We give five examples of use cases where the Impex Data Lock would be a good fit for enhancing the security:

1.	Transfer of files from IT and OT environments
2.	Export of files from OT and IT environments
3.	Content control in internal integration flows
4.	Import of files from external company
5.	Import of software updates from a less secure network into a more protected computer environment

In the cases the Impex Data Lock can provide the following security

  • Strong authentication. Impex works with cryptographic keys, not passwords
  • Proof of reception. Impex will create a signed receipt that get sent to target node to allow for verification
  • Network choke point. Block all network traffic except the file transfer method allowed. When setup using two interfaces, only allow file pass-through that is performed after all checks have been accepted.
  • Termination of network traffic. Make sure that all sessions get terminated, no pass-through
  • Content inspection. Inspect content of transferred files using inspection rules written in the powerful domain specific language yara
  • Malware protection. Check files transferred using multiple AV engines.
  • Audit trail. Provide logging and alerts of operations performed by the data lock and collect metadata, including cryptographic checksums, of all transferred files.
  • Trust boundary. Useful for implementing an explicit trust boundary between two networks.
  • Zone model compliance. Developed to be used with zone models and tier models.

Transfer of files from IT and OT environments

Files from an office environment need to get transported to an OT or ICS environment. Transferred files are settings files used in the physical process.

Instead of the traditional method of allowing a file transfer through a firewall, the Impex Data Lock is used to terminate traffic at a trust boundary, strongly authenticate connection, control the content for malware and violation of policy and create audit records of the transfer. The Impex can be used in combination with a firewall to have more defense-in-depth.

Any transfers that are determined to be non-compliant will result in those files not being transferred.

Export of files from OT and IT environments

Files from a SCADA system need to get transported to a system in the office environment. Transferred files consist of statistics of the operations.

The Impex is receiving the files from the source which strongly authenticate connection via cryptographic keys, control the content for malware and violation of policy, create audit records of the transfer. Any transfers that are determined that it is non-compliant will result in that the files will not be transferred.

Content control in internal integration flows

An integration creates a traffic flow between internal application servers which exchange files. One server receives the file output from the application running on another server. Instead of having direct file transfer between the two servers, an Impex Data Lock is introduced to be the advanced security controller that both inspect the transferred files, to protect against malicious content, to get audit trails, and to provide proof of reception. Non-compliant content is blocked during the transfer. An Impex Data Lock is especially useful if integrations traverse internal zone instances or other network boundaries.

Import of files from external company

A 3rd party performs bulk scanning of invoices to the company. After a digital copy of the invoice exists, it gets transferred to the company over the Internet. As part of the import of the scanned files into the organization, an Impex Data Lock is introduced as a gatekeeper to control the receiving end from the external party. Trust boundaries are preserved in a zone edge, the source is authenticated via strong means, the transferred files are checked against malicious content. A record of the transaction is stored in the audit log. Non-compliant content is blocked during the transfer.

Import of software updates from a less secure network into a more protected computer environment

An IT environment is built to contain sensitive information. It is separated from the ordinary IT environment via data diodes, i.e. low-level security devices that on a physical layer restrict traffic to only pass into the environment. An Impex Data Lock is to be used to complement the function of the data diode by adding application level control by adding additional security controls. The Impex Data Lock adds a network choke point for who can access the data diode and thus preserving trust boundaries and a strong authentication controls access to the upload area. All imported software is checked against malicious content and policy settings. Records of any imports are saved in the audit log on a separate server. Non-compliant content is blocked during the transfer.

More information

Please contact us for detailed information, for prices or tech demos. You find contact information here