Technical Blog Post
Successful data encryption strategies in B2B Integration and Managed File Transfer
Author: Manisha Khond
Inadequate security has led enterprise data breaches to increase at an alarming pace. Staggering numbers of affected customers (most recently in the Equifax data breach) translate into financial losses and harm to the company's reputation. This sends shock waves through the business world, creating a sense of urgency around identifying solutions.
End-to-end encryption maximizes data protection regardless of whether the data is in a public or private cloud, on a device, or in transit. It can be invaluable in the effort to combat advanced threats, protect against data breaches, and maintain regulatory compliance.
But the wide variety of options for enterprise deployment can be intimidating, and companies haven’t been using it effectively.
So how can companies start using encryption to protect data?
Organizations can leverage encryption to provide persistent data protection by anchoring it with a comprehensive strategy that incorporates a complete life cycle process along with the technology solution. Developing an encryption program should be part of an overall enterprise risk management and data governance planning process. A comprehensive approach that focuses on encryption of data will generate greater efficiency and effectiveness for an IT organization. In order for data to be secure, it must be protected throughout its life cycle.
It is important to consider the state of the data you are trying to protect:
- Data in motion (data being transmitted over a network)
- Data at rest (in your data storage area or on desktops, laptops, mobile phones, tablets and IoT devices)
- Data in use (in the process of being generated, updated, erased, or viewed).
So let’s discuss the categories of the data to be encrypted.
- Data in motion: This is data being transmitted over the network. Both B2B Integration (IBM Sterling B2B Integrator) and Managed File Transfer (IBM Sterling File Gateway) provide Adapters and Services that support TLS. Refer to the blog below on using Transport Layer Security.
There are also Services/Adapters that support SFTP/SSH.
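"Supports TLS" only protects data in motion if the connection actually authenticates the other end. The Python snippet below is an added illustration of that point, not code from the original post and not the configuration of the IBM Sterling B2B Integrator or File Gateway adapters (those are set up through the product's own UI): it builds a client context that verifies the server certificate, checks the hostname and refuses protocol versions below TLS 1.2, places it next to a context that merely encrypts, and uses a hypothetical `context_meets_policy` check to report the difference. The `ca_file` parameter is an assumed path to the trading partner's CA bundle.

```python
import socket
import ssl


def hardened_client_context(ca_file=None):
    """Client-side TLS context that authenticates the peer and refuses old protocol versions.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True. ca_file (assumed path to the partner's CA bundle)
    falls back to the system trust store when None.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """A context that merely 'uses TLS': traffic is encrypted, but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    # Accept whatever the OpenSSL build allows, including pre-1.2 versions where present.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_meets_policy(ctx):
    """Return the list of policy violations for ctx; an empty list means it passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are accepted")
    return problems


def open_tls_connection(host, port, ctx):
    """Wrap a TCP connection with ctx, refusing to connect at all if ctx violates policy."""
    violations = context_meets_policy(ctx)
    if violations:
        raise ValueError("refusing connection: " + "; ".join(violations))
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, context_meets_policy(ctx) or "OK")
```

The policy check is deliberately enforced inside `open_tls_connection`, so a context that was loosened during troubleshooting cannot silently stay in production: the connection fails with a message naming the missing setting rather than succeeding without authentication.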
- Data at rest: B2B Integration and Managed File Transfer provide document encryption. Once document encryption is turned ON, all data at rest is encrypted. There are two types of storage: data stored in the database and data stored on a device (such as NAS/SAN storage or the file system). Document encryption can be configured to encrypt all data, only the data stored in the database, or only the data stored on NAS/SAN storage or the file system. Refer to the blog below to turn on document encryption.
- Data in use: This is data in the process of being generated, updated, erased or viewed. The data can be files, encrypted documents, plaintext documents, passwords, and passphrases. Using the Administrator role, if you are processing a plaintext document (even though you later send the document over an encrypted communication channel and have document encryption turned ON for all documents), the document can be viewed as plaintext in IBM Sterling B2B Integrator and in IBM Sterling File Gateway. Any role that allows viewing Business Process execution, Dataflow, Route details etc. will be able to see plaintext documents. Therefore it is important to consider user roles carefully, and Administrator access should be limited to the personnel who truly need it. Use the principle of least privilege when assigning roles to users. You can use the functionality of encrypting/obscuring passwords and passphrases so that they do not appear in plaintext in the user interface (for example in instance data).
Other considerations are:
- Endpoint Encryption (Full Disk encryption)
- Store the backup in encrypted format
- Having a secure location to store backup media
- Data monitoring (e.g. unauthorized access, excessive permissions, review of audit logs)
- Security policies on data maintenance, access, storage.
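The data-in-use point above (roles that can view Business Process execution, Dataflow or Route details see plaintext regardless of TLS and document encryption) and the data-monitoring consideration (unauthorized access, excessive permissions, review of audit logs) are two halves of one review. The Python below is an added example of that review; it is not code from the original post or from the IBM Sterling products. The role names, capability names, user assignments and audit log lines are all constructed for the example and do not correspond to the products' real role catalogue or log format. It computes each user's effective capabilities, flags users who can see plaintext but never exercised that access in the log window (a role to consider removing), and flags repeated denied attempts (a possible unauthorized-access pattern).

```python
import re
from collections import Counter

# Constructed role model; role and capability names are hypothetical and do not
# correspond to the product's actual role catalogue.
ROLE_CAPABILITIES = {
    "Administrator": {"VIEW_BP_EXECUTION", "VIEW_DATAFLOW", "VIEW_ROUTE_DETAILS", "MANAGE_USERS"},
    "Operator": {"VIEW_BP_EXECUTION", "VIEW_DATAFLOW"},
    "RouteAuditor": {"VIEW_ROUTE_DETAILS"},
    "TradingPartner": {"SUBMIT_FILE"},
}

# Capabilities that show document payloads in the UI (data in use), no matter
# whether the document is encrypted at rest or was received over TLS.
PLAINTEXT_EXPOSING = {"VIEW_BP_EXECUTION", "VIEW_DATAFLOW", "VIEW_ROUTE_DETAILS"}


def effective_capabilities(roles):
    """Union of the capabilities granted by every role a user holds."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def can_view_plaintext(roles):
    """True if any held role exposes plaintext documents in the UI."""
    return bool(effective_capabilities(roles) & PLAINTEXT_EXPOSING)


# Constructed user-to-role assignments and a constructed audit log window.
ASSIGNMENTS = {
    "alice": ["Operator"],
    "bob": ["Administrator"],
    "carol": ["TradingPartner"],
    "dave": ["RouteAuditor"],
}

AUDIT_LOG = """\
2024-03-01T09:12:03Z user=alice action=VIEW_DATAFLOW doc=PO-1001 result=ALLOW
2024-03-01T09:15:41Z user=carol action=VIEW_DATAFLOW doc=PO-1001 result=DENY
2024-03-01T09:15:52Z user=carol action=VIEW_DATAFLOW doc=PO-1002 result=DENY
2024-03-01T09:16:07Z user=carol action=VIEW_DATAFLOW doc=PO-1003 result=DENY
2024-03-01T10:01:22Z user=bob action=MANAGE_USERS result=ALLOW
2024-03-01T11:40:09Z user=alice action=VIEW_BP_EXECUTION doc=INV-2201 result=ALLOW
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: doc=(?P<doc>\S+))? result=(?P<result>ALLOW|DENY)$"
)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def review(assignments, log_text, deny_threshold=3):
    """Least-privilege review over one log window.

    Returns (kind, user, detail) findings:
      - unauthorized_access_attempts: one user produced deny_threshold or more DENY results
      - unused_plaintext_access: the user's roles expose plaintext, but no allowed
        plaintext-exposing action by that user appears in the window
    """
    events = parse_log(log_text)
    findings = []
    denies = Counter(e["user"] for e in events if e["result"] == "DENY")
    for user, count in sorted(denies.items()):
        if count >= deny_threshold:
            findings.append(("unauthorized_access_attempts", user, count))
    viewers = {e["user"] for e in events
               if e["result"] == "ALLOW" and e["action"] in PLAINTEXT_EXPOSING}
    for user, roles in sorted(assignments.items()):
        if can_view_plaintext(roles) and user not in viewers:
            findings.append(("unused_plaintext_access", user, sorted(roles)))
    return findings


if __name__ == "__main__":
    for finding in review(ASSIGNMENTS, AUDIT_LOG):
        print(*finding)
```

On the constructed data the review reports carol's three denied Dataflow views, and bob and dave as holders of plaintext-exposing roles they never used; alice is not flagged because her Operator access was exercised. In a real deployment the assignments would be exported from the product and the window would be long enough (a quarter, say) that an unused role is a meaningful signal rather than a holiday.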