B2B Integration

  • 1.  Secure NACHA files at REST

    Posted Thu September 17, 2020 10:42 AM
    Team,

    We had a requirement to secure NACHA files containing bank information at rest. Currently anyone having access to SFG can view process data, look into a document and view its plain contents. Has anyone implemented any solution to secure those files at rest? One option is for the producer to PGP encrypt the file and the consumer to decrypt it. Are there any other solutions to secure them without asking the partners to make changes on their side? Thanks

    ------------------------------
    Srini Parise
    ------------------------------

    #SupplyChain
    #B2BIntegration


  • 2.  RE: Secure NACHA files at REST

    Posted Thu September 17, 2020 10:34 PM
    Hi Srini,

    I guess you are looking for encryption of data in motion/flow. I believe data written to a persistent disk, i.e. a filesystem or database, is considered data at rest. B2Bi/SI supports securing documents at the file system and/or DB.

    Based on my understanding, it can be achieved through exchanging encrypted documents with trading partners, or by having a solution built on top of SI with the help of user exits to encrypt documents before putting them into the Mailbox (receiving documents). In the case of outbound documents we might need to do decryption per the receiver's requirement. But, again, if the document is decrypted in SI it's visible in Process data.

    ------------------------------
    Rajasekhar Muthamsetty
    ------------------------------



  • 3.  RE: Secure NACHA files at REST

    Posted Fri September 18, 2020 08:58 AM
    Thank you. As you said, having the producer encrypt the files and the consumers decrypt them is an option, but it will be a big impact and a time-consuming process.

    Has anyone looked at this article and tried it?
    https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.security.doc/SI_DocEncryptOverview.html

    Thank you

    ------------------------------
    Srini Parise
    ------------------------------



  • 4.  RE: Secure NACHA files at REST

    Posted Fri September 18, 2020 09:14 AM
    Well, in my opinion, additional steps always take a little more time and system/human resources. These can be optimized based on our requirements; avoiding them might not be possible.

    I haven't tried this, but I believe this talks about encryption at rest, not in motion or processing.

    ------------------------------
    Rajasekhar Muthamsetty
    ------------------------------



  • 5.  RE: Secure NACHA files at REST

    Posted Mon September 21, 2020 11:08 AM
    Hi Srini,

    I have tested the document encryption using what you laid out in the IBM article on our development system https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.security.doc/SI_DocEncryptOverview.html.

    What I found is that you are still able to view documents through the UI, but if you attempted to see the documents through another method, such as Windows Explorer or PuTTY using SFTP, they would be encrypted and you would not be able to read them.

    This also will put a significant load on your server hardware.

    ------------------------------
    Matthew Hasselman
    ------------------------------
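
A check for the behavior described in the post above, as an added example (not part of any post in this thread and not IBM code): it walks a storage directory and reports files that still parse as plaintext NACHA, relying on the format's fixed 94-character records and the `101` file-header prefix. The directory layout and the sample records are constructed for illustration.

```python
import os
import tempfile

RECORD_LEN = 94                 # every NACHA record is exactly 94 characters
RECORD_TYPES = set(b"156789")   # file hdr, batch hdr, entry, addenda, batch ctl, file ctl

def looks_like_plain_nacha(prefix: bytes) -> bool:
    """True if the leading bytes of a file parse as unencrypted NACHA records."""
    body = prefix.replace(b"\r", b"").replace(b"\n", b"")  # records may be unbroken
    records = [body[i:i + RECORD_LEN]
               for i in range(0, len(body) - RECORD_LEN + 1, RECORD_LEN)]
    if len(records) < 2 or not records[0].startswith(b"101"):
        return False            # file header is record type 1, priority code 01
    return all(r[0] in RECORD_TYPES and r.isascii() for r in records)

def find_plaintext_nacha(root: str, sniff_bytes: int = 64 * 1024) -> list:
    """Walk root and return paths whose first sniff_bytes look like plaintext NACHA."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    prefix = fh.read(sniff_bytes)
            except OSError:
                continue        # unreadable file: skip, do not abort the sweep
            if looks_like_plain_nacha(prefix):
                hits.append(path)
    return sorted(hits)

# Constructed sample: placeholder records padded to 94 chars, no real bank data.
SAMPLE = b"\n".join(s.ljust(RECORD_LEN).encode() for s in (
    "101 CONSTRUCTED-FILE-HEADER", "5200CONSTRUCTED-BATCH-HEADER",
    "622CONSTRUCTED-ENTRY-DETAIL", "8200CONSTRUCTED-BATCH-CONTROL",
    "9000001CONSTRUCTED-FILE-CONTROL")) + b"\n"

def demo() -> list:
    """Write one plaintext and one ciphertext-like file, return flagged file names."""
    with tempfile.TemporaryDirectory() as root:   # stands in for the storage dir
        with open(os.path.join(root, "plain.ach"), "wb") as fh:
            fh.write(SAMPLE)
        with open(os.path.join(root, "encrypted.bin"), "wb") as fh:
            fh.write(os.urandom(len(SAMPLE)))     # stand-in for an encrypted doc
        return [os.path.basename(p) for p in find_plaintext_nacha(root)]

if __name__ == "__main__":
    print(demo())
```

An empty result from a sweep of the real document storage path is evidence that filesystem-level encryption is in effect; it says nothing about what users of the UI can see.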



  • 6.  RE: Secure NACHA files at REST

    Posted Tue September 22, 2020 11:53 AM
    If we just need to transfer files from one point to another, we can consider data encryption at processing/motion. But in other cases where we would like to read content, if we keep it encrypted it might not help.

    You can try this: encrypting the document in the first step and overriding its persistence level might help.

    ------------------------------
    Rajasekhar Muthamsetty
    ------------------------------



  • 7.  RE: Secure NACHA files at REST

    Posted Tue September 22, 2020 01:48 PM
    Hi Raj, thank you. I think we are not concerned about security during transmission, as we are only using the secure transport protocols SFTP or Connect:Direct. The only concern is the data-at-rest issue.

    So, if we encrypt as the first step of receiving the file, what will the persistence override do? Are there any articles or examples?

    1) Ask the producer to send an encrypted file -> transfer through MFT as it is -> ask the consumer to decrypt (in this case, data at rest is also secure), but we can't go with this option as it impacts our customers, who would have to make changes. So not a good option.
    2) Per the IBM article, encrypt data at rest --> seems okay, but people having access to the SFG UI can see plain data. Semi okay.

    3) ???

    Thanks

    ------------------------------
    Srini Parise
    ------------------------------



  • 8.  RE: Secure NACHA files at REST

    Posted Tue September 22, 2020 01:42 PM
    Matthew,

    It is good to know that you were able to test and experience the behavior. Thank you. Based on your comments, resources having access to the SFG UI would be able to read file contents, which is not good for our business case. But at least it is encrypted for users having direct access to the filesystem.

    Thank you

    ------------------------------
    Srini Parise
    ------------------------------