Protecting Data while Stored in the Cloud
Keeping files secure at rest means protecting them from unauthorized access where they are stored, including in the cloud. As a leading provider of cloud-based secure file transfer, Thru is vigilant about securing files at rest because:
- Thru relies on persistent storage to provide guaranteed file delivery. Files are temporarily stored until successfully delivered with resulting in zero data loss.
- Customers can choose to use Thru to store their files as a virtual file system.
This blog highlights how the Thru application models and uses Microsoft Azure security features to protect stored files.
Secure Storage in Microsoft Azure Files Shares
Thru’s managed file transfer as a service (MFTaaS) is hosted in multiple Microsoft Azure regions to support data sovereignty and reduce the data transfer latency. The files transferred and managed by Thru’s MFT cloud service are temporarily stored in Azure storage accounts subsystem—known as Files shares—in the Azure region where a customer instance is provisioned.
Azure Files shares is a managed file storage service by Microsoft Azure that provides multiple security features. The storage security features implemented by Thru that are based on Azure Files shares security model and augmented by Thru application security features are:
Data Encryption at Rest
Azure Files shares use Azure Storage server-side encryption to encrypt data at rest, which protects file data from unauthorized access and data breaches. Data in Azure Storage is encrypted and decrypted using 256-bit AES encryption—one of the strongest block ciphers available—and is FIPS 140-2 compliant.
Data in a storage account is encrypted with the cryptographic keys which are managed by Microsoft Azure in the current version of Thru’s MFT service. Support for customer-managed keys stored in Azure Key Vault is in the feature pipeline for Q3 2023.
Antivirus Scanning
By default, Thru applies antivirus scanning by Microsoft Defender to all files (up to 250MB in our automated file transfer service, however, dedicated single tenant deployments can be configured as required) passing through the transfer and storage system. Infected files are quarantined and the event is recorded in the file audit database and displayed in the portal file audit system for further analysis.
Network Isolation
Thru’s MFTaaS uses Azure Files shares running on the Microsoft global network infrastructure, which provides network isolation and protection against network-based attacks.
Storage Resiliency
Thru’s storage is deployed in Azure’s zone-redundant storage accounts (ZRS). Zone-redundant storage replicates the files synchronously across three Azure availability zones in a Thru service region. Each availability zone is a separate physical location with independent power, cooling and networking. ZRS offers durability for storage resources of at least 99.9999999999% (that is 12 nines) over a given year.
Access Control
Azure Files shares enforce access control policies for the file shares via support of multiple security mechanisms. In the Thru deployment model, each microservice that requires access to a file share runs under a separate service account with least privilege rights.
The service accounts are configured under the policies that allow access to required Azure file shares from specific virtual machines. Operations personnel accounts cannot access file shares unless granted special Azure Storage Contributor role via Azure role-based access control (RBAC) system. This ensures that only authorized applications, virtual machines and users have access to the file data.
Data Retention and Destruction
Thru supports data retention policies which define the lifespan of the files passing through the system. The policies are set by the customer administrators and the files are deleted at the time defined by the policies.
The file data of the customers who no longer subscribe to the Thru service is deleted according to the agreement terms and is not recoverable. Microsoft Azure follows strict standards for deleting data, as well as the physical destruction of decommissioned hardware.
Auditing and Logging
Azure Files shares provides detailed auditing and logging capabilities, allowing tracking of the files’ access for further analysis, if required. This helps to detect and respond to security incidents and ensure regulatory compliance.
Compliance
Microsoft Azure and Azure Storage offer a comprehensive set of certifications and attestations. Compliance offerings on Azure Storage include global, industry, regional and U.S. government compliance standards, such as SOC 1/2/3, ISO/IEC 27001:2013, HITRUST and multiple others.
Azure’s Service Trust Portal provides information on its data security and compliance.
Azure Compliance Documentation page provides a full list of Azure compliance offerings.
Thru Secures Files at Rest
Keeping your files protected in transit or at rest does not have to be complicated. Thru’s MFTaaS protects file transfers from end-to-end. To learn more about the security of Thru’s file transfers, go to our Secure File Transfer page »