3 Tips for Intrusion Prevention With Managed File Transfer


Security is table stakes for any managed file transfer (MFT) solution, and it’s important for organizations to understand the different levels of security. Mark Towler, senior product marketing manager, Progress, delves into the different types of secure MFT solutions and provides the top tips for intrusion prevention.

Your Security, Your Choice

I was talking with a client recently, and we were discussing the importance of securing the data on his MFT system. He said something that stuck with me: “We know we’re paranoid. But are we paranoid enough?” It’s an interesting statement partly because it reveals not only the concerns MFT users have about security but the point they’re starting from. It has to be secure in the first place, but can it ever be secure enough? The answer is actually quite simple: how secure do you need it to be?

Every organization has its own security requirements. They may be imposed from outside by regulation, or they may be best practices required by their own management, but they’re always going to be different. Ideally, everyone would be using the best possible security, but in the real world, that almost never happens due to factors like cost, convenience and general ignorance about possible vulnerabilities. The key for any organization with an MFT is to understand how much security your organization needs and can afford, and how much your users will tolerate. And that’s why MFT security should never be a one-size-fits-all feature.

Choice is what you need to be looking for when considering an MFT. All will encrypt files in transit, but not all of them will also encrypt those files at rest (or at least not without charging extra). Some let you choose whether or not to encrypt, which isn’t necessarily as insecure as it sounds. For example, if your organization is using MS Azure Blob hosts to store your data, that data is automatically encrypted by Microsoft. But some may not want or trust Microsoft’s innate encryption. Others may balk at the performance hit caused by re-encrypting and re-decrypting that data every time it’s accessed (a significant problem if you’re dealing with hundreds of transfers daily). The same goes for a number of other security features like security-question-based password resets or multi-factor authentication (MFA). They may work for your organization, or they may not. But if your MFT solution doesn’t give you a choice whether or not to use them, then it’s not going to fit in well with your specific security requirements.

While security and encryption tend to be table stakes in the MFT industry, it’s important to look at features that will give you the most bang for your security buck. The following are the three best security features you can implement to prevent a breach, in my opinion.


1. A Tamper-Evident Audit Trail

If you operate under regulations like HIPAA, GDPR, CCPA, SOX, PCI-DSS or something similar, this actually isn’t a choice; it’s a requirement. At any time, you need to be able to prove that any given data transfer was kept secure at all times and that only authorized individuals had access to it. That means you need to keep data encrypted in transit (when being transferred between people or systems) and at rest (when being stored somewhere).

You also need to be able to create a report that shows this along with details of anyone who accessed that data. This kind of report should be automatically produced by the MFT system upon request, not only to show potential auditors but also so you can confirm there weren’t any data breaches. Even if you aren’t required to comply with regulations, this is a worthwhile feature because it always ensures you can figure out what happened and when. And that’s the first question that comes up when data is leaked or intruders access your network. 
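The following added example, which is not part of the original article or any MFT product's code, shows one common way to make a transfer audit trail tamper-evident: each record carries an HMAC over its content and the previous record's MAC, so an edited or deleted entry breaks the chain. The event fields, key and function names are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample transfer events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T09:00:00Z", "user": "alice", "action": "upload", "file": "payroll.csv"},
    {"ts": "2024-01-05T09:12:00Z", "user": "bob", "action": "download", "file": "payroll.csv"},
    {"ts": "2024-01-05T10:30:00Z", "user": "carol", "action": "upload", "file": "q4-report.pdf"},
]

def record_mac(key, prev_mac, event):
    """HMAC-SHA256 over the previous MAC plus the canonical JSON of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append_event(log, key, event):
    """Append an event, chaining it to the MAC of the record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "prev": prev, "mac": record_mac(key, prev, event)})

def verify(log, key):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = record_mac(key, prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    return -1

def access_report(log, key, filename):
    """List (timestamp, user, action) for one file, refusing an unverified log."""
    if verify(log, key) != -1:
        raise ValueError("audit trail failed verification")
    events = (rec["event"] for rec in log)
    return [(e["ts"], e["user"], e["action"]) for e in events if e["file"] == filename]

def build_sample_log(key):
    log = []
    for event in SAMPLE_EVENTS:
        append_event(log, key, dict(event))  # copy so the samples stay unmodified
    return log

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM
    trail = build_sample_log(demo_key)
    print(verify(trail, demo_key), access_report(trail, demo_key, "payroll.csv"))
```

Removing records from the end of the log leaves a valid shorter chain, so the latest MAC should also be stored somewhere the MFT host cannot rewrite.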


2. Multi-Factor Authentication (MFA)

This one is the heaviest lift in terms of user convenience, but it’s also the one that provides the most value, hands-down. MFA confirms that the individual logging in is actually who they claim to be. It requires something they know (login and password) together with something they have (phone, token generator, etc.). It effectively makes a stolen password useless because the password thieves also need access to the user’s phone or authenticator app. Don’t take my word for it; take Microsoft’s. Their 300 million Azure systems are probed constantly by intruders, and the only thing that prevented access 99.9% of the time was implementing MFA. If you do absolutely nothing else to enhance your security posture, implement MFA. It will do more to prevent intrusions than the next ten security methods combined.

3. Regularly Rotate Your Data Encryption Keys

Data encryption keys are literally the keys to the kingdom for all the data on your MFT. If an unauthorized individual can access them, they can access everything, probably without your knowledge. Sound security policy requires that they be changed regularly, and that’s a recommended best practice according to PCI-DSS regulations. Human error (and, who are we kidding, procrastination) can prevent these keys from being rotated regularly or at all.

You should ensure that your MFT solution not only allows you to securely and easily rotate your encryption keys from within the interface but also provides some way of tracking the status of key changes so you can tell when and if they were rotated. Ideally, it should include a feature that rotates them automatically for you so that you’re never vulnerable.


Beyond the Three Tips

Of course, these three tips are only the beginning. There are dozens of additional features, functions, and best practices you can implement to prevent intrusions and strengthen your security posture.

Each one will come with different considerations and trade-offs, too. Is it worth the advantages in cost savings and convenience to host your MFT in the cloud? Will your users tolerate an enforced policy acceptance before they log in? Do your customers demand onboarding or access faster than your security procedures will allow? No one can answer these questions but you. Applying the three tips listed above is a good start, but you should regularly reassess your security procedures and how well your users are complying with them. This will help you find an equilibrium between making your MFT secure and not locking it down so much that it becomes completely useless for your users. While some say that you can never be too paranoid and others say you can, only you can tell when you’re being paranoid enough.
