When is "Secure File Transfer" Not Secure?

Thursday, October 13, 2011

Jonathan Lampe



The temptation to use "secure" file transfer utilities persists because they are cheap or free to acquire.  

However, enterprises that scatter these point solutions throughout their infrastructure quickly discover that the old adage about “spending cheaply to pay dearly” applies here. 

All file transfer utilities copy files from point A to point B and many even use point-to-point transport technologies such as SSL/TLS or SSH. However, transport-level level encryption is rarely enough to provide the level of assurance required to comply with regulations, industry expectations or internal company policies.  

One of the missing capabilities in most file transfer utilities is protection of data at rest. Without the ability to encrypt files, critical data may be at risk whenever these utilities are used.   

Another missing capability is guaranteed delivery.  Many file transfer utilities claim to provide this capability though point-to-point integrity checks, but they lack two crucial elements to prove recipients received their data.  

One is a system of strongly authenticated acknowledgements such as a cryptographically signed receipts.  The other is a universal logging system that preserves events as coherent chains of custody.  

So what's the alternative? Generally speaking, products that advertise themselves as "managed file transfer" ("MFT")  products have solutions to these problems - and much more.  

MFT products provide the capabilities of multiple file transfer utilities through a centralized command and control interface.  They also have audit and reporting features that track files as they are manipulated or moved through systems.   

Together, all these managed file transfer capabilities let enterprises govern the complete information lifecycle around file-based data - exactly what's needed to add security to file transfer today.  

Possibly Related Articles:
Information Security
Encryption SSL SSH TLS Secure File Transfer Managed File Transfer
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.