Page 56 - Cyber Defense eMagazine Annual RSA Edition for 2024
oneself completely to a specific pursuit until it becomes second nature. By that measure, and after twenty
years devoted to providing only the best possible managed file transfer solutions in the industry, Coviant
Software has earned its stripes and the right to be considered experts in the field. And we’ve learned our
share of lessons along the way.
One of the earliest (and possibly most important) lessons we learned is that convenience should never be
prioritized over security. That seems obvious, but it remains a challenge for software designers to this day.
The digital age promises immediate access and instant gratification; people want what they want when
they want it, and so any extra step that delays a message or access to an asset or service is deemed
an inconvenience. Security experts have been developing tools to keep networks and data safe for many
years, and we have been hearing about concepts like cyber defense-in-depth, secure-by-design, privacy
and security compliance, and more since long before 2004, yet the issue persists.
No Excuses for Inaction
No one who was involved in software development by 2004 could claim ignorance of the importance of
cybersecurity. The late Kevin Mitnick began breaking into computer networks in 1979 and was convicted
in 1999 on multiple computer security charges dating back to the 1980s. The Acxiom breach, in which
1.6 billion records containing personal consumer data were compromised by cybercriminals, had already
happened by 2004. That incident had direct implications for managed file transfer, since the individuals who
broke into that organization were able to take the information from unsecured file transfer protocol (FTP)
servers, a protocol that carries both credentials and file contents without any encryption.
That was the context when Coviant Software came onto the scene, and from the start it influenced our
approach to secure managed file transfer (MFT). The first iteration of our Diplomat MFT solution was
developed for a large hospital to manage the transfer of financial data, and so we knew security had to
be baked into the product. That meant OpenPGP file encryption, which protects a file's contents at rest
on either end and wherever it is stored along the way, together with support for secure transport
protocols such as SFTP, which protect the data, the credentials, and information about that data while
in transit.
Make it Easy to Be Secure
One challenge we recognized early on is that the encrypt/decrypt process is complicated, and it is
especially complicated for people who are not used to working with software at the command line.
A busy administrative employee (or any employee, for that matter) who is expected to take extra time to
manually encrypt a batch of files before sending them to a bank, payment processor, or insurance
clearinghouse is likely to skip that step to expedite the transaction. And those who do try to complete
the task risk making a mistake and sending the files in the clear anyway. Furthermore,
it is unrealistic to expect employees in a busy organization to manually encrypt and decrypt thousands of
individual file transfers each day.
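The failure mode described above, a file that was supposed to be encrypted leaving the organization in the clear, is exactly what a transfer pipeline should catch before the transport step runs. The Python guard below is an added example, not Coviant's code and not part of the Diplomat MFT product: it inspects the OpenPGP packet framing (RFC 4880) of the outgoing file and refuses to call the upload step unless the first packet is an encrypted session-key packet, so a plaintext file, or one that was only signed, fails closed instead of being sent. The sample files, the `guarded_send` wrapper and the `upload` callback standing in for an SFTP put are all constructed for illustration.

```python
"""Pre-transfer guard: refuse to upload a file unless it is OpenPGP-encrypted.

Added example, not Coviant's code. It inspects the OpenPGP packet framing
(RFC 4880 sections 4.2 and 4.3) of the outgoing file, so a workflow that
skipped the encryption step, or only signed the file, fails closed instead
of handing plaintext to the bank or clearinghouse.
"""
import base64
from typing import Callable, List, Optional

# An encrypted OpenPGP message begins with one or more session-key packets:
# tag 1 (Public-Key Encrypted Session Key) or tag 3 (Symmetric-Key ESK).
ENCRYPTED_SESSION_KEY_TAGS = {1, 3}

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def first_packet_tag(data: bytes) -> Optional[int]:
    """Tag of the first OpenPGP packet in binary data, or None if the leading
    byte is not a packet header at all (e.g. the file is really a CSV)."""
    if not data:
        return None
    hdr = data[0]
    if hdr & 0x80 == 0:           # bit 7 is always set in a packet header
        return None
    if hdr & 0x40:                # new-format header: tag in the low six bits
        return hdr & 0x3F
    return (hdr >> 2) & 0x0F      # old-format header: tag in bits 2..5


def armored_payload(text: str) -> Optional[bytes]:
    """Decode the base64 body of an ASCII-armored PGP MESSAGE block.

    Returns None when the framing is missing or truncated. The CRC-24 line
    ("=XXXX") is skipped rather than verified: it is a transmission check,
    not a security control; the packet tag is what the guard decides on.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if ARMOR_BEGIN not in lines:
        return None
    i = lines.index(ARMOR_BEGIN) + 1
    while i < len(lines) and lines[i]:       # skip armor headers ("Version: ...")
        i += 1
    body = []
    for line in lines[i + 1:]:               # data starts after the blank line
        if line == ARMOR_END:
            break
        if line.startswith("=") and len(line) == 5:
            continue                         # CRC-24 line
        body.append(line)
    else:
        return None                          # no END line: truncated armor
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError:                       # binascii.Error subclasses ValueError
        return None


def is_openpgp_encrypted(data: bytes) -> bool:
    """True only if the first packet is an encrypted session-key packet.

    A signed-only message (tag 4 one-pass signature, tag 8 compressed data)
    or a bare literal-data packet (tag 11) still looks like "PGP" but carries
    its payload in the clear, so both are rejected.
    """
    if data.lstrip().startswith(ARMOR_BEGIN.encode("ascii")):
        decoded = armored_payload(data.decode("ascii", errors="replace"))
        if decoded is None:
            return False
        data = decoded
    return first_packet_tag(data) in ENCRYPTED_SESSION_KEY_TAGS


def guarded_send(name: str, data: bytes, upload: Callable[[str, bytes], None]) -> str:
    """Hand the file to the transport only if the guard passes. `upload` is a
    hypothetical stand-in for the real transfer step (an SFTP put, say)."""
    if not is_openpgp_encrypted(data):
        return f"REFUSED {name}: payload is not OpenPGP-encrypted"
    upload(name, data)
    return f"SENT {name}"


# Constructed samples: only the header byte matters to the guard; the bytes
# after it are filler, not real session keys, signatures or ciphertext.
PKESK_NEW = bytes([0xC1, 0x03, 0x03, 0xAA, 0xBB])          # new-format header, tag 1
PKESK_OLD = bytes([0x84, 0x03, 0x03, 0xAA, 0xBB])          # old-format header, tag 1
SKESK_NEW = bytes([0xC3, 0x04, 0x04, 0x09, 0x03, 0x00])    # tag 3, passphrase-based
ONEPASS_SIG = bytes([0xC4, 0x0D]) + bytes(13)              # tag 4: signed, not encrypted
LITERAL = bytes([0xCB, 0x0C, 0x62, 0x00]) + b"1234,100.00"  # tag 11: data in the clear
PLAINTEXT = b"Account,Amount\r\n1234,100.00\r\n"
ARMORED = (ARMOR_BEGIN + "\nVersion: example\n\n"
           + base64.b64encode(PKESK_NEW).decode("ascii") + "\n=AbCd\n"
           + ARMOR_END + "\n").encode("ascii")


def demo() -> List[str]:
    """Run the guard over the samples and return one verdict line per file."""
    sent: List[str] = []
    files = [("payroll.csv.pgp", PKESK_NEW), ("claims.csv.asc", ARMORED),
             ("payroll.csv.sig", ONEPASS_SIG), ("payroll.csv", PLAINTEXT)]
    return [guarded_send(n, d, lambda name, _d: sent.append(name)) for n, d in files]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The guard does not replace the encryption step; it only makes sure the step cannot be silently skipped, which is the property the paragraph above is after. It also answers one narrow question and nothing more: it does not check which key the file was encrypted to, does not verify the armor CRC, and conservatively rejects anything whose first packet is not a session-key packet (including the obsolete marker packet, tag 10), since a false refusal only blocks a transfer while a false pass leaks data.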
The convenient approach would be to make encryption optional (which still supports a claim to be secure)
while putting the onus on the user to turn it on, which in practice incentivizes the user to skip that essential
step. That would be the opposite of secure. That is why we designed our MFT solution with