Coming from a network security background, for me “IPSec 3DES VPNs” seemed to be the solution for secure data transfer between business partners for quite a long time. Over the years, with more experience, I naturally found out that this was not the solution for all use-cases and scenarios these crazy folks called “customers” came up with. Nonetheless, when SSL-VPNs became en vogue I hesitated to join the choir of supporters. While I fully understand and support the idea of a more flexible, more application- or user-centric approach due to the gain in usability, I still love my “old VPN client” when connecting to the company resources.
During the last 13 months, two projects kept me busy that changed my personal perception of what one may need to be happy regarding secure access to resources and secure file transfer. One of those is largely related to “Cloud Computing” as such, and to using/processing company data which is not stored inside my brick + mortar, perimeter secured, firewall protected company server but somewhere in the “internet”. Making sure only the right person with the right credential accesses this data makes me want to use strong authentication, but few of the Cloud service providers offer such an additional layer of protection.
The other project was based on very Information Society 1.0 processes – the need to secure and protect the personal subscriber information of periodicals and daily newspapers that is exchanged between the publisher and the logistics service provider who manages the delivery of the above-mentioned print products – even if the subscriber is on vacation in Spain or recently moved to a new address. These transfers are conducted between separate systems, distributed all over Europe. As most of these application systems are built individually, no real data standard is established. As the number of parties involved is high and participants change frequently, classic VPNs are out of the question (and possibly “too expensive”). Thus, the need to protect data transfer (yes, it is based on FTP!!!) is obvious. Well, have you ever tried to create a solution that acts both as a server AND a client and supports FTP, sFTP, FTPS and other cryptic siblings of the FTP protocol? No? Well, you should not!
The “cure”? Being a big fan of hardware, a.k.a. token-based, strong authentication mechanisms, vendors of non-hardware based mechanisms usually have a hard time convincing me that it is worthwhile paying attention to their product briefings. MultiFactor's Garret Grajek was one of those CTOs whom I was giving a hard time until I finally arranged an appointment for a briefing. What can I say? The approach of using soft-certificates as the second factor for authentication, combined with out-of-band (a.k.a. SMS based) messaging during registration of a computer/session, did impress me – because it was so simple and straightforward! For me, who uses multiple devices in parallel to access e.g. my mail, registering my personal computer at home or my client's laptop in the customer network to access Outlook Web Access, this really did the trick. Ok, the downside is, I still need to log in with my AD credentials – but this is something I criticized with Entrust's GRID authentication scheme, also (which I love, because it is such a low-priced alternative to OTP tokens). Back to my project experience with outsourcing and “Cloud Services”: MultiFactor has now launched a nice extension which makes this approach available for use with services such as SalesForce.com and GoogleApps by leveraging federation technology. Now, I have to admit, this is something one can hardly achieve by using one's own smartcard or token based authentication technology – especially not if one frequently changes the machine used. I guess if this approach can be tied into an Authentication Strategy and could possibly be supported by one of the Versatile Authentication Platform solutions, I could be a full supporter of these ominous “soft-tokens”.
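To make the registration-then-login sequence described above concrete, here is an added example in Python. It is not MultiFactor's code and assumes nothing about their product internals: the user store, the simulated SMS outbox, and the class and method names are my own. The signed device credential is a stand-in for the soft certificate (a real deployment would issue an X.509 client certificate from a CA); what the example shows is the flow itself: primary credential first, then a one-shot out-of-band code, and only after that a device-bound credential that every later login must present together with the AD-style password.

```python
"""Soft-certificate enrollment with an out-of-band code (added example, hypothetical server)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class SoftCertAuthServer:
    """Issues a device credential (soft-cert stand-in) only after an OOB code is verified."""

    def __init__(self, ca_key: bytes, code_ttl: int = 300, cert_ttl: int = 365 * 86400):
        self._ca_key = ca_key          # stands in for the CA's signing key
        self.code_ttl = code_ttl
        self.cert_ttl = cert_ttl
        self.users = {}                # username -> (salt, password hash, phone)
        self._pending = {}             # (username, device_id) -> (code, expiry)
        self.sms_outbox = []           # simulated SMS gateway: (phone, code)
        self.revoked = set()           # credential serials that are no longer accepted

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash_pw(password, salt), phone)

    def _check_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, pw_hash, _ = rec
        return hmac.compare_digest(pw_hash, self._hash_pw(password, salt))

    def begin_enrollment(self, username: str, password: str, device_id: str, now=None) -> bool:
        """Step 1: the AD-style password must be right before any SMS is sent."""
        if not self._check_password(username, password):
            return False
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(username, device_id)] = (code, now + self.code_ttl)
        self.sms_outbox.append((self.users[username][2], code))   # "send" the SMS
        return True

    def complete_enrollment(self, username: str, device_id: str, code: str, now=None):
        """Step 2: a fresh, matching OOB code yields a credential bound to this device."""
        now = time.time() if now is None else now
        pending = self._pending.pop((username, device_id), None)   # one-shot code
        if pending is None:
            return None
        expected, expiry = pending
        if now > expiry or not hmac.compare_digest(expected, code):
            return None
        claims = {"sub": username, "dev": device_id, "exp": now + self.cert_ttl,
                  "serial": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._ca_key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + sig

    def _verify(self, credential: str, now: float):
        """Check the signature, expiry and revocation status; return claims or None."""
        try:
            body_b64, sig = credential.split(".")
            body = base64.urlsafe_b64decode(body_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._ca_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(body)
        if claims["exp"] < now or claims["serial"] in self.revoked:
            return None
        return claims

    def revoke(self, credential: str) -> None:
        claims = self._verify(credential, 0)
        if claims:
            self.revoked.add(claims["serial"])

    def login(self, username: str, password: str, device_id: str, credential: str, now=None) -> bool:
        """Every session needs BOTH factors: password and a credential bound to this device."""
        now = time.time() if now is None else now
        if not self._check_password(username, password):
            return False
        claims = self._verify(credential, now)
        return claims is not None and claims["sub"] == username and claims["dev"] == device_id


if __name__ == "__main__":
    srv = SoftCertAuthServer(secrets.token_bytes(32))
    srv.add_user("alice", "correct horse", "+00-000-0000")       # constructed sample user
    srv.begin_enrollment("alice", "correct horse", "home-pc")
    _, sms_code = srv.sms_outbox[-1]                               # user reads the SMS
    cred = srv.complete_enrollment("alice", "home-pc", sms_code)
    print("login from home-pc:", srv.login("alice", "correct horse", "home-pc", cred))
    print("same cred from other pc:", srv.login("alice", "correct horse", "other-pc", cred))
```

The point worth noticing is where the second factor lives: the SMS is used once, at registration, and afterwards the device-bound credential carries the second factor silently, which is exactly why re-registering each new machine is the price of this convenience.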
Still, this does not help directly with my friend's subscriber data, which needs to be updated daily. Fortunately, last Friday I had a briefing with nuBridges, a vendor of data protection tools that target both data at rest and data in motion. For the data at rest part, with tokenization, scrambling and obfuscation, data – especially sensitive information such as credit card information – can be altered and stored in such ways that unique identification is still possible but leaked data would essentially be worthless. I won't go into too much detail on this, but my experience with outsourcing and out-tasking applications that also handle payment transactions tells me that there is some need for this. I was by far more interested in their secure data transfer solution, called nuBridges Exchange. Again, without going into too much technical detail, this solution provides a nice standard off-the-shelf product to securely handle multiple parties exchanging large quantities of files. Besides support for all varieties of secure data file transfer protocols, the most important fact is the streaming capability of the solution. The files in transfer are not stored on the receiving end of the transfer connection but rather streamed onwards to a protected internal storage system. As the receiving server sits in between two firewalls and the “inbound streaming” transmission through the internal firewall is initiated by the control server inside the secured area, no open ports need to be put into the internal firewall system. As time for a first briefing usually is insufficient to go into much detail, I was unable to investigate the architecture and implementation further, but the management interface, the report dashboard and the availability of a self-service portal for the business partners made a rather good overall impression.
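Since the paragraph above only names tokenization, here is an added example in Python of what “unique identification is still possible but leaked data would essentially be worthless” looks like in code. It is not nuBridges' code and makes no claim about their product: the vault is an in-memory dictionary, and the class and function names are mine. A card number (PAN) is replaced by a random token that keeps the length and the last four digits, so downstream systems can still match and display the card, while the real PAN lives only inside the vault. The token is deliberately chosen to fail the Luhn check, so a leaked token can never be mistaken for, or collide with, a real card number.

```python
"""Format-preserving card tokenization vault (added example, hypothetical implementation)."""
import secrets


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, as used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    pan = pan.replace(" ", "")
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


def mask(pan_or_token: str) -> str:
    """Display form: only the last four digits are shown."""
    return "*" * (len(pan_or_token) - 4) + pan_or_token[-4:]


class TokenVault:
    """Maps PANs to tokens and back. Only the vault holds the mapping."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not is_valid_pan(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            # Same card, same token: callers can match repeat customers without the PAN.
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # keep length and last four digits
            # Reject tokens that pass Luhn (could be a real card number) or are already used.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only systems allowed to talk to the vault can do this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111 1111 1111 1111"        # constructed, well-known test number
    token = vault.tokenize(sample_pan)
    print("stored in the order system:", token, "->", mask(token))
    print("vault resolves it back to:", mask(vault.detokenize(token)))
    print("token passes Luhn?", luhn_ok(token))
```

The two properties a practitioner should check in any tokenization product are visible here: the mapping is not derivable from the token (it is random, not encrypted or hashed, so there is nothing to brute-force), and every system that only needs to match or display the card never has to be in scope for the real PAN at all.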
I am looking forward to further investigate these solutions and for sure will take a closer look at their Exchange Network service, also – especially as protecting credit card data at the point-of-sales and between PoS and central merchant systems seems to be attracting the attention of auditors lately.
What do you think about protecting data transfer and authentication/authorization strategies in a Cloud-environment? Let me know!