Secure by Design, Secure by Deployment

by | Jul 8, 2024

We like to talk about how our Diplomat MFT managed file transfer solution is “secure by design.” There’s a lot that goes into making that claim and we take it seriously. It means clean code, an architecture that is unnecessarily complex, and double-checking any time a security alert is issued pertaining to vulnerabilities affecting other MFT products. When vulnerabilities are discovered in other products, we review and test our own to make sure we haven’t used a similar approach that leaves our customers open to cyberattacks.

To date we’ve been successful in keeping Diplomat MFT secure and, by extension, denying threat actors an easy way to compromise our customers. But we are always on our guard and try to avoid triumphalism. Software products are made by imperfect people, after all, and are thus also imperfect; that’s why we never rest when it comes to testing and improving.

Learn from Someone Else’s Mistakes

When bad things do happen, it is an opportunity to learn from the experience (our own or someone else’s) and work hard to improve. When those bad things become a pattern of repeated behavior, some introspection is called for to recognize the potential cause and break the cycle. But there is also a responsibility to raise awareness of the risks involved so that others can avoid them and take mitigating action.

Starting in early 2023 a series of cyberattacks exploited vulnerabilities in several MFT products, including MOVEit, GoAnywhere, Aspera, Titan, and ShareFile. Those attacks affected thousands of organizations and tens of millions of individuals. The common denominator in many of those attacks was a vulnerability that left unsecure data and files accessible via internet-facing components. Any unencrypted files or transport data found in those systems could be compromised by threat actors aware of and using attacks designed to exploit the vulnerabilities.

Breaking the Cycle of Bad Behavior

That constitutes a cycle of bad behavior, and one that has yet to be broken. Multiple vulnerabilities (including one deemed to be high-severity) were recently disclosed affecting SolarWinds’ managed file transfer product Serv-U. One of the vulnerabilities “could allow attackers to read sensitive files on the host machine.” Patches and hot fixes were issued for the new Serv-U vulnerabilities and some older ones as well.

In the past I have likened this persistent vulnerability to the data transfer process (and too many products) to protecting a castle by building a moat (firewall) but leaving the drawbridge (MFT software) unprotected. That usually happens as a way to make file transfers more convenient for others by making it easier to access assets like a remote administrative dashboard, but convenience should never be prioritized over security.  This is why it is not enough to simply say “secure by design” when it comes to managed file transfer software. It must also be “secure by deployment.”

Secure Design and Deployment Matter

What we mean by that is making sure a product can’t be installed in the customer’s IT estate in such a way as to preclude any secure features built into the product. At Coviant Software we address that possibility by ensuring Diplomat MFT is deployed with our Edge Gateway so that verification is managed in the DMZ rather than opening any dangerous holes in an enterprise’s firewall.

We also build Diplomat MFT with automated PGP encryption management, support for encrypted transport protocols like SFTP, automatic recipient verification, role-based access and privileges, and multi-factor authentication. We also feature process automation to minimize one of the most common data breach causes: human error. The most secure products in the world don’t do much good if they are difficult to use and so incentivize people to avoid them.

If you are searching for an alternative to Serv-U or any other commercial or home-grown managed file transfer solution, we’d love to have you try Diplomat MFT to see if it fits your needs and is as easy to use as our customers say. We think you’ll be impressed with its secure design and deployment, its ease-of-use, and its enterprise-grade performance. We know you’ll be happy with the price and level of support you get. You can try Diplomat MFT for free for 15 days, or you can schedule a live demonstration with one of our experts.