Never trust, always verify…
Not only have cyberattacks on businesses continued to increase, they have also become more sophisticated and intrusive. Consequently, companies must adopt stronger and more stringent defensive measures in every layer. In addition to protecting the perimeter of the organization, which likely includes mobile and cloud, the internal infrastructure must also be safeguarded against attacks and malicious actors. Sensitive data must be protected from cybercriminals that have managed to breach first level defenses.
Since file transfer software may move data behind a firewall, between external entities, or across a mix of internal and external systems, its security must be solid enough to withstand today's cyberthreats from the originating endpoint all the way through delivery. Since adopting a zero trust security strategy has proven to be a strong defense against cyberattacks, let's understand what zero trust is and how it can be applied to file transfers.
What Is Zero Trust?
NIST Special Publication 800-207 Zero Trust Architecture provides the following definitions:
- Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
- Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning and access policies.
- Zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
Furthermore, the publication provides basic tenets and assumptions of zero trust as noted below:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Assumptions About the Network
- The entire enterprise private network is not considered an implicit trust zone.
- Devices on the network may not be owned or configurable by the enterprise.
- No resource is inherently trusted.
- Not all enterprise resources are on enterprise-owned infrastructure.
- Remote enterprise subjects and assets cannot fully trust their local network connection.
- Assets and workflows moving between enterprise and nonenterprise infrastructure should have a consistent security policy and posture.
Using Zero Trust to Protect File Transfers
Transferring files involves a network: it may be a company's intranet, it may involve external infrastructure such as public Wi-Fi or public cloud providers, or it may be a combination of internal and external entities. Ensuring files can pass securely through any network without being intercepted or accessed is the objective of managed file transfer (MFT).
Using a modern MFT solution to send files is a start to meeting the goals of zero trust. The right MFT solution includes multiple security measures that support the zero trust model:
- Identity management tools that enable authentication and authorization, such as role-based access controls (RBAC) and multifactor authentication (MFA), for entities attempting to access the MFT software and data through it.
- TLS 1.3 protocol support (HTTPS and FTPS) that adds server authentication.
- End-to-end encryption (E2EE) that protects data while in transit and at rest.
- Management and protection of keys, such as SSH and PGP.
- Data retention rules and functionality to delete data.
When implementing a zero trust architecture to secure file transfers, network connectivity should be designed in accordance with the tenets and assumptions listed above. MFT tools are just one element. The network and all of its elements must also take a zero trust stance in their security practices and implementations. Secure protocols and channels should be used. Wherever the MFT software resides and runs, i.e., on a computer, in a data center or in the cloud, that environment also needs to achieve zero trust. The entire system as a whole is included in the zero trust strategy.
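To make the tenets concrete for a file transfer, the following added example (not Thru's code and not part of NIST SP 800-207) shows a per-request policy decision in the style the tenets describe: every transfer request is evaluated on identity (RBAC), a fresh MFA proof, the posture of the requesting device, and the transport actually negotiated, with no exemption for requests that arrive from the corporate LAN. All names (`TransferRequest`, `decide`, the role table, the thresholds) and the sample requests are constructed assumptions for illustration.

```python
"""Per-request access decision for a file transfer, following the NIST SP 800-207
tenets of per-session access, dynamic policy and asset posture. Added example;
all identifiers and sample data are constructed, not from any real product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, FrozenSet

# Constructed role table: which roles may perform which operation on which share.
ROLE_PERMISSIONS = {
    "finance-analyst": {("download", "finance-reports"), ("upload", "finance-inbox")},
    "partner-vendor": {("upload", "vendor-inbox")},
}

MFA_MAX_AGE = timedelta(minutes=15)      # MFA proof older than this must be redone
POSTURE_MAX_AGE = timedelta(hours=1)     # device posture report must be recent
SESSION_TTL = timedelta(minutes=10)      # a grant is per session, never indefinite
ACCEPTED_TRANSPORTS = {"TLSv1.3"}        # the transport the MFT front end negotiated


@dataclass
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]  # when the MFA step last succeeded


@dataclass
class Asset:
    device_id: str
    managed: bool            # enrolled in enterprise device management
    disk_encrypted: bool
    last_posture_check: datetime


@dataclass
class TransferRequest:
    subject: Subject
    asset: Asset
    operation: str           # "upload" or "download"
    share: str
    transport: str           # negotiated protocol version, e.g. "TLSv1.3"
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    session_ttl: Optional[timedelta] = None


def decide(req: TransferRequest) -> Decision:
    """Evaluate one request against every check; collect all failure reasons."""
    reasons = []
    # All communication is secured regardless of network location: the transport
    # is checked on every request, with no "inside the firewall" exemption.
    if req.transport not in ACCEPTED_TRANSPORTS:
        reasons.append(f"transport {req.transport} not accepted")
    # Authentication is dynamic: a stale MFA proof does not carry over.
    mfa = req.subject.mfa_verified_at
    if mfa is None or req.now - mfa > MFA_MAX_AGE:
        reasons.append("MFA proof missing or stale")
    # The integrity and posture of the requesting asset are part of the decision.
    a = req.asset
    if (not a.managed or not a.disk_encrypted
            or req.now - a.last_posture_check > POSTURE_MAX_AGE):
        reasons.append("asset posture not acceptable")
    # Least privilege via RBAC: the role must permit this operation on this share.
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.subject.roles))
    if (req.operation, req.share) not in permitted:
        reasons.append(f"role does not permit {req.operation} on {req.share}")
    if reasons:
        return Decision(False, reasons)
    # Access is granted per session with a short lifetime; the next session re-evaluates.
    return Decision(True, ["all checks passed"], SESSION_TTL)


def sample_requests():
    """Constructed requests: one compliant, one with stale MFA and wrong share,
    one from an unmanaged device on an older transport."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    good_asset = Asset("laptop-01", True, True, now - timedelta(minutes=5))
    analyst = Subject("alice", frozenset({"finance-analyst"}), now - timedelta(minutes=2))
    ok = TransferRequest(analyst, good_asset, "download", "finance-reports", "TLSv1.3", now)
    stale_subject = Subject("alice", frozenset({"finance-analyst"}), now - timedelta(hours=2))
    stale = TransferRequest(stale_subject, good_asset, "download", "vendor-inbox", "TLSv1.3", now)
    byod = Asset("byod-07", False, True, now - timedelta(minutes=1))
    lan = TransferRequest(analyst, byod, "download", "finance-reports", "TLSv1.2", now)
    return {"ok": decide(ok), "stale": decide(stale), "lan": decide(lan)}


if __name__ == "__main__":
    for name, decision in sample_requests().items():
        print(name, decision.allowed, decision.reasons)
```

The point of collecting every reason rather than stopping at the first failure is operational: the MFT audit log then records exactly which tenet a denied transfer failed, which is what a security operations team needs to distinguish a misconfigured device from a credential misuse attempt.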
Zero Trust Security Model and Thru’s MFT
Thru started in the cloud and continues to provide managed file transfer only to businesses. We have never been in the freemium or consumer side of file transfer. Our security practices meet the highest standards to minimize risk and exposure of sensitive data that is stored and transferred by Thru. We follow the zero trust security model and adhere to frameworks and certifications such as NIST, SOC2 and ISO/IEC 27001.
To learn more about our securing of file transfers, please download our Security White Paper »