AMMX Data Security

Ultra Secure Managed File Transfer – “Ensuring Data Transfers are kept SAFE"

Into the New Millennium businesses, organisations and governments are increasingly exploiting the means of transferring and exchanging data files and important information over public and private networks to achieve improved efficiency, productivity and cost imperatives.

Electronically exchanging data that is often sensitive and core to the business, such as corporate financial data, client data, health records, employee data, and other intellectual property, carries with it the risk of such data falling into the wrong hands or not even making it to the intended recipients at all. It is widely believed that the next major act of terrorism will be an act of cyber terrorism.

Data Security has never been more important or topical. The need for an ultra secure global managed file transfer network has never been greater.

Against this backdrop, companies are beginning to be faced with ever-increasing regulatory and governance requirements such as: -

• Health Information Portability & Accountability Act – HIPAA
  
• Sarbanes-Oxley – SOX (includes publicly-traded companies in the United States, including all wholly-owned subsidiaries and all publicly-traded non-US companies doing business in the US are affected. Also, any private companies that are preparing their initial public offering (IPO) will also need to comply with certain provisions of Sarbanes-Oxley.)
  
• The Payment Card Industry Data Security Standard (PCI DSS)
  
• J-SOX:  Japan’s Financial Instruments and Exchange Law similar to Sarbanes-Oxley

In the case of Sarbanes-Oxley and HIPAA requires every process be documented, fully auditable and accountable. Within these processes companies must ensure that file transfers are secure, managed and controlled with the absolute need to address all potential flaws and weaknesses of their current systems.

Secure Managed File Transfer is no longer ‘de rigueur’ for best practice companies but is becoming an absolute requirement for all companies that electronically transfer, and exchange data, in the 21st Century.

The Characteristics of AMMX which ensure secure data transfer compliance

Since computers have been using a communications function, File Transfer Protocol FTP has been the common means of achieving this end. It is generally recognised that this method is inherently limiting. Gartner Research states: -

“ FTP enables file movement between disparate devices and systems, but it doesn't provide management, monitoring, security or process control. An MFT suite helps control all aspects of data movement, ensuring that they're fully managed and secured. But not all MFT suites are equal.”

The range of protocols and technologies deployed to achieve electronic file transfer has increased over the years. In developing AMMX to respond to today’s stringent data security requirements and ease of deployment some key considerations have been taken into account to provide:

• Client/Server deployment characteristics
• Robust security and auditing -  far more pervasive than Value Added Networks
• Minimal cost of ownership
• Ease of Distribution via the Internet – simple download
• Inexpensive, easy to deploy clients
• An intuitive user interface
• Global Directory for the management and change of Public Keys
• Auditability to the boundary of applications

AMMX is a standard for the ultra secure transfer of electronic business messages between trading partners over the internet as well as between internal business applications. AMMX builds on the foundation of the concept of Managed File Transfer to provide:

• Enhanced document tracking to provide status points not only for the delivery of the message between applications, but also provides for extended reporting by the receiving application to track progress through the supply chain back to the initiator.
• Optionally, can use more robust and stronger encryption standards than other current document exchange standards. AES 256/512 for block mode encryption and the SHA-2 family of hash functions as currently recommended by the National Institute of Standards and Technology (NIST) and which becomes mandated by 2010. Note only SHA-1 is supported on Windows XP. (* Note – see below)
• Addresses some of the perceived weaknesses in other document exchange standards such as AS/2.
• Uses existing standards for encryption, digital certificates and signatures over a new lightweight simple transport protocol designed specifically for the purpose to exploit the current widespread availability of high speed broadband connections.
• Enables point to point, store and collect as well as store and forward.
• Uses X.509 certificate exchange between client and server to provide authentication during SSL connection.
• Uses X.509 certificates to provide user authorisation.
• Uses digital signatures for non repudiation.

* NIST's Policy on Hash Functions

March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.

Alternate File Transfer Methods

• FTP is not a robust or secure protocol for the exchange of business documents.
• S/FTP and FTP/S do provide a robust way and secure way to exchange documents, but are limited only to the transfer of data. They do not provide for the non-repudiation of data with the use of digital signatures. Nor do they provide any audit facilities other than for file delivery.
• AS/2 is currently the main contender for a Managed File Transfer but does not provide the pervasive audit of AMMX. Its disadvantages are:

Exclusive use of available standards such as MIME encapsulation, some of which were created over 10 years ago has resulted in a standard with too many implementation options which have caused implementation issues. AS/2 is more of a compilation of standards than the development of a standard specifically architected for the exchange of business documents.

Use of Http protocol requires that both trading partners must setup and configure complex web servers and firewalls to allow the exchange of trading documents.

The use of MIME encapsulation with nested body parts requires complex application logic to extract payload.

Interoperability certification process has not been able to eliminate implementation and setup issues that may arise.

Vision for AMMX

• An Ultra-Secure Managed File transfer designed specifically for the efficient and secure exchange of business documents or data with extended audit tracking capabilities to allow the progress to be tracked through the complete supply chain. For a purchase order this could be from issue to fulfilment, with audit updates being relayed from the supplier back in to the customer internal application.
  
• A product suite which implements AFT’s SAFE protocol to include a high performance, multi threaded server, a Java client application to enable the rapid implementation of business solutions and an API to enable tight integration with business applications.
  
• A community of servers, able to exchange business documents in ‘real time’ as part of a corporate infrastructure, as part of a trade organisation or as part of global community

As a hosted server, providing a viable low cost alternative to existing VANs

AMMX Health Service Case Study - Click here to read in full