Zero Trust Security for File Transfers


Never trust, always verify…

Not only have cyberattacks on businesses continued to increase, they have also become more sophisticated and intrusive. Consequently, companies must adopt stronger and more stringent defensive measures at every layer. In addition to protecting the perimeter of the organization, which likely includes mobile and cloud, the internal infrastructure must also be safeguarded against attacks and malicious actors. Sensitive data must be protected from cybercriminals who have managed to breach first-level defenses.

In response, information security experts have designed and now endorse a zero trust security model. This model holds that no user or system is trusted by default and is grounded in the principle of least privilege (PoLP): a user (whether human or application) should be able to access only what is absolutely necessary for its function.

Since file transfer software may move data behind a firewall, between external entities or a mix of internal and external, its security must be solid enough to withstand today’s cyberthreats from the beginning endpoint all the way through delivery. Since adopting a zero trust security strategy has proven to be a strong defense against cyberattacks, let’s understand what zero trust is and how it can be applied to file transfers.

What Is Zero Trust?

NIST Special Publication 800-207 Zero Trust Architecture provides the following definitions:

  • Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
  • Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning and access policies.
  • Zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

Furthermore, the publication provides basic tenets and assumptions of zero trust as noted below:

Basic Tenets

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

Assumptions in Network

  1. The entire enterprise private network is not considered an implicit trust zone.
  2. Devices on the network may not be owned or configurable by the enterprise.
  3. No resource is inherently trusted.
  4. Not all enterprise resources are on enterprise-owned infrastructure.
  5. Remote enterprise subjects and assets cannot fully trust their local network connection.
  6. Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.

Using Zero Trust to Protect File Transfers

Transferring files involves a network: it may be a company’s intranet, it may involve external infrastructure such as public Wi-Fi or public cloud providers, or it may be a combination of internal and external entities. Ensuring files can pass securely through any network without being intercepted or accessed is the objective of managed file transfer (MFT).

Using a modern MFT solution to send files is a start to meeting the goals of zero trust. The right MFT solution includes multiple security measures that support the zero trust model:

When implementing a zero trust architecture to secure file transfers, network connectivity should be designed in line with the tenets and assumptions listed above. MFT tools are just one element. The network and all of its elements must also take a zero trust stance in their security practices and implementations, and secure protocols and channels should be used. The environment where the MFT software resides and runs, whether a computer, data center or cloud, must also meet zero trust requirements. The zero trust strategy covers the entire system as a whole.
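As an added illustration (not code from the original article or from Thru’s product), the following Python sketch shows how an MFT endpoint could apply tenets 2 through 7 to a single transfer request: identity and device posture are checked on every request, the grant is scoped to one operation and one directory subtree for the lifetime of a session, network location never confers trust, and every decision is recorded. All names, fields and sample values are constructed for this example.

```python
"""Per-request, least-privilege access decisions for a hypothetical MFT endpoint."""
import posixpath
import time
from dataclasses import dataclass
from typing import Optional

AUDIT_LOG: list[dict] = []  # tenet 7: keep every decision for posture analysis

@dataclass
class Session:
    user: str
    mfa_verified: bool           # tenet 6: authentication checked before any access
    device_posture_ok: bool      # tenet 5: measured integrity of the requesting asset
    granted_ops: frozenset[str]  # least privilege: only the operations this session needs
    granted_prefix: str          # ... and only this directory subtree
    expires_at: float            # tenet 3: grants are per-session, not permanent

@dataclass
class TransferRequest:
    session: Session
    op: str       # "download" or "upload"
    path: str     # path on the MFT server
    network: str  # "intranet", "public-wifi", ...: logged, never a basis for trust (tenet 2)

def authorize(req: TransferRequest, now: Optional[float] = None) -> tuple[bool, str]:
    """Evaluate one request against the session's dynamic policy (tenet 4)."""
    now = time.time() if now is None else now
    s = req.session
    # Normalise the path so "../" segments cannot escape the granted subtree.
    path = posixpath.normpath("/" + req.path.lstrip("/"))
    inside = path == s.granted_prefix or path.startswith(s.granted_prefix.rstrip("/") + "/")
    if now >= s.expires_at:
        verdict = (False, "session expired; re-authenticate")
    elif not s.mfa_verified:
        verdict = (False, "identity not verified")
    elif not s.device_posture_ok:
        verdict = (False, "device posture check failed")
    elif req.op not in s.granted_ops:
        verdict = (False, f"operation {req.op!r} not granted to this session")
    elif not inside:
        verdict = (False, f"path {path!r} outside granted subtree")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append({"user": s.user, "op": req.op, "path": path, "network": req.network,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict

def demo() -> list[tuple[bool, str]]:
    """Constructed sample: a partner session may only download from /partners/acme."""
    s = Session("acme-bot", True, True, frozenset({"download"}), "/partners/acme", 1000.0)
    return [authorize(TransferRequest(s, "download", "/partners/acme/invoice.csv", "intranet"), 500.0),
            authorize(TransferRequest(s, "download", "/partners/acme/../hr/pay.csv", "intranet"), 500.0),
            authorize(TransferRequest(s, "upload", "/partners/acme/new.csv", "intranet"), 500.0),
            authorize(TransferRequest(s, "download", "/partners/acme/invoice.csv", "intranet"), 2000.0)]
```

Note that the intranet request in the last case is denied purely because the session grant has lapsed; being on the internal network does not extend it.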

Zero Trust Security Model and Thru’s MFT

Thru started in the cloud and continues to provide managed file transfer only to businesses. We have never been in the freemium or consumer side of file transfer. Our security practices meet the highest standards to minimize risk and exposure of sensitive data that is stored and transferred by Thru. We follow the zero trust security model and adhere to frameworks and certifications such as NIST, SOC2 and ISO/IEC 27001.

To learn more about how we secure file transfers, please read our Security Architecture Technical Document.
