Groups and their role in regulatory compliance - Part 1

Posted by John V. on Tue, Apr 10, 2012 @ 10:00 AM

Overview

Here's a JSCAPE MFT Server feature that is particularly useful when you need to control access to server directories according to user roles: Groups. A Group is a named set of virtual directories and file system permissions that can be assigned to any number of user accounts. Because Groups let you grant permissions by job function rather than user by user, they help you meet the access control requirements of laws and regulations such as PCI DSS, HIPAA, and SOX.

Role in regulatory compliance

Groups can help you implement role-based access control (RBAC), which is the generally recommended, and in some cases required, way of enforcing access control.

In PCI-DSS (Payment Card Industry Data Security Standard)

PCI DSS v2.0, for instance, addresses RBAC directly in Requirement 7.1.2, which requires that privileges (to system components and to cardholder data) be assigned on the basis of each individual's job classification and function.

In HIPAA (Health Insurance Portability and Accountability Act)

Although no longer explicitly stipulated in HIPAA's final Security Rule (the part of HIPAA that impacts file transfer systems), RBAC was actually part of the proposed rule. It was only excluded from the final rule so as not to prejudice other forms of access control. However, the relationship between roles and access controls is unmistakably given importance in the fourth paper of the Security Rule Educational Series, entitled "Security Standards: Technical Safeguards".

In discussing HIPAA's Access Control standard (§ 164.312(a)(1)), the paper says, "Regardless of the technology or information system used, access controls should be appropriate for the role and/or function of the workforce member." 

In SOX (Sarbanes-Oxley Act)

One of the main reasons legislators came up with SOX was to reduce fraud. Granting employees the least privilege needed to perform their jobs is therefore an important ingredient of compliance with this law.

In a large organization, however, it is extremely difficult to keep up with promotions, reshufflings, reassignments, resignations, and new hires while still making sure that every person has exactly the privileges they need and no more.

The most effective way to do this is a role-based access control system, in which privileges are assigned to roles rather than to individuals. When people are given new assignments, you only have to move them into the corresponding roles; the privileges themselves do not need to be touched.

Groups are not the same thing as a full-blown RBAC environment. But not every company with a file transfer system has a full-blown RBAC environment either.

So if you don't have an RBAC system yet but want to implement access control based on user roles or job functions within your secure file transfer environment, Groups are a reasonable alternative.

A simple example featuring Groups 

Let me now show you how you would use groups to limit the access permissions of users based on those users' specific functions in your file transfer environment. I'm going to do it using a simplified sample scenario.

In our example, one group of employees is going to be tasked to upload files to our file transfer server. We will call this group the Uploader Staff. In addition to performing uploads, these employees will also be allowed to create directories, delete directories, view files and subdirectories, delete files, rename files and so on. Basically, they will be allowed to do practically everything that can be done on the server except download files.

The only people in our organization who will be allowed to download files will belong to a separate group. This group will be known as the Downloader Staff. Aside from downloading files, members of the Downloader Staff will only be able to view files and subdirectories; nothing more. For instance, they will not be able to upload files, delete files, or even rename files.

Finally, we will have a select group of employees who are allowed to do everything both of the other groups can do. They shall be called the Super Staff. In a real-world deployment such a group should generally not exist: accounts with superuser privileges pose a very high risk to your organization. We include it here only to demonstrate that a user can belong to more than one group and that the permissions of those groups combine.


In our imaginary organization, the Uploader Staff group will consist of Joey and Maria. The Downloader Staff group, on the other hand, will be made up of Steven and Doug. Only one member will belong to the Super Staff: Danika.

Uploader Staff: Joey, Maria

Downloader Staff: Steven, Doug

Super Staff: Danika
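To make the scenario concrete, here is a small model of the three groups written for this post as an added example. It is not JSCAPE's own code and does not talk to JSCAPE MFT Server; the group and user names come from the scenario above, while the permission names ("list", "upload", "download", "mkdir", "rmdir", "delete", "rename") and the GroupDirectory class and its methods are assumptions made for illustration. It shows the two points the post makes: a user's effective permissions are the union of their groups' permissions (which is why Danika ends up with everything), and a reassignment such as the ones discussed in the SOX section is a single membership change, with no per-user permission editing. Users in no group get nothing (deny by default), and who_can gives the kind of "who can download?" answer an auditor asks for.

```python
"""Group-based access control model for the Uploader / Downloader / Super
Staff scenario.  Added example, not JSCAPE code; names other than the group
and user names from the post are assumptions."""
from __future__ import annotations

from collections import defaultdict

# Assumed permission names, mirroring the operations the post lists.
ALL_PERMISSIONS = frozenset(
    {"list", "upload", "download", "mkdir", "rmdir", "delete", "rename"}
)

# Group -> permissions.  Permissions live only on groups, never on users.
GROUP_PERMISSIONS: dict[str, frozenset[str]] = {
    "Uploader Staff": ALL_PERMISSIONS - {"download"},      # everything but download
    "Downloader Staff": frozenset({"list", "download"}),   # view and download only
}
# Super Staff is the union of both; the post notes such a group is a risk.
GROUP_PERMISSIONS["Super Staff"] = (
    GROUP_PERMISSIONS["Uploader Staff"] | GROUP_PERMISSIONS["Downloader Staff"]
)


class GroupDirectory:
    """Tracks which groups each user belongs to (assumed helper class)."""

    def __init__(self) -> None:
        self._groups_of: defaultdict[str, set[str]] = defaultdict(set)

    def assign(self, user: str, group: str) -> None:
        if group not in GROUP_PERMISSIONS:
            raise KeyError(f"unknown group: {group}")
        self._groups_of[user].add(group)

    def unassign(self, user: str, group: str) -> None:
        self._groups_of[user].discard(group)

    def reassign(self, user: str, old_group: str, new_group: str) -> None:
        """Promotion or transfer: one membership swap, no per-user ACL edits."""
        self.assign(user, new_group)
        self.unassign(user, old_group)

    def effective_permissions(self, user: str) -> frozenset[str]:
        """Union of the user's groups; a user in no group gets nothing."""
        perms: set[str] = set()
        for group in self._groups_of.get(user, ()):
            perms |= GROUP_PERMISSIONS[group]
        return frozenset(perms)

    def is_allowed(self, user: str, action: str) -> bool:
        if action not in ALL_PERMISSIONS:
            raise ValueError(f"unknown action: {action}")
        return action in self.effective_permissions(user)

    def who_can(self, action: str) -> set[str]:
        """Audit view: every known user currently able to perform `action`."""
        return {u for u in self._groups_of if self.is_allowed(u, action)}


def build_example_directory() -> GroupDirectory:
    """Membership exactly as in the post's scenario (constructed sample data)."""
    d = GroupDirectory()
    for user in ("Joey", "Maria"):
        d.assign(user, "Uploader Staff")
    for user in ("Steven", "Doug"):
        d.assign(user, "Downloader Staff")
    d.assign("Danika", "Super Staff")
    return d


if __name__ == "__main__":
    d = build_example_directory()
    print("Joey may upload:", d.is_allowed("Joey", "upload"))          # True
    print("Joey may download:", d.is_allowed("Joey", "download"))      # False
    print("Steven may delete:", d.is_allowed("Steven", "delete"))      # False
    print("Danika has all:", d.effective_permissions("Danika") == ALL_PERMISSIONS)  # True
    print("Who can download:", sorted(d.who_can("download")))          # ['Danika', 'Doug', 'Steven']
    # Doug moves to the upload desk: a single membership change.
    d.reassign("Doug", "Downloader Staff", "Uploader Staff")
    print("Who can download now:", sorted(d.who_can("download")))      # ['Danika', 'Steven']
    # An account in no group is denied by default.
    print("Unknown user may list:", d.is_allowed("nobody", "list"))    # False
```

The model is intentionally per-directory-agnostic; in JSCAPE MFT Server the permissions are attached to a group's virtual directories, so a real deployment would keep one such permission set per directory path.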

Let's now go to Part 2 of this post and watch these groups in action.  


Topics: JSCAPE MFT Server, Managed File Transfer, Compliance, Secure File Transfer