Last week we held a well-attended webinar titled “Secure Managed File Transfers: Meeting Compliance Regulations.” The webinar covered how to meet the data-in-motion requirements of PCI DSS, HIPAA/HITECH, and other regulatory compliance regimes with Alliance FTP Manager, our secure managed file transfer solution for the IBM i. During the presentation we received several great questions that we’d like to share with you on our blog. As always, if you have any additional questions, send them our way.
Is there a reason why I shouldn't use PGP on Windows? I can just transfer my file from the IBM i to Windows and then PGP-encrypt it there. Does this make sense?
Yes, I fully understand why customers would want to take that approach; however, if you are under PCI DSS regulations you would be out of compliance. Transferring sensitive data across a network and letting it land unencrypted takes you out of compliance, even if you encrypt it later. There is no question about that. It is a situation we have been remedying for customers for a number of years. The security best practice is to encrypt at the source and decrypt at the destination, so you need to avoid moving unprotected data through internal servers or across any network. You really want to make sure that the encryption is in place before the transfer and that the data lands encrypted.
Can managed file transfer be used on just one side, or do both sides of the transfer have to have the same software?
Good question. First off, I'd like to point out that managed file transfer is a term of art: there is no formal definition, no RFC, no NIST standard, so for this answer you're going to get my opinion. In our managed file transfer solution there is absolutely no requirement that the recipient of an encrypted file or a secure transfer have our software. Our solution is based on open standards, and the other party never needs to deploy our software in order to process a transfer. Open standards give you many software choices and give your trading partners a lot of choice in what they want to use.
Regarding the OpenPGP implementation, which RFC or RFCs do you follow?
Well, there are a couple. There is the original RFC 2440 and there is the later RFC 4880. Our commercial PGP product from Symantec is compliant with both of those standards, so the original and the newer OpenPGP RFCs are fully supported in our commercial product, and we stay well lined up with those particular standards. Of course, there are some capabilities in the commercial product that are not defined as part of the open standard; they are extensions, if you will. A number of capabilities in the commercial version really help larger enterprises stay lined up with compliance requirements and meet best practices, and those are built on top of full compliance with the open standards.
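The first and third answers above rest on the same two points: the data has to land encrypted, and the format it lands in is the OpenPGP packet format of RFC 2440 and RFC 4880. The following is an added example, not part of the original post and not Alliance FTP Manager or Symantec PGP code, of a landing check a receiving side could run against a file that has just arrived. It reads only the OpenPGP packet headers (RFC 4880 section 4.2, old and new format) and tells an encrypted message apart from plaintext, from a PGP message that was only signed or literal, and from the legacy encrypted-data packet that carries no integrity protection. The sample files are constructed: the headers are real, the packet bodies are filler, and nothing here is captured ciphertext.

```python
"""Landing check: is a file on the destination server an OpenPGP *encrypted*
message or still plaintext? Reads OpenPGP packet headers (RFC 4880 sec. 4.2;
RFC 2440 used the same framing). Added example for this post, not Alliance
FTP Manager or Symantec PGP code; the samples at the bottom are constructed."""
import base64
import struct

PKESK, SKESK = 1, 3     # Public-Key / Symmetric-Key Encrypted Session Key (RFC 4880 sec. 4.3)
SYM_ENCRYPTED = 9       # Symmetrically Encrypted Data: legacy, no integrity protection
SEIPD = 18              # Sym. Encrypted and Integrity Protected Data
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

def parse_packet_header(buf, pos):
    """(tag, body_length, header_length) for the packet at buf[pos].
    body_length is None for an indeterminate (old) or partial (new) length."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            return tag, b1, 2
        if b1 < 224:
            return tag, ((b1 - 192) << 8) + buf[pos + 2] + 192, 3
        if b1 == 255:
            return tag, struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        return tag, None, 2                            # partial body length
    tag, length_type = (first & 0x3C) >> 2, first & 0x03   # old-format header
    if length_type == 3:
        return tag, None, 1                            # indeterminate length
    size = (1, 2, 4)[length_type]
    return tag, int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), 1 + size

def leading_tags(data, limit=8):
    """Tags of the first packets, stopping where the next one cannot be located."""
    tags, pos = [], 0
    while pos < len(data) and len(tags) < limit:
        tag, body_len, hdr_len = parse_packet_header(data, pos)
        tags.append(tag)
        if body_len is None:
            break
        pos += hdr_len + body_len
    return tags

def dearmor(data):
    """ASCII armor (RFC 4880 sec. 6.2) back to binary packets."""
    body, in_body = [], False
    for line in data.decode("ascii", "replace").splitlines()[1:]:
        if not in_body:
            in_body = line.strip() == ""               # blank line ends the armor headers
        elif line.startswith(("=", "-----END")):
            break                                      # CRC-24 line or armor tail
        else:
            body.append(line.strip())
    return base64.b64decode("".join(body))

def classify_landed_file(data):
    """'encrypted', 'encrypted-no-mdc', 'pgp-not-encrypted' or 'plaintext'.
    Only 'encrypted' should pass: tag 9 lacks the MDC of RFC 4880 sec. 5.13,
    and a literal/signed-only message is readable by anyone who can open it."""
    if data.startswith(ARMOR_HEADER):
        try:
            return classify_landed_file(dearmor(data))
        except ValueError:                             # binascii.Error is a ValueError
            return "plaintext"
    if not data or not data[0] & 0x80:
        return "plaintext"
    try:
        tags = leading_tags(data)
    except (ValueError, IndexError):
        return "plaintext"
    n_esk = 0                                          # RFC 4880 sec. 11.3: ESK*, then container
    while n_esk < len(tags) and tags[n_esk] in (PKESK, SKESK):
        n_esk += 1
    if n_esk and n_esk < len(tags) and tags[n_esk] == SEIPD:
        return "encrypted"
    if n_esk and n_esk < len(tags) and tags[n_esk] == SYM_ENCRYPTED:
        return "encrypted-no-mdc"
    return "pgp-not-encrypted"

# Constructed samples: headers are real, bodies are filler of plausible shape.
PKESK_BODY = b"\x03" + b"\x11" * 8 + b"\x01" + b"\x00\x10\xab\xcd"   # v3, key ID, RSA, 16-bit MPI
SEIPD_BODY = b"\x01" + bytes(range(32))                              # version 1 + filler
LITERAL_BODY = b"b\x00" + bytes(4) + b"4111111111111111,1225"        # binary, no filename, date 0
SAMPLE_ENCRYPTED = (b"\xc1" + bytes([len(PKESK_BODY)]) + PKESK_BODY   # new-format tag 1
                    + b"\xd2" + bytes([len(SEIPD_BODY)]) + SEIPD_BODY)  # new-format tag 18
SAMPLE_LEGACY = (b"\x84" + bytes([len(PKESK_BODY)]) + PKESK_BODY      # old-format tag 1
                 + b"\xa4\x20" + bytes(32))                           # old-format tag 9
SAMPLE_LITERAL = b"\xcb" + bytes([len(LITERAL_BODY)]) + LITERAL_BODY   # tag 11, never encrypted
SAMPLE_PLAINTEXT = b"4111111111111111,Jane Doe,1225\n"                 # file PGP never touched
SAMPLE_ARMORED = (ARMOR_HEADER + b"\nVersion: constructed\n\n" + base64.b64encode(SAMPLE_ENCRYPTED)
                  + b"\n=AAAA\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for name, blob in [("new-format", SAMPLE_ENCRYPTED), ("old-format", SAMPLE_LEGACY),
                       ("literal", SAMPLE_LITERAL), ("plaintext", SAMPLE_PLAINTEXT), ("armored", SAMPLE_ARMORED)]:
        print(f"{name:10s} -> {classify_landed_file(blob)}")
```

Anything other than `encrypted` is a file that landed unprotected, which is exactly the case the first answer warns about: a plaintext export that was meant to be encrypted on the Windows side, a message that was only signed, or a legacy tag 9 container without the modification detection code. The check reads framing only, so it cannot tell whether the session key was encrypted to the right recipient key; on the receiving side, pair it with an actual decryption attempt. Random binary with the high bit set in its first byte will come back as `pgp-not-encrypted`, which is still a failing result.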
View a recording of our webinar, Secure Managed File Transfers: Meeting Compliance Regulations, for more information on meeting the data-in-motion requirements of PCI DSS, HIPAA/HITECH, and other compliance regimes on your IBM i.