Five file transfer priorities for 2018
Big changes in the data transfer and file sharing space look set to make 2018 an interesting year. There is updated legislation to get to grips with, plus new, more efficient opportunities for managing the flow of your data. Our technical consultants have shared their top file transfer priorities for the year ahead.
1. PCI DSS 3.2
PCI DSS is the security standard for processing and storing credit card information. The new version of the standard (PCI DSS 3.2) comes into effect on 1st February 2018, and several of its updated requirements fall within the scope of your data transfer system.
- Users with administrative access to the systems handling card data need to complete multi-factor authentication. A password alone is not enough to verify the user’s identity and grant access to sensitive information. Multi-factor authentication requires two or more independent factors to authorise a person’s access to the card data, such as a password, a unique code or another method of identification. If you’re scripting an automated transfer, though, you’ll need to use different identifying factors, such as private key authentication and IP whitelisting. This comes in addition to the existing multi-factor authentication requirements for remote access.
- Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) will no longer be considered secure protocols. Organisations have until 30th June 2018 to transition to a secure version of TLS – v1.1 or ideally 1.2 – and disable any fallback to both SSL and early TLS. This will make sure you have a secure communications channel and protect the confidentiality and integrity of information that passes between systems.
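Two things follow from the SSL/early TLS requirement: the client and server configuration must refuse the old versions, and you need a way to find out which partners are still connecting with them before the deadline. The Python below is an added example, not code from the original article or from any vendor it mentions. It builds a client context pinned to TLS 1.2 using the standard library, and runs a small scan over constructed log lines (the `client=... proto=...` format and the addresses are made up for this example; real MFT servers log the negotiated protocol in their own format) to flag connections that would fail the 30th June cut-off.

```python
import re
import ssl

# PCI DSS 3.2 treats SSL and "early TLS" (TLS 1.0) as insecure.
# TLS 1.1 is tolerated by the standard; the article recommends 1.2.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def hardened_client_context(minimum=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context that refuses SSL and early TLS outright.

    Setting minimum_version (Python 3.7+) removes the fallback path:
    a server that only offers TLS 1.0 causes the handshake to fail
    rather than silently negotiating the weaker version.
    """
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = minimum
    return ctx


def context_blocks_early_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context can never negotiate SSLv3 or TLS 1.0."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_1


def normalise_protocol(name: str) -> str:
    """Map spellings such as 'TLSv1.0' onto the canonical 'TLSv1'."""
    return "TLSv1" if name in ("TLSv1.0", "TLS1.0", "TLS1") else name


def is_insecure_protocol(name: str) -> bool:
    return normalise_protocol(name) in INSECURE_PROTOCOLS


# Constructed sample log lines, in a hypothetical "client=... proto=..." format.
SAMPLE_LOG = [
    "2018-01-10T09:12:03Z client=203.0.113.7 proto=TLSv1 cipher=AES128-SHA",
    "2018-01-10T09:12:41Z client=198.51.100.23 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384",
    "2018-01-10T09:13:05Z client=192.0.2.88 proto=SSLv3 cipher=DES-CBC3-SHA",
    "2018-01-10T09:14:19Z client=203.0.113.40 proto=TLSv1.1 cipher=ECDHE-RSA-AES128-SHA256",
    "2018-01-10T09:15:02Z client=198.51.100.9 proto=TLSv1.0 cipher=AES256-SHA",
]

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+proto=(?P<proto>\S+)")


def find_insecure_connections(log_lines):
    """Return (client, protocol) pairs that used SSL or early TLS.

    These are the partners to contact before the fallback is disabled,
    since their transfers will start failing at that point.
    """
    flagged = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match and is_insecure_protocol(match.group("proto")):
            flagged.append((match.group("client"), normalise_protocol(match.group("proto"))))
    return flagged


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("context blocks early TLS:", context_blocks_early_tls(ctx))
    for client, proto in find_insecure_connections(SAMPLE_LOG):
        print(f"remediate {client}: still negotiating {proto}")
```

The scan is deliberately run before the fallback is switched off: once `minimum_version` is raised, the only evidence of a partner stuck on TLS 1.0 is a failed handshake, which is much harder to triage than a line in the connection log.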
Regulators frequently update PCI DSS, keeping it in line with changing consumer behaviour and payment technology. Other PCI DSS requirements for data transfer include: Protecting stored cardholder data; encrypting data in transit across open, public networks; developing and maintaining secure systems and applications; restricting physical access to cardholder data; tracking and monitoring all access to network resources and cardholder data. There’s more information on our resources page.
A good data transfer solution will provide these features, and some provide PCI DSS compliance reports too.
To compare solutions with PCI DSS 3.2 compliant features, complete the Managed File Transfer Comparison Report. This will recommend and compare solutions meeting your specific requirements.
2. GDPR
Most organisations will handle personal data in some way. It is essential that you are clear on which of your data transfers fall within the scope of GDPR and take the right steps to protect it. Out-of-support software, open source FTP, unmanaged in-house scripts and consumer-grade cloud solutions are some of the biggest areas of risk for your organisation.
Does your Managed File Transfer solution do the following?
- Encrypt data in transit and at rest. Data shouldn’t be in the DMZ unencrypted, even if that’s only for a short period of time.
- Offer authentication and access control so that users can only access the data they require.
- Deliver high availability functionality so that services can continue following a failure of one or more components.
- Provide visibility of where and when transfers occur.
- Apply storage retention and ‘housekeeping’ rules to clean up old files after they have been downloaded.
These are important Managed File Transfer solution features that will help keep you compliant, reduce the risks of breaches and protect you against hefty fines.
It’s not just about the technology though. GDPR has prompted us to understand the nature and sensitivity of the data. We have to know what is in the file to ensure we handle it appropriately, set suitable security and document the process in an impact assessment. For example, do the files contain personal data? If so, how sensitive is it? What is the reason for the transfer?
Some file transfer systems allow you to build impact assessments within the software and select the transfer process based on the security requirements. For example, if you classify the data as highly sensitive, it will guide you towards using SFTP or HTTPS.
Our GDPR White Paper explains how the new legislation affects your data transfer and file sharing processes and systems. There are clear recommendations from our experts too.
3. Plan your cloud strategy
Interest in cloud-based data transfer and file sharing solutions is growing, as more and more organisations move their IT infrastructure to the cloud. Some organisations are going entirely cloud-based, while others opt for a hybrid or gradual transition.
There are a number of advantages to a cloud-based Managed File Transfer solution:
- Reduced on-premise infrastructure management and operational costs.
- Scalable as your business grows.
- Many offer a pay-for-what-you-use pricing structure.
- Improved resilience through a highly available infrastructure.
Make sure you consider all factors when you’re planning your cloud strategy. How will you get your data to the cloud securely, quickly and efficiently? Distance impacts efficiency, so think about where the data you’re transferring originates from and where you’re delivering it to. If the transfers are all on-site, cloud probably isn’t the most efficient solution. If you’re transferring between multiple geographic locations then it might be.
The technologies you choose will have an impact on your efficiency too. UDP-based protocols, for example, are good for transferring large files over long distances. TCP is slower, but it is an open protocol, so you don’t need bespoke servers and clients.
Consider data residency as well. Data in the cloud is stored across multiple servers and locations. Do you, for example, have permission from your data subjects to store their personally identifiable data, or even user login credentials, outside the EU? (This is an important compliance point under GDPR.) You also need to consider where your data is backed up to.
Many of the leading vendors are developing their cloud-based Managed File Transfer offering. Our consultants can advise you which solutions meet your business requirements.
4. Is your FTP server up to date?
You’d be surprised how often we speak to businesses running unsupported FTP servers with outdated operating systems. Not only does this expose your organisation to malware, ransomware and other viruses, but it affects your ISO 27001 accreditation and relationship with customers. (More and more organisations – especially large corporations – demand ISO accreditation from their service providers, because they know that suppliers pose one of the greatest risks to information security.)
Just because your FTP server has been working OK until now, that doesn’t mean it will continue to be protected. We have already seen DNS hijacking malware so far this year. It’s only going to get worse. Don’t let this be the year your organisation is hit.
This table shows which FTP servers are supported by the manufacturer, their current version and the operating systems they support.
If your organisation has outgrown its data transfer solution, or you are concerned about its security standards, find out about our health check service.
5. Consider investing in APIs
APIs are becoming a more realistic and cost-effective option for businesses wanting to integrate their systems and speed up their business processes. For example, your Managed File Transfer (MFT) solution can receive a file and use an API to import the data into another system. It could be used to drive your CRM or order processing system (or vice versa), saving time and reducing the risk of human error.
SOAP, REST and COM are some of the most widely used API styles. REST is probably the most common – a hybrid solution and more resilient to version updates of the partner system.
If you wanted to integrate systems in this way, your first step would be to identify a Managed File Transfer solution that supports an API (not all do). Some solutions include an API in their licence, whereas others carry an additional charge. Then you would need an on-site developer to write an application to use the API in the way that you want it to. While this is going to cost you, your organisation will quickly realise the benefits of a more integrated IT infrastructure.
Get in touch to find out about MFT solutions that support APIs and how our professional services team can develop your application.