MFT Resource Center
MFT Security Basics
Security is one of the most important elements of MFT, or managed file transfer. In this guide, we walk through the key components of MFT security, how they're used, and why they're important for any MFT setup.
Security Quick Links:
Refresher: What is MFT?
MFT, or managed file transfer, is the secure, centralized transfer of company files, documents, and data. It encompasses all aspects of inbound and outbound file transfers, while enhancing security with industry-standard network & encryption protocols, digital certificates & signatures, non-repudiation, and other security features. MFT systems are playing an ever-larger role in organizations, replacing legacy file transfer systems and ad hoc tools with a unified, streamlined approach that eliminates waste and duplication.
For a complete rundown on the basics of MFT, see our complete guide on MFT basics.
Encryption for Data and Transport Security
Encryption is the process of encoding data, or a message, such that only authorized parties, or applications can access the data. It works by encoding data using an encryption algorithm that makes the data look like a random series of characters, instead of plain text. The data, or message, can only be read by a party or application that possesses a cipher, or key, used to decrypt the algorithm and make the data readable as plain text.
MFT uses various methods of encryption to secure both the contents of a message, called data layer encryption, and the means of transporting that message, called transport layer encryption.
Data Layer Encryption Algorithms
There are several prominent encryption algorithms used for data layer security:
S/MIME - Secure/Multipurpose Internet Mail Extensions
S/MIME is a longstanding protocol for sending digitally signed and encrypted messages - the popular, more recent AS2 is, in fact, built on S/MIME. When you use S/MIME with an email message, it gives recipients confidence they've received messages exactly as they were sent. S/MIME also helps the recipient validate the identity of the sender.
3DES - Triple Data Encryption Standard
3DES was first developed in the 1970s and is an industry-standard encryption algorithm used in a variety of MFT protocols, though it is being phased out of use. 3DES is the latest version of DES. It provides added security by encrypting data three times and utilizing a different key for at least one of the versions.
AES - Advanced Encryption Standard
AES is the encryption algorithm standard trusted by the U.S. Government and numerous high-security organizations. It can use keys in 128, 192, and 256-bit form and is considered largely impervious to attacks.
RSA - Rivest Shamir Adleman
RSA (named for its inventors) is an asymmetric cryptography algorithm based on the idea that it is difficult to factorize a large integer. The public key consists of two numbers where one number is a multiplication of two large prime numbers. The private key is also derived from the same two prime numbers.
Open PGP - Pretty Good Privacy
Open PGP encryption uses a mix of data compression, hashing, and public-key cryptography. It employees a combination of symmetric and asymmetric keys to encrypt data that is transferred across networks. In Open PGP encryption, each step uses a different algorithm, and each public key is associated with a username and an email address.
Transport Layer Encryption Algorithms
For transport layer security, MFT can use secure protocols such as AS2 and AS4 that directly incorporate encryption. There are three common encryption mechanisms to secure transfers:
TLS/SSL - Transport Layer Security
SSL, or Secure Sockets Layer, is a networking protocol designed for securing connections between clients and servers over an insecure network, such as the Internet. SSL was the first protocol to enable online transactions between consumers and businesses. However, SSL has largely has been replaced by the Transport Layer Security (TLS) protocol. TLS, or Transport Layer Security, evolved from and superseded SSL. TLS is the most widely deployed security protocol used today. In addition to supporting web page transmissions, TLS is often used in email, file transfer, instant messaging (IM) and voice over IP (VoIP) applications.
SSH - Secure Socket Shell
SSH is a network protocol that gives users a secure way to access a computer over an unsecured network. SSH also refers to the suite of utilities that implement the SSH protocol. Secure Shell provides strong authentication and encrypted data communications between two machines connecting on an open network.
Authentication Basics
Authentication is the process of verifying the identity of a user to prevent unauthorized access to data or messages. It can include everything from basic username & password verification to digital certificates & signatures, and more.
Digital Certificates
When your users and partners attempt to connect to your file transfer server, they should have a way to verify they're connecting to the right server and not to a pretender. If this layer of security isn't available, they could end up uploading sensitive data to the wrong host. A digital certificate is an ID card. It tells other people who you are and confirms to the user that they have navigated to the correct place. A digital certificate also holds a copy of your site's public key, which provides encryption for data transmitted between your site and the user's web client.
Digital Signatures
Digital signatures are a secure way to ensure the identity of a party. Much like a signature on a check identifies the party writing a check, the unique digital signature of a party sending digital files is used for authentication. Modern secure MFT software can generate both digital certificates and signatures for authentication.
DMZ-Proxy Server - Protecting Your Company Firewall(s)
A Demilitarized Zone (DMZ) is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the Internet.
It acts as a buffer between your LAN and the outside world, keeping web and email servers out of your internal network. This allows you to transport files without compromising your firewall and putting your network at risk. A disabled firewall could permit all data packets to enter and exit the network unrestricted, including malware that could infect your PCs.
Non-Repudiation
Non-repudiation is a legal concept that is widely used in information security. It refers to a service that provides proof a message was sent and received, when it's crucial to ensure all parties are held to their word, whether given through contracts or other digital communications. Non-repudiation is critical for operations in which highly sensitive documents, such as purchase orders and invoices, are transmitted.
Non-repudiation provides assurance that no party involved in the transaction can deny the validity of a document or communication.
MFT Reliability
MFT reliability ensures that in the event of a transmission failure, document sending is retried without transmitting multiple copies.
Duplicate documents pose security and data integrity risks. MFT helps guarantee delivery through automated scheduling, checkpoint restart and automatic recovery or retry. If a file transfer is interrupted, the solution attempts to resume the transfer at a preset interval for a specified duration of time or until successful delivery, with no human intervention required. A managed file transfer solution will typically follow these steps:
- Authenticates an inbound user, sometimes using multi-factor authentication
- Permits the upload of files based on the permissions assigned to that user account or group
- Stores the file in a secure format using an encryption algorithm
- Notifies the intended recipient of an inbound file
- Repeats steps 1 and 2 for the file recipient
- Logs and audits all activities
CData Arc Provides Comprehensive MFT Security
CData Arc provides reliable, secure, and scalable MFT solutions. Any file and any protocol. It's fast, easy and inexpensive to adopt and offers rapid-scale capabilities. With robust messaging and translation capabilities, CData Arc can automate and schedule transfers for end-to-end integration. Using its comprehensive logging and auditing features, you can gain real-time visibility into file transfers throughout your company and easily comply with data privacy regulations like GDPR and PCI.