By now, you should know that controlling access to sensitive files, devices, tools, and network areas is of utmost importance in cybersecurity, but you should also know that it’s not enough to simply control how users access resources. It’s equally important to be able to track and audit access, so that you can see who’s logged on, when and where they did it, and the resources that they’ve accessed. That’s where auditable access controls come in handy.
What Regulators Want, Regulators Get
This is especially important in highly regulated industries, such as healthcare or banking, where regulators will occasionally need to perform audits to prove that only authorized users accessed sensitive data, that they only did so when necessary, and that access and transfer of sensitive data was performed in a secure and compliant manner.
Principle Six of the GDPR, for example, states that data must be "processed in a manner that ensures appropriate security of the personal data, including protection against
unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures."
Those "appropriate technical or organizational measures" are important, and you can bet that
access controls are one of them, but if those access controls don’t leave an auditable log, you’ll have a hard time proving compliance to regulators.
Lacking that degree of visibility and logging required for compliance certification can result in major consequences. The logs should be tamper-evident and keep track of when a file was transferred, if the right party received it, and whether or not it was subsequently deleted.
Proper Tools Equal Proper Outcomes
That may seem scary, but the solution to these potential problems isn’t very difficult: simply ditch outdated and insecure file transfer methods. Standing up FTP servers may have worked in the past, but it’s simply insufficient in the age of the GDPR. With a proper managed file transfer solution, you can easily get complete visibility and control over file transfer activities between partners, customers, users and systems. Secure files at rest and in transit and assure compliance with internal policies and regulatory mandates.
MOVEit, for example, boasts advanced security features including FIPS 140-2 validated AES-256 cryptography, users authorization / authentication, delivery confirmation, non-repudiation, and hardened platform configurations. MOVEit Transfer logs activities in a tamper-evident database to comply with ISO 27001, HIPAA, PCI, GDPR, SOX, BASEL I/II/III, FIPS, FISMA, GLBA, FFEIC, ITAR and data privacy laws. It also integrates with your existing DLP and anti-virus systems, identity systems through SAML 2.0, AD, LDAP services, and SIEMs. Additionally MOVEit offers API interfaces (including REST) for integration with other third-party applications.
Jeff Edwards
Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.