Securing all the data your organization exchanges is a need, not a want in today’s cybersecurity environment. To minimize the risk of a security breach – whether intentionally malicious, or accidental through user error – takes the proverbial village of proactive measures. One of these is employing strong protocols such as AS2 (Applicability Statement 2) when exchanging files.
AS2 should be a contender when choosing which standard your organization will use to securely send and receive business-critical, sensitive files.
What is AS2 and How Does it Work?
AS2 is a standard used to transfer data securely over the internet. It is used across the world, especially among organizations that participate in e-commerce. AS2 encrypts messages when exchanging data outside your organization with vendors, trading partners, or remote systems through a secure HTTPS connection.
Sensitive information is protected in transit by using digital certificates and strong encryption standards. In addition, AS2 messages sent over HTTPS are compressed and signed before transmission over a secure SSL tunnel.
Senders of AS2 messages also can get digitally signed receipts (or MDNs: Message Disposition Notifications) of successful message delivery that contain a checksum value that the sender can use to verify the message received is identical to what was sent.
“Historically, AS2 is commonly used by industries like retail, manufacturing, finance, and healthcare. One of the reasons this protocol is often the choice of these market segments is that the integrity of file transfers is very important to their critical business functions. They need that level of assurance that their files are protected from unauthorized changes,” notes Chris Spargen, Senior Manager, Solutions Engineering, Fortra.
AS2 offers organizations concerned about file transfer security several overarching benefits, including:
- Privacy
- Authenticity
- Data integrity
- Nonrepudiation of origin and receipt (proof of origin and integrity)
Those benefits stem from the following AS2 features.
Features of AS2 Add Security, Integrity to Data Exchanges
- Encryption: AS2 messages are encrypted for data security by using the recipient's public certificate. This way, only the recipient can decrypt the contents, using the private key that corresponds to that certificate.
- Compression: Compressing or decreasing the size of the AS2 message can help speed the transfer along and help ensure reliable delivery.
- Digital signatures: The sender signs the AS2 message with its private key, and the recipient verifies that signature against the sender's certificate to confirm the sender's authenticity. A signed receipt is then returned to the originator to help confirm the identity of the recipient’s system. These digital signatures provide message integrity and non-repudiation of origin.
- Message Integrity Check: With AS2, the recipient calculates a checksum of the message using MD5, SHA1, or a SHA2 hashing algorithm. This value is then shared with the sender by placing it in the receipt. The sender also calculates a checksum using the same algorithm, and the two values are compared to guarantee that the sent message is identical to the one received.
- Receipt: To acknowledge that the recipient received the message via the AS2 protocol, a Message Disposition Notification (MDN) serves as a receipt. The MDN can also be used to verify the recipient's identity when the receipt is signed.
- Non-repudiation of Receipt: Using message and receipt signatures creates a Non-Repudiation of Receipt (NRR) event, which is considered legal proof of delivery.
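The Message Integrity Check and receipt steps above, seen from the sender's side, as an added example that is not code from GoAnywhere or any AS2 product. It assumes the MDN's signature has already been verified, that the caller passes the exact bytes the MIC covers, and that the receipt carries the `Original-Message-ID`, `Disposition` and `Received-Content-MIC` fields defined for AS2 MDNs; the sample payload, message ID and MDN are constructed.

```python
import base64
import hashlib
import hmac

# MIC algorithm names an MDN may carry, mapped to hashlib names.
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "sha-1": "sha1", "sha256": "sha256",
              "sha-256": "sha256", "sha384": "sha384", "sha-384": "sha384",
              "sha512": "sha512", "sha-512": "sha512"}
WEAK = {"md5", "sha1"}  # collision-prone; flag them so partners can move to SHA-2


def compute_mic(content: bytes, algorithm: str) -> str:
    """Base64 digest of the bytes the MIC covers (assumed supplied by the caller)."""
    digest = hashlib.new(ALGORITHMS[algorithm.lower()], content).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_mdn_fields(mdn_text: str) -> dict:
    """Parse the 'Field: value' lines of the MDN's machine-readable part."""
    pairs = (line.partition(":") for line in mdn_text.splitlines())
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}


def check_receipt(sent_content: bytes, sent_message_id: str, mdn_text: str) -> tuple:
    """Return (ok, reason) for an MDN whose signature was already verified."""
    fields = parse_mdn_fields(mdn_text)
    if fields.get("original-message-id") != sent_message_id:
        return False, "receipt refers to a different message"
    disposition = fields.get("disposition", "")
    if "processed" not in disposition or "error" in disposition:
        return False, "partner did not report successful processing"
    mic, _, alg = fields.get("received-content-mic", "").partition(",")
    alg = alg.strip().lower()
    if alg not in ALGORITHMS:
        return False, "missing or unknown MIC algorithm"
    expected = compute_mic(sent_content, alg).encode()
    if not hmac.compare_digest(mic.strip().encode(), expected):
        return False, "MIC mismatch: received content differs from what was sent"
    if ALGORITHMS[alg] in WEAK:
        return True, "MIC matches, but uses a weak hash"
    return True, "MIC matches"


# Constructed sample data (not from a real exchange).
SAMPLE_PAYLOAD = b"constructed purchase order payload\r\n"
SAMPLE_ID = "<constructed-0001@sender.example>"
SAMPLE_MDN = ("Original-Message-ID: " + SAMPLE_ID + "\n"
              "Disposition: automatic-action/MDN-sent-automatically; processed\n"
              "Received-Content-MIC: " + compute_mic(SAMPLE_PAYLOAD, "sha256") + ", sha256\n")
```

A receipt that passes this check is only evidence of delivery when its signature was verified first; an unsigned MDN with a matching MIC proves nothing about who produced it.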
Why Choose AS2 Over Other File Transfer Protocols
Spargen notes, “AS2 is often leveraged by trading partners who have mutually agreed upon file formats and file transfer requirements. It is admittedly more cumbersome than SFTP or FTP, largely due to the multiple SSL certificates and encryption layers at play with both the communication layer (HTTP over SSL) as well as encryption and digital signatures for the AS2 message itself. However, using a robust managed file transfer tool that supports AS2 can help streamline these secure transfers.”
AS2 vs FTP
Unlike AS2, FTP does not encrypt files within the transfer window. With channels unencrypted, data is vulnerable to interception and misuse. An authenticated username and password are required with FTP, but a secure connection is not guaranteed. In addition, FTP lacks automation features and does not meet compliance requirements such as FIPS, HIPAA, or GDPR.
AS2 vs SFTP
If you or your trading partners need to meet compliance requirements, particularly ones that retail or e-commerce businesses need to follow, such as PCI DSS, AS2 should be your choice over SFTP. AS2 can offer synchronous or asynchronous MDN receipts, which can prove that your transferred files have been received and decrypted successfully by an authorized recipient.
In addition, AS2 provides for end-to-end encryption and validation of a file’s integrity (non-repudiation), and no limit to size or volume of files being sent or received.
Non-retail-type businesses, however, often prefer SFTP over AS2. With SFTP you can specify strong authentication as well as use passwords, user IDs, or SSH keys to authenticate server to server connections. While this might seem more cumbersome to track, file transfer solutions that use key and certificate management systems can generate SSH key pairs quickly and keep them centralized and secure.
AS2 vs AS4
AS4 is an open standard used to secure and exchange documents between businesses using Web Services. Like AS2, it supports a variety of document formats including HL7, XML, JSON, binary, and ASCII. And it too utilizes compression to reduce bandwidth, supports digital signing and encryption, and offers non-repudiation.
Where this protocol differs from AS2 is how acknowledgements are managed. AS4 uses SOAP with XML digital signatures vs MDNs. Also, AS4 message packages use MIME and SOAP, while AS2 uses purely MIME-based packaging. And lastly, AS4’s security is based on the WS security standard, and AS2’s is through S/MIME specifications.
“AS4 is considered by many to be the next generation protocol with more modern technologies. Some of our GoAnywhere MFT users prefer AS4 over AS2 as it can be more compatible with technologies such as SOAP and XML when integrating with internal systems, as well as external ones,” said Spargen. “In addition, it offers robust support for metadata, to transport a variety of messaging from JSON to binary, and more.”
However, according to Spargen, AS2 may still be preferred for the following reasons:
- AS2 has strong security controls and is not an outdated protocol. Often, new technologies will offer security benefits that necessitate the adoption of the new technology.
- In the B2B market, changing processes that operate effectively is not a popular opinion – especially for backbone processes that power the business. It requires mutual trading partner support and adoption and given the time and investment it requires to set up AS2, there are operating costs that companies need to consider before making this change.
Drummond Certification Helps Ensure Solution Protocols Meet Interoperability Testing
GoAnywhere MFT is Drummond-certified for AS2 and AS4 which helps provide a high level of assurance of compliance and compatibility with other AS2 and AS4 solutions. This certification recognizes that GoAnywhere has met full interoperability testing, meaning that the information you exchange and receive is secured according to the relevant Applicability Statement standards.
MFT Supports AS2 and Other Protocols for Secure File Exchanges
Whatever file protocol is chosen, managed file transfer (MFT) solutions like Fortra’s GoAnywhere MFT can centralize and integrate the file transfer process as it operates as a single pane of glass for both auditing and administration. AS2 features in GoAnywhere include:
- Multiple file attachments
- Compression
- Digital signatures
- Message encryption and integrity checks
- Signed receipts
- Logging
GoAnywhere MFT Can Transfer Your Files with AS2 and More
Find out how GoAnywhere utilizes AS2, and other strong file transfer protocols, to transfer your most critical and sensitive files securely and efficiently by starting a free MFT trial today.