Architecture Component Deployment (logical)
The following diagram shows the logical interaction between ITAC SecureFile® MFT components:
Following security best practice, ITAC SecureFile® Agent should be installed as close as possible to where files are generated, that is, on the servers that host the file-generating applications, so that files are encrypted before they are transferred to an internal or external server or sent to a specific destination. ITAC SecureFile® Agent notifies ITAC SecureFile® Server of the operations it performs.
ITAC SecureFile® Server administers the registered agents (ITAC SecureFile® Agent) and enforces the access restrictions and rules for users who download files via the ITAC SecureFile® Server portal; the recipient can likewise be notified through the portal when a file is available for download.
ITAC SecureFile® Gateway is located in the DMZ (perimeter network) and receives user requests arriving over FTP, SFTP, FTPS, HTTP or HTTPS. ITAC SecureFile® Gateway notifies ITAC SecureFile® Server of each request it receives for a file to be sent or downloaded by the user.
ITAC SecureFile® Server is the component responsible for validating every upload and download against the security policies that apply to the user authenticated on the system, and for rejecting transfers that violate them.
ITAC SecureFile® KMS is the centralized encryption key management solution and supports the full lifecycle of the digital keys. ITAC SecureFile® KMS administers the encryption keys of each agent and is located in the private/internal network.
Deployment Architecture (Full HA)
The following diagram shows a typical deployment view of the ITAC SecureFile® MFT components and their interaction in a fault-tolerant, highly available architecture.
Reading from left to right: external clients reach ITAC SecureFile® MFT over HTTP(S) from a web browser or over FTP/FTPS/SFTP from a file-transfer client, and these requests are admitted by the firewall guarding the entrance to the DMZ. They are then received by a load balancer, which forwards them to whichever ITAC SecureFile® Gateway node is currently active; the Gateway protects access, masks the requests so that clients never connect to the backend components directly, and communicates securely with the ITAC SecureFile® Server nodes located in the DMZ. Once the Gateway has routed a request onward, it reaches a second load balancer, which directs it to an ITAC SecureFile® Server node. The diagram shows two ITAC SecureFile® Server nodes in a high-availability, fault-tolerant pair sharing a SAN for file storage.
ITAC SecureFile® Server can either perform file server functions itself or interoperate with a file server the organization already has.
For data exchange between internal systems and/or internal users, both senders and receivers of files use ITAC SecureFile® Agent to perform the encryption and communication tasks between the originating file server and ITAC SecureFile® Server.
ITAC SecureFile® Agent can be run interactively by a user, configured with automated workflows, or, in the case of the organization's internal systems, invoked via API.
Administrators and users access ITAC SecureFile® Server via web browser to manage, among other things, users, profiles, logs, associated agents and process flows. ITAC SecureFile® Agents can be managed centrally from the server or locally on the host on which they are installed.
For centralized management and custody of the encryption keys, the MFT suite includes ITAC SecureFile® KMS, which provides a high degree of assurance through its HSM backing and strict control over the encryption key lifecycle.
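The architecture above rests on two properties: the Agent encrypts files on the generating host before anything crosses the network, and the per-agent keys live only in the KMS. The following Go program is an added illustration of that envelope-encryption pattern; it is not ITAC SecureFile code and does not use the product's API. It assumes a stand-in KMS that holds one key-encryption key per agent, AES-256-GCM for both file and key wrapping, and a simple envelope layout (nonce prefixed to the ciphertext), all of which are choices made for this example. The agent identity is bound as associated data so a wrapped key cannot be presented under another agent's name, and any byte altered while the envelope sits on the Gateway, Server or SAN is rejected at decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS stands in for the key service: one KEK per agent, held only here (illustrative, not ITAC's interface).
type KMS map[string][]byte

// Wrap encrypts a per-file data key under the agent's KEK; the agent ID is bound as associated data.
func (k KMS) Wrap(agent string, dataKey []byte) ([]byte, error) {
	kek, ok := k[agent]
	if !ok {
		return nil, errors.New("kms: agent not registered")
	}
	return seal(kek, dataKey, []byte(agent))
}

func (k KMS) Unwrap(agent string, wrapped []byte) ([]byte, error) {
	kek, ok := k[agent]
	if !ok {
		return nil, errors.New("kms: agent not registered")
	}
	return open(kek, wrapped, []byte(agent))
}

// Envelope is all that leaves the agent host; Gateway and Server store and forward it without seeing plaintext or keys.
type Envelope struct {
	Agent      string
	WrappedKey []byte
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("no usable entropy: " + err.Error())
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize()) // fresh 96-bit nonce, prefixed to the output
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open verifies the GCM tag (covering ciphertext and associated data) before releasing plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// AgentEncrypt runs on the file-generating host: fresh data key, encrypt, have the KMS wrap the key.
func AgentEncrypt(k KMS, agent string, file []byte) (*Envelope, error) {
	dataKey := randomBytes(32)
	wrapped, err := k.Wrap(agent, dataKey) // rejects hosts the KMS does not know
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, file, []byte(agent))
	if err != nil {
		return nil, err
	}
	return &Envelope{Agent: agent, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// RecipientDecrypt runs at the destination; any bit flipped in transit or at rest fails here.
func RecipientDecrypt(k KMS, env *Envelope) ([]byte, error) {
	dataKey, err := k.Unwrap(env.Agent, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext, []byte(env.Agent))
}

func main() {
	kms := KMS{"payroll-app-01": randomBytes(32)} // agent registered with the KMS
	env, err := AgentEncrypt(kms, "payroll-app-01", []byte("constructed sample: alice,1200\n"))
	if err != nil {
		panic(err)
	}
	pt, err := RecipientDecrypt(kms, env)
	fmt.Printf("recovered %q (err=%v)\n", pt, err)
}
```

Note that nothing in the envelope lets the Gateway or Server recover the file: the data key exists in clear only on the agent host and, briefly, wherever the KMS unwraps it for an authorized recipient, which is what keeps the DMZ-facing tier out of the trust boundary for file confidentiality.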
For monitoring and control of the MFT system, the suite integrates with centralized monitoring servers via SNMP and with log centralization and correlation servers via Syslog.