FTPS, SFTP and PGP Encryption: Core Components of a Secure File Transfer Strategy
3 Core Components to Securing Data in Motion
One simple way to ensure the security of your data is to use a secure managed file transfer solution to protect and secure transfers as they move on or off your system using strong encryption. There are two primary mechanisms used for transferring the data:
FTP with SSL (FTPS)
FTPS is a file transfer protocol that has been updated to support encrypted sessions.
Implemented based on industry standards and integrated with the IBM i Digital Certificate Manager (DCM), new IBM i platforms have DCM installed by default. Our own solution, Alliance FTP Manager, adds things like intelligent firewall negotiation and proxy server support to make those connections easier to deploy, as well as integrated logging to make sure that the sessions are properly logged to comply with regulations and enable successful compliance audits.
Secure File Transfer Protocol (SFTP)
SSH (Secure Shell) FTP , also called Secure File Transfer Protocol (SFTP), is a Linux and UNIX facility that also exists in the IBM i platform to provide encrypted transfers to and from your IBM i platform.
SSH FTP (SFTP) is easier to manage from a firewall point of view than SSL FTP (FTPS) based on how it encrypts, establishes, and maintains sessions. Syncsort fully supports password-based SFTP in batch mode and is the only vendor who fully implements that capability according to the standard.
The third critical components to a including data in motion in your secure file transfer strategy is file encryption using Pretty Good Privacy (PGP).
Pretty Good Privacy (PGP)
PGP encryption protects data at rest, and it is also critical to providing privacy for data communications. When you move data securely across the internal network or across the internet, you need to be sure that it’s properly encrypted at its destination. FTPS- and SFTP-encrypted sessions are great at protecting data when in transit; however, when that data lands on an FTP server, it may not be inside a firewall and could be exposed.
PGP is the most widely deployed encryption to protect data, and it plays a fundamental role in managed file transfer. It is commonly used across a spectrum of enterprise industries including retail, financial services, health care and insurance.
Commercial PGP Encryption
The commercial version of PGP — created by the original developers and now supported by Symantec — is fully implemented in our Alliance FTP Manager solution. Commercial PGP encryption offers several features important to enterprise clients, such as:
- Support for additional Decryption Keys (ADK) allows you to encrypt a file and send it to multiple people without using the same key. You can encrypt the file and add your own decryption key, which allows you to recover that data as part of a discovery process to prove what data was actually sent to a recipient.
- Key server support in addition to local PGP encrypted key stores on the IBM i platform and for z/OS mainframe.
- Support for Self-Decrypting Archives (SDA) for multiple platforms.
- Commercial PGP has been through multiple rounds of FIPS 140-2 certification over the years. Both the source code and the application have been thoroughly vetted by independent security professionals numerous times, and that code has been open for public review.
Beyond the three core components for secure file transfer, you need three additional items to confirm that the encryption being used is defensible and has been reviewed by security professionals:
- Good audit trails
- Real-time system logging integrated with the IBM i security audit journal (QAUDJRN)
- Certifications through NIST and FIPS 140-2
Syncsort’s Alliance FTP Manager offers the three core components of a secure file transfer solution and address all three additional requirements to ensure your data is secure when in motion.
For more information about encrypting data in motion, read our eBook: The Essential Guide to Secure and Managed File Transfers on the IBM i