Anyone working in Information Technology is aware of the utmost importance of data security. Either you are responsible for establishing security standards and procedures, must adhere to those standards or both. Let’s take a high-level look at how Alebra’s Parallel Data Mover (PDM) addresses data security for cross-platform file transfers at two levels:
- Access to data within a given system.
- Protection of data as it flows from one system to another.
Data Access Within a System
Companies have invested a lot of time and effort establishing industry recognized security access systems. On mainframes, RACF, ACF2 and Top Secret are the three most common. Linux/UNIX/Windows systems have many forms of identity and data access products. Kerberos is another example that has widespread use on Hadoop systems. These features and products serve as the backbone of protecting the overall access to systems and the data storage these systems may have.
Establishing a separate security mechanism for just file transfer operations is not required, and it would add complexity and need additional system maintenance. The risk of oversight and other human errors in managing a separate security mechanism would increase. At best, it would be redundant.
What is important is that file transfer operations occur completely under the authority and control of the existing security system. To accomplish this, PDM uses two sets of security credentials – one for the source system, another for the target system. Data transfer tasks, on both the sending and receiving systems, run under these user credentials provided by the requestor. As a result, the existing security procedures are in complete control of file transfer operations.
Encryption – Protection of Data in Transit
As stated above, the existing security will protect data access within a given system. But what about data that flows between systems? For this protection, PDM uses AES encryption recommended by the National Institute of Standards and Technology (NIST). The detailed technical explanation of our approach is beyond the scope of this post, but the highlights are:
- Public/Private Key Pairs generated by Elliptic Curve Cryptography (ECC).
- Unique Ephemeral keys generated for each transfer operation and valid for only one transfer.
- Use of NIST approved random number generators.
- Keys reside in protected memory and are destroyed after transfer completes.
- Keys are NEVER stored.
If you are a Security Specialist and wish more details, they are found in the document NIST Special Publication 800-56A – “Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography” at the link below:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
Simplicity
If you click the link above and scanned the document, unless you specialize in the science of cryptography, the algorithms and protocols may seem very complex. Even the title of this document scares most people away. This does not mean applying these powerful and secure techniques to daily operations must also be complex. Alebra has simplified the security of file transfer operations in the following ways:
- Fully exploit existing security facilities – no new facilities required.
- Eliminate all key management activities
- Generate new unique encryption keys for each transfer operation
- Keys destroyed when transfer completes
- No keys are ever stored
- Invoke encryption using one simple keyword – “SECURE”
One simple keyword – now that doesn’t sound scary at all, does it?
Let us know if we can help.
Bill Yeager | Chief Technology Officer | bill.yeager@alebra.com