This blog post focusses on MFT security and compliance. With the sheer abundance of security standards, laws and legislation, it’s important that your managed file transfer solution supports and maintains compliance. This also applies to password security in Managed File Transfer. It includes an MFT GDPR case study, but the security controls explained here will support all compliance standards.
MFT GDPR case study
Regulation like the GDPR doesn’t always stipulate specific security measures for protecting personally identifiable data. Often it is down to the data controller to implement measures appropriate to the risk and sensitivity of the data. You need to focus on the security surrounding the transfer itself. But there are other requirements for the processing of personal data to consider too. To aid the protection of personal data, make sure your passwords are strong and changed on a regular basis. Simple passwords are easy to crack, password security in managed file transfer is very important in order to keep data secure and allow the correct user access.
The following GDPR articles are relevant for your MFT solutions.
- GDPR Article 25 – storage and accessibility
- GDPR article 30 – record of activities processed by the MFT solution
- GDPR article 32 – the security surrounding processing of the data
- GDPR article 35 – the data protection impact assessment (DPIA)
- GDPR articles 15, 17 and 20 consider an individual’s right to request access to their data and have it removed, which needs to be done in a timely manner.
MFT security and compliance features
Encrypted at rest (e.g. PGP, AES)
This is achieved by encrypting either individual files or entire file systems. When a file system is encrypted, it is generally using technology like Bitlocker. For individual files an application may use proprietary encryption techniques like AES256, or else employ an encryption/decryption tool (for example PGP or GPG).
Encrypted in transit
(e.g. SFTP, FTPS, HTTPS) Transit encryption requires channels passing the commands and data to be encrypted, regardless of whether the files being transmitted have already been encrypted. FTPS and HTTPS uses SSL encryption, which has certificates to prove the identity of the receiving server. The actual encryption occurs based upon a unique key inside the certificate. SFTP uses SSH to encrypt the channel, and – similar to SSL – the channel is encrypted based upon the receiving server’s public key.
Authentication / Access Control
Organisations should be able to create unique user identities within a file transfer system, and monitor user activities. The system either needs to provide a robust mechanism for setting password strengths and expiration policies, or use existing security systems to manage these (these are generally more advanced). Some systems offer Multi Factor Authentication (MFA), where users have to confirm their identity by another means (eg: Entering a unique code sent by email or text). Additionally, the system should restrict users to only access the data they require, whilst not being so restrictive that they cannot work. Organisations also need to think about how third parties authenticate their identity. For example, a recipient at another organisation should authenticate their identify when receiving files through an EFSS system.