Secure File Transfer
Thru provides a secure and scalable cloud service for manual file sharing and automated file transfer. We adhere to a multi-layer defense-in-depth model, which reduces the attack surface and contains security breaches at multiple levels. Security layers protect Thru’s cloud infrastructure, application and customer data.
Cloud Infrastructure Security
Deployment
Customers can deploy Thru in our cloud or in their private cloud. We manage deployment and maintenance for customers who deploy in our cloud, while private cloud customers pay for and manage their own cloud infrastructure.
Thru runs in certified Microsoft Azure data centers in the United States, United Kingdom, Germany and Australia. These data centers are compliant with the following standards (see also Microsoft Azure documentation):
- SSAE 18 / ISAE 3402 (previously SAS 70)
- SOC 3 SysTrust
- ISO 27001
- PCI Level 1 Service Provider Certified
- Tier III Standards Compliant
Network Protection
- High availability for all network components
- Multiple zones deployed for access controls and traffic logging
- Firewalls with stateful inspection
- Intrusion protection / detection software
- OWASP-compliant web application firewalls filter web traffic
- Dedicated VPN tunnels with multi-factor authentication for access into production systems by operations personnel
- Domain access control by Active Directory in each deployed geography
- Whitelisting and connection management of Thru’s server endpoints protect against security scanning and denial of service attacks
Antivirus Protection
- Real-time scanning of code and data areas
- Ongoing antivirus engine and signature updates
- Automatic quarantine of infected files
Monitoring
We monitor global infrastructure and security events with security information and event management (SIEM) software 24/7.
Scanning
Weekly automated scanning of Thru’s cloud infrastructure in all service geographies.
Application Security
Authentication
- Required to access any part of Thru
- Strong credential policies for web portals and native applications
- Multi-factor authentication support
- Federated authentication with identity providers via SAML 2.0 and OpenID Connect
- SFTP / FTPS endpoints are protected by password, key and certificate-based authentication
Read about The Basics of Multi-Factor Authentication »
Authorization
Role-based security to control access to application actions, workflows and data entities following the principle of least privilege.
Web Portal Security
Protection against OWASP Top 10 web application security risks. Portals are scanned for security vulnerabilities on a regular basis.
Monitoring
- File transfer dashboards available for monitoring
- Alerts for errors and missing files
Public API Protection
Secured by OAuth 2.0 framework.
Testing
- Weekly automated vulnerability assessments of Thru platform
- Periodic penetration testing by third-party security vendors
Software Development
- Static application security testing is performed in all phases of Thru’s SDLC with triage and remediation
- Dynamic application security testing is performed at the testing and release SDLC phases using automated cloud security tools
Data Security
Data in Transit
Data transfer protected by secure transfer protocols: HTTPS / TLS 1.2 / 1.3, FTPS, SFTP.
Data at Rest
All data stored in Thru is encrypted by AES 256-bit encryption.
Data Replication
Data is replicated to multiple zones via cloud provider infrastructure.
Payload Encryption
PGP encryption is supported along with key management in the administration portal.
Data Retention
Multi-level retention policies delete the file data from transient storage after transfer completion.
Disaster Recovery and Compliance
- Documented business continuity and disaster recovery plan for production and business systems
- Standard service level agreement (SLA) is 99.9%
- Recovery time objective (RTO) is 4-6 hours
- Recovery point objective (RPO) is to have the whole site functional with minimal loss of transactions or data
- HIPAA compliant
- General Data Protection Regulation (GDPR) compliance
- Users can request removal of personal information
- Administrators can require user agreements before sending or receiving files
