Why SFTP Can Fail GDPR Compliance

July 25, 2018 Security and Compliance, MOVEit

After spending years as a far-off date on CIO calendars, GDPR is finally here. The General Data Protection Regulation applies to all organizations that process the personal data of EU residents, even if the organization itself is based outside of the EU. The penalties for non-compliance are sure to turn some heads, reaching up to $24 million USD or 4% of an organization’s worldwide annual turnover, whichever is higher.

While organizations around the world have been working to ensure that their GDPR preparation strategy is fail-safe, last-minute questions and concerns are sure to be keeping some people up at night. While some data collection practices obviously stand out as GDPR non-compliant, other practices fall into a grey area that leaves some individuals scratching their heads.

SFTP and the Grey Areas of GDPR Compliance

Secure FTP (SFTP) certainly falls into this messy middle ground, with many businesses mistakenly believing the protocol is GDPR compliant. While SFTP is undoubtedly practical, understanding why it doesn’t meet compliance could save your company from a hefty fine. Before we can take a look at what keeps SFTP from GDPR compliance, we need to understand what sets the protocol apart from regular File Transfer Protocol.

Secure File Transfer Protocol is a relatively new technology, developed in the mid-1990s, that allows for the transfer of files and other data over a connection secured using the Secure Shell protocol. What sets SFTP apart from FTP is its packet-based nature, as opposed to FTP’s text-based one. Because SFTP sends less data, it will ultimately be faster over the long term. Furthermore, with SFTP, file transfers are performed in-line over the main control connection, cutting out the need to open a separate data connection for each transfer.


Why SFTP Isn’t a Sure Thing for GDPR Compliance

Now that we understand what sets SFTP apart from FTP, we can take a look at what makes the protocol such a risky bet for GDPR compliance. First off, it may be surprising to learn that even secure file transfer processes have some significant limitations that could expose an organization to an increased risk of security breaches and GDPR non-compliance. This is frequently a result of businesses failing to meet a few critical best practices including data encryption, FTP automation, FTP visibility, and proper scaling to match organizational growth and complexity.

External file transfers of personal data require significant attention in the age of GDPR. Data transfer activities, while convenient and quick, pose a number of risks to personal data. For example, personal data uploaded to FTP servers is unencrypted and rarely deleted, outdated security patches present easy access for cyber-criminals, and the lack of centralized control over permissions exposes user credentials.

FTP data transfers frequently rely on undocumented scripts written in languages such as Perl, Bash, VB, and PowerShell. These undocumented scripted workflows, installed across multiple FTP servers, can cause complications that result in the unauthorized processing of personal data. Furthermore, GDPR requires IT and security teams to present proof of compliance. Collecting and offering audit logs from multiple FTP servers will be time-consuming and will raise the suspicions of compliance auditors, who prefer a single source of log data in a consistent format, stored in a tamper-evident database.
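To make the log-collection point concrete, here is an added example (not from the original post or any product it mentions) that normalises constructed OpenSSH sftp-server-style syslog lines from several hosts into one consistent record format and links the records in a SHA-256 hash chain, so that any edit, insertion or deletion after collection breaks verification; the log format, host names, users and paths are assumptions.

```python
import hashlib
import json
import re

# Constructed sample lines in the style of OpenSSH sftp-server syslog output (format assumed; hosts, users and paths made up).
SAMPLE_LOGS = {
    "sftp-a": ['Jul 25 10:01:02 sftp-a sftp-server[1234]: session opened for local user alice from [203.0.113.5]',
               'Jul 25 10:01:05 sftp-a sftp-server[1234]: open "/upload/customers.csv" flags WRITE,CREATE,TRUNCATE mode 0644'],
    "sftp-b": ['Jul 25 10:03:40 sftp-b sftp-server[777]: session opened for local user bob from [198.51.100.9]'],
}

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'^session (?P<act>opened|closed) for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$')
FILE_RE = re.compile(r'^(?P<act>open|close) "(?P<path>[^"]+)"')
GENESIS = "0" * 64  # prev_hash of the first record in the chain

def parse_line(line):
    """Normalise one syslog line into a record with a fixed schema (None for absent fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "action": "other",
           "user": None, "ip": None, "path": None}
    s, f = SESSION_RE.match(m["msg"]), FILE_RE.match(m["msg"])
    if s:
        rec.update(action="session_" + s["act"], user=s["user"], ip=s["ip"])
    elif f:
        rec.update(action="file_" + f["act"], path=f["path"])
    return rec

def record_hash(rec):  # SHA-256 over canonical JSON of everything except the record's own hash
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(logs_by_host):
    """Merge every host's lines into one list; each record carries the previous record's hash."""
    prev, chain = GENESIS, []
    for host in sorted(logs_by_host):
        for rec in filter(None, map(parse_line, logs_by_host[host])):
            rec["prev_hash"] = prev
            rec["hash"] = prev = record_hash(rec)
            chain.append(rec)
    return chain

def verify_chain(chain):
    """True only if every record's hash still matches its content and links to its predecessor."""
    expected = [GENESIS] + [r["hash"] for r in chain[:-1]]
    return all(r["prev_hash"] == p and record_hash(r) == r["hash"] for r, p in zip(chain, expected))
```

Deleting a record from the middle of the chain breaks the link from its successor, so a collector that stores these records can prove to an auditor that the merged log has not been altered since it was written.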

Can You Upgrade an Existing SFTP Environment into GDPR Compliance?

It should be noted that upgrading an existing SFTP environment into GDPR compliance is a fundamentally flawed strategy. To do so, an organization would need to ensure that all external transfer processes use secure protocols and encryption. Additionally, it would need to add AES-256 encryption to all upload processes to protect data at rest. While this may seem like a safe and responsible step towards compliance, it is ultimately a futile effort because these improvements are not enough: the upgraded Secure FTP environment inherits a number of the vulnerabilities and risks of the server it replaces.

Solutions that are GDPR Compliant

As mentioned earlier, if an organization collects, stores, processes, or transmits the personal data of EU citizens, GDPR applies to it. To avoid potential fines, it’s critical that IT and security teams ensure the security of the systems, user authentication, and encryption techniques involved in the collection and transmission of personal data. While Secure FTP won’t fly in the age of GDPR, certain Managed File Transfer solutions have emerged to address this. These solutions aim to meet the relevant articles introduced by GDPR with the ability to encrypt personal data both in transit and at rest, non-repudiation to ensure that data is only transferred between the intended senders and receivers, DLP and anti-virus integration, perimeter security, and centralized access control.

The penalties are too great to take GDPR compliance lightly. Even if an organization doesn’t work with EU client data, it won’t be long until we see GDPR-adjacent legislation pass in other parts of the world. By looking past Secure FTP, organizations aren’t just looking past their competitors; they’re looking toward the future.

Check out these resources to learn more about GDPR and its implications:

Breaking Down the GDPR’s Data Protection Principles

Seven Steps to Compliance with GDPR

File Transfer and the GDPR

Brexit and the GDPR

Financial Services Data Transfers and the GDPR

Nate Lewis
