We All Need Secure File Transfer
It is not unusual for companies to protect their commercial and client information. It is not unusual for government agencies to protect national security and personal information.
However, during a job application or other kind of assessment, our personal information may be transferred to the recruiting agent and/or the employer in a less secure way: via ordinary email. Many employers these days require far more than just a CV; they also ask for quite a few personal documents: passport copy, driver's licence, birth certificate, citizenship proof, social welfare card, academic certificates, to list just a few.
If such information leaks, someone may impersonate us, gain our access and privileges, and even endanger our company or country. OK, I might watch too many movies 🙂
It can be really easy and inexpensive to secure our file transfers. A file encryption tool can be a simple and free answer, such as 7-Zip for Windows and Keka for macOS.
Following is an encryption example from Keka on my Mac. The job applicant can then email the encrypted file to the agent/employer and send the password separately via text message or phone. Keeping the file and the password on separate channels helps enhance security.
If files are too large for email to handle, or more comprehensive security is required, then AWS S3, described below, can be an easy and inexpensive solution.
Why AWS S3 Storage?
AWS S3 has received IRAP accreditation and is an Australian federal government certified cloud service. References are as below:
- AWS S3 Product Page: https://aws.amazon.com/s3/
- ISM Compliance IRAP Program: https://aws.amazon.com/compliance/irap/
- ASD Certified Cloud Services: http://www.asd.gov.au/infosec/irap/certified_clouds.htm
Some benefits of AWS S3 include, but are not limited to:
- Regional storage is available, which meets the government requirement for onshore storage
- Physical hardware, environment etc. have passed IRAP assessment
- Central authentication and authorisation, including two-factor authentication, are available
- User access policies, IP whitelisting, and file and transport encryption can be enforced
- Log information is available
- Versioning is available in case of accidental deletion and for auditing purposes
- High availability and tape backup are available; please refer to the AWS S3 Product Page
- Inexpensive, especially when using Reduced Redundancy Storage (RRS); the service is charged based on ongoing storage usage.
Lab Solution Design
I built a secure file transfer solution over the weekend for personal and small group use; it is not fully polished yet. The example organisation is called AltairX.
Design diagram is as below:
Security considerations are as below; the classification follows AWS functions:
1. Authentication – User and Credential
- Usernames must not reflect the user's actual name, e.g. u12fx is used.
- Users must be assigned to group(s) to receive access permissions.
- Users can only access the file storage via a browser, i.e. API access is not allowed in our case, though it can be designed in if required.
- Users are assigned an initial auto-generated password and must change it at next sign-in.
- Password complexity and expiration/renewal requirements are enforced.
- Privileged users, HR staff in our case, must use two-factor authentication to log in.
2. Authorisation – Group Policies
Three groups are created: S3_User, S3_HR and S3_LOG. Each group is associated with a group policy, and each user is assigned to the required group.
2.1 S3_User Policy
- Users can only access their own home folder, e.g. user 'umezh' can only access 'altairxfile/user/umezh', not 'altairxfile/user/u12fx'.
- Users can upload to and delete files in their home folder, but cannot download files from it.
2.2 S3_HR Policy
- HR users can access all users' home folders, i.e. 'altairxfile/user/*', but no other folders, whether inside or outside the 'altairxfile' bucket.
- HR users can upload, delete and download files in any user's home folder, e.g. download files from 'altairxfile/user/u12fx' and 'altairxfile/user/umezh'.
2.3 S3_LOG Policy
- Log users can only access log files stored in the 'altairxlog' bucket, not other buckets.
- Log users can only read and download logs; they cannot delete, modify or upload logs.
3. Resource Access Control – Bucket Policies
3.1 ‘altairxfile’ Bucket Policy
- Any document stored in this bucket must have server-side AES256 encryption, i.e. the encryption is handled by AWS on the server side and users do not have to encrypt on their side.
- File download is only allowed from whitelisted IPs, e.g. AltairX's public IP in our case.
- Private access is enforced on all files and folders; public access without authentication is not allowed.
3.2 ‘altairxlog’ Bucket Policy
- Same requirements as applied to the 'altairxfile' bucket.
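Added example, not the article's own policy scripts (those are promised for the next article): the S3_User and S3_HR group policies and the 'altairxfile' bucket policy as described in sections 2 and 3 above, plus a deliberately simplified offline evaluator (a matching Deny wins, otherwise some Allow must match) that checks the stated rules hold. The office IP range and the usernames are constructed placeholders, and real IAM evaluation has more rules than this.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
BUCKET = "arn:aws:s3:::altairxfile"
OFFICE_CIDR = "203.0.113.0/24"  # constructed placeholder for AltairX's public IP range

def group_policies():
    """S3_User: upload/delete in own home folder only; S3_HR: all home folders, incl. download."""
    return {
        "S3_User": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"{BUCKET}/user/${{aws:username}}/*"]}]},
        "S3_HR": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
             "Resource": [f"{BUCKET}/user/*"]}]}}

def bucket_policy():
    """altairxfile bucket: deny uploads without SSE AES256 and downloads from outside the office."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": ["s3:PutObject"], "Resource": [f"{BUCKET}/*"],
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"], "Resource": [f"{BUCKET}/*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDR}}}]}

def _condition_holds(cond, ctx):
    # Negated operators are treated as matching an absent/None key here, so an upload
    # that omits the SSE header is denied (a real policy can add a Null condition too).
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals" and have == wanted:
                return False
            if op == "NotIpAddress" and have and ip_address(have) in ip_network(wanted):
                return False
    return True

def allowed(policies, action, resource, ctx):
    """Simplified IAM evaluation: a matching Deny wins, otherwise some Allow must match."""
    decision = False
    for st in (s for p in policies for s in p["Statement"]):
        if (any(fnmatchcase(action, a) for a in st["Action"])
                and any(fnmatchcase(resource, r.replace("${aws:username}", ctx["aws:username"]))
                        for r in st["Resource"])
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return False
            decision = True
    return decision

def check(group, user, action, key, source_ip="203.0.113.10", sse="AES256"):
    """One request by a member of `group`, evaluated under group policy plus bucket policy."""
    ctx = {"aws:username": user, "aws:SourceIp": source_ip, "s3:x-amz-server-side-encryption": sse}
    return allowed([group_policies()[group], bucket_policy()], action, f"{BUCKET}/{key}", ctx)
```

Pass `sse=None` to simulate an upload without the encryption header, or a `source_ip` outside OFFICE_CIDR to simulate an off-site download.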
4. Logging and Auditing
- User access and activity logs are stored in a separate bucket, i.e. 'altairxlog'.
- Versioning is enabled to track object changes (folders and files in our case).
- Event alerts can be configured to send email and/or message notifications if required.
5. File Transmission Encryption – HTTPS(TLS)
AWS S3 stopped SSL support a few years ago and enforces TLS. I used SSL Labs to assess AWS S3's HTTPS security. We can see the overall rating is pretty good.
TLS and SSL support information is as below. It shows that SSL is no longer supported. End users can also force TLS 1.2-only connections by changing their browser security settings to TLS 1.2 only.
6. Other processes and policies
- Files should be downloaded from AWS S3 within 24 hours of being received and stored in the company's secured on-premises storage, if required.
- Files are deleted from AWS S3 once downloaded.
To be continued…
In the next article, I will test the secure file transfer setup, include a user manual, and share some policy scripts written in JSON.