

by Greg Shields
Think for a minute about the immediate problems that surface once Andy and Bob begin transferring files through an unmanaged solution. Data loss, compromise, and corruption are hidden perils that you can break down into four main areas of control: confidentiality, integrity, availability, and audit. Let’s take a look at each of these hidden perils in turn, to help you understand the great need for managed file transfer solutions in any business.
Confidentiality
The requirements of confidentiality deal with the protection of data against prying eyes. Assuring that a piece of data is successfully transferred to the correct person, with the further assurance that it hasn’t been seen by anyone who is not permitted to see it, is the primary requirement of confidentiality.
With the right solutions today, the requirements of confidentiality are met through a combination of authentication, access control, and encryption. Authentication mechanisms, such as passwords, smart cards, biometrics, and other solutions, link a specific person to the group of individuals who have been approved to view the data. A smart managed file transfer solution will provide one or more of these mechanisms to ensure that the right person accesses the right data.
Further, the Internet is an inherently “open” network. Data in transit must be encrypted to protect it against prying eyes as it transfers from source to target. That encryption must use established algorithms and protocols, such as AES (Rijndael), SSL (v.3), PGP, HTTPS, or others. Layered over the top of HTTP or FTP, these are currently accepted by governments and industry for their ability to protect against hacking and malicious decryption.
Integrity
Perhaps the most “hidden” of the hidden perils relates to data integrity. Although transfers to and from the Internet have grown extremely reliable with today’s technology, even the simplest of data transfers will eventually experience a problem. Those problems involve downloaded data that arrives in some way different from its original source. The data may have been mutated or corrupted in transit, either by transient network conditions or as a result of malicious code. Data at rest can also be changed through many mechanisms, both malicious and accidental, while it awaits transfer.
Although these requirements sound similar to the confidentiality items mentioned earlier, they are in fact quite different. Confidentiality refers to the need to protect data against inappropriate viewing, while integrity ensures that the data arrives intact and unaltered between source and target. Your managed file transfer solution must also include integrity controls to ensure that safe arrival. These controls can be based on SHA (SHA1, SHA-256, SHA-512), MD5, or other hash algorithms.
Integrity in this sense also refers to the preservation of data against malware injection. Internet-based transfers route data through various portions of the Internet where security controls may not be present. Transfers between companies also can leak one company’s malware incident to another. Thus, a managed file transfer solution must also include isolation for downloaded data along with malware scanning functionality to protect sites from infection.
Availability
File transfer mechanisms, especially those that are corporate-sponsored and widely used, must also be available when users need them. It makes little sense for Andy and Bob’s businesses to create a managed file transfer solution if that solution will be intermittently unavailable when needed. Availability features in managed file transfer solutions can range from load balancing to clustered servers to geographical distribution of servers.
Availability in file transfer solutions also relates to the technical controls that are put in place for the file transfer itself, ensuring that the file transfer occurs smoothly and with minimal problems. These can include the automatic restart of interrupted file transfers, the splitting of large files into multiple streams for improved performance, as well as compression and alerting capabilities.
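The integrity controls and the restart of interrupted transfers described above can share one mechanism, shown here as an added example that is not from the original text: the sender publishes per-chunk SHA-256 digests in a manifest authenticated with HMAC, and the receiver lists exactly which chunks are corrupt or missing. The function names, the shared key, the tiny chunk size, and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import json

CHUNK = 4  # tiny chunk size so the constructed sample spans several chunks


def _canonical(body: dict) -> bytes:
    # Stable serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(data: bytes, key: bytes, chunk: int = CHUNK) -> dict:
    """Sender: per-chunk SHA-256 digests, authenticated with HMAC-SHA256."""
    # SHA-256 is taken from the page's list; MD5 and SHA-1 are no longer
    # collision-resistant.
    digests = [hashlib.sha256(data[i:i + chunk]).hexdigest()
               for i in range(0, len(data), chunk)]
    body = {"size": len(data), "chunk": chunk, "sha256": digests}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "hmac": mac}


def chunks_to_refetch(received: bytes, manifest: dict, key: bytes) -> list:
    """Receiver: authenticate the manifest, then list bad or missing chunks."""
    body = {k: manifest[k] for k in ("size", "chunk", "sha256")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        raise ValueError("manifest failed authentication")
    if len(received) > body["size"]:
        raise ValueError("received more data than the manifest declares")
    size = body["chunk"]
    return [i for i, digest in enumerate(body["sha256"])
            if hashlib.sha256(received[i * size:(i + 1) * size]).hexdigest() != digest]


if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed sample key
    payload = b"0123456789"              # constructed sample file contents
    manifest = build_manifest(payload, key)
    print(chunks_to_refetch(payload[:6], manifest, key))    # interrupted transfer
    print(chunks_to_refetch(b"X123456789", manifest, key))  # corrupted first chunk
```

A bare digest only detects accidental corruption; keying the manifest with HMAC is what lets the receiver reject a manifest that was altered along with the data.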
Audit
Be aware that the “management” in managed file transfer needn’t necessarily imply constant attention by IT itself. “Managing” a file transfer can mean simply that the transfer occurs through a known and secured mechanism. Smart solutions today enable individual users to add permissions to a file or folder on their own and without the need for IT support. This user self-service enables users to freely work with the solution for their needs, while assuring IT and security that its use is through acceptable practices.
To facilitate this freedom of use, your managed file transfer solution must include the creation and proper storage of audit data. This audit data provides a log of transactions for security and compliance auditors, ensuring that the system is used correctly and has not been compromised.
In order to fulfill the needs of most compliance regulations, log data must be stored in such a way that it cannot be tampered with by users or IT administrators. Such data must be kept in protected databases where only specially-identified individuals can read and clear its information.
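One way to make such an audit trail tamper-evident, as an added example rather than anything from the original text: each record carries an HMAC over its event and the previous record's MAC, so an edit, a deletion, or a truncation breaks the chain. The function names, the sample events, and the assumption that the key and the latest MAC are held by the auditor outside the log store are all hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first record exists


def _mac(key: bytes, prev: str, event: dict) -> str:
    # Bind each event to the MAC of the record before it.
    payload = prev.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log: list, event: dict, key: bytes) -> str:
    """Append a chained record and return its MAC (the new chain head)."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = _mac(key, prev, event)
    log.append({"event": event, "prev": prev, "mac": mac})
    return mac


def first_tampered(log: list, key: bytes, head: str = None):
    """Return the index where the chain first breaks, or None if intact.

    `head` is the latest MAC as stored separately by the auditor (assumption);
    without it, removal of the newest records cannot be detected.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return len(log)  # chain is consistent but shorter than the auditor's head
    return None


if __name__ == "__main__":
    key = b"constructed-audit-key"  # constructed sample key
    log = []
    # Constructed sample events for the page's Andy and Bob scenario.
    append_event(log, {"user": "andy", "action": "upload", "file": "report.pdf"}, key)
    head = append_event(log, {"user": "bob", "action": "download", "file": "report.pdf"}, key)
    log[0]["event"]["user"] = "someone-else"   # simulated edit by an administrator
    print(first_tampered(log, key, head))
```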
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of Microsoft’s “Most Valuable Professional” award.
