Recent months have seen a slew of major security breaches involving file transfer applications. Prominent governmental, educational, and corporate enterprises have been compromised, millions of people have been affected, and even politicians have started asking questions. I've been asked to comment on this, but there is an unwritten rule of etiquette among IT vendors: don't attack a rival over security breaches. Full and timely disclosure of vulnerabilities and breaches is essential to minimizing their effects and nothing should discourage that.
It is better to focus on what can be done to make technology safer. A lot has been said about programming techniques, access controls, and software development. Yet another key aspect of data security, which is often overlooked, is that a vendor can't lose what they don't have.
The concept of minimizing digital surface area is usually applied to the technical aspects of hardware and software. But the idea is also useful when considering who, and what, has access to your data. Data transport workflows can involve a lot of components: web interfaces, intermediate storage, notification systems, orchestration, translation, dashboards, and more. The infrastructure that hosts these services may be spread across multiple vendors and service providers. The question is, who controls that infrastructure and who is responsible for maintaining its security?
Many file transfer systems, especially cloud hosted workflows, store your data on systems controlled by the vendor. That may be adminstratively convenient, but it means their security problems are your security problems. Here at DEI, we have a simpler philosophy: we never touch your data. We don't host it, we don't manage it, we don't have access to it. We provide software and guidance as to best practices in deploying it. Actual control is always left in the hands of our customers. Most of our deployments involve the cloud, but never on infrastructure we control.
This is not to say that managed workflows should be avoided. Far from it. Our partners have built amazing systems and processes around DEI's accelerated data transport. But they work closely with end-users to tailor solutions and deliver accountability.
When considering a file transfer workflow, ask yourself who will have access to the systems that store your data. Does the data move directly between your systems, or will it rest somewhere in between? Does the user database live on your systems, or someone else's? Does every vendor with access to your data really need it?
Minimizing your data surface area means maintaining control of the data itself, and the best way to do that is to ensure that the data stays on systems you control and is managed by people who answer directly to you.