Protecting Your Data At Rest – What Are Your Options?
Modern Managed File Transfer (MFT) solutions provide several ways to protect data. In addition to using secure protocols for data in transit and defending against DDoS, hammering and brute-force attacks, many solutions provide mechanisms for securing files at rest while they await collection or processing.
Protecting data at rest
Protecting the files at rest can be achieved in several ways, with the most common being:
- Writing to an Encrypted File store
- Encrypting Data using PGP or similar
- Securing them in another network segment
Encrypted File store
Encrypted file stores use either native encryption technology such as EFS or the product's own encryption to secure files held in the data area of the MFT solution. Files are encrypted before they are written to storage and the solution handles the keys, so there is no separate key management to perform. Decryption is likewise done on the fly when a file is downloaded through the software. Browsing to the storage location from the operating system may show either the real file names or an anonymised series of files. The downside of this method is that data written to a Windows share is not accessible to other applications except through the solution itself, i.e. via an API.
If your MFT solution does not support encryption at rest natively, there are several network storage devices that can present encrypted storage as a normal CIFS share. Using one of these as the storage for your MFT solution will protect your data from physical theft of the disks, but it may not protect against access by internal users or systems, since anything permitted to mount the share sees the files in clear. Not all MFT solutions can be integrated with this type of encrypted storage device.
PGP encryption
Another popular method is to secure the data using PGP. PGP gives you the option of encrypting a file outside the MFT solution for full end-to-end security. Alternatively, most MFT solutions support PGP encryption and decryption of incoming and outgoing files. PGP encryption applied by the MFT system is triggered once a file has been successfully uploaded. Once the file is PGP encrypted it can be sent on to a remote system, where it will need to be decrypted. While this process has many positives, not all MFT solutions support PGP encryption on the fly: the MFT solution must wait for the file to be uploaded and stored unencrypted before it attempts to PGP encrypt it. This means there is a short period during which the file sits on the storage in an unencrypted state, and only once the encryption process has completed successfully is the unencrypted version of the file deleted. As the whole encryption process takes only a few seconds, the exposure of unencrypted data is minimal, and many organisations accept the risk of temporarily unencrypted data.
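The encrypt-after-upload step described above, as an added illustration that is not code from any MFT product: a post-upload hook that narrows permissions on the plaintext during the exposure window, writes the ciphertext to a temporary name, and removes the plaintext only after the ciphertext is durably in place, so a failed encryption never discards the only copy. The `gpg` invocation assumes `gpg` is on PATH with the recipient's public key already imported; the recipient ID, file paths and the injectable `Encryptor` callable are assumptions for the example.

```python
import os
import subprocess
import time
from pathlib import Path
from typing import Callable, Tuple

# An encryptor takes (plaintext_in, ciphertext_out) and raises on failure.
Encryptor = Callable[[Path, Path], None]


def gpg_encryptor(recipient: str) -> Encryptor:
    """Build an encryptor that shells out to gpg (assumes gpg on PATH, key imported)."""
    def run(src: Path, dst: Path) -> None:
        subprocess.run(
            ["gpg", "--batch", "--yes", "--trust-model", "always",
             "--recipient", recipient, "--output", str(dst), "--encrypt", str(src)],
            check=True, capture_output=True,
        )
    return run


def encrypt_after_upload(plaintext: Path, encrypt: Encryptor) -> Tuple[Path, float]:
    """PGP-encrypt a freshly uploaded file, then remove the plaintext.

    Returns (ciphertext_path, seconds the plaintext was exposed inside this hook).
    The plaintext is unlinked only after the ciphertext has been fully written,
    fsynced and atomically renamed into place; on any failure the partial
    ciphertext is dropped and the plaintext is left untouched.
    """
    start = time.monotonic()
    os.chmod(plaintext, 0o600)          # limit who can read it during the window
    final = plaintext.with_name(plaintext.name + ".pgp")
    tmp = final.with_name(final.name + ".partial")
    try:
        encrypt(plaintext, tmp)
        if tmp.stat().st_size == 0:
            raise RuntimeError("encryptor produced empty output")
        with open(tmp, "rb") as fh:
            os.fsync(fh.fileno())       # ciphertext is on disk before plaintext goes
        os.replace(tmp, final)          # atomic rename: no half-written .pgp is visible
    except Exception:
        tmp.unlink(missing_ok=True)     # keep the plaintext; discard partial output
        raise
    plaintext.unlink()                  # the unencrypted copy leaves storage only now
    return final, time.monotonic() - start
```

Wire `encrypt_after_upload(path, gpg_encryptor("recipient@example.org"))` into the product's post-upload event to reproduce the flow; the returned duration is the figure to watch if the exposure window matters to your risk assessment.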
Forward/reverse proxy
An alternative approach to protecting your data at rest is to use the forward/reverse proxy capabilities of MFT solutions, which add an extra layer of defence to your MFT system's security. Because no data is stored on these proxies, an external attacker who managed to compromise the proxy server would not be able to reach any data, as it is held on the main MFT server behind a further firewall. Just like the encrypted file stores, these gateways are completely transparent to end users.
Each of these measures helps protect data at rest, and they can all be combined to give a high level of protection. These methods can also assist in meeting regulatory requirements such as PCI DSS and ISO 27001.