This guide answers some questions regarding the FTP environment's
expected conformance to HIPAA, FDIC, OCC, G-L-B Act, California SB 1386, Canadian PIPEDA, Payment Card Industry ("PCI"),
Sarbanes-Oxley (a.k.a. "SARBOX") and other regulations.
- "Data at Rest" - The FTP environment satisfies this requirement by
encrypting all files stored on disk with FIPS 140-2 validated 256-bit AES encryption.
The encryption module which powers the FTP environment is only the tenth product to have
been vetted, validated and certified by the United States and Canadian governments for
cryptographic fitness under the rigorous FIPS 140-2 guidelines.
- "Data in Motion" - The FTP environment satisfies this requirement by
using encrypted channels (SSL or SSH) when sending or receiving data.
- "Tamper-Evident Audit Trail" - The FTP environment maintains a full audit trail of not
only every file transfer but every administrative action as well.
All entries are cryptographically chained in a way that makes
log tampering (i.e., adding, deleting or changing entries)
evident. Scheduled "tamper checks" are run automatically and
may also be run manually whenever needed.
- "Integrity Checking" - The FTP environment and certain file transfer
clients including the Upload/Download Wizard, EZ, Xfer, Freely, Central, API Windows and API Java use
cryptographic hashes to verify the integrity of files throughout the transfer chain.
- "Non-repudiation" - The FTP environment authentication and integrity
checking allows people to prove that certain people transmitted and/or received specific
- "Obsolete Data Destruction" - The FTP environment overwrites all
deleted files with cryptographic-quality random data to prevent any future access.
Specifically, the FTP environment meets the requirements of NIST SP800-88 (data erasure).
- "Need-To-Know Access Only" - The FTP environment user/group
permissions allow specific access to only those materials users should access.
- "Good Password Protection" - The FTP environment requires tough
passwords, prevents users from reusing passwords and periodically forces users to change
- "Good Encryption" - The FTP environment uses SSL to communicate across
networks. This "negotiated" protocol can be enforced to connect with
128-bit strength, the maximum currently available. The FTP environment uses FIPS 140-2 validated
256-bit AES to store data on disk. (This algorithm has been selected by NIST to replace DES, and is faster and
more secure than Triple-DES.)
- "Denial of Service Protection" - The FTP environment is resilient to
DOS attacks caused by resource exhaustion through credential checks or other resources
available to anonymous users. ("Nuisance" IP addresses will be locked
- "Multiple Factor Authentication" - When used with a username, IP addresses, passwords and client keys/certs offer
one-, two- or three-factor authentication.