If you missed it, I was quoted in an Information Week article last week on the topic of yet another major breach brought about by the exploitation of a critical vulnerability in Progress Software’s MOVEit managed file transfer product. In this case data from the National Student Clearinghouse (NSC) was compromised. According to Bleeping Computer, “NSC provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and around 3,600 colleges and universities” based on data collected from roughly 97% of students enrolled in public and private institutions in the U.S. Fortunately (“fortunately”) in this incident data from only 890 schools and about 51,500 individuals was compromised.
The data breach is yet another unfortunate illustration of the fragility of information collected, stored, analyzed, and shared in today’s digital supply chains. Around here we like to say that the world still runs on files. Going through the cost and effort of collecting data isn’t of much value unless the insights and intelligence derived from that data are compiled and shared with those who need them. It would be difficult for a threat actor to get at data stored in a vault somewhere on physical media and disconnected from the public internet, but it is relatively easy for them to get at data that is in active circulation, and that is because organizations have proven to be poor stewards of sensitive information.
Keeping the Information Supply Chain Secure
As I told Information Week’s Carrie Pallardy, “There’s this information supply chain and the data is going to take lots of hops along that information supply chain and any point in that supply chain could have a vulnerability or multiple points.” If we fail to account for all the stops along the way, the bad guys can wait for someone to make a mistake and take advantage. Sometimes those mistakes are made in the act of sharing data, sometimes they are made in the process of building and deploying the systems and networks through which the data moves.
Often there is too much blind trust invested in the expertise of those who make and install the technologies we rely on for our work. We go to great pains to make sure our Diplomat MFT family of secure managed file transfer solutions is designed with a security-first ethic, and we’re proud of the fact that so many organizations have chosen Coviant Software as their MFT vendor, but we also know that “to err is human.”
Security vs. Convenience
Still, we scratch our heads at times when we see that otherwise excellent products are deployed or used in ways that are not excellent because someone valued convenience over security, or made an assumption that, because the organization has certain security tools in place, all data and activities associated with the organization are, therefore, secure. It doesn’t work that way.
In the Information Week article, I explained that “We all know the firewalls keep us safe and secure in the castle with the moat around it, but MFT is almost like that drawbridge you have to lower to let people in and out. We need to be paying a lot more attention to that drawbridge and making sure that it is secure as it can be.” Before anything enters the castle over that drawbridge, it needs to be verified. And before anything leaves the castle over the drawbridge, it needs to be encrypted.
That is why our MFT solution includes an Edge Gateway to handle the verification process in the DMZ without opening any dangerous holes in the firewall’s defenses. It’s why Diplomat MFT:
- Is engineered with automations to ensure files are encrypted using PGP and supports encrypted transport protocols like SFTP;
- Verifies that partners in the file transfer process are who they say they are and confirms receipt of transferred files;
- Uses multi-factor authentication to ensure users are only those who are authorized to use the software;
- Has the capacity to handle large data files and the ability to schedule and manage virtually unlimited scheduled and concurrent file transfer jobs; and,
- Is no-code easy to safely deploy and use so that you never have to choose convenience over security.
Security that is Easy and Affordable
Oh, and because we offer Diplomat MFT at an ethical and transparent price, you never have to worry that security is outside your budget.
If you are looking for a secure managed file transfer solution, why not take Diplomat MFT for a free test drive? You can put it through its paces for 15 days, have access to our amazing customer support during that time if you’ve got questions or need a little help or advice, or you can schedule a live demonstration if you’d like.