AES (“Advanced Encryption Standard”) is an open encryption standard that offers fast encryption at 128-bit, 192-bit and 256-bit strengths. AES is a symmetric encryption algorithm often used today to secure data in motion in both SSH and SSL/TLS. (After a symmetric key exchange is used to perform the handshake in[..]
ANSI X.9 (or “ANSI/X.9”) is a group of standards commonly used with bulk data transmissions in item processing and Fed transfers. An example of an ANSI X.9 standard is “ANSI X9.100-182-2011” which covers how XML can be used to deliver bulk data and images. Published ANSI standards may include some[..]
AS2 (“Applicability Statement 2”) is an SMIME-based transfer protocol that uses HTTP/S to transmit files with end-to-end encryption and guaranteed delivery/non-repudiation (when MDNs are in use). There are two main reasons that AS2-based transmission systems are unpopular unless specifically requested by particular partners are complexity and cost. In terms of[..]
AS2 optional profiles (also “optional AS2 profiles”) are features built into the AS2 protocol but not used by every Drummond certified vendor. However, the Drummond Group does validate seven different optional profiles (nine total) and these are briefly covered below. Certificate Exchange Messaging (CEM) – A standard way of exchanging[..]
B2B (“business to business”) is a market definition (a “space”) that covers technology and services that allow file and other transmissions to be performed between businesses (i.e., not between consumers). B2B covers a lot of conceptual ground, from simple “file transfer” and “secure file transfer” to more sophisticated “managed file[..]
A Bank Identifier Code (BIC) is an 8 or 11 character ISO code used in SWIFT transactions to identify a particular financial institution. (BICs are also called “SWIFT addresses” or “SWIFT codes”.) The format of the BIC is determined by ISO 9362, which now provides for unique identification codes for[..]
Certification of software and systems against a standard is better than having software and systems merely in “compliance” with a standard. Certification means that a third-party agency such as NIST or the PCI Council has reviewed and tested the claim of fidelity to a standard and found it to be[..]
Individuals working in the file transfer industry frequently have earned one or more certifications through training and testing. These certifications generally fall into one of three categories: File Transfer Security Certification: (ISC)2 and SANS certified individuals have a good understanding of security from a vendor-neutral point of view. (CISSP is[..]
CFTP is recognised certification for file transfer professionals approved by the CPD. To find out more about the course please visit the CFTP website.
“Check 21” is the common name for the United States’ Check Clearing for the 21st Century Act, a federal law enacted in 2003 that enabled banks to phase out paper check handling by allowing electronic check images (especially TIFF-formatted files) to serve all the same legal roles as original paper[..]
“Compliance” to a standard is weaker than “validation” or “certification” against a standard. Compliance indicates that a vendor recognizes a particular standard and has chosen to make design decisions that encompass most, if not all, of the standard. When a vendor has implemented all of the required standard, that vendor[..]
CRC (“cyclic redundancy check”) is an early data integrity check standard (a.k.a. “hash”). Most CRC codes are 32-bit numbers and are usually represented in hexadecimal format (e.g., “567890AB”). CRC was commonly used with modem-based data transfer systems because it was cheap to calculate and fast on early computers. Its use[..]
This is the individual within an organisation who is responsible for the data. The data controller defines the data collected and the reasons for processing.
Under GDPR, individuals have the right to have their personal data transferred to another system or organisation.
Someone who processes data on behalf of the Data Controller.
The Data Protection Act of 1998 was brought into force on March 1st 2000. Introduced to give UK citizens the right to access personal information held by ‘data controllers’ (any individual within an organisation handling personal data) within the United Kingdom, the Data Protection Act also details principles concerning the[..]
This is an overarching principle of GDPR. It means building data protection into business processes, products and services from the outset.
This is a document that describes the nature of the data, the purpose of the transfer, how it is performed and the security configuration. A DPIA is a key requirement of GDPR.
DES (“Digital Encryption Standard”) is an open encryption standard that offers weak encryption at 56-bit strength. DES used to be considered strong encryption, but the world’s fastest computers can now break DES in near real time. A cryptographically valid improvement on DES is 3DES (“Triple DES”) – a strong encryption[..]
In the file transfer industry, “Drummond Certified” typically indicates that the AS2 implementation in a particular software package has been tested and approved by the Drummond Group. Most file transfer protocols follow RFCs, and AS2 is no exception. (AS2 is specified in RFC 4130, and the “MDNs” AS2 relies on[..]
The Drummond Group is a privately held test laboratory that is best known in the file transfer industry as the official certification behind the AS2 standard. See “Drummond Certified” for more information about the AS2 certification. The Drummond Group also offers AS1 and ebXML validation, quality assurance and other related[..]
The European Committee for Banking Standards (“ECBS”) was a standards body that focused on European banking technology and infrastructure. It was formed in 1992 and disbanded in 2006; it has since been replaced by the European Payments Council. It is still common to see references to the ECBS in GSIT[..]
The European Payments Council (“EPC”) coordinates European inter-banking technology and protocols, particularly in relation to payments. In 2011 the EPC boasted that it processed 71.5 billion electronic payment transactions. The EPC assumed all the former duties of the European Committee for Banking Standards (“ECBS”) in 2006. It is now the[..]
The FDIC (“Federal Deposit Insurance Corporation”) directly examines and supervises more than 4,900 United States banks for operational safety and soundness. (As of January 2011, there were just less than 10,000 banks in the United States; about half are chartered by the federal government.) As part of its bank examinations,[..]
The FFIEC (“Federal Financial Institutions Examination Council”) is a United States government regulatory body that ensures that principles, standards, and report forms are uniform across the most important financial regulatory agencies in the country. The agencies involved include the Federal Reserve (“the Fed”), the Federal Deposit Insurance Corporation (FDIC), the[..]
FIPS 140-2 is the most commonly referenced cryptography standard published by NIST. “FIPS 140-2 cryptography” is a phrase used to indicate that NIST has tested a particular cryptography implementation and found that it meets FIPS 140-2 requirements. Among other things, FIPS 140-2 specifies which encryption algorithms (AES and Triple DES),[..]
FTPS File Transfer, FTP Secure or FTP-SSL as it can be referred to, is a secure means of sending data over a network. Often misidentified as SFTP (an independent communications protocol in its own right), FTPS describes the sending of data using basic FTP run over a cryptographic protocol such as SSL (Secure Socket Layers) or TLS (Transport[..]
GDPR is the new EU regulation for handling people’s personal data. It stands for ‘General Data Protection Regulation’ and comes into force on the 25th May 2018. This stringent set of security measures relate to how and where personal data is collected, handled and used. By reinforcing individuals’ rights and[..]
The Gramm-Leach-Bliley Act of 1999, also known as The Financial Modernisation Act, details regulations that financial institutions must be adhered to, in order to protect consumers’ financial information. The GLBA law governs all financial institutions that hold what is classed as ‘personal data’ including, insurance companies, security firms, banks, credit[..]
HTTPS file transfer describes the combination of HTTP (Hypertext Transfer Protocol) and a secure protocol such as SSL or Transport Layer Security (TLS). It is used to send sensitive data over unsecured networks, for example the Internet. These individual protocols operate on different levels of the ‘network layer’, derived from[..]
IPv6 is the name of the networking protocol which is rapidly replacing the use of IPv4 in wake of widespread IPv4 exhaustion. IPv6 is defined in 1998’s RFC 2460. IPv6 addresses are written in “colon notation” like “fe80:1343:4143:5642:6356:3452:5343:01a4” rather than the “dot notation” used by IPv4 addresses such as ”[..]
ISO 27001 is an Information Security Management Standard (ISMS), published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). Essentially an updated version of the old BS7799-2 standard, it provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented[..]
LDAP is a type of external authentication that can provide rich details about authenticated users, including email address, group membership and client certificates. LDAP connection use TCP port 389 but can (and should) be secured with SSL. When LDAP is secured in this manner, it typically uses TCP port 636[..]
LDAPS refers to LDAP connections secured with SSL, typically over TCP port 636. See “LDAP” for more information.
MD4 (“Message Digest [algorithm] #4”) is best known as the data integrity check standard (a.k.a. “hash”) that inspired modern hashes such as MD5, SHA-1 and SHA-2. MD4 codes are 128-bit numbers and are usually represented in hexadecimal format (e.g., “9508bd6aab48eedec9845415bedfd3ce”). Use of MD4 in modern file transfer applications is quite[..]
MD5 (“Message Digest [algorithm] #5”) is the most common data integrity check standard (a.k.a. “hash”) used throughout the world today. MD5 codes are 128-bit numbers and are usually represented in hexadecimal format (e.g., “9508bd6aab48eedec9845415bedfd3ce”). MD5 was created in 1991 as a replacement for MD4 and its popularity exploded at the[..]
NIST (“National Institute of Standards and Technology”) is a United States based standards body whose influence on the file transfer industry is felt most heavily through its FIPS 140-2 encryption and hashing standard. It is also the keeper of many other security standards which must be met if file transfer[..]
PCI stands for “Payment Card Industry”. In file transfer, “PCI compliance” frequently refers to a deployed system’s ability to adhere to the standard outlined in “PCI DSS” – a security regulation for the credit card industry. “PCI certification” is achieved when a PCI compliant system is audited by a PCI[..]
The “PCI Council” is a short name for “PCI Security Standards Council”, the vendor-independent consortium behind PCI (“Payment Card Industry”) standards.
PCI DSS is an information security standard introduced by The PCI Security Standards Council, an open global forum and was formed in 2006 – the 5 founding global payment brands include: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. A Global Security Standard, PCI DSS comprises[..]
The PCI Security Standards Council is the vendor-independent consortium behind the PCI (“Payment Card Industry”) standards.
PeSIT is an open file transfer protocol often associated with Axway. Like Sterling Commerce’s proprietary NDM file transfer protocol, PeSIT has now been written into the standard communication specifications of several industry consortiums and government exchanges, thus ensuring a high degree of long-term dependence on Axway technology. PeSIT is required[..]
PGP (“Pretty Good Privacy”) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.
RADIUS is an authentication protocol that supports the use of username, password and sometimes one extra credential number such as a hardware token PIN. In file transfer applications, RADIUS sign on information can be collected by web-based, FTP-based or other file transfer prompts and then tried against trusted RADIUS servers.[..]
SFTP file transfer or the ‘SSH file transfer protocol’ as it is more formally known, is a network communications protocol used for sending data securely over a network. A common misconception associated with SFTP is that it uses FTP run over SSH – this is not the case. SFTP, sometimes[..]
SHA-2 (“Secure Hash Algorithm #2”) is the most secure hash algorithm NIST currently supports in its FIPS validated cryptography implementations. SHA-2 is really a collection of four hashes (SHA-224, SHA-256, SHA-384 and SHA-512), all of which are stronger than SHA-1. Complete SHA-2 implementations in file transfer are still uncommon but[..]
SHA-224 is the 224-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”). It is not a unique hash algorithm within the SHA-2 standard but is instead a truncated version of SHA-256. See “SHA-2” for more information.
SHA-256 is the 256-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”). Like SHA-512, it is one of two unique algorithms that make up a SHA-2 hash, but SHA-256 is optimized for 32-bit calculations rather than 64-bit calculations. See “SHA-2” for more information.
SHA-3 refers to the new hash algorithm NIST will choose to someday replace SHA-2. A contest to select the new hash is scheduled to conclude in 2012.
SHA-384 is the 384-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”). It is not a unique hash algorithm within the SHA-2 standard but is instead a truncated version of SHA-512. See “SHA-2” for more information.
SHA-512 is the 512-bit component of the “SHA-2” data integrity check standard (a.k.a. “hash”). Like SHA-256, it is one of two unique algorithms that make up a SHA-2 hash, but SHA-512 is optimized for 64-bit calculations rather than 32-bit calculations. See “SHA-2” for more information.
SSH (Secure Shell) is a network protocol used to establish a secure connection between a client and server. Once a connection has been established, it acts like an encrypted tunnel down which data can be exchanged securely. SSH file transfer is used to maintain the confidentiality and integrity of data[..]
SSL (“Secure Sockets Layer”) was the first widely-deployed technology used to secure TCP sockets. Its use in HTTPS (HTTP over SSL) allowed the modern age of “ecommerce” to take off on the world wide web and it has also been incorporated into common file transfer protocols such as FTPS (FTP[..]
Under GDPR, the data subject has the right to request all personal data a data controller has on them. This includes their supply chain.
TLS (“Transport Layer Security”) is the modern version of SSL and is used to secure TCP sockets. TLS is specified in RFC 2246 (version 1.0), RFC 4346 (version 1.1) and RFC 5246 (version 1.2). When people talk about connections “secured with SSL”, today TLS is the technology that’s really used[..]
3DES (also “Triple DES”) is an open encryption standard that offers strong encryption at 112-bit and 168-bit strengths. 3DES is a symmetric encryption algorithm often used today to secure data in motion in both SSH and SSL/TLS. (After asymmetric key exchange is used perform the handshake in a SSH or[..]
Software, systems and processes that are “validated” against a standard are typically better than those merely in “compliance” with a standard. Validation means that a third-party agency such as NIST or the PCI Council has reviewed and tested the claim of fidelity to a standard and found it to be[..]
An X.509 certificate is a high-security credential used to encrypt, sign and authenticate transmissions, files and other data. X.509 certificates secure SSL/TLS channels, authenticate SSL/TLS servers (and sometimes clients), encrypt/sign SMIME, AS1, AS2, AS3 and some “secure zip” payloads, and provide non-repudiation to the AS1, AS2 and AS3 protocols. The[..]