Congratulate yourself if you already have a secure, managed file transfer (MFT) solution in your organization. You’ve taken a proactive step towards addressing growing cybersecurity concerns around the exchange of your sensitive, often business-critical files.
While robust file transfer solutions can offer security, automation, and a streamlined way to conduct this essential business process, to maximize your security defenses, you’ll want to take note of some best practices and configurations for hardening your MFT environment.
What Does it Mean to Harden Your Environment?
The goal of hardening your environment is to lessen your security risks by minimizing the available attack surface: applying technology tools and best practices, and taking specific security-minded actions across your organization’s software applications, infrastructure, systems, and firmware.
In short, hardening your environment gives cybercriminals fewer opportunities to commit cybercrime and gives your employees and trading partners fewer avenues to accidentally mishandle data. Ensuring your systems are resilient through hardening can also help your organization continue doing business “as usual” without critical downtime.
As a rule, Fortra encourages organizations to regularly review and apply best practices around hardening their environment, so that they take full advantage of the security measures built into their solution to guard against cyberattacks and data breaches. In addition, taking the time to harden your environment and enforce those best practices can help your organization more easily meet compliance requirements about how data is safeguarded in motion and at rest.
Hardening is Just One Part of a Security-Centric Approach
Hardening one’s environment is important, but it is just one element of a solution’s approach to security. At Fortra, we approach it at the development level with tools such as MEND scanning and static code analysis; at the product level through security by default, such as encryption and secure default security settings; and through certifications such as FIPS, SOC 2, and Common Criteria.
Beyond the product level, a layered approach is the ideal posture to achieve best-in-class security for your MFT environment. In addition to a secure MFT platform, a few security tools elevate your environment, including:
- Integrating malware and threat protection scanning on inbound data transfers. This helps ensure internet data is clean before it enters your network.
- Leveraging a secure content engine or a rules schematic such as Data Classification to determine whether, and what, data is allowed to leave your organization, especially where human error poses risk. A mature MFT solution allows you to apply DLP (Data Loss Prevention) controls, masking or removing sensitive content before the data leaves your network. If certain sensitive data should never leave your organization, your MFT solution should be able to deny the transfer and alert an admin via email, SMS, or an alerting system like PagerDuty.
But what if you need to allow that most-sensitive data to be shared with an external third party? Digital Rights Management (DRM) is a common approach to safeguarding your most sensitive assets. Zero Trust File Transfer is our solution combining MFT with DRM to provide secure sharing with access revocation and full auditing and control of your data.
- Many MFT platforms offer a collaboration module built on the HTTPS protocol, popular for its ease of use. Unfortunately, a sizeable share of data security attacks arrive over HTTPS, and the MFT market is no exception. According to recent research from Verizon, web application attacks are involved in 26% of all breaches, making them the second most common attack pattern.
A Web Application Firewall (WAF) provides a critical security layer when you have a web server that is exposed to the internet. A mature MFT solution will have WAF interoperability, allowing the WAF to intercept traffic before it reaches your server and protecting the server from numerous attacks, including SQL injection, DDoS (Distributed Denial of Service), and RCE (Remote Code Execution).
The above security layers help ensure your MFT environment is protected beyond the application layer, both from inbound threats and from outbound data leaks. If you take just one thing from this blog post, it should be that layered security is the best security!
General Security Best Practices for MFT Solutions
If you are reviewing the security posture of your current MFT solution environment and wondering where to start hardening your environment, look for and turn on the security settings and options available to you, such as:
- Authentication: Utilize options such as MFA, two-factor, SAM, LDAP, Key/Certificate plus password, or time-based one-time password apps like Google Authenticator or Microsoft Authenticator.
- Encrypted Folders: Ensure that data kept in storage locations or on your server (data at rest) is encrypted using AES 256-bit encryption.
- FIPS 140-2 compliance: Globally restricts the ciphers and algorithms in use to FIPS-approved ones, on both the server side and the client side of the application.
- Automatic IP blocking for login attempts using known-malicious usernames, together with a global IP filter.
- Filtering and auditing of failed login attempts.
- If you have an ICAP server, enable Antivirus Settings to automatically deny inbound file transfers containing threats.
- Review hardening documentation and consult your security team to see what settings align with your corporate security posture.
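The failed-login auditing, automatic IP blocking, and global IP filter items above, worked through as an added example (this is not GoAnywhere code; the log format, thresholds, address ranges, and username list are all constructed for illustration):

```python
# Added example (not GoAnywhere code): audit failed logins from constructed MFT
# auth log lines, auto-block abusive source IPs, and apply a global IP filter.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

LOG_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) ip=(\S+)")
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # constructed global IP filter
MALICIOUS_USERNAMES = {"root", "administrator", "guest"}  # accounts no trading partner should use
FAIL_THRESHOLD = 5              # failures per source IP ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window

def ip_allowed(ip):
    """Global IP filter: reject connections from outside the approved networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def audit(lines):
    """Return (blocked_ips, findings) after replaying the log lines in order."""
    failures = defaultdict(list)   # ip -> failure timestamps still inside WINDOW
    blocked, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not an authentication record
        ts_s, event, user, ip = m.groups()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        if not ip_allowed(ip):
            findings.append(f"{ts_s} {ip} rejected by global IP filter (user={user})")
            continue
        if event != "LOGIN_FAILED":
            continue
        if user in MALICIOUS_USERNAMES:   # probing a username that should never log in
            blocked.add(ip)
            findings.append(f"{ts_s} {ip} blocked after probing username {user!r}")
            continue
        failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
        if len(failures[ip]) >= FAIL_THRESHOLD and ip not in blocked:
            blocked.add(ip)
            findings.append(f"{ts_s} {ip} blocked: {len(failures[ip])} failures within {WINDOW}")
    return blocked, findings

SAMPLE_LOG = [  # constructed sample lines
    *[f"2024-05-01T10:00:0{i}Z LOGIN_FAILED user=partner1 ip=203.0.113.7" for i in range(1, 6)],
    "2024-05-01T10:00:20Z LOGIN_FAILED user=root ip=203.0.113.9",
    "2024-05-01T10:01:00Z LOGIN_FAILED user=partner2 ip=198.51.100.4",
    "2024-05-01T10:30:00Z LOGIN_FAILED user=partner3 ip=10.1.2.3",
    "2024-05-01T10:45:00Z LOGIN_FAILED user=partner3 ip=10.1.2.3",  # outside WINDOW of the previous failure
]
```

The last two lines show the sliding window at work: two failures fifteen minutes apart from the same address never reach the threshold, so legitimate partners who mistype a password are not locked out.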
It’s important to note that not all MFT solutions, particularly free file transfer options, have this wide array of security settings built in that can be configured by admins. Fortra’s GoAnywhere MFT, however, does have the extensive security setting options required by many compliance standards and also includes the necessary advanced reporting to help your organization meet compliance regulations.
Advanced Reporting Helps Remove Mitigation Guesswork
The auditing and reporting of all file activities – workflow, file server, and administrator logging – is critical to meeting stringent compliance requirements for PCI DSS, HIPAA, state privacy laws, and other regulations. GoAnywhere’s Security Settings Audit Report quickly identifies any areas of the environment that may be lacking security-wise and, more importantly, provides recommendations for mitigation, eliminating guesswork when fixing failures or non-compliances.
This report analyzes a vast array of security configuration settings within GoAnywhere and produces a detailed list of the solution’s security defaults, all enabled services, and the currently configured security settings. For example, if the FIPS 140-2 module is not enabled, the report raises a warning, even though you could still explicitly allow only NIST-approved algorithms and ciphers without having that setting enforce it for you automatically.
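A settings audit in the spirit of the report described above, as an added example (this is not GoAnywhere’s report or configuration schema; the setting names, the cipher allowlist, and the sample configuration are constructed). It reproduces the FIPS nuance from the text: hand-picked approved ciphers earn a warning rather than a pass, because nothing enforces the restriction.

```python
# Added example (not GoAnywhere's report): audit a constructed settings dict
# against a hardening baseline. Setting names and allowlists are illustrative.
from dataclasses import dataclass

# Illustrative allowlist of SFTP ciphers treated as FIPS-approved here (not the authoritative list).
APPROVED_CIPHERS = {"aes128-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
CLEARTEXT_SERVICES = {"ftp", "http"}   # services that move credentials and data unencrypted

@dataclass
class Finding:
    severity: str          # "FAIL", "WARN" or "PASS"
    setting: str
    recommendation: str

def audit_settings(cfg):
    """Compare a constructed settings dict against a hardening baseline."""
    findings = []
    # FIPS 140-2: warn even when only approved ciphers are configured, since nothing enforces it.
    non_approved = set(cfg.get("sftp_ciphers", [])) - APPROVED_CIPHERS
    if cfg.get("fips_mode"):
        findings.append(Finding("PASS", "fips_mode", "FIPS 140-2 module enabled"))
    elif non_approved:
        findings.append(Finding("FAIL", "fips_mode", f"Enable FIPS 140-2 mode; non-approved ciphers in use: {sorted(non_approved)}"))
    else:
        findings.append(Finding("WARN", "fips_mode", "Ciphers are approved but enforced manually; enable FIPS 140-2 mode so the restriction is automatic"))
    for svc in sorted(set(cfg.get("enabled_services", [])) & CLEARTEXT_SERVICES):
        findings.append(Finding("FAIL", f"service:{svc}", f"Disable {svc.upper()} or replace it with its TLS/SSH-protected equivalent"))
    if cfg.get("at_rest_encryption") != "AES-256":
        findings.append(Finding("FAIL", "at_rest_encryption", "Enable AES 256-bit encryption for folders holding data at rest"))
    if not cfg.get("mfa_required"):
        findings.append(Finding("FAIL", "mfa_required", "Require MFA for all interactive logins"))
    if cfg.get("icap_server") and not cfg.get("icap_av_enabled"):
        findings.append(Finding("WARN", "icap_av_enabled", "An ICAP server is configured; enable antivirus scanning to deny inbound files containing threats"))
    return findings

def worst_severity(findings):
    """Overall grade of the report: the most severe finding wins."""
    order = {"PASS": 0, "WARN": 1, "FAIL": 2}
    return max((f.severity for f in findings), key=order.get)

SAMPLE_CONFIG = {  # constructed: approved ciphers chosen by hand, but FIPS mode left off
    "fips_mode": False,
    "sftp_ciphers": ["aes256-ctr", "aes256-gcm@openssh.com"],
    "enabled_services": ["sftp", "https", "ftp"],
    "at_rest_encryption": "AES-256",
    "mfa_required": True,
    "icap_server": "icap://av.example.internal:1344",
    "icap_av_enabled": False,
}
```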
Of course, in addition to all the recommendations for hardening your environment, it’s essential to update your software solution to the latest version to ensure you have the most recent security updates available. GoAnywhere also provides Expert Services if you have questions or want to walk through this report or other hardening best practices for your MFT environment.
Security Starts with Development
When evaluating solutions, consider the software development lifecycle. Solutions whose development teams build in risk mitigation through static code analysis, dynamic application security testing, and other tactics substantially boost the security of the end product. Fortra is proud to have the added benefit of dedicated in-house Security Champions who evaluate and triage security risks.
The GoAnywhere team continuously identifies, assesses, and mitigates risks by:
- Using static code analysis to identify areas of source code that may be vulnerable to attack
- Conducting software composition analysis to identify security risks and vulnerabilities with third-party libraries
- Conducting regular penetration testing, backed by a comprehensive incident response team and process to acknowledge, analyze, mitigate, and remediate potential threats
- Applying DAST (Dynamic Application Security Testing) to analyze software for vulnerabilities through simulated attacks
- Incorporating SAMM (Software Assurance Maturity Model) to analyze and improve the secure development life cycle
- Conducting mandatory Secure Software Development training for all developers
- Securing communications protocols and the entire build process
The Security Trust Center provides additional details on certifications, the software development lifecycle, penetration testing, and more.
GoAnywhere is a Robust, Tested, and Secure Solution
GoAnywhere, a leading file transfer solution, undergoes the recommended and rigorous industry analysis and testing that help make it a secure, efficient part of an organization's data exchange process. Regular hardening of your MFT solution can shore up your file transfer security. To see how secure and efficient GoAnywhere can be, schedule a live demonstration.