
How secure managed file transfers help meet compliance requirements

By using a properly configured Managed File Transfer system as your sole means of transmitting data—potentially both within your organization and externally—you can become compliant with requirements much more easily.

One of the great boons of modern technology is its ability to move information rapidly from one person or system to another, but the methods for transferring files are not always as secure as they could be — or as secure as compliance requires them to be.

In this excerpt from Volume 1 of the Tips and Tricks Guide to Managed File Transfer, author Don Jones explains what steps your enterprise should take to ensure secure managed file transfers that also meet compliance requirements.

The Tips and Tricks Guide to Managed File Transfer
Tip, Trick, Technique 4: How does Managed File Transfer help me meet and maintain compliance requirements?

Table of contents:
Understanding how compliance regulations affect file transfer
Features to look for in a Managed File Transfer system


Today's companies are dealing with an increasing array of legislative and industry requirements, mostly revolving around security. Legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes‐Oxley Act (SOX), the Gramm‐Leach‐Bliley Act (GLBA), the Payment Card Industry Data Security Standards (PCI DSS), Basel II, and more all have stringent data security requirements for specific types of data within your business—often the data that forms the core of your business, such as customer information or financial data.

Sometimes, these requirements are very technically precise. PCI DSS, for example, provides specific guidelines on what kind of data must be protected (customer and cardholder information), when it must be protected (in transit and when stored), and how it must be protected (encryption, in most cases). Other times, requirements are much more general and less technical in nature. HIPAA, for example, simply has a general requirement that patient information must not be disclosed to unauthorized parties; a 2009 addition to HIPAA also requires that data holders notify individuals when their protected information has been improperly disclosed.

Those general business‐level requirements can be extremely difficult to implement from a technology perspective. For example, suppose you work in the healthcare industry and are subject to HIPAA. You need to transfer certain patient information to a partner company, and you need to do so in a way that complies with HIPAA. That means you need to actually implement several technical controls:

  • Encrypt the data while it is in storage
  • Potentially encrypt the data during transmission within your company, especially if such transmission occurs over a publicly‐accessible network (such as when accessed by telecommuting employees)
  • Encrypt the data during transmission to your partner
  • Securely wipe any temporary copies of the data created during transmission
  • Keep track of every access to the data while it is stored
  • Keep track of every transmission of the data
  • Store that tracking information in a secure, tamperproof database or log
  • Control who can initiate transfers of specific kinds of data

Understanding how compliance regulations affect file transfer
A Managed File Transfer (MFT) system can help with many of these requirements. By using a properly‐configured MFT system as your sole means of transmitting data—potentially both within your organization and externally—you can become compliant with these requirements much more easily.

An MFT solution—being primarily for transfer of data—obviously doesn't directly address requirements for the security of "data at rest"—that is, the data stored within your file servers, databases, and so forth. However, because MFT solutions often keep a temporary copy of any data being transferred, they are impacted by "data at rest" requirements. An effective MFT solution should fully secure access to such temporary files so that only the MFT system itself can access those files, and so that any access to those files is audited. Typically, MFT systems will rely on the underlying operating system (OS)—such as Windows or Linux—to provide the security and auditing for those files. A good MFT solution will provide the ability to automatically, and securely, wipe temporary files that are no longer needed, reducing the chance that those files will become the source of a data breach.

After the data goes into motion, the MFT solution's real value to your compliance posture kicks in. An MFT solution that has been certified to Federal Information Processing Standard (FIPS) 140‐2 is automatically able to provide the level of encryption desired by most US‐ and Canadian‐based security requirements; you simply have to ensure that your MFT system is configured to use a file transfer protocol that supports such encryption.

The MFT solution (a good one, at least) can track who has transferred a file, when a file was transferred, how long the transfer took, to where the file was transferred, what file was transferred, and so on. That information should be stored in a secure, tamperproof database that is not directly modifiable (except perhaps by highly‐trusted administrators). A good MFT solution can also centrally control who can initiate transfers, and can use top‐level management policies to govern what types of transfer protocols are used, what kind of logging is kept, and what types of files may be transferred.

The technologies used to bring about this level of compliance can be complex. In fact, simply providing the necessary cryptographic protocols can require an incredible amount of expertise, as a fully‐compliant MFT solution will provide FIPS‐validated cryptographic algorithms and modules. Obtaining that validation is expensive and time‐consuming for a vendor, and requires a high level of software and cryptography expertise.

Features to look for in a Managed File Transfer system
A thorough understanding of the compliance rules is also important. For example, some compliance efforts require you to notify customers of a data breach only if the disclosed data was unencrypted. That means applying encryption to the data, as well as to the transport stream, can help make your life easier: In the event that the data is improperly disclosed before or after transport, it was still encrypted in and of itself, so you haven't actually disclosed anything. As Figure 4.1 shows, MFT solutions can provide this functionality through an intermediate layer of file‐based encryption, often using an industry‐standard technology such as PGP.

Figure 4.1: Multiple layers of encryption help meet different requirements.

By adding authentication to the mix—ensuring that both the sender and recipient verify each other's identities before beginning any transfer—you can further meet your compliance requirements. Using cryptographic hashes, such as the Secure Hash Algorithm (SHA), you can provide further protection by ensuring that the file isn't damaged or tampered with in transit.
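The transfer audit trail and the hash check described above can be sketched together. This is an added example, not code from the guide or from any MFT product: each transfer record carries the file's SHA‐256 digest and is chained to the previous entry with an HMAC, so an edited or removed entry is detectable. The key, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first entry

def file_digest(data: bytes) -> str:
    """SHA-256 of the file contents; the sender logs it, the recipient recomputes it."""
    return hashlib.sha256(data).hexdigest()

def entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append_transfer(log: list, key: bytes, record: dict) -> None:
    """Append one transfer record, bound to the MAC of the entry before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "prev": prev, "mac": entry_mac(key, prev, record)})

def verify_log(log: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_mac(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return -1

def received_intact(data: bytes, logged_digest: str) -> bool:
    """Recipient-side check that the delivered bytes match the logged digest."""
    return hmac.compare_digest(file_digest(data), logged_digest)

# Constructed sample values (assumptions, not taken from the guide).
KEY = b"constructed-demo-key"
PAYLOAD = b"patient_id,result\n1001,negative\n"

def demo():
    log = []
    append_transfer(log, KEY, {"user": "alice", "file": "labs.csv",
                               "dest": "partner.example", "protocol": "sftp",
                               "started": "2011-01-10T09:00:00Z", "seconds": 4,
                               "sha256": file_digest(PAYLOAD)})
    append_transfer(log, KEY, {"user": "bob", "file": "claims.csv",
                               "dest": "partner.example", "protocol": "sftp"})
    clean = verify_log(log, KEY)
    log[0]["record"]["user"] = "mallory"  # simulate an edit to a stored entry
    return (clean, verify_log(log, KEY),
            received_intact(PAYLOAD, log[0]["record"]["sha256"]),
            received_intact(PAYLOAD + b"x", log[0]["record"]["sha256"]))
```

The chain alone does not reveal entries cut from the end of the log; detecting that requires keeping the latest MAC somewhere the log's writer cannot change.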

That's a lot of technical protocols and configurations that have to be set up. Building your own solution that supports SFTP, PGP, SSL, SHA, SSH, and a raft of other security‐related acronyms simply isn't feasible. In fact, it's not even really practical for today's businesses to become experts in these fine‐grained details as they evaluate MFT solutions. Let me explain: Commonly, businesses will attempt to translate compliance requirements into technical ones, then seek solutions that meet those technical requirements. I call this "double‐mapping," and it looks something like the illustration in Figure 4.2.

Figure 4.2: Mapping compliance requirements to technical ones, then to solutions.

This kind of effort on the part of businesses is no longer warranted. Compliance requirements have been around long enough to be well understood; vendors who are serious about providing compliance solutions should handle this mapping for you. Figure 4.3 shows what you should be looking for: A solution that maps its capabilities directly to compliance requirements, providing underlying technical explanations if you want them, but focusing on that business‐level mapping.

Figure 4.3: Mapping solution capabilities to compliance requirements.

It's not that your business shouldn't be concerned about the underlying technical implementation; it's that you should be concerned first about becoming compliant and looking for solutions that map to specific compliance requirements—such as the SOX DS5.11 requirement in this example. Vendors can provide this through informative graphs and tables, such as the excerpt that Figure 4.4 shows.

Figure 4.4: Demonstrating compliance mapping.

This is truly the answer to the question, "How does Managed File Transfer help me meet and maintain compliance requirements?" You should be able to specify the legislative or industry rules that concern your business, and see exactly how a given solution addresses the specifics of those rules.

For more information on using managed file transfer, download the rest of The Tips and Tricks Guide to Managed File Transfer, Vol. 1 (.pdf).

Check out other volumes of The Tips and Tricks Guide to Managed File Transfer.

This was last published in January 2011
