Every so often there is a seismic change in the IT security industry that creates a new benchmark upon which everything is measured. One such case of late, is an area that has remained unchanged for the large part of two decades – B2B file transfer.
Today, most organisations will use automated SFTP based file transfers or may have even delved into Applicability Statement (ASx) transfers - mostly AS2. But even those popular standards are nearing twenty years of age.
[You may also be interested to read "Data Breaches and the GDPR - 1 Year Later"]
Machine-to-Machine File Transfer for the Modern Age
In recent months, I have noticed an increase in conversations regarding the use of AS4 for machine-to-machine transfers. In other words, automated transfers of data and files between two processing systems, without human intervention.
A reason for this is the European Union (EU) has been promoting its use for cross-border communications. In particular, success with its eSENs project which was completed in 2017, which involved AS4 data transfers between over 100 public and private actors from 22 countries, as spurred it on.
As a result, cross-border data transfer between various government agencies and private companies is now becoming a standard and has since been fully implemented at:
- IATA - International Air Transport Association;
- EESSI - Electronic Exchange of Social Security Information;
- ENTSOG - European Network of Transmission System Operators for Gas;
- Superstream – Australian Pensions; and
- JEITA - Japanese Association of Electronics and Information Technology Industries.
What is AS4?
So, what is the fuss with AS4 all about?
AS4 is not a complete newcomer, having three predecessors in AS1, AS2 and AS3 - of which, AS1 and AS2 have enjoyed relatively widespread use for some time. Despite this, the old guard is slowly being unseated because of a number of advantages which AS4 has above its rivals. These include:
- It is an OASIS standard; and works with other common standards such as MIME, SOAP and WS-Security.
- It ensures the confidentiality of data transmitted using a subset of WS-Security.
- Guaranteed file delivery using a receipt system which is cryptographically tied to the AS4 message that has been sent. Making it undisputable.
- Payloads support a number of formats including EDI, XML, JSON, binary and more.
In short, AS4 provides a more modern, secure, auditable and versatile file or message exchange solution than previous ASx standards.
Crucially, AS4 also allows for push, as well as pull. This means that applications that are not always online; do not have a permanent IP address; or that are behind a firewall can occasionally connect and pull available messages.
How does AS4 work?
AS4 requires the creation of a Message Services Handler (MSH) at both the sender and recipient locations.
There are two types of messages: user messages which contain the payload to be transferred; and signal message which can communicate the outcome of a transfer (receipt or error) or request a user message pull.
The case of a push, the sending MSH connects to the webservice of the receiving MSH and sends a user message with payload. In the case of a pull, the receiving MSH sends a pull request signal message to the sending MSH, initiating the workflow described previously.
When a user message has been successfully received, the receiving MSH creates a digital signature based on the content of the user message and returns it along with a signal message. This signature is cryptographically tied to the user message and is considered a non-repudiable receipt.
Why is AS4 Becoming so Important?
AS4 is quickly becoming the standard for secure and versatile file transfer where automated machine-to-machine transfers are required because of its unmatched security standards and options for messaging and file transfers.
The AS4 standard is seen as providing greater flexibility and higher levels of security than its predecessors could.
The result of this is that some central government departments and private industries sectors are now moving toward AS4 being their standard for file and message transfers. Those who do not adopt these standards as sure to be left out of key systems, which could affect their operations, competitiveness and credibility.
In recent years, this shift toward AS4 supporting technologies has been recognised by the worlds file transfer vendors, who as a result have integrated the standard into their offerings and solutions portfolios.
[You may also like "UK's Top 4 Regulations Overlap"]