OpenText Secure MFT Security Overview


Many file transfer protocols, including FTP and HTTP, send user credentials and files in clear text without any encryption. This means anyone can intercept the connection without the sender's or receiver's knowledge. Because of this, companies are seeking to replace their unsecured file transfer applications to improve security. This whitepaper outlines how OpenText Secure MFT ensures that all factors directly and indirectly related to file transfer activities are strongly secured, helping organizations eliminate risk with a user-friendly file transfer solution.

Table of Contents

Introduction ... 3
Secure Authentication ... 3
Encrypt Data in Transit ... 4
Protect Data at Rest ... 5
Control Access by User Roles ... 7
Miscellaneous Security Measures ... 7
Account Provisioning ... 7
File Type Restrictions ... 7
Summary ... 8

Introduction

It is well known that many file transfer protocols, including FTP and HTTP, send user credentials and files in clear text without any encryption. Anyone can snoop the network traffic and intercept the connection without the sender's or receiver's knowledge. This lack of security is one of the most common reasons that companies look for alternatives to replace their unsecured file transfer applications.

OpenText Secure MFT provides best-in-class security to protect all aspects of a file transfer workflow, from user authentication, to file transfer, and down to the way files are securely stored. This whitepaper outlines in detail how Secure MFT achieves this. For more information on Secure MFT, please visit: http://www.opentext.com/securemft

Secure Authentication

OpenText Secure MFT uses OpenText Directory Services (OTDS), which comes bundled with the solution, to handle all matters related to authentication. OTDS acts as a common authentication layer for the backend identity servers, including Microsoft Active Directory or LDAPv3 directory servers. It allows users to access Secure MFT via Single Sign-On (SSO) by leveraging their existing corporate identities.

OTDS also supports any number of additional user partitions, allowing administrators to define and manage the identities of external users, such as trading partners, contractors, or external business users, independently of the internal enterprise directory services. Multiple user partitions give administrators an efficient way to manage a mixed group of user identities. OTDS also allows administrators to enforce password policies, such as password length, complexity, and retry limits. Administrators can use SSL to secure the connections from OTDS to the identity provider, as well as the connections to the end user.

The username and password that a user supplies are transmitted in encrypted form throughout the process, and in the case of SSO against AD or LDAP servers, no passwords are transmitted at all. Authenticated users are issued a security token, which can be used to access the other Secure MFT services. ENTERPRISE INFORMATION MANAGEMENT 3

Figure 1: Secure MFT authentication and transfer workflow (components: OTDS, MFT web service, transfer server). Steps shown in the figure:

1. First connection attempt
2. User not authenticated; redirect to OTDS
3. Redirect to OTDS; receive login page or SSO negotiation
4. User is authenticated and connects
5. Transfer and other settings returned
6. Connection initiated with transfer server
7. User token verified with OTDS
8. User authenticated; transfer begins

Encrypt Data in Transit

As a solution that promises strong security, Secure MFT always encrypts data using a FIPS 140-2 validated cryptographic module when transmitting over the network. The default transfer protocol employed by Secure MFT is the patented OpenText Fuel protocol. It is the next-generation file transfer protocol designed by OpenText, and aims to offer a wide range of benefits that are missing from many traditional transfer protocols, such as:

- Acceleration of file transfers over high-latency networks, up to 80x faster than traditional transfer protocols
- Pause-and-resume capability, eliminating the need to restart file transfers from the beginning if the transfer is interrupted
- A data integrity check that verifies a checksum, guarantees bit-perfect transfer between the parties, and ensures that sent files arrive at their destination unaltered and uncompromised
- Assurance that data is always encrypted before it is transmitted over the network

The OpenText Fuel protocol overcomes performance issues related to network latency that often plague TCP-based protocols by using a combination of User Datagram Protocol (UDP) and TCP. By default, the OpenText Fuel protocol operates on port 3000 (UDP) and port 3000 (TCP). Secure MFT first generates SFTP / SSH packets, and then encapsulates these in OpenText Fuel packets before sending the payload over the wire. Anyone analyzing the network traffic generated by Secure MFT will see the protocol wrapping illustrated in Figure 2.

Secure MFT uses Secure FTP (SFTP) and Secure Shell (SSH) to prepare files for transmission and encryption. As a protocol, SSH is a well-known and respected secure transmission encryption mechanism, which provides rich and varied options for end-point authentication, user authentication, encryption, and tamper-proofing of the data stream. With SSH, the Secure MFT server and the client on the end-points negotiate a unique key to encrypt the transmission, and that encryption key changes for every transfer.

Figure 2: OpenText Fuel protocol diagram (SFTP / SSH packets encapsulated in OpenText Fuel).

The cryptographic module is FIPS 140-2 validated, and Secure MFT uses AES-128 as the encryption algorithm. Finally, before Secure MFT puts data on the wire, it encapsulates the SFTP / SSH packets in the OpenText Fuel protocol to provide the productivity and performance enhancements described above.

In summary, once a user's identity is established and the user initiates a file transfer session, file assets are passed through the SFTP/SSH layer to be formatted for transmission and to establish a secure connection using a unique SSH session key, then optimized by the OpenText Fuel protocol layer for acceleration. On the wire, Secure MFT file transfer activity is limited to only the UDP and TCP ports configured for the OpenText Fuel protocol.

The OpenText Fuel protocol also ensures bit-perfect transfers by generating hash values of the file assets on both end-points and comparing the hashes at the end of the transfer. The hash is based on the standard SHA-2 algorithm, so it can be further validated with any open source tool. Secure MFT deploys a unique hashing process to ensure that pausing and resuming file transfers does not affect the checksum validation.

Protect Data at Rest

Secure MFT can be configured to encrypt all files as it stores them in the connected file storage system, providing an extra layer of security. Secure MFT uses a unique key, generated on a per-file basis, to encrypt each file. The benefits of this approach are:

- No two files are encrypted with the same key
- There is no master key to unlock all files
- The data-at-rest encryption/decryption key for each file is made up of a number of pieces of information, some of which are dynamic, so there is no way for a malicious attacker to access a key on the system that will decrypt a file
- Only the senders and receivers of a transaction have permission to retrieve the encrypted data from storage through Secure MFT
- Only the metadata of a transaction is recorded in the audit logs, and only users with the Auditor role can access the logs. The recorded metadata are:
  - Sender's name
  - Recipient list
  - Transaction start time and end time
  - File names and the corresponding file sizes
  - Expiration date/time
  - Subject provided for the transaction

Finally, Secure MFT renames the physical files using a GUID when they are stored in the repository, further obfuscating the identity of those files from prying eyes.

For asset life cycle management, Secure MFT allows administrators to set the retention policy globally or let senders set the retention on a per-transaction basis. Access to the files associated with a transaction is therefore time-limited. Once the retention period is reached, links to those expired files cease to function. Administrators can configure Secure MFT to periodically remove files that are no longer associated with any active transaction from the file repository, so sensitive assets do not remain on the server any longer than necessary.

Figure 3: The optional setting to encrypt the file repository, accessible from the Secure MFT Setup Console.
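The end-to-end integrity check described under Encrypt Data in Transit (hash on both end-points, compared after a transfer that may have been paused and resumed) can be illustrated with a small simulation. This is an added example, not OpenText code; the product's own hashing process is not published here, so the example assumes the simplest correct design: resume from the receiver-reported byte offset and compute SHA-256 over the reassembled file, never over individual chunks. The chunk size and sample data are constructed.

```python
import hashlib
import hmac
from typing import Tuple

CHUNK = 4096  # constructed chunk size for the simulation


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ResumableReceiver:
    """Receiver side of a pause-and-resume transfer (hypothetical)."""

    def __init__(self, expected_size: int) -> None:
        self.expected_size = expected_size
        self.buf = bytearray()

    @property
    def offset(self) -> int:
        # Byte offset the sender must resume from after an interruption.
        return len(self.buf)

    def receive(self, chunk: bytes) -> None:
        self.buf.extend(chunk)

    def verify(self, sender_hash: str) -> bool:
        # The hash covers the reassembled file, so a pause/resume cannot
        # change it; any flipped bit anywhere in the file changes it.
        # compare_digest avoids leaking the mismatch position via timing.
        if len(self.buf) != self.expected_size:
            return False
        return hmac.compare_digest(sha256_hex(bytes(self.buf)), sender_hash)


def simulate_transfer(data: bytes, drop_send: int, corrupt_send: int = -1) -> Tuple[bool, int]:
    """Send `data` chunk by chunk to a ResumableReceiver.

    The send numbered `drop_send` is lost (simulated interruption); the sender
    then re-reads the receiver's offset and resumes from there.  If
    `corrupt_send` matches a send, that chunk arrives with one bit flipped,
    which the final hash comparison must detect.
    Returns (integrity_ok, number_of_sends).
    """
    sender_hash = sha256_hex(data)  # computed on the sending end-point
    rx = ResumableReceiver(len(data))
    sends = 0
    while rx.offset < len(data):
        start = rx.offset  # resume point reported by the receiver
        chunk = data[start:start + CHUNK]
        sends += 1
        if sends == drop_send:
            continue  # chunk never arrives; loop resends from rx.offset
        if sends == corrupt_send:
            chunk = bytes([chunk[0] ^ 0x01]) + chunk[1:]
        rx.receive(chunk)
    return rx.verify(sender_hash), sends


SAMPLE = bytes(range(256)) * 40  # constructed 10240-byte payload (3 chunks)
```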

Control Access by User Roles

Secure MFT offers granular user roles, each with defined access rights. By assigning appropriate roles to users, Secure MFT administrators can effectively control access to the solution. Available user roles include:

- Administrator: Administrators can access the web administration console to create users, monitor ongoing transactions in real time, and modify Secure MFT server settings. They do not have access to the audit logs.
- Auditor: Auditors can log in to the web administration console solely to access the audit logs.
- Sender: Users with the Sender role can send files using Secure MFT.
- Receiver: Receivers can receive files.
- Dashboard Access: Dashboard Access gives users permission to access the user web dashboard.
- Inviter: Only users with the Inviter role can invite additional users to join the Secure MFT service.
- Restricted Sender: Administrators can restrict a user to sending files only to a defined list of email addresses or domains by assigning that user the Restricted Sender role.

Miscellaneous Security Measures

Secure MFT employs additional security measures to produce an all-around secure file transfer platform.

Account provisioning

Secure MFT uses a multi-point provisioning process during user registration. It requires newly registered users to reconfirm their email address, and offers administrators the ability to moderate registration by manually validating registration requests, to confirm the identity of the user and control access to the solution. Both steps can be bypassed to streamline the registration process at the administrator's discretion.

File type restrictions

To further allow organizations to control the flow of corporate information, Secure MFT provides file type restrictions so companies can prevent users from sending files of certain types, based on file extensions. For example, administrators can configure Secure MFT to reject files with the extensions .exe, .com, or .bat, which some consider inherently unsafe, or application-specific extensions to protect corporate intellectual property.
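The extension-based restriction just described is easy to get subtly wrong, so the following added example (not Secure MFT code; the deny-list and file names are constructed) shows the checks a defender wants in such a filter: compare case-insensitively, look at every suffix rather than only the last one, and strip trailing dots and spaces that Windows silently removes when a file is saved. The comment at the end states the limit of this control.

```python
from typing import List, Optional, Tuple

# Constructed deny-list; the paper names .exe, .com and .bat as examples.
BLOCKED_EXTENSIONS = frozenset({"exe", "com", "bat"})


def base_name(name: str) -> str:
    """Final path component, normalized for comparison.

    Trailing dots and spaces are removed because Windows drops them when a
    file is created, so 'setup.exe.' is effectively 'setup.exe'.
    """
    last = name.replace("\\", "/").rsplit("/", 1)[-1]
    return last.rstrip(". ").lower()


def suffixes(name: str) -> List[str]:
    """All dot-separated suffixes of the base name, e.g. 'a.tar.gz' -> ['tar', 'gz'].

    Unlike pathlib, a leading dot counts: '.exe' yields ['exe'].
    """
    parts = base_name(name).split(".")
    return [p for p in parts[1:] if p]


def blocked_extension(name: str, denylist=BLOCKED_EXTENSIONS) -> Optional[str]:
    """Return the first deny-listed suffix found anywhere in the name, or None.

    Checking every suffix (not just the last) rejects 'invoice.pdf.exe' and
    also the more conservative 'report.exe.txt'.
    """
    for ext in suffixes(name):
        if ext in denylist:
            return ext
    return None


def partition_uploads(names: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a list of file names into (allowed, [(rejected_name, reason)])."""
    allowed, rejected = [], []
    for n in names:
        ext = blocked_extension(n)
        if ext is None:
            allowed.append(n)
        else:
            rejected.append((n, f"extension .{ext} is not permitted"))
    return allowed, rejected


# Limit of this control: it inspects the name only.  A renamed executable
# ('setup.dat') passes, so pair it with content inspection where that matters.
```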

Summary

Data breaches are in the news constantly. These breaches have affected some of the largest and most recognized organizations in the world, organizations with advanced security and intrusion detection. One source of information leakage is file transfer, as many of those transfers still take place over unsecured network protocols initiated by unmanaged file transfer applications.

Backed by more than 20 years of experience in providing enterprise-grade security solutions, OpenText Secure MFT delivers uncompromising security to organizations of any size to safely exchange files globally. The state-of-the-art design of Secure MFT ensures that all factors directly and indirectly related to file transfer activities, including user authentication, data-in-transit and data-at-rest encryption, asset life cycle management, and user access rights, are strongly secured. In doing so, it helps organizations eliminate the risk associated with rich digital content exchanges through a user-friendly file transfer solution, while increasing user productivity and the confidentiality and security of file exchange with a single, centrally managed solution.

For more information about Secure MFT, please visit: http://www.opentext.com/securemft

Copyright 2015 Open Text Corporation. OpenText is a trademark or registered trademark of Open Text SA and/or Open Text ULC. The list of trademarks is not exhaustive; other trademarks, registered trademarks, product names, company names, brands and service names mentioned herein are property of Open Text SA or other respective owners. All rights reserved. For more information, visit: http://www.opentext.com/2/global/site-copyright.html (11/2015) 04013EN.rev1