Blog Archives - Managed File Transfer Solutions | Secure File Transfer Software | UK

China’s new cybersecurity law and how that impacts Data Transfers?

Our friends at JSCAPE have written an article about the new cybersecurity law in China, which came into effect in June this year. Utilising JSCAPE’s article (with their kind permission), we thought the overview would be useful to many of you who have business operations in China or transact with organisations based there. The chances that it affects you are very high.

Cybersecurity law in China and how it affects data transfer

Businesses whose data transfers might be impacted by the law

The provisions in the cybersecurity law that impact data transfers govern two sets of businesses: a large set known as network operators and a small subset known as critical information infrastructure operators (CII operators). The definitions, however, turn out to imply a much wider scope.

For instance, while the term ‘network operators’ might initially be interpreted to mean telecommunications companies, ISPs or cloud service providers, the law actually defines network operators as network owners, managers, and network service providers. That could mean any company who operates any type of network – even a small office LAN. It therefore has the scope to affect many businesses.

Critical information infrastructure refers to data which, if destroyed, damaged or leaked, “might seriously endanger national security, national welfare and people’s livelihood, or the public interest”. Any infrastructure providing public communication and information services, power, traffic, water, finance, public service, or electronic governance is considered CII. Because it’s not clear what exactly qualifies as “seriously endangering national security” and the like, other organisations not mentioned here might well be considered CII operators as well.

These broad definitions make it hard for companies to determine whether or not they fall under these categories, so it’s best to seek guidance from regulators or legal experts. If you think your business might be affected, it probably is.

How does the law impact data transfers?

The first thing that jumps out in relation to data transfers is the data localisation provisions. Multinational companies and foreign organisations operating in China often transfer certain information to their headquarters or other offices located in other parts of the world. Businesses may also have to transfer files to customers, suppliers, and other trading partners based overseas. Unfortunately, the data localisation provisions of the Cybersecurity Law will now make these outbound file transfers extremely difficult.

Article 37, in particular, requires certain operators to store personal information and other critical data (that were collected or generated during the course of business operations) within mainland China. This provision, which originally only covered CII operators, has lately been expanded to include network operators, casting a much wider net that now impacts most businesses.

The expanded provision is stipulated in the draft regulations entitled “Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data Overseas”.

Personal information is normally part of various business processes, often incorporated in HR (Human Resource), sales, and marketing data, among others. Because some of these processes involve the transfer of data overseas, e.g. for further processing or data aggregation purposes, the onset of the data localisation provisions can seriously disrupt current practices.

In cases where it’s absolutely necessary to export personal information and other important data, the Cybersecurity Law may allow it, provided several conditions are met. One of these conditions is to first conduct security assessments in accordance with the measures mentioned earlier.

The security assessments

There are basically two types of assessment: self-assessments and regulator assessments. These assessments must focus on certain elements such as:

  • the necessity of carrying out the cross-border data transfer;
  • circumstances surrounding the presence of personal information and/or critical data;
  • the security measures and security environment of both the recipient and the country in which the recipient operates;
  • the risk of leakage, loss, falsification or misuse of the transferred data.

Regulator assessments are required when certain circumstances arise. For example,

  • the number of individuals whose personal information is included in the transfer is at least 500,000;
  • the amount of data exceeds 1000 GB;
  • it involves data relating to information about the security of certain CII.

How secure file transfers can help you pass the security assessments

Secure file transfer systems can help you pass some of these assessments by addressing the technical issues involved. For example, they can greatly enhance the security measures of the recipient and substantially reduce the risk of leakage, loss, falsification, or misuse of the transferred data. Although there are certainly other factors involved, being able to strengthen your recipient’s security measures and reduce critical risks can greatly improve your chances of passing the security assessments.

If you feel that Managed File Transfer solutions may be beneficial to your business, we would be happy to discuss your needs and infrastructure.

Check out our “Do you need MFT” analysis document if you would like to get a better idea of your current processes. This comprehensive expert guide to your data transfer processes will highlight areas which may need addressing.

Resources Available For You

Do you need a File Transfer solution?

Questions regarding need for File Transfer 


Find out your File Transfer requirements!

“Needs Analysis Service for File Transfer”


Compare the software on the market!

“Managed File Transfer Comparison guide”


Are you sharing data securely?

Your employees need to share data between themselves to perform their roles effectively, but how do you ensure that this adheres to your organisation’s security policies? What can you do to control this and help them with sharing data securely?

With multiple employees now working from different sites or hot desking, it’s an area that can easily spiral out of control, so we have a possible solution for you to consider.

Let’s take a common example for many organisations. Employees often need to share data with external third parties on an ad-hoc basis. For most of my time in IT, this has been done by sending an attachment in an email. Policies and procedures that users agree to upon employment, and mail filter tools such as Mimecast, are also options that should be put in place to prevent data that needs to be secured from being leaked via e-mail.

However, this doesn’t really address the issue. Sending files by e-mail invariably causes issues at the mail server stage, where space is generally at a premium. Mail sent to multiple recipients in the same organisation will result in numerous copies of the same file being stored, which is especially problematic when you consider that the majority of users don’t delete e-mails until their mailbox is full. Additionally, resources on mail servers are often stretched just by handling e-mails with large attachments. As a consequence, if a user runs into a block, or needs to send a file which is going to be stopped by the mail server, they may look for an alternative route such as a cloud-based file sharing service.

Several years ago, I was told by an IT manager of a large media company that their organisation moved nearly a terabyte of data through file sharing services every month. They felt the cost of sharing the data by other means or the delays involved would actually harm the business. The problem was they had no control and didn’t know if the data was authorised to be shared or where the data was going.

Sharing data securely with Ad-Hoc module messaging via an MFT

Using an Ad-Hoc messaging module of a Managed File Transfer (MFT) solution would have allowed them to block sharing sites for all users, yet still allow users to share data in a controlled manner. Ad-Hoc messaging (sometimes referred to as EFSS or Electronic File Sync & Share) allows clients to exchange e-mails containing hyperlinks to files, rather than the files themselves; the files are stored on a web-enabled file transfer server to which both the sender and recipient are granted access. Although it is clearly desirable to remove the attachments passing through the mail server, doing so highlights potential failings around the governance of data entering or leaving the organisation, such as Data Loss Prevention (DLP) and virus checking.

MFT solutions now integrate with Anti-Virus (AV) and DLP solutions using an ICAP (Internet Content Adaptation Protocol) connector. When a file is shared, the MFT solution passes the file and its associated metadata to the DLP solution over ICAP. Based on the content, the DLP server then decides whether the file may be sent. If the file is allowed, an “OK” response is returned to the MFT server and the ad-hoc notification message is sent. If the file is blocked by the DLP server, the MFT server receives a “not OK” response and does not send the notification mail; the file is then deleted so that it is not cached. Incoming and outgoing files can also pass through an AV scanner using the same mechanism, to ensure that malicious code is not being shared.

When you installed MFT, ICAP may not have been included in your AV or DLP solution, but most now offer it, so it’s definitely worth reviewing your integration options.

ICAP is not a perfect solution and has some technical drawbacks. For example, most ICAP-based solutions (and there are only a few) require that you provide the ICAP interface by way of a proxy, which will not necessarily interact well with every MFT solution – be sure to check which specific products are supported by your MFT system. Another potential issue is the time taken to transfer large files to the ICAP server for inspection – in some cases this may result in a perceived lag when sending the Ad-Hoc message. However, combined with the Ad-Hoc module of an MFT solution, ICAP allows data entering and leaving an organisation to be controlled in line with IT security policies without restricting end users from performing their duties.
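The scan-before-release exchange described above, as an added example written for this article rather than taken from any MFT, AV or DLP product: it builds the ICAP REQMOD request that carries the shared file, reads the scanner's verdict, and fails closed on any error so that a dead scanner cannot silently disable DLP. The service path /dlp, the /share/ URL and the X-Infection-Found / X-Virus-ID reason headers are assumptions; real products use their own names.

```python
import socket

ICAP_PORT = 1344  # the registered ICAP port (RFC 3507)


def build_reqmod(host: str, service: str, filename: str, data: bytes) -> bytes:
    """Wrap a shared file in an ICAP REQMOD request. The file travels as the
    body of an encapsulated HTTP request, chunked as RFC 3507 requires."""
    http_hdr = (
        f"POST /share/{filename} HTTP/1.1\r\n"  # /share/ path is an assumption
        f"Host: {host}\r\n"
        f"Content-Length: {len(data)}\r\n\r\n"
    ).encode()
    # Encapsulated records the byte offset of each section in the payload
    icap_hdr = (
        f"REQMOD icap://{host}{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # lets the scanner say 'unmodified' without echoing the file
        f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n"
    ).encode()
    chunked = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"
    return icap_hdr + http_hdr + chunked


def parse_icap_response(raw: bytes) -> tuple:
    """Return (status code, headers with lower-cased names) from an ICAP reply."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode(errors="replace").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def verdict(status: int, headers: dict) -> str:
    """Map the scanner's answer to what the MFT does with the share.
    204: content unmodified, release it.  200: the scanner replaced the
    message, which is how a block is normally expressed; withhold the
    notification.  Anything else is an error and is treated as a block."""
    if status == 204:
        return "allow"
    if status == 200:
        # X-Infection-Found / X-Virus-ID are vendor headers (assumed here)
        reason = headers.get("x-infection-found") or headers.get("x-virus-id")
        return "block:" + (reason or "policy")
    return "error"


def scan_file(host: str, service: str, filename: str, data: bytes,
              port: int = ICAP_PORT, timeout: float = 30.0) -> str:
    """Send one file to the ICAP server and return allow / block:<why> / error.
    Network failures are errors too: a file is never released unscanned."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_reqmod(host, service, filename, data))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return verdict(*parse_icap_response(raw))
    except (OSError, ValueError):
        return "error"
```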

If you would like to investigate whether an MFT solution would be right for your organisation, you can check out our Expert guide to MFT, which includes some questionnaires to help you. Alternatively, if you’d like to discuss your options, feel free to give our team a call on 0333 123 1240.

Are You A File Transfer Solution Administrator?

If you’re an IT professional who has responsibility for your company’s file transfer systems, there’s a good chance that you’ve had little training and have had to work much of it out for yourself. However, it doesn’t need to be that way.

Understanding how file transfer fits into an organisation, how it should be secured, who should be given access, and which protocols are most appropriate for integrating with specific systems shouldn’t be a process of trial and error. External partners should be on-boarded efficiently and securely, and you should be confident in the choices you make during the process.

We realised that there wasn’t an appropriate training course to help IT professionals to understand the mechanics of file transfer. Sure, there are vendor courses about specific software packages, but they expect an underlying level of knowledge about file transfer that many just don’t have. So in partnership with a number of leading file transfer vendors we created the Certified File Transfer Professional (CFTP) programme.

The programme is vendor independent; its purpose is to educate IT professionals about the different types of file transfer technologies, which protocols should be used and when, how to better secure your company by adopting best practices, and much more.

Certified File Transfer Programme

The CFTP programme is delivered as an online course or in the classroom. From our training facilities in London or onsite at your company, Pro2col’s experienced technical consultants deliver a hands-on, interactive training programme working through the course content and then adjudicate during the examination.

If you or your colleagues would like to build upon your base knowledge of file transfer, gain an internationally accepted accreditation, and help better secure your transfers ahead of GDPR, we’d love to hear from you.

You can register your interest for our classroom-based training here, or register to get the free study guide on the web site. Alternatively, if you’d like to discuss your options, feel free to give our team a call on 0333 123 1240.

8 Common Reasons Why Managed File Transfer Fails

I wrote an article a while back about how to monitor a Managed File Transfer system, but I didn’t really discuss any of the many things that can go wrong and ruin your day. Here are some non-product-specific thoughts and ideas on the automation aspect of MFT; the scheduled or triggered transfer of data between networks.

Triggering

In general, the first place where something goes wrong is the actual triggering of an action. Depending on the system that you are working with, this may be an event, job, task or similar. Actions are generally triggered by an event matching a rule – for a scheduled action this is a time event corresponding to a specific time. More commonly, however, the event will be the arrival of a file and the rule will be a filename or folder match. Common errors in this area include conflicting rules in multiple actions, and files arriving just after a scheduled transfer has run.

Sources and Targets

Broadly speaking, the most common role of automation software is to move files from one place to another – unfortunately, this is where things most often go awry. Here are some common problems that occur.

Firewall incorrectly configured – affecting both inbound and outbound traffic. This is caused by some or none of the required ports being opened, or even incorrect NATing of the automation component’s IP address.

Whitelisting and Blacklisting – Unfortunately, as the automation administrator, you don’t necessarily have a view of this. It is, however, worthwhile being able to validate that your IP address hasn’t changed unexpectedly.

Password, Key or Certificate Expiry – There is always a trade-off between security and operability, but invariably in more secure environments non-expiring certificates, keys or passwords are disallowed. Be aware that many secure transfer servers will not confirm that this is the cause of the problem, so it may not be immediately obvious. You should also note that repeated failures may result in IP blacklisting or a locked account.

Connectivity – The internet is a great place to get lost in and we all expect to have occasional issues reaching certain destinations. The same can often hold true inside your own network, however. Remember that you may sometimes need to flush a DNS cache in order to make the right connections (especially true after a post-maintenance DNS change). For those connections that just can’t be made (whether internal or external), you will need to put a plan in place to reconnect when the target server becomes available again.

Space – Maybe not the final frontier, but often the last straw. Many platforms place a hard limit on the maximum permissible file size; some network administrators have a hard limit on how big a file they allow through their network (especially during peak times). And of course, inevitably there will always be a disk running out of space somewhere.

Programs and Scripts

Most MFT systems will provide you with the opportunity to execute a program or script at some point during the transfer process. This allows you to perform some basic transformation or processing of a file in transit. Invariably the MFT software will not, by default, provide all of the debug information that you need, so be prepared to add extra logging, or redirect STDERR to STDOUT and capture it somewhere.

Notifications

Often, MFT software cannot or will not report failures to send email notifications, as the messages may be stopped somewhere outside the MFT system. To counter this, it is common to send yourself a daily status email, the arrival of which demonstrates that at least some emails are leaving the MFT system. If the MFT software does not provide a way to test emails, try logging on to the server and using telnet to port 25 to test SMTP (Windows); on Linux systems you can use sendmail instead.

Summary

These are of course just a handful of the kinds of problems that MFT administrators have to face on an almost daily basis; hopefully, though, thinking a little about these may help to avoid some issues, or even give some pointers to resolution.

Are Your FTP Servers Still Under Manufacturers’ Support?

We’re now a week on from the first reports of WannaCry infecting computers across the globe. The initial media furore has subsided, the world hasn’t ended and IT can get back on with the job of keeping the organisation running!

Many software vendors jumped on the bandwagon, using WannaCry as an opportunity to position the need for their software; I’m sure you received a tonne of emails. We thought about it but resisted; instead, we thought that a concise view of whether your FTP server(s) are supported by the manufacturer, the current version, and which operating systems they support would be of more use.

Naturally, if you need any help upgrading any of these servers, our technical team are here to help. However, it would be advisable to check in with the pre-sales team to ensure that the process runs smoothly; some vendors will require a completely new licence key to move to the latest versions.

If you’ve got any other FTP servers you’d like us to add to the list, please get in touch.

Password Security in Managed File Transfer

Last week was “World Password Day”, a day designed to get people thinking about password security and hopefully change their passwords. I was surprised to see an article from Sophos that the average person has 19 passwords to remember and almost a third struggle with strong passwords. With the raft of work systems, private emails, social media, online shopping and banking passwords I thought it would be many more. I did a quick tally of my online passwords and worked out I have in excess of 30 passwords, although most of the private account passwords are variations on 4 main passwords. I worked for one very large organisation which insisted passwords were changed every month but suggested that you simply add the month digit to the end of your password, negating the password security almost entirely.

The full article from Sophos can be found here.

Having strong passwords and authentication methods for file transfer accounts is very important. There are several approaches for user authentication that are supported by most Managed File Transfer (MFT) solutions.

These are:

  • Application Controlled
  • External source (AD / LDAP / Other source)
  • Advanced Authentication using RADIUS or a One Time Password system
  • Private key authentication

With application-controlled authentication, the MFT solution controls the length, complexity, password history and password expiry using its own internal mechanisms. Usually users will be prompted to change their passwords either by email or when they log in.

This works well, but for users inside the organisation passwords can drift out of sync, and this leads to increasing problems as users are asked to remember more and more passwords to access different systems. In this case, we usually recommend that the MFT solution uses the internal Active Directory or LDAP source. This allows users to use the same credentials that they log in to their computers with. Responsibility for changing the password then resides with the AD/LDAP system, and the MFT solution will not normally track the passwords. When a user presents their credentials to log in to the MFT solution, the system passes the username and password to the AD/LDAP source for verification. If the AD/LDAP system confirms the credentials are correct, the MFT solution lets the user in. As there is usually no caching of credentials, if a user changes their password on the AD/LDAP system then that change is reflected instantly in the MFT system.

To increase the security of AD/LDAP authentication, RADIUS solutions using time-limited one-time password tokens, or even SMS messages, can be integrated to provide an extra level of security.

In RADIUS authentication, the user or device sends a request to the MFT system to gain access to a particular network resource, then the system passes a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. RADIUS servers vary, but most can look up client information in text files, LDAP servers, or databases. The RADIUS server can respond with an Access Reject, Access Challenge, or Access Accept. If the RADIUS server responds with an Access Challenge, additional information is requested from the user or device, such as a secondary password. Access Accept and Access Reject allow or reject the user access respectively.
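The Access-Request / Access-Accept exchange just described, as an added example written for this article (not code from any MFT product or RADIUS server): it hides the User-Password attribute the way RFC 2865 specifies and, on the MFT side, checks the Response Authenticator so that only a reply built with the shared secret for this exact request is acted on; a forged or mis-keyed reply is treated as no answer. The shared secret, user name and password are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SECRET = b"constructed-shared-secret"  # sample value, not a real deployment secret

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is the server's side of the exchange."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        out[kind] = data[i + 2:i + length]
        i += length
    return out

def build_access_request(ident: int, user: bytes, pw: bytes, secret: bytes):
    """Client side. Returns (packet, request_authenticator); keep the
    authenticator so the reply can be tied to this request."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(pw, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(packet: bytes, ident: int, req_auth: bytes, secret: bytes) -> str:
    """Client side: a reply counts only if its authenticator proves it was
    built with the shared secret for our outstanding request."""
    if len(packet) < 20:
        return "invalid"
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if pid != ident or length != len(packet):
        return "invalid"
    if hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest() != packet[4:20]:
        return "invalid"  # forged, replayed from another request, or wrong secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, "invalid")

def demo() -> str:
    """Round trip with constructed values: the MFT builds the request, a
    stand-in server recovers the password and answers Access-Accept."""
    pkt, req_auth = build_access_request(42, b"batch-sftp-job", b"Tr0ub4dor&3", SECRET)
    attrs = parse_attrs(pkt[20:])
    ok = reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, pkt[4:20]) == b"Tr0ub4dor&3"
    resp = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, 42, pkt[4:20], SECRET)
    return verify_response(resp, 42, req_auth, SECRET)
```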

Using AD/LDAP authentication or RADIUS authentication works well for users who log in to the system interactively using either a web interface or a file transfer client such as FileZilla, but it does not work well for accounts which are used as part of file transfer scripts.

The most popular method of securing these is to use “private key” or “key pair” authentication. With this, the account does not use a defined password; instead the MFT solution encrypts a token and sends it as a challenge to the client. This token is decrypted using the private half of the key at the client end and sent back unencrypted. If the tokens match, the MFT solution accepts the user as verified and allows the account access. In this way, any scripts which need to access the MFT solution do not need to have passwords embedded in them in plain text. Key pair authentication works with SSH keys for SFTP and SSL certificates for FTPS and HTTPS connections.

With many more password breaches now coming not from brute force attacks but from compromised authentication databases, experts are advocating not making passwords longer or more complex but implementing Two Factor Authentication (2FA). This can be achieved using a combination of password and private key authentication, or RADIUS, in your MFT solution, and works well for both users and scripts.

Now may be a good time to review your MFT password policies, and maybe time I changed some of my passwords too!!!
