Why compliance keeps MFT owners up at night (and what to do about it)

As most engineers will tell you, the word compliance is one which should be met with trepidation and disdain in equal parts. Why is that so? Simply put, because it means you’re going to be asked to prove you know what you’re talking about, against a background of grey areas and misinterpretation, and asked by an individual who doesn’t usually even understand the response or how satisfactory it is…

Compliance stresses IT professionals no end, perhaps second only to a data breach or cyber-attack. There is, of course, compliance legislation governing those too, so once you’ve recovered from a cyber incident you can sweat over its compliance repercussions for some extra grey hair. Over the past decade, the legislation imposed on organisations has increased dramatically, to the point where an official number is hard to obtain. This legislation differs vastly by data type, by industry and by geography. In the European Union alone, since 2020 there have been over thirteen thousand new laws passed which are classed as compliance legislation.

As application owners of Managed File Transfer, our systems often underpin the movement of data between third parties, the creation of orders and the movement of money, and can be the difference between business success and embarrassment in failure. It’s all too common for us to focus on the items within our technical understanding, the workflows, the users, the protocols being used, leaving us unaware of the reasons behind a transfer or the nature of the data being moved. Which could, of course, be subject to one of these compliance items.

The rate of compliance creation shows no sign of slowing. We’re expecting new data use and access rules in the United Kingdom this year, as well as directives relating to resiliency, Artificial Intelligence use and further privacy regulations. None of these are likely to contain technical requirements which can be translated into Managed File Transfer configuration settings, far from it. Similarly, as these compliance measures become increasingly numerous and esoteric, the ability to simply enable a compliance mode or run a report for each of them is wishful thinking.

Instead, we’re tasked with answering these burning questions ourselves as the relevant SME in our respective organisations. How, then, can we start to navigate this increasing list of things to check and items to care about? The good news is that there is often overlap and commonality, such as using updated software, libraries or cryptographic controls. Some further overlaps and examples are discussed in a little more detail below.

1. Resilience

More and more legislation mentions the ability to recover from or endure an element of outage or disruption. Where our file transfer mechanisms are becoming critical ingress and egress points of the business, they should be designed in a resilient manner, whether through a Disaster Recovery plan, a Business Continuity Plan, application-level high availability or the infrastructure on which they reside. In most organisations the Managed File Transfer service needs to be resilient to meet compliance requirements.

2. Versions

Running out-of-date software is always best avoided. Patches should be applied in a timely manner to keep your organisation secure, and the same goes for the infrastructure the platforms are running on. This also means that when things become unsupported you’re not likely to be disrupted, shocked or rushed into adopting new versions without the appropriate plans or testing cycles. A lot of modern compliance legislation requires the running of both supported and up-to-date software versions.

3. Permissions & Controls

Regardless of who you are or what you do for a living, too much access to anything is a bad idea. The principle of least privilege is an antiquated theory to some, but it remains a topic within various legislation items. No access as root, no operating as a law unto oneself. Restrict access simply to what an individual requires to deliver the outcomes of their job. No more and no less.

4. Supply Chain Risk & Third Parties

Much of the legislation now recognises how interconnected our organisations and computer networks have become and the crucial role that interconnection plays in performing business. Legislation such as DORA across Europe seeks to identify these relationships and the risk posed by the interconnections, mandating that reports are provided when an issue occurs within an outsourced platform or could impact an interconnected party. With Managed File Transfer being a key ingress and egress point for a business of any size, knowing the nature of the transfers that occur and who or what they impact when a failure arises is another activity MFT SMEs should expect to be asked of them with increasing frequency.

5. Cryptography

Finally, cryptographic practices are being included in technology legislation as a matter of course. Without direct instruction on what is and isn’t cleared for product use, this activity becomes another one that MFT product owners should be concerned about. As cryptography changes with the move to Post Quantum Cryptography and stronger mathematics, compliance regulation will instruct the creation of policy around cryptographic measures. As a rule of thumb, there should be documented procedures and standards for the strength, length and types of keys allowed, including what transfers they’re used for and how they can be rotated or revoked as necessary. A simple example is the host key or master secret deployed on an MFT server, often created during the initial install and rarely backed up or changed in the decade or more since the original deployment.
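As an added illustration of the rule of thumb above (not code from the original post), here is a small Python check that compares an MFT server’s SSH host keys against a documented key policy and reports any key whose type, length or age falls outside it. The policy values, the inventory and the server name mft01 are constructed assumptions; each inventory line follows the `ssh-keygen -lf <pubkey>` output format, paired with the key file’s age in days as read from the filesystem.

```python
import re
from collections import namedtuple

# Hypothetical policy of the kind the article asks for: permitted key types
# with their minimum lengths, and a maximum age before a key must be rotated.
POLICY = {
    "allowed_types": {"RSA": 3072, "ECDSA": 256, "ED25519": 256},
    "max_age_days": 365,
}

# Shape of one `ssh-keygen -lf <pubkey>` line: "<bits> <fingerprint> <comment> (<TYPE>)"
KEYGEN_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s*\((\w+)\)$")

HostKey = namedtuple("HostKey", "path bits fingerprint key_type age_days")

def parse_keygen_line(path, line, age_days):
    """Combine one ssh-keygen -l line with the key file's age in days."""
    m = KEYGEN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ssh-keygen output: {line!r}")
    bits, fingerprint, _comment, key_type = m.groups()
    return HostKey(path, int(bits), fingerprint, key_type.upper(), age_days)

def check_key(key, policy=POLICY):
    """Return policy findings for one key; an empty list means compliant."""
    findings = []
    min_bits = policy["allowed_types"].get(key.key_type)
    if min_bits is None:
        findings.append(f"{key.path}: {key.key_type} keys are not permitted")
    elif key.bits < min_bits:
        findings.append(f"{key.path}: {key.bits}-bit {key.key_type} is below the {min_bits}-bit minimum")
    if key.age_days > policy["max_age_days"]:
        findings.append(f"{key.path}: {key.age_days} days old, past the {policy['max_age_days']}-day rotation interval")
    return findings

# Constructed inventory (path, ssh-keygen -l line, age in days): an install-time
# RSA/DSA pair that was never rotated, plus a recently generated Ed25519 key.
SAMPLE_INVENTORY = [
    ("/etc/ssh/ssh_host_rsa_key.pub", "2048 SHA256:EXAMPLEFP1 root@mft01 (RSA)", 3900),
    ("/etc/ssh/ssh_host_dsa_key.pub", "1024 SHA256:EXAMPLEFP2 root@mft01 (DSA)", 3900),
    ("/etc/ssh/ssh_host_ed25519_key.pub", "256 SHA256:EXAMPLEFP3 root@mft01 (ED25519)", 120),
]

def audit(inventory=SAMPLE_INVENTORY, policy=POLICY):
    """Run every inventoried key through the policy and collect all findings."""
    findings = []
    for path, line, age in inventory:
        findings.extend(check_key(parse_keygen_line(path, line, age), policy))
    return findings
```

Calling `audit()` on the sample inventory returns four findings: the install-time RSA key is both too short and overdue for rotation, the DSA key is disallowed and overdue, and the fresh Ed25519 key passes.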

These five steps are by no means exhaustive and are not designed to be. Compliance cannot be treated with a broad brush stroke; what applies in one business may not apply, or matter, to another. One thing is for sure: compliance in the late 2020s will grow and be required across many product sets. Your file transfers are underpinning impressive businesses, and they need to be compliant. Not least so we can avoid a few grey hairs, grey beards and sleepless nights.

Ready to take the guesswork out of MFT compliance?

Our dedicated MFT specialists can help you navigate complex regulations, implement best practices, and future-proof your file transfer operations with a compliance assessment.

Click here to schedule a time, or, if you’re at the start of an MFT project and looking for expert-led advice, book a discovery call.

Plus, don’t miss our exclusive Post Quantum Cryptography webinar – live on 19th July and available on demand. Secure your spot today!