MFT Security and Compliance (plus MFT GDPR case study)
This blog post focusses on MFT security and compliance. With the sheer abundance of security standards, laws and legislation, it’s important that your managed file transfer solution supports and maintains compliance. It includes an MFT GDPR case study, but the security controls explained here will support all compliance standards.
MFT GDPR case study
Regulation like the GDPR doesn’t always stipulate specific security measures for protecting personally identifiable data. Often it is down to the data controller to implement measures appropriate to the risk and sensitivity of the data. You need to focus on the security surrounding the transfer itself. But there are other requirements for the processing of personal data to consider too.
The following GDPR articles are relevant for your MFT solutions.
- GDPR article 25 – storage and accessibility
- GDPR article 30 – record of activities processed by the MFT solution
- GDPR article 32 – the security surrounding processing of the data
- GDPR article 35 – the data protection impact assessment (DPIA)
- GDPR articles 15, 17 and 20 consider an individual’s right to request access to their data and have it removed, which needs to be done in a timely manner.
MFT security and compliance features
Encrypted at rest (e.g. PGP, AES)
This is achieved by encrypting either individual files or entire file systems. When a file system is encrypted, it generally uses technology like BitLocker. For individual files, an application may use its own built-in encryption such as AES-256, or else employ an encryption/decryption tool (for example PGP or GPG).
Encrypted in transit (e.g. SFTP, FTPS, HTTPS)
Transit encryption requires the channels carrying commands and data to be encrypted, regardless of whether the files being transmitted have already been encrypted. FTPS and HTTPS use SSL/TLS encryption, which relies on certificates to prove the identity of the receiving server. The actual encryption occurs based upon a unique key inside the certificate. SFTP uses SSH to encrypt the channel, and – similar to SSL – the channel is encrypted based upon the receiving server’s public key.
Authentication / Access Control
Organisations should be able to create unique user identities within a file transfer system, and monitor user activities. The system either needs to provide a robust mechanism for setting password strengths and expiration policies, or use existing security systems to manage these (these are generally more advanced). Some systems offer Multi Factor Authentication (MFA), where users have to confirm their identity by another means (e.g. entering a unique code sent by email or text). Additionally, the system should restrict users to only the data they require, whilst not being so restrictive that they cannot work. Organisations also need to think about how third parties authenticate their identity. For example, a recipient at another organisation should authenticate their identity when receiving files through an EFSS system.
High Availability / Resilience
Modern file transfer systems are generally configured in a way that allows their services to continue, following the critical failure of one or more components. This may be managed by a highly available infrastructure – with minimal or zero downtime achieved by load balancing and removing single points of failure – or by restoring a system to a standby server and recovering to a previously agreed time (Recovery Point).
It is important to keep a record of all transactions performed by a file transfer system. Some systems will provide this in great detail, others not so much. In either event, it is preferable to have a reporting process built into the system for both ease of use and transparency.
One of the biggest issues with any file transfer system is the tendency to have an abundance of old files remaining in it. This often comes from users’ reluctance to delete files following their download. As a consequence, old forgotten files containing confidential data may be left around even though there is no requirement for them. To address this, some file transfer systems contain housekeeping routines to clean old files after they have been downloaded or a suitable period has passed. It is imperative that these housekeeping rules are applied and adhered to.
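The housekeeping rule described above can be sketched as follows. This is an added example, not code from any MFT product: the `TransferRecord` structure, the `sweep` function and the retention values (30 days maximum age, 1 day after download) are assumptions, and each deletion is returned as an audit entry so that the clean-up itself is recorded.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Optional

DAY = 86400  # seconds

@dataclass
class TransferRecord:              # hypothetical record kept per uploaded file
    path: str
    uploaded_at: float             # epoch seconds
    downloaded_at: Optional[float] = None  # None = never collected

def sweep(records, now, max_age_days=30, grace_days_after_download=1):
    """Delete expired files and return one audit entry per decision taken."""
    audit = []
    for rec in records:
        collected = rec.downloaded_at is not None
        if collected and now - rec.downloaded_at >= grace_days_after_download * DAY:
            reason = "downloaded"          # collected and grace period over
        elif now - rec.uploaded_at >= max_age_days * DAY:
            reason = "max_age"             # never collected, but too old to keep
        else:
            continue                       # still within policy, leave in place
        try:
            os.remove(rec.path)
            outcome = "deleted"
        except FileNotFoundError:
            outcome = "already_absent"     # record it rather than fail the run
        audit.append({"path": rec.path, "reason": reason,
                      "outcome": outcome, "at": now})
    return audit

def demo():
    """Constructed sample: three files in a temp dir standing in for an MFT share."""
    root = tempfile.mkdtemp()
    now = time.time()
    specs = {"collected.csv": (now - 5 * DAY, now - 2 * DAY),
             "stale.csv": (now - 40 * DAY, None),
             "fresh.csv": (now - 1 * DAY, None)}
    records = []
    for name, (uploaded, downloaded) in specs.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        records.append(TransferRecord(path, uploaded, downloaded))
    return sorted(os.listdir(root)) and records, sweep(records, now), root

if __name__ == "__main__":
    _, audit, root = demo()
    print(sorted(os.listdir(root)), audit)
```
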
Security and compliance audit
File transfer systems need to be tested periodically to ensure that their security is still in place and adequate to the task. Some file transfer systems have preconfigured reports that can be executed to demonstrate this, while others will rely on an auditor reviewing the system configuration. Additionally, as file transfer systems are frequently internet facing, external penetration tests need to be performed to ensure that they do indeed meet security criteria.
Pro2col experts can provide a full compliance audit for your file transfer solution. Alternatively, we can review your requirements and recommend the right solution to meet your requirements. Contact us on 0333 271 8337 for a free, no obligation discussion.