Meeting MFT security, reliability and compliance requirements with JSCAPE
Managed file transfers play a crucial role in facilitating business processes. As such, they have to be carried out with a high degree of security, reliability and adherence to regulatory compliance. JSCAPE MFT excels in that regard. In this post, let’s engage in a more in-depth discussion about the various security, reliability and compliance capabilities of JSCAPE by Redwood.
Gain confidence with multi-layered security
Business file transfers, especially those that involve mission-critical processes and/or sensitive data, have to be protected at all times. Many of these file transfers go through the Internet, which is known to be teeming with cyber threats. To minimize the risk posed by cyber threats, JSCAPE is equipped with multiple layers of security. In this section, we’ll briefly go over some of the cybersecurity capabilities built-into this managed file transfer solution.
Data-at-rest and data-in-motion encryption
Many business file transfers involve sensitive data like login credentials, personal identifiable information (PII), payment card data, intellectual property and so on. To preserve the confidentiality of your data during these activities, JSCAPE offers several file transfer protocols that support data-in-motion encryption, which renders man-in-the-middle attacks and other network-based threats ineffective. Even if an attacker manages to intercept an encrypted connection, that attacker won’t be able to retrieve any useful information.
In addition, JSCAPE also comes with data-at-rest encryption, which provides the same kind of protection to stored data. So, even if an attacker manages to infiltrate your network and even steal the storage devices that hold JSCAPE user files, that attacker will likewise be unable to retrieve anything usable.
Access control measures
Access control measures prevent threat actors from gaining unauthorized access to your systems. This, in turn, prevents files from being stolen, sabotaged or tampered with. JSCAPE is stacked with a robust selection of access control mechanisms that include multiple authentication options (e.g., password, public key, LDAP, RADIUS and more.), IP-based access, multi-factor authentication, single sign-on and many others.
This robust selection gives you enough flexibility to enforce the level of access control suitable for your organization. You can even apply different levels of access control to different groups of users. Moreover, JSCAPE enables you to implement access control best practices such as role-based access control and the principle of least privileges.
Data integrity checks
In order for your business transactions to be 100% reliable at all times, every piece of data sent and received must be accurate and devoid of any tampering. JSCAPE MFT supports several file transfer protocols that have built-in mechanisms for preserving data integrity, from checksum validations to full-blown electronic receipts.
Virus scans
Files that arrive at your JSCAPE solution can come from practically anywhere — including malware-infested systems. To minimize the risk of a malware outbreak in your IT infrastructure due an uploaded file, JSCAPE provides options that allow you to set up automated virus scans for your file uploads.
Data loss prevention (DLP)
When you handle a lot of sensitive data, the chances of data loss — due to accidental or deliberate circumstances — can be quite high. To minimize the risk of data loss or, worse, a full-blown data breach, JSCAPE is equipped with a customizable DLP tool that you can enable on pre-defined folders and incorporate into your automated file transfers. The DLP module can then automatically deny a file transfer and/or notify you if a potential data leak is detected.
Reverse proxy
Internal networks hold a sizable portion (if not 100%) of business-critical systems and data. To prevent internet-based threat actors from reaching their internal networks, some organizations that need to provide public-facing network services for internet-based users set up a demilitarized zone (DMZ) and deploy copies of their networks services there. In effect, these organizations have two copies of their network services — one in their internal network for their internal users and another in their DMZ for their internet-based users.
It’s worth noting that whereas the firewall on the right can be configured to block all inbound traffic, the firewall on the left has to have some open ports to give users access to the network services deployed on the DMZ.
While this setup works, it has two major issues:
- It’s expensive and difficult to maintain since you need to have two deployments for each server application.
- The DMZ-based servers are accessible to the internet and, hence, exposed to internet-based threats. Any passwords and data stored on those servers can be compromised. This vulnerability is the reason why the Payment Card Industry Data Security Standard (PCI DSS) prohibits devices that store payment card data from being deployed on the DMZ.
JSCAPE eliminates these issues by providing a reverse proxy, which you can deploy in your DMZ and enable secure access to internally deployed servers. The reverse proxy supports DMZ streaming, a feature that allows you to serve internet-based users without storing any data at the DMZ and without opening inbound ports on your internal firewall (the firewall on the right). Moreover, since the reverse proxy supports any TCP/IP protocol it allows you to eliminate the need to deploy several network services in your DMZ.
For more information, please read these blog posts:
- sHow to secure a network service with a reverse proxy
- 8 reasons why you should use a reverse proxy in your DMZ
Comprehensive visibility
You can’t secure what you can’t see. It’s therefore important to have complete visibility of your entire managed file transfer infrastructure. JSCAPE provides comprehensive visibility, starting from a graphical dashboard that displays key health and performance metrics (e.g., system resource utilization, connections, uploads, downloads, logins and many others) at a glance. In addition, JSCAPE comes with a wide range of logging options that allow you to track as little or as much information about your file transfer sessions and JSCAPE environment as you need. It even supports syslog and SIEM logging.
Have peace of mind with highly reliable file transfers
With several business processes — some mission-critical — going through your file transfer system on a daily basis, you want to keep that system running optimally at all times. You also want to keep downtimes to a minimum or, if possible, even non-existent. A drop in performance or, worse, an extended downtime, can impact thousands of users and multiple processes down the line. JSCAPE maintains highly performant and highly available file transfer services through the following features and capabilities.
Active-Active High-Availability (HA) configuration
JSCAPE can be configured in such a way wherein you have a load balancer in front and a cluster of two or more JSCAPE instances behind it. However, this configuration is transparent to file transfer clients. From the point of view of each file transfer client, the load balancer appears as a single instance of JSCAPE. They have no way of knowing that there are actually multiple instances behind that load balancer, nor do they have to determine which instance they should connect to.
As file transfer requests come in, that load balancer will distribute the workload across the cluster. In doing so, the load balancer significantly reduces the workload of each individual JSCAPE instance and prevents it from reaching maximum capacity. This ensures every instance maintains a high level of performance. JSCAPE already comes with its own load balancer, so you don’t have to purchase a separate product.
For more information, read the post: Active-Active vs. Active-Passive High-Availability Clustering
Although the load balancer is quite effective at distributing workloads and, in turn, preventing each JSCAPE instance from reaching maximum capacity, your file transfer demand will likely grow over time. There will come a time when your cluster will eventually reach maximum capacity. How will you meet that growth? Well, you can simply add more instances< AKA nodes, to the cluster. This is easily done if you leverage JSCAPE’s centralized global datastore.
Centralized global datastore
JSCAPE comes with a centralized global datastore that makes it possible for you to just “plug in” additional instances whenever the need arises. JSCAPE’s centralized global datastore is a database that contains configuration settings of all your JSCAPE instances in a cluster. Basically, all instances in a cluster share the same configuration settings and those settings are stored in the global datastore.
This is important because, in order to set up an active-active HA configuration, all nodes in the HA cluster must have exactly the same settings. The global datastore eliminates the need for manually configuring each JSCAPE instance and making sure all settings match.
For more information, read the post: Setting up a MFT server HA cluster with a shared RDBMS as global datastore
Network and cloud storage
Another JSCAPE capability that can come in handy in active-active HA configurations is the ability to utilize network storage devices and cloud storage services as shared storage systems. This is important because, in an active-active HA cluster, you’ll never know which JSCAPE instance the load balancer will direct a particular user. With a shared storage setup, each shared storage (e.g., a network-attached storage or NAS) will appear as a user folder regardless which JSCAPE instance the user is directed to.
You can choose from a wide range of shared storage options, including NAS storage, public cloud storage services (e.g., AWS S3, Azure Files Storage, Google Storage, etc.), and even other network services (e.g., FTPS servers, SFTP servers, etc.)
For more information, you may read these posts:
- Setting up a NAS shared storage for your file transfer servers
- How to connect and upload files to Azure storage
- How to use Amazon S3 as storage for your MFT server
- How to use Google storage as the file storage system of your MFT server
Active-Passive High Availability configuration
If you have no need for, can’t afford or simply prefer not to deploy a JSCAPE cluster but still want to achieve an acceptable level of high availability, you can deploy JSCAPE in an active-passive HA configuration instead. In this configuration, one JSCAPE instance actively processes file transfer tasks while another instance serves as a backup. In case the active instance fails (e.g., due to a physical server crash, power outage, network disconnection, etc.), the passive instance can immediately take its place, thereby minimizing downtime.
Simplify regulatory compliance efforts
All these built-in security and reliability capabilities greatly simplify tasks in fulfilling data privacy/protection regulatory compliance mandates, such as:
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes Oxley Act (SOX)
- General Data Protection Regulation (GDPR)
- And many others.
Here are a few specific examples that demonstrate how JSCAPE MFT can help you achieve regulatory compliance.
HIPAA compliance
HIPAA-covered entities, which include healthcare plans like Medicare/Medicaid and Veterans Health Plans, health care clearinghouses and health care providers like physicians, clinics pharmacies and nursing homes, are required to adhere to certain standards specified under the Technical Safeguards of HIPAA’s Security Rule.
These requirements pertain to security measures such as access control, integrity and transmission security, among others. In addition, HIPAA also includes provisions that call for the use of electronic data interchange (EDI) in health care transactions.
JSCAPE can help HIPAA-covered entities meet the EDI as well as several security-related requirements using a single solution. In addition to the comprehensive selection of security features mentioned earlier, JSCAPE also supports Applicability Statement 2 (AS2), a highly secure file transfer protocol and one of the most widely accepted protocols used for facilitating EDI transactions.
For more information, you may read these posts:
- Guide to HIPAA-compliant file transfers – Part 1
- Guide to HIPAA-compliant file transfers – Part 2
- Guide to HIPAA-compliant file transfers – Part 3
- Securing HIPAA EDI transactions with AS2
PCI DSS compliance
PCI DSS is a set of standards that apply to any organization dealing with payment card (credit card or debit card) data. It consists of 12 general security requirements, which consist of several sub-requirements. While we won’t be discussing every single requirement that affects file transfers, we’d like to share with you three of them as well as how JSCAPE can help you meet those requirements.
PCI DSS requirement | How to address them using JSCAPE |
1.3.1 – Inbound traffic to the cardholder environment (CDE) should be restricted to only traffic that is necessary and all other traffic must be specifically denied. | Use JSCAPE’s IP-based access feature, in conjunction with its reverse proxy and DMZ streaming capability, to limit inbound traffic to certain source IP addresses and protocols. |
4.2 – Primary account number (PAN) must be protected with strong cryptography during transmission. | Choose a JSCAPE-supported file transfer protocol that supports encryption and select only strong cipher suites. |
8.3.4 Invalid authentication attempts should be limited by locking out the user ID after not more than 10 attempts. | JSCAPE’s password policies include a setting where you can specify the maximum number of invalid password attempts before a user account is disabled. You can use that setting for this purpose. |
Those are just three examples. There are several other file transfer-related PCI DSS requirements and sub-requirements that can be met using JSCAPE.
Final thoughts
In this post, we covered the key security, reliability and compliance capabilities of JSCAPE. These attributes are essential to any business process that involves data exchanges across unsecured networks like the Internet. By leveraging these capabilities, you can significantly reduce the risk of a data leak, a full-blown data breach or a compliance violation, as well as the costly penalties and fines that accompany them.