Future proofing file transfer methods

Oct. 25, 2022
Zero trust and DRM facilitate information protection crucial to any organization

When attacking a problem, you can either hack at the branches or go right to the source. Establishing Zero Trust is no different. Let me be clear – I will always advocate for a full, robust strategy involving everything from SIEM to EDM to NGAV and beyond, but for a true defense-in-depth approach to Zero Trust, you really must protect your data at the source. I’m talking about protecting the information itself, not just the access to it. And for this, you need Digital Rights Management (DRM).

Why we’re outgrowing current file transfer methods

To understand how organizations should approach zero trust, we first must understand the current information-sharing landscape. According to security expert Anastasios Arampatzis, “Sharing data is now simpler than ever, but it's also less secure because of the widespread use of collaboration tools and cloud-based file-sharing services. BYOD, remote workers, and work-from-anywhere personnel exacerbate the security issue. In addition, enterprises face strict compliance regulations such as HIPAA, PCI-DSS, FISMA and GDPR. With the amount of sensitive, business-critical data that crosses the wire on a regular basis, ensuring that it only falls into the right hands is more than an ‘IT issue.’ It’s a matter of survival.”

So, what are our current survival techniques? PGP, or Pretty Good Privacy, has been around since 1991 and is used for signing, encrypting and decrypting communications, providing privacy and authentication. It’s still widely in use, but as files travel over ever-more-complex networks (where lurk ever more sophisticated attacks), more might be needed. “We're getting to the point where simply sending confidential information with basic encryption is no longer an acceptable method,” states Ian Thornton-Trump, CISO at Cyjax.

Why is that? What’s wrong with the encryption we have used for so long? Nothing, except that once a file is decrypted, it’s out of your hands. Organizations today want – I would say need – to know that their files are safe not only in the hands of the intended recipient but for the life of the data. Take HBO, for example. Their popular Game of Thrones is sent through international distribution channels to appear on cable, streaming services, and networks worldwide. The issue is that once those digital copies are sent, pirated copies can be (and are) made, and spoilers leak out, threatening ratings in their home market and affecting their bottom line. While solutions like Managed File Transfer (MFT) services mitigate a lot of the problem of getting files safely from point A to point B, they cannot do much about what happens after that. And that, as we have seen, is where a lot of the bad activity occurs. With these current methods, Zero Trust can only extend so far.

Zero Trust: The last mile in organizational defense

So, what would getting to the root of the problem look like? To understand that better, we must first understand Zero Trust. Zero Trust means that nothing is left to chance; everything must be proven, every time. As I mentioned earlier, there are two approaches. You can either secure the transfer method, or you can secure the data itself. What we do now is secure transfer or access.

While there is no more perimeter, we still verify the user at a “gate,” and once they have been authenticated, they have the keys to the kingdom to do whatever they want with the data inside. This introduces a few problems. First, authentication methods are not foolproof and are prone to human error. Usernames and passwords can be stolen, guessed, and cracked. This makes access-only controls less than optimal. And remember, we are looking at the confidentiality, availability, and integrity of the data. This technique makes the information both confidential and available but does nothing to protect its integrity.

To illustrate that point, let’s just say the correct recipient authenticated securely and obtained legitimate access to the file. As far as most security protocols go, their job is done. However, say that the user decides to do something suspect with your file – as in the case of HBO’s Game of Thrones pirating problem. Nothing would prevent them.

Why DRM is needed for Zero Trust

To truly achieve Zero Trust across files, data, and business-critical information, you need to defend it at the source. This requires you to not only place access controls on the method of delivery but on the information itself.

For this, there is Digital Rights Management (DRM). DRM works differently. Rather than making the data impossible for unwanted parties to catch, it makes it impossible for them to use. DRM lets you control every file, email, and piece of intellectual property that crosses the wire. You can set permissions on who can open it, limiting access to specified email or IP addresses only, and retain full control over who can print, copy, save, edit, or even screenshot your file. Bill Stubbles, Solutions Engineer at HelpSystems, explains that “a DRM solution integrates data protection and access control, and allows levels of protection that a conventional file encryption solution such as PGP simply cannot match. With PGP, once a file you send out has been decrypted, it is completely outside of your control. [A DRM solution] allows you to apply and revoke rights management to your files at any time.” This has obvious benefits for compliance. HIPAA, for example, prohibits the sharing of personal health information (PHI) outside of HIPAA regulations and where needed for the patient’s medical care. Protecting such files with specific permissions prior to sending will ensure that the information is not accessible by an unauthorized third party, even if it should fall into the wrong hands. In short, DRM ensures that:

  • End users can send and receive communications to authorized recipients only, without exposing them to unauthorized third parties.
  • End users retain control of the files after they are sent, received, and accessed.
  • Administrators retain full DRM rights management even after data has left the organization.
  • You assign privileges and permissions on a case-by-case basis and retain full control even after the data has been accessed. That way, if something goes south, you can revoke it at any time.

With DRM, you can retain a level of data control that puts Zero Trust squarely in your hands.

About the Author: Chris Bailey is the product leader for the HelpSystems Secure File Transfer products, including Globalscape, GoAnywhere and FileCatalyst. Prior to his current role, Bailey was the co-founder and CEO of FileCatalyst, which he led until its acquisition by HelpSystems in January of 2021. Bailey holds a BSc in computer science from Dalhousie University in Halifax, Canada. He holds a patent for the core protocol used by FileCatalyst to accelerate file transfers. Bailey has accepted 2 Emmy Awards on behalf of FileCatalyst for pioneering accelerated file transfer for the broadcast industry and for his work with the NBC Olympics on the 2014 Winter Games in Sochi. In 2016, Bailey received a Top 40 under Forty award in Ottawa, Canada for his achievements in business.