Secure File Transfer in the Realm of Digital Business:
An Interview with Stuart James
Without the proper security protocols in place, transacting digital business puts the business itself at risk. Because information transmitted across the internet may be intercepted, read, and even altered by third parties, advanced file encryption is essential to keep critical information from falling into the wrong hands.
When transferring data to external recipients outside of your network, the best way to ensure you remain in control of your sensitive information is to deploy a premium secure file transfer solution in your environment.
To relay expert advice on the importance of secure file transfer, I interviewed Litéra Corp’s Information Security Officer and Lead Developer of Litéra Secure File Transfer®, Stuart James.
Q: How is Secure File Transfer Essential to Business Security?
Stuart James: No matter what industry you’re in, when you’re transferring anything outside of your network, be it sensitive legal documents, financial statements, or any other kind of private information, you want to be the owner of those files and have the ability to audit and track when they leave and where they are going. You want to encrypt those files in-transit and at rest wherever they end up being permanently stored, be it in a pure cloud, hybrid or on-premises solution.
Q: What’s the difference between a cloud solution and an on-premises solution?
SJ: In a cloud-only solution, you don’t have the same assurance of maintaining control of your information. Because it is controlled and maintained by a third party, you don’t have any way of knowing who exactly might be accessing the cloud environment or its infrastructure. With an internally deployed on-premises solution, existing IT departments retain full control of data.
Q: Why is it important to encrypt files both in-transit and at-rest?
SJ: In-transit encryption protects information in case of interception. Anyone who intercepts the file at that point won’t be able to access it without the unique key automatically generated between your server and the client. Once your files arrive in permanent storage, at-rest encryption protects them from being accessed by anyone internally without prior authorization.
Q: How does Litéra Secure File Transfer® encrypt files?
SJ: Litéra Secure File Transfer® encrypts files in transit using high-end Transport Layer Security (TLS) ciphers, not to be confused with Secure Sockets Layer (SSL), which we no longer support due to its vulnerability. For files at rest, we use Advanced Encryption Standard (AES) 256 block-level encryption.
We regularly scan our platform for optimal cipher configurations. We configure and deploy our system to achieve an A+ rating using an independent SSL/TLS verification method. This allows us to automatically promote the highest-grade cipher for your browser on any connecting device, so that transport between the server and the client requires minimal configuration, and to provide elliptic curve encryption for systems that support it.
Block-level encryption secures files where they are stored on your server. We use AES 256 block-level encryption with a multi-part key to secure each individual file uniquely. This method differs from file system encryption. We’re not doing that. Litéra Secure File Transfer® encrypts each file with its own unique AES 256 cipher.
The benefit of this is that if, for whatever reason, your system were to be compromised or your file system were to be accessed, each file has its own unique encryption. This makes it that much more difficult for someone to ever potentially access them, even internal staff.
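The per-file scheme described above, as an added example written for this page (not Litéra’s own implementation): each file gets its own random AES-256 key, and that key is wrapped under a 32-byte server master key that is assumed to live outside the file store, so an attacker who reads the file system alone gets only opaque blobs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // every key in this example is 32 bytes; anything else is a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal prefixes a fresh random nonce; aad (the file ID) is authenticated, so a stored blob cannot be swapped between files.
func seal(key, data, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail (guaranteed since Go 1.24)
	return g.Seal(nonce, nonce, data, aad)
}

// open reverses seal; any change to nonce, body, tag or aad is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// EncryptFile gives the file its own random 256-bit key, encrypts the body with it, and wraps that key under masterKey; returns (wrappedKey, ciphertext).
func EncryptFile(masterKey, plaintext []byte, fileID string) ([]byte, []byte) {
	fileKey := make([]byte, 32)
	rand.Read(fileKey)
	return seal(masterKey, fileKey, []byte(fileID)), seal(fileKey, plaintext, []byte(fileID))
}

// DecryptFile unwraps the per-file key, then the body; the file system alone yields only blobs, and one file key says nothing about any other file.
func DecryptFile(masterKey, wrappedKey, ciphertext []byte, fileID string) ([]byte, error) {
	fileKey, err := open(masterKey, wrappedKey, []byte(fileID))
	if err != nil {
		return nil, err
	}
	return open(fileKey, ciphertext, []byte(fileID))
}
```

Two files with identical contents produce unrelated blobs, and a wrapped key taken from one file cannot open another, because the file ID is bound into the authentication tag.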
Q: How secure is the platform?
SJ: The Litéra Secure File Transfer® platform deploys as a hardened Linux system. Linux doesn’t suffer from many of the attacks that are out there in the world, because, as more of a server-based product, it doesn’t have as much exposure to end-users. I’m not saying there aren’t exploits for Linux, but there are nowhere near as many.
Using a Red Hat-based platform allows us to inherit some of the upstream work that has been done by Red Hat and the NSA, which has to do with mandatory access controls (MAC) using SELinux. SELinux is a MAC subsystem that manages access to the kernel-level space of the platform. Having MAC specifies which users or processes have access to view specific parts of a system. This helps protect the integrity of the platform.
For instance, let’s say there is an exploit that would allow a remote attacker to access and overtake either part of the Linux kernel, or the file system itself. Having SELinux protecting the platform at the kernel level would see any attempt to access as a violation of the policy in place, deny it, and prevent the attack from ever occurring.
MAC in SELinux is only one part of our multi-layered approach to platform security. Others include things like minimal package installation, where we’re only installing what’s required for the application to run. We regularly patch the libraries and run vulnerability/penetration test scans against our platform. The server itself patches automatically as part of the update process, and we frequently run a full range of attacks against the application stack to ensure that the platform framework is secure.
Q: What are some of the different use cases of Litéra Secure File Transfer®?
SJ: In terms of files, we can do small or large. We can take one file, encrypt it, and send out access links to it. We can also do the same thing with entire folders. With our Litéra Secure File Transfer® plugin for Outlook, we can zip an entire folder and send it off. Users can choose whatever they want to encrypt. It may be something they find personally sensitive, like bank statements or PHI. Lawyers can use it to encrypt attorney-client privileged information, or sensitive documentation that a client wishes to have sent electronically and stored in an encrypted way.
Some users may only use it for bundles of small sensitive files, and other users may use it for extremely large files. The system theoretically has no limit other than time and resources. You can send endlessly and forever if you have the space and the time. We’re quite commonly transferring files of 100GB, 500GB, and even over 1TB, but this is all in the realm of “do you have the time and the speed and the bandwidth within your network to do that.” We commonly see many law firms sending out discovery files that are easily 10-50GB.
Q: Why is it important to implement high quality solutions like Litéra Secure File Transfer®?
SJ: Litéra Secure File Transfer® certainly offers many of the things organizations look for in a secure file transfer service, such as security, ease-of-use, reliability, speed, and a simple deployment. Litéra Secure File Transfer® gives the option to use different authentication backends, and makes it easier for both internal and external users to use in a way that doesn’t cause grief or harm.
We integrate all deployments inside of organizations using true SSO technology, so that users don’t actually have to enter their password to access the site. They log in automatically. Using Kerberos-integrated IWA solutions, it’s very easy to provision 5 users or 5k, 10k, or more internal users in these types of environments.
We’ve also taken that a step further from an external point of view, and in the last 12 months we’ve integrated with all of the major OAuth2 providers such as Microsoft Office 365, Google, and Yahoo. If you’re an external recipient dealing with a law firm on a personal matter, for example, you may be using a personal email address associated with your Microsoft, Google or Yahoo account. In that case, you can reuse the authentication mechanisms of your email provider to authenticate to the Litéra Secure File Transfer® platform. This is fully customizable to the client. If they want to use SSO for their internal deployment and offer OAuth2 authentication to their external clients, they can do so.
Q: Are there any new improvements you can talk about?
SJ: We are implementing a variety of improvements optimizing download, visual and message notification workflows. The main feature releases we are looking at deploying in the next few months update support for SAML2 to be able to validate against a variety of other industry-standard SSO. Part of that includes Office 365 workflows, which use SAML2 for app-to-app online authentication.
If you wanted to deploy completely cloud native, you would be able to integrate not just with user databases but also in an SSO environment for a mixed OpenID environment. This will effectively replicate the workflow existing in the traditional desktop environment into a fully cloud-native deployment. If you’re an organization that wants to use Office 365 but still wants to control the data leaving your network, you can simply deploy Litéra Secure File Transfer® in your environment.
Staff Writer – Litéra