For the second installment of my three-part series on file transfer encryption for Ipswitch, I’ll go a little deeper into the how-to’s. (These posts are based on a recent webinar I did with the folks here, available for replay.)
Understanding the basics of file transfer encryption is absolutely critical for securing your file transfer data. However, solely understanding the basics won’t do you much good. You also must understand how exactly you can use it to secure your company’s most private files, and to create an exceptional trail with no unbroken chain of custody.
How will you use encryption?
The type of encryption being used is not as important as how the encryption is done. You must understand how the keys are managed, and the proclivity for files’ encrypted copies to become lost and to fall into the wrong hands.
Utilizing a fairly modern encryption algorithm or product (such as PGP) is a great start, but what it really boils down to is the key handling and execution. If this process is too complicated then someone will end up bypassing it and, most likely, utilize another application (such as Dropbox). This means that every step you took to privatize and secure your data is completely lost. You have completely circumvented the PGP encryption.
Keeping your data integrity
Many of these transaction files have direct financial impact. As scary as this will sound, unauthorized modification transaction is one of the easiest ways to commit fraud.
There is no “one size fits all” for data integrity and file transfer. You have to support the different protocols and types of encryption based on what works best for your company specifically. Although PGP provides data integrity – it enables the user to sign the data and the file to ensure that it wasn’t modified while in transit – it’s just a part of the solution.
Some organizations chose to utilize manual tracking in order to ensure that their check sums are not tampered with at the end of a transaction. However, this completely stands in the way of automation and slows down the process.
Utilizing access control
How different parties access and upload their personal files, while not giving access to other parties’ files, can become incredibly complicated. Many companies find that it become even more difficult when they’re using FTP or custom web applications. Here, if you get past the first level of security, then generally everyone can receive access to everyone else’s files.
Utilizing access controls for both passwords and accounts are critical. If you don’t have a policy built in then your company becomes very vulnerable for attack. But if you do have a policy, be sure to think about how you will be able to unlock accounts when they become mistakenly locked. Also bear in mind that FTP and custom applications are found to be very insecure as well. There is rudimentary authentication in both and many, many holes.
Understanding compliance auditing requirements
Anything that comes into compliance brings with it the need to be audible, or the ability to have a regular trail to track. You must be able to show each access and operation on a file: downloads, uploads, when it was deleted, when it was encrypted, if/when it was decrypted, when it was deleted after being decrypted, etc.
If you choose to use FTP then you will have an audit trail in both your FTP logs and in the file system for the files exposed to FTP. However, relying on native auditing like will be extremely difficult because the information is fragmented, making it extremely cryptic and difficult to interpret – let alone correlate – with one other. Custom web apps are difficult to use because there is no audit log. You will have to employ someone to modify the code to include this tracking capability.
What do you find the most difficult about auditing data for a file transfer? Be sure to leave your thoughts in the comments section below.
If you’re interested in learning more about encryption and file transfer security, be sure to check out the full webinar by clicking here.
And you’re always welcome to visit my own site (UltimateWindowsSecurity.com) for news and analysis.