LiquidFiles Documentation

Compliance

Is LiquidFiles compliant with PCI, SOX, HIPAA, ISO 27001, ...?

In short: Yes — LiquidFiles can help you achieve compliance with almost any standard you wish to adhere to.

Overview

Often, when we get asked whether LiquidFiles is compliant with a specific standard, it seems the organization is hoping that simply installing LiquidFiles in their environment will take care of all compliance requirements for secure file transfer. Although LiquidFiles can meet almost any technical security control posed by standards and auditors, it is unfortunately not as simple as installing LiquidFiles and being compliant.

Firstly, LiquidFiles is a product that is installed in your environment: on your hardware or virtual platform, on your network infrastructure, behind your firewall(s), IPSs, reverse proxies and so on. From a compliance perspective, that means all of these components need to be compliant. If, for instance, you install LiquidFiles on the same network as other systems that transmit anything in cleartext, you will most certainly fail certification regardless of having LiquidFiles.

Standards are also very rarely specific and are instead filled with generic language, such as the following, lifted from HIPAA:

Person or entity authentication — §164.312(d):
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Does this mean username/password, or does it require two-factor authentication? That is not at all clear, and what ends up happening is that auditors have to interpret the standard and what it means for your industry and your organization. LiquidFiles supports both username/password and two-factor authentication, whichever is required, but it is up to the auditor to determine what is needed in your situation.

Also, information security standards are mostly about the organization and very little about technical controls that would involve LiquidFiles. If we look at the headlines from ISO 27001:2013:

  • Information security policies — controls on how the policies are written and reviewed
  • Organization of information security — controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
  • Human resources security — controls prior to employment, during, and after the employment
  • Asset management — controls related to inventory of assets and acceptable use, also for information classification and media handling
  • Access control — controls for Access control policy, user access management, system and application access control, and user responsibilities
  • Cryptography — controls related to encryption and key management
  • Physical and environmental security — controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
  • Operational security — lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
  • Communications security — controls related to network security, segregation, network services, transfer of information, messaging, etc.
  • System acquisition, development and maintenance — controls defining security requirements and security in development and support processes
  • Supplier relationships — controls on what to include in agreements, and how to monitor the suppliers
  • Information security incident management — controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
  • Information security aspects of business continuity management — controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy

As you can see from just looking at the headlines, out of 13 headlines there are only 3 (Access Control, Cryptography and Communications Security) that directly affect LiquidFiles. So while installing LiquidFiles will certainly help you achieve strong security for transferring files, it won't do anything for your human resources security, operational security or all the other components that make up an information security standard.

Conclusion

So while we have many customers that have used LiquidFiles to achieve compliance with various standards such as PCI DSS, SOX, HIPAA and ISO 27001, you will still need to get your environment certified to ensure that you meet the security requirements of the standard or policy you want to adhere to.