to the latest versions.

If you’ve got any other FTP servers you’d like us to add to the list, please get in touch.

Backing up your Cisco Unified Communications Manager through SFTP

The Cisco Unified Communications Manager (CUCM) is in use at many organisations to integrate data, voice and video applications.  It’s a nice product which provides a good balance between security and functionality.

As is often the case however, this sort of product very quickly becomes a critical piece of the infrastructure and consequently needs to be treated as such.  It’s therefore important to ensure that the configuration is routinely backed up in a secure fashion in order to recover your system should the need arise.

CUCM allows you to back up the configuration to a location on your network; because the backup contains credentials, CUCM requires that you transfer it using a secure mechanism: SFTP.

Any file transfer server that provides the SFTP protocol is fine to use; some file transfer vendors even publish simple guides on how to configure their specific software, but the steps to a successful implementation are straightforward.

First, create an account on the SFTP server that will receive the backup and set up a folder for it.  Even though CUCM uses SFTP, it does not support connecting with an SSH key: you must create a user that can connect with just a password.  Because that is weaker than key authentication, confine the account as tightly as your SFTP server allows: SFTP only (no shell), restricted to its own folder, and ideally accepting logins only from the CUCM’s IP address.  If your SFTP server has the ability to automatically forward files on to another location, you may wish to set this up at this time.

Next go to CUCM and log into the Disaster Recovery System.  From here, select Backup, then Backup Device.  This is where you provide the details of your SFTP server.  Click on “Add New” and provide a friendly name for your SFTP server.  Beneath this, there is an area marked “Select Destination” – here you can enter the SFTP server details, path and credentials.  You can also select how many backups you want to keep in the SFTP server – handy if your SFTP server lacks automation capabilities.

Once you have done this, you can schedule the backup.  Go to Backup, then Scheduler, and click “Add New” to create a new schedule.  As you might expect, you can now add the frequency with which you want to send the backup to the SFTP server, including the day of the week and time of day.  Finally, save the schedule and click on “Enable Schedule”.

Et voilà!  Your CUCM configuration is now being securely backed up to your SFTP server.
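If the receiving SFTP server is OpenSSH, the password-only account that CUCM needs is best confined in an sshd_config Match block. The script below is an added example, not code from the original post or from Cisco: it embeds a sample sshd_config (the account name cucm-backup, the CUCM address 10.0.5.20 and the paths are assumptions) and checks that the block keeps the account to chrooted, SFTP-only, password logins offered only to the CUCM, while password authentication stays off globally. Keyword handling follows sshd_config(5): keywords are case-insensitive and the first value seen for a keyword wins.

```python
# Added example (not from the original post or from Cisco): check that an
# OpenSSH sshd_config confines a CUCM backup account to chrooted, SFTP-only,
# password logins.  Account name, address and paths are assumptions.

SAMPLE_SSHD_CONFIG = """\
# Global defaults: key-based logins only.
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

# CUCM cannot present an SSH key, so a password is enabled for this one
# account, and only when the connection comes from the CUCM itself.
Match User cucm-backup Address 10.0.5.20
    PasswordAuthentication yes
    ChrootDirectory /srv/sftp/cucm-backup
    ForceCommand internal-sftp -d /backups
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""


def parse_sshd_config(text):
    """Split sshd_config into ({keyword: value}, [(match_spec, {keyword: value})]).

    Keywords are lower-cased and the first occurrence of a keyword is kept,
    which is how sshd itself resolves duplicates.  Everything after a Match
    line belongs to that block until the next Match line.
    """
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = (value, {})
            blocks.append(current)
            continue
        target = current[1] if current else global_settings
        target.setdefault(keyword, value)
    return global_settings, blocks


def match_criteria(spec):
    """'User cucm-backup Address 10.0.5.20' -> {'user': ..., 'address': ...}"""
    tokens = spec.split()
    return {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def check_backup_account(config_text, user):
    """Return a list of findings; an empty list means the account is confined."""
    findings = []
    global_settings, blocks = parse_sshd_config(config_text)

    # sshd's built-in default is PasswordAuthentication yes, so absence is a finding.
    if global_settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("global PasswordAuthentication should be 'no'; "
                        "enable it only inside the Match block")

    block = None
    for spec, settings in blocks:
        criteria = match_criteria(spec)
        if criteria.get("user") == user:
            block = (criteria, settings)
            break
    if block is None:
        findings.append(f"no 'Match User {user}' block")
        return findings
    criteria, settings = block

    if settings.get("passwordauthentication", "").lower() != "yes":
        findings.append("PasswordAuthentication yes is required: CUCM only logs in with a password")
    if "chrootdirectory" not in settings:
        findings.append("ChrootDirectory is missing: the account could browse the whole filesystem")
    if not settings.get("forcecommand", "").startswith("internal-sftp"):
        findings.append("ForceCommand internal-sftp is missing: the account would get a shell")
    if settings.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding should be 'no': a stolen password must not become a pivot")
    if "address" not in criteria:
        findings.append("add 'Address <CUCM IP>' to the Match line so the password "
                        "login is only offered to the CUCM")
    return findings


if __name__ == "__main__":
    for finding in check_backup_account(SAMPLE_SSHD_CONFIG, "cucm-backup") or ["OK"]:
        print(finding)
```

Remember that ChrootDirectory requires the chroot itself to be owned by root and not writable by the account, which is why the sample points CUCM at a writable subdirectory (/backups inside the chroot) rather than the chroot root.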

These SFTP servers are supported and recommended by Cisco:

Should You Password Protect Links to Your Files?

As file transfer specialists, we speak to customers every day who are trying to strike the balance between ease of use and security.  Internal users want to be able to share a file quickly and simply.  They don’t want to ask the recipient, who may already be faced with a myriad of different systems, to go through complex authentication processes.  All end users want the simplicity of the cloud systems they use at home, which are great for sharing your holiday photos.

A ruling in the US courts last month, however, may have just swung the balance in favour of a more secure approach.

Video footage related to a court case was uploaded and a link that was not password protected was shared between the firm, its parent company and the investigating team.  At a later stage, further legal files were added to the same folder.  The link was included in the police files and was then forwarded to the opposing legal firm, who were able to download all of the files before the court case.

The judge ruled that the company had waived any claim of privilege to materials as they were accessible to anyone who had the hyperlink. “In essence, the defendant conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”

This ruling should make us all think twice before putting confidential documents in a file-sharing site without password protection, especially when there are so many secure alternatives available.  Whoever holds the link holds the files, so at a minimum a share link should require the recipient to authenticate, should expire, and should leave an audit trail of who downloaded what.

With Only 15 Months To Go – Are You Ready for GDPR?

The EU has now changed its data protection rules. They will fully apply from 25 May 2018.

These new rules are called the General Data Protection Regulation (or GDPR), although the full official name of the new rules is “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”, which can be found in the EU Official Journal (OJ L 119 of 4.5.2016, p.1).

To help you identify what the implications are for your business and what practical steps you need to take, Pro2col are working with Jonathan Armstrong, an experienced lawyer with a concentration on technology and compliance and partner at Cordery Legal Compliance.   His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe.  Jonathan is one of three co-authors of the LexisNexis definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and other channels and is regularly published in Infosecurity Magazine.

As referenced in my blog article “Impact of Brexit on GDPR”, the EU legislation will still impact UK businesses in the run-up to leaving the EU and in all likelihood after the UK has left.  It is also worth noting that the draft ePrivacy Regulation, proposed by the Commission in January 2017 to sit alongside the GDPR, goes further than “personal data”: it covers electronic communications data relating to an end-user (individuals and entities), both the more traditional content (text, voice, video, images, sound etc.) and the metadata derived from a communication (data used to trace its source and/or location, its time, date and duration etc.).  Under that proposal such data has to be anonymised or deleted unless the user has consented to its continued use or there is a legitimate purpose such as billing.

To comply companies will need to implement appropriate technical and organisational measures to protect data against loss or any unlawful forms of processing.  These measures should guarantee a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.  Managed File Transfer is one of the technical measures that can assist with reducing the human risk of data sharing through automating transfers and providing secure, auditable methods for end-user file sharing.  MFT also provides detailed logs and reports for your compliance team.

For all businesses, there is now plenty to be done ahead of next May.  Jonathan will be presenting an overview of GDPR at a Pro2col event on Thursday 9th March.

FTPS or SFTP? It’s not Agatha Christie

In 1941 crime novelist Agatha Christie published her detective book “N or M?”; while selecting between FTPS or SFTP is hardly the same thing, you still might need to use some sleuthing skills to make the right choice.

Partners in crime

Let’s start by looking at which protocol was around first: FTP by a mile, but not in a secured state initially. FTPS wraps FTP in Transport Layer Security (TLS), or its deprecated predecessor Secure Sockets Layer (SSL), to provide connection security through encryption; the server proves its identity with an X.509 public key certificate. The certificate may be trusted (issued by a trusted certification authority) or self-signed. Using a self-signed certificate does not mean the level of encryption is any less, just that no third party vouches for the host: you have to verify the certificate (or its fingerprint) out of band and configure the client to accept only that one, otherwise anyone on the path can present a certificate of their own. FTPS servers generally listen for implicit connections on port 990 and explicit connections on port 21, although the server administrator may of course choose different ports.

An implicit connection starts with the client issuing a TLS “Client Hello” message as the very first bytes on the socket; its presence implies that the connection must be secure, and if the server doesn’t receive it the connection is immediately dropped. If the server does receive the “Client Hello”, the two sides complete the TLS handshake (the server presents its certificate, the client validates it, and both derive the session keys) before a single FTP command is exchanged.

In the case of explicit FTPS, the client explicitly requests security by sending an “AUTH TLS” (or the older “AUTH SSL”) command straight after the connection is made, and the TLS handshake then runs over the existing connection. If the AUTH command is not sent, the FTPS server will by default treat the client connection as a ‘regular’ non-secure FTP session instead, and a badly configured client will send its username and password in clear text. Two settings matter here. First, configure the server to require TLS (reject USER and PASS until AUTH TLS has succeeded) so that cleartext logins are impossible rather than merely optional. Second, AUTH TLS only protects the control channel: the client must also send “PBSZ 0” followed by “PROT P” (RFC 4217) to encrypt the data channel, otherwise file contents and directory listings travel in the clear even though the login was encrypted, so the server should also be set to refuse data connections that are not “PROT P”.

Interestingly, implicit FTPS was never standardised: RFC 2228 (FTP Security Extensions) and RFC 4217 (Securing FTP with TLS), which between them define FTPS, describe only the explicit mode.

In either case, once the session has started, the client will need to authenticate to the FTPS server; normally this will be by user ID and password, but may also include a client certificate if required. All FTP commands are passed along the control channel (normally 21 for explicit or 990 for implicit), but FTPS then needs a separate channel for data communications (the actual sending of files or directory lists). In active mode the server connects back to the client from port 20 (explicit) or 989 (implicit). In passive mode, which is what almost every client uses today because the client usually sits behind NAT, the server instead opens an ephemeral port and tells the client which one in its reply to PASV. Because that reply is inside the encrypted control channel, firewalls and NAT devices cannot read it and open the port on demand as they can for plain FTP, so the server administrator must define a fixed passive port range and open it on the firewall. Data channels are opened as they are required, then immediately closed again (the control channel remains open for the duration of the session).

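To make the explicit-FTPS points above concrete, here is a small model of the control channel, added as an example and not code from the original post. Replies and ordering follow RFC 4217; the server class, its require_tls flag, the exposure log and the three constructed client sessions are this example’s own. With the usual default (TLS optional) a client that never sends AUTH TLS logs in with a cleartext password, and one that negotiates TLS but never sends PROT P still transfers its files in the clear; the hardened server refuses both. It also includes the check a listener can use to tell an implicit-FTPS client (a TLS ClientHello as the first bytes) from an explicit one.

```python
# Added example (not from the original post): a toy model of the explicit-FTPS
# control channel (RFC 4217) showing what a server must enforce.  The class,
# its require_tls flag and the sample sessions are assumptions for illustration.


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first bytes on a fresh socket are a TLS ClientHello, i.e. an
    implicit-FTPS client; an explicit client starts with plaintext FTP text."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16      # TLS record type: handshake
            and first_bytes[1] == 0x03      # TLS/SSL3 major version
            and first_bytes[5] == 0x01)     # handshake message type: ClientHello


class ExplicitFtpsServer:
    """Control-channel state machine.  require_tls=False mirrors the usual
    out-of-the-box behaviour (TLS optional); require_tls=True is hardened."""

    def __init__(self, require_tls: bool = False):
        self.require_tls = require_tls
        self.tls = False          # set once AUTH TLS has been accepted
        self.pbsz = False         # PBSZ 0 must precede PROT (RFC 4217)
        self.prot = "C"           # data-channel protection; RFC default is Clear
        self.logged_in = False
        self.exposures = []       # what an on-path attacker would have seen

    def handle(self, line: str) -> str:
        """Process one client command and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if arg.upper() not in ("TLS", "SSL"):
                return "504 Unknown security mechanism"
            self.tls = True       # the TLS handshake would run here
            return "234 AUTH TLS successful"
        if verb in ("USER", "PASS"):
            if self.require_tls and not self.tls:
                return f"530 Must issue AUTH TLS before {verb}"
            if verb == "USER":
                return "331 Password required"
            if not self.tls:
                self.exposures.append("password sent in cleartext")
            self.logged_in = True
            return "230 Logged in"
        if verb == "PBSZ":
            if not self.tls:
                return "503 AUTH TLS required first"
            self.pbsz = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz:
                return "503 PBSZ must precede PROT"
            if arg.upper() not in ("C", "P"):
                return "536 Requested PROT level not supported"
            self.prot = arg.upper()
            return f"200 Protection level set to {self.prot}"
        if verb in ("RETR", "STOR", "LIST"):
            if not self.logged_in:
                return "530 Not logged in"
            if self.prot != "P":
                if self.require_tls:
                    return "521 Data connection must be protected (PROT P)"
                self.exposures.append(f"{verb} {arg} transferred in cleartext")
            return "226 Transfer complete"
        return "502 Command not implemented"


def run_session(require_tls: bool, commands):
    """Feed client commands to a fresh server; return (replies, exposures)."""
    server = ExplicitFtpsServer(require_tls)
    replies = [server.handle(c) for c in commands]
    return replies, server.exposures


# Constructed client sessions used for the demonstration.
PLAIN_LOGIN = ["USER alice", "PASS s3cret", "RETR payroll.csv"]
TLS_NO_PROT = ["AUTH TLS", "USER alice", "PASS s3cret", "RETR payroll.csv"]
TLS_FULL = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret",
            "RETR payroll.csv"]

if __name__ == "__main__":
    for name, cmds in [("plain", PLAIN_LOGIN), ("tls-no-prot", TLS_NO_PROT),
                       ("tls-full", TLS_FULL)]:
        for hardened in (False, True):
            replies, exposures = run_session(hardened, cmds)
            print(f"{name:12} require_tls={hardened!s:5} "
                  f"last reply={replies[-1]!r} exposures={exposures}")
```

Real servers expose the two hardened behaviours as settings with names like “force TLS for logins” and “require PROT P for data connections”; the model simply makes visible what each one prevents.
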
Nemesis

In the style of so many detective story plots, SFTP is not what you might immediately suspect it to be – a form of FTP. In fact, FTPS and SFTP are completely unrelated and bear only a passing resemblance in the structure of many commands. SFTP is not FTP over an SSH connection, rather a distinct protocol in its own right which makes use of the underlying SSH protocol to provide connection security and authentication. Because it is using the underlying SSH protocol, it is normal to use the SSH port (generally port 22).

With SFTP we move away from certificates and instead use public/private key pairs which are not, as a rule, signed by a trusted authority. Like an FTPS self-signed certificate, the only area of doubt is whether the server is who it professes to be. Do not simply accept whatever key is offered on the first connection: obtain the server’s key fingerprint from its administrator out of band, compare it with the one presented, and only then record the key in the client’s known-hosts store, so that any later change (which is exactly what a man-in-the-middle looks like) is rejected rather than silently accepted.

The most important difference between FTPS and SFTP is that SFTP requires just one port to operate on – there is not a separate data and control channel to take care of.

In contrast to FTPS, where clients occasionally provide a certificate for authentication, it is common practice for SFTP batch clients to authenticate by key only, avoiding the need to store and maintain passwords.

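The host-key check described above, as an added example that is not code from the original post: it computes an SSH host-key fingerprint the way `ssh-keygen -lf` does (SHA-256 of the decoded key blob, base64 without padding, prefixed “SHA256:”) and compares the key a server presents against a fingerprint obtained out of band. The 32-byte keys are constructed for the demonstration and are not real host keys; the function names and the host name are this example’s own.

```python
# Added example (not from the original post): compute an SSH host-key
# fingerprint as `ssh-keygen -lf` does and use it to accept or reject the key
# an SFTP server presents.  Keys below are constructed, not real host keys.
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "host") -> str:
    """Build an OpenSSH public-key line ('ssh-ed25519 AAAA... comment')."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """Return OpenSSH's fingerprint form: 'SHA256:' + unpadded base64 of the
    SHA-256 digest of the decoded key blob."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The blob starts with the key type; refuse a line whose label disagrees.
    if not blob.startswith(ssh_string(keytype.encode())):
        raise ValueError("key blob does not match the declared key type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_is_trusted(presented_line: str, expected_fingerprint: str) -> bool:
    """The check a client performs before sending credentials: does the key the
    server just presented match the fingerprint obtained out of band?"""
    return hmac.compare_digest(fingerprint_sha256(presented_line),
                               expected_fingerprint)


# Constructed keys: the genuine host key and one an attacker might substitute.
GENUINE_KEY = make_ed25519_pubkey_line(bytes(range(32)), "sftp.example.internal")
IMPOSTOR_KEY = make_ed25519_pubkey_line(bytes(range(1, 33)), "sftp.example.internal")

# What the server administrator hands over out of band, e.g. the output of
# `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server itself.
EXPECTED_FINGERPRINT = fingerprint_sha256(GENUINE_KEY)

if __name__ == "__main__":
    print("expected:", EXPECTED_FINGERPRINT)
    print("genuine key accepted:", host_key_is_trusted(GENUINE_KEY, EXPECTED_FINGERPRINT))
    print("impostor key accepted:", host_key_is_trusted(IMPOSTOR_KEY, EXPECTED_FINGERPRINT))
```

For OpenSSH clients the same outcome comes from populating known_hosts from the verified key and running with StrictHostKeyChecking=yes, so an unattended batch job fails closed instead of prompting.
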
Cards on the table

So having considered some basics of both FTPS and SFTP, let’s look at some of the details and see what each can do that the other can’t. Mostly speaking, what one can do the other can too – there are a few exceptions though:

  • FTPS will allow you to create custom commands
  • SFTP has better control of file permissions, ownership and properties
  • FTPS allows use of Trusted x.509 certificates
  • SFTP only requires a single port to be open on the firewall
  • FTPS supports EBCDIC transfers
  • SFTP allows creation of symbolic links
  • Windows servers and clients did not natively support SFTP at the time of writing (an optional OpenSSH client and server were added to later Windows 10 and Windows Server releases)
  • SFTP is simple to install and manage on Linux and Unix servers

And then there were none

Mostly the decision on which protocol to use comes down to the requirements of the organisation; if there is a prevalence of Linux/Unix servers in a network, SFTP may be the better choice. Conversely, in a Windows-only environment without the optional OpenSSH components, SFTP would require clients to be installed everywhere.

In addition, some firewall administrators would be happier to use SFTP with its single port, while some server administrators may not want SSH access to their servers enabled (although an SFTP-only account can be confined with a chroot and ForceCommand internal-sftp, so enabling SFTP need not mean enabling shell access).

Otherwise it makes sense where possible to invest in file transfer server software that supports both protocols and leave the choice up to the clients.
