Just because a tool calls itself Secure File Transfer doesn't make it so. Many so-called secure solutions are in fact only partially secure – and sometimes barely secure. So what are the top methods to transfer files securely?
There are many file transfer solutions that don't necessarily need to be secure — if you are extra careful and never send or receive any files that have any kind of confidential or personal information, then something like Dropbox is probably okay. But when you think about it, that greatly limits what you can send. Moreover, you don't always know what hackers find useful. Just think of all the information they can gather from our social media accounts. Who knows what they’ll find of value in your files – or your company’s?
If you have a file transfer solution you think is secure, and need it to be secure, you should probably ask yourself a few telling questions. This blog will walk you through the major approaches to file transfer and discuss security issues involved with each. At the end we will present a totally safe and easy to use Secure File Transfer software. And actually, instead of keeping you waiting, we will tell you right now that this approach is called Managed File Transfer (MFT), and is a decidedly secure and disciplined approach to ad hoc and enterprise scale file transfer needs.
EDI, While Secure, is Not the Answer
We are starting with a solution that is secure, but immensely difficult to set up, expensive and can only transfer a small portion of the data and files your company and you as an end user may need to send.
Secure File Transfer is certainly not new and major enterprises, especially those that fall under compliance regulations, have had their different approaches for many years. For the largest of companies with lots of partners, Electronic Data Interchange (EDI) has been the answer. This longstanding technology has been key to sharing items such as invoices with trading partners. EDI can handle large volumes with many partners and is largely transaction-oriented.
EDI solves a different set of issues than Secure File Transfer solutions. But what EDI exchanges are not really files per se. Files are different. Files are not transactions but larger pieces of content, which can come in a variety of formats such as Word documents, spreadsheets, PDFs, database records and all manner of unstructured data including image files. It is this unstructured data that EDI struggles with and fails at securing. In fact, experts believe that EDI, limited to transporting only structured data, handles only 20% of the data enterprises need to share, leaving the other 80% in the hands of Secure File Transfer solutions and other tools.
EDI also requires trading partners to agree on a data format. In many cases, the trading partner doesn’t support a particular format, thus requiring translation. This is where a Managed File Transfer (MFT) solution such as MOVEit from Progress comes in. MOVEit can handle these translations and incorporate the file transfers into the MOVEit Managed File Transfer solution and workflows.
So now you've got me. But I haven't defined what Managed File Transfer is yet. As the name implies, Managed File Transfer is a method of transporting and transferring files and documents of many types. Unlike low-level solutions like Dropbox, Managed File Transfer solutions can include automation to ease the transfer of a large volume of files, auditing to track whether files have been successfully sent and security so that files are not tampered with or compromised. More on Managed File Transfer later. Much more.
Other Wrong (and Insecure) Ways to Transfer Files
Email: Let’s start with perhaps still the most common way to transfer files – good old email. Email attachments made life easy for pictures of your newborn, and for other non-sensitive info it still works just fine. Cybercriminals aren’t exactly jonesing for photos of little Johnny. But when the attachment contains unannounced company financials, email simply doesn't cut it.
At the same time email isn't always reliable. How many times has your message been bounced back or stuck in the junk mail folder? What if you key in the wrong address? Now someone you don't even know has those unannounced company financials and may well send them off to the competition. Email for file transfers is not scalable at all, and these days more and more email clients have file size limitations so you can't send larger files anyway. And how do you ensure your email and the attachment go to the recipient? Do you really rely upon return receipts? When was the last time that ever worked?
Thumb drives and disks: We're going to go way back in time and talk about using thumb drives and even disks to transport files. You're wondering what century I’m in, but the truth is some people still use this physical transport method to transfer files – and it is way scary and insecure. Almost no thumb drives are protected and encrypted, and anyone whose lap it drops into can see everything. Even worse, thumb drives are still a common virus carrier. Would you like some ransomware with that file? My guess is no one in your enterprise uses this approach, but if they do, make them stop immediately!
File Sync-and-Share: There are two types of File Sync-and-Share: enterprise class and consumer grade. Often these are the same solution, with one free and with storage limits, and the other paid with more storage and a bit (just a bit) more security.
There are many issues and concerns here. First, authentication is often rudimentary and easy to hack, with multi-factor authentication being the exception rather than the rule. The notion that these systems sync between end user devices is another security hole. If an iPhone is syncing with Dropbox or Google Drive, anyone who grabs that phone can see the files.
Don't get me wrong, these are terrific solutions for common types of file sharing and non-critical data can be exchanged this way without much worry. But critical data, confidential data and data covered by compliance rules should never be sent about this way.
File Transfer Protocol (FTP): When we bandy about terms like EDI and FTP, you soon realize that file transfer solutions and technologies have been around for a while, decades in fact. FTP matches that definition. It has long been a way that IT, power users and business line folks move large files in a manner they believe to be secure. It has been a terrific technology and still makes sense for an awful lot of use cases. But Secure File Transfer isn't one of them.
FTP doesn't measure up security-wise and is not advisable for confidential data and anything that falls under compliance rules. There are other grave FTP shortcomings. When you need to move a lot of files, IT often relies upon scripts to automate the process. Scripts come with their own complications. First, someone must write the scripts, which takes time, and someone should test the script to make sure it works as intended. But scripts are complicated to manage and often only understood by the person who wrote them, and what happens if they leave your company?
And while scripts offer a low level of automation, it really is not up to the volume of files your enterprise needs to send or the different types of transfers you likely require. In short, FTP is difficult to secure, tricky to automate and cannot properly track and audit your file transfers.
The worst situation is to have a wide array of methods of transferring files. Here, copies of files are kept all over the place with no central oversight or security. It is a disaster waiting to happen.
What is Secure File Transfer Really? The Managed File Transfer (MFT) Answer
To be secure, a file transfer must be fully protected, meaning that it is encrypted at rest and that the transfer itself is tracked to ensure that it happened properly. In addition, anyone accessing the file transfer system should be authenticated, preferably through multi-factor authentication. We mentioned tracking, and this should be brought to a higher level where all your file transfers are audited and logged so there is a complete record of all movements and any issues related to these transfers.
These issues are exactly why Managed File Transfer (MFT) technology was invented in the first place. In fact, we just largely defined what an MFT solution is – it is all of the above.
With all these attributes, MFT can replace all or most of the methods you use today to transfer files. Its single, secure, and manageable automated solution with a single pane of glass to see all activities greatly reduces the risk of file transfers gone wrong. At the same time, your end users and IT are more productive through automation and that single pane of glass, creating a positive return on investment (ROI) compared to using an array of different and usually insecure and problematic transfer solutions.
The Need to Encrypt Not Always Met
Many of the “secure” file transfer tools claim safety because they are not entirely wide open, requiring an account to be set up and a password to access them. That’s like saying your jewelry is safe because there is a single lock on the door, but the window is open. Without MFA, most anything can be hacked, and so it is with these purportedly secure offerings.
Your data should be protected even if a cybercriminal invades the file transfer system, and the only way to do that is by securing the data itself through encryption.
Even otherwise protected IT solutions such as databases behind a firewall with restricted end user access can be breached when those database files leave the DBMS and are exported or transferred. This can happen during the transfer or when the file is moved, say to a server, and is at rest there.
Good MFT software like MOVEit Transfer can always strongly encrypt data.
FTP on Steroids - Diving into MOVEit Automation
Think of the MOVEit Transfer server as an FTP server on steroids. As with FTP, files are delivered to the Managed File Transfer system, and users connect, upload or download their files. Unlike FTP, MOVEit encrypts files at rest to ensure the integrity of that data and make sure nothing's been modified.
Moreover, users must authenticate through the MOVEit service or through an external identity provider before accessing any data. That allows MOVEit to produce a tamper-evident audit log, so you know everything that happened with your file transfers, and that vital logs haven't been messed with.
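As an added illustration (not from the original post, and not MOVEit's implementation), one common way to make a transfer audit log tamper-evident is to chain each entry to the one before it with a keyed hash, so an edited or removed entry breaks every later link. The key, event fields and function names here are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed key for this example; in practice it lives where the log host cannot read it.
LOG_KEY = b"example-only-audit-key"
GENESIS = "0" * 64  # stand-in "previous MAC" for the very first entry


def _mac(prev_mac: str, event: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus canonical JSON of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, event: dict) -> None:
    """Add an event, binding it to everything already in the log."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(prev, event)})


def verify(log: list, anchored_head=None):
    """Return None if the log is intact, else the index where verification fails.

    anchored_head is the most recent MAC, stored somewhere the log host cannot
    write. Without it, entries cut from the end go unnoticed; with it, a
    truncated log returns len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["event"])):
            return i
        prev = entry["mac"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return len(log)
    return None


def sample_log() -> list:
    """Constructed sample events for a single file's lifecycle."""
    log = []
    append(log, {"seq": 1, "user": "alice", "action": "upload", "file": "q3-financials.xlsx"})
    append(log, {"seq": 2, "user": "bob", "action": "download", "file": "q3-financials.xlsx"})
    append(log, {"seq": 3, "user": "bob", "action": "delete", "file": "q3-financials.xlsx"})
    return log
```

The chain alone catches edits and deletions in the middle of the log; catching removal of the newest entries depends on the anchored head being kept off the log host.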
Managed File Transfer can use any combination of hosts as either sources or destinations. There are myriad host types MOVEit connects to, but the big ones are internal network shares and external FTP and SFTP systems. SharePoint Online is becoming increasingly common, so that is an option, as is Blob or S3 storage – those types of sources.