Statistics Canada

Section 4: e-File Transfer Service


Statistics Canada has developed an e-File Transfer (e-FT) Service which will enable external partners and Statistics Canada to exchange electronic files in a secure manner using the Internet.

There are a number of applications for this service. Examples include:

  • an external partner who needs to provide Statistics Canada with an administrative file,
  • a Statistics Canada division that has the authority to pre-release data or publications to selected partners for review under the Work-in-progress guidelines,
  • a Statistics Canada division that has the authority to exchange data with another government department or agency subject to a data-sharing agreement or discretionary disclosure order.

This service allows client divisions within Statistics Canada to place their focus on “securing” the operational practices and processes around the exchange of files with external partners. The e-FT Service will provide a secure mechanism for conducting the actual file exchange.

Statistics Canada's e-FT Service Environment

In order to ensure the absolute protection of data files exchanged over the Internet using this service, Statistics Canada separates its e-FT Service into “zones” that cannot interfere with each other. As necessary, these zones are further subdivided with additional firewalls. The operational rules for these firewalls and switch filtering rules robustly limit access, thereby protecting systems from unauthorized access.

  • Access to the service is restricted to Statistics Canada respondents who must authenticate themselves to the service using an access code;
  • Access by Statistics Canada staff is restricted to authorized employees who must authenticate themselves to the service using Windows Active Directory credentials;    
  • Once an Internet connection has been established between the respondent’s computer and the e-FT Service, the communication is encrypted (HTTPS for respondents using a web client, FTPS for respondents using FTP, and a proprietary, CSE-approved, “vault protocol” for respondents using a transfer application to exchange data files with Statistics Canada);
  • All data received or transmitted by the front-end servers (SFE connector for web users and FTP connector for FTP users) is stored in the vault using persistent encryption. Communication between these servers and the vault is encrypted. The vault and front-end servers are located in the Public Access Zone (PAZ).
  • Data transmission between Statistics Canada’s secure, private network and the e-FT PAZ respects the network separation (“air gap”) between the two networks. On a scheduled basis, a process residing on an internal server behind another firewall (a pull mechanism for inbound files and a push mechanism for outbound files) moves files between the PAZ resident vault and a second vault that alternates between the two networks. This inter-vault communication is encrypted and takes place when this vault is on the public network. Data files in the vault are stored using persistent encryption.

When the vault is on the secure, private network, a process moves data files between the vault and the Statistics Canada client division’s file systems using a “pull from vault” mechanism for inbound files and a “push to vault” for outbound files. The communication between the server and vault is encrypted. The process is responsible for decrypting data files as they are presented to, and encrypting data files as they are gathered from, the client division’s file systems. 

Data Flow for File Transfer

General e-FT Service Data Flow Description: receipt of files from an external contact

A.  Environment:  Within Statistics Canada's secure, private network

  • The authorized administrator connects to an e-FT Service on the public network that provides access to a secured electronic vault, the Public Access Zone (or PAZ) vault.
  • The administrator creates the external contact’s login credentials by sending information to the PAZ vault using an encrypted communication protocol.

B.  Environment:  Within Statistics Canada's Public Access Zone

  • The external contacts’ login credentials are stored in an encrypted manner in the PAZ vault using persistent encryption.
  • Notification (e.g., e-mail, letter) is sent to external contacts advising them of their credentials and location (e.g., URL) to which they should direct files being uploaded to Statistics Canada.

C.  Environment: In a location of the external contact’s choosing

  • The external contact receives notification containing the e-FT Service credentials.
  • The external contact accesses the Statistics Canada e-FT Service portal and establishes a secure session. [1]
  • The external contact is prompted for credentials.
  • The external contact authenticates to the portal by entering the credentials provided.

D.  Environment:  Within Statistics Canada's Public Access Zone

  • A server collects network traffic-related information [1] for security purposes and to safeguard the implementation.

E. Environment: In a location of the external contact’s choosing

  • The external contact is presented with an e-FT Service interface.
  • The external contact is asked to upload their file to a specific location within the PAZ vault based on their credentials.
  • The external contact uploads the file.

F.  Environment: Statistics Canada's Public Access Zone

  • The uploaded file is stored using persistent encryption in the PAZ vault. 
  • If for some reason the transmission of a file is interrupted before it is fully completed, the external contact will either be advised via an error message and requested to re-transmit the file, or the re-transmission will take place automatically (this depends on the particular file transfer technology being employed).

G.  Environment: In a location of the external contact’s choosing

  • Once the file has been successfully transferred, the external contact is provided with an acknowledgement.
  • The external contact closes the e-FT Service interface.

H.  Environment: Statistics Canada's secure, public network

  • Stored files received from external contacts are transferred, via a “pull mechanism” initiated from the secure, private network to a second secured electronic vault that alternates between the secure, private network and the public network on a scheduled basis. The communication between the two vaults is encrypted and the files stored in this vault are also protected using persistent encryption. After the file transfer to the vault has successfully concluded, the copy in the PAZ vault is deleted automatically.
  • When the vault is on the secure, private network, the files are transferred to contact divisions using a “pull mechanism”. The mechanism decrypts the files and after their transfer deletes the encrypted copies from the vault.
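The relay described in the e-FT Service Environment section and in step H above (a pull initiated from the private side, the PAZ copy deleted only after a successful transfer, files held in transit for less than 24 hours) can be modelled as follows. This is an added example, not Statistics Canada's or the vendor's code; the SHA-256 digest check and all file names and timestamps are constructed assumptions.

```python
"""Relay between the PAZ vault and the alternating internal vault (added example,
not Statistics Canada's or the product's code; the SHA-256 check is an assumed control)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_IN_TRANSIT = timedelta(hours=24)  # inbound limit stated in the risk grid

@dataclass
class Entry:
    blob: bytes          # stand-in for the persistently encrypted file
    digest: str          # SHA-256 of the blob, recorded when it was stored
    stored_at: datetime

@dataclass
class Vault:
    entries: dict = field(default_factory=dict)

    def put(self, fname, blob, when, digest=None):
        """Store a blob; the digest defaults to the blob's own SHA-256."""
        self.entries[fname] = Entry(blob, digest or hashlib.sha256(blob).hexdigest(), when)

def pull(src, dst, now):
    """Private side pulls every file from src into dst. The source copy is deleted only
    after the digest re-verifies and the copy is committed; a mismatching blob is held."""
    report = {"moved": [], "held": []}
    for fname, entry in list(src.entries.items()):
        if hashlib.sha256(entry.blob).hexdigest() != entry.digest:
            report["held"].append(fname)    # interrupted or corrupt: never propagate
            continue
        dst.put(fname, entry.blob, now, entry.digest)
        del src.entries[fname]              # delete the PAZ copy only after commit
        report["moved"].append(fname)
    return report

def overdue(vault, now):
    """Files held longer than the in-transit limit: a stuck relay worth alerting on."""
    return sorted(f for f, e in vault.entries.items() if now - e.stored_at > MAX_IN_TRANSIT)

def demo():
    now = datetime(2024, 1, 2, 12, tzinfo=timezone.utc)            # constructed clock
    paz, internal = Vault(), Vault()
    paz.put("agencyA/admin.csv", b"id,value\n1,42\n", now - timedelta(hours=2))
    full = hashlib.sha256(b"complete upload").hexdigest()           # digest of the intended file
    paz.put("agencyB/cut.dat", b"complete up", now - timedelta(hours=1), digest=full)  # truncated
    paz.put("agencyC/stale.zip", b"PK-bytes", now - timedelta(hours=30))
    late = overdue(paz, now)              # run the age check before the scheduled pull
    rep = pull(paz, internal, now)
    return late, rep, sorted(paz.entries), sorted(internal.entries)
```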

General e-FT Service Data Flow Diagram (receipt of files from an external contact)

[Figure: Data flow diagram. General e-FT Service Data Flow Diagram (receipt of files from an external contact)]

General e-FT Service Data Flow Description: Transmission of files to an external contact

A.  Environment:  Within Statistics Canada's secure, private network

  • The authorized administrator connects to an e-FT Service on the secure, private network that provides access to a secured electronic vault, the PAZ vault.
  • The administrator creates the external contact’s login credentials by sending information to the PAZ vault using an encrypted communication protocol.

B.  Environment:  Within Statistics Canada's Public Access Zone

  • External contacts’ login credentials are stored in an encrypted manner in the PAZ vault using persistent encryption.

C.  Environment: Statistics Canada’s secure and private internal network

  • Files destined for external contacts are transferred from Statistics Canada divisions using a “pull mechanism” to a secured electronic vault, the vault that alternates between two secure, private networks. The mechanism encrypts the communication during transfer and stores the files in the vault using persistent encryption.
  • When the vault is accessible on the secure, private network, files to be transferred to external contacts are transferred via a “pull mechanism” initiated from this network to the PAZ vault that resides in the Public Access Zone. 
  • The communication between the two vaults is encrypted and the files stored in both vaults are protected using persistent encryption. After the file transfer to the PAZ vault has successfully concluded, the copy in the vault is deleted automatically.

D.  Environment: Statistics Canada's Public Access Zone

  • Notification (e.g., e-mail, letter) is sent to external contacts advising them of their credentials and the mechanism for retrieving the file(s) from Statistics Canada.

E.  Environment: In a location of the external contact’s choosing

  • The external contact receives the e-mail or letter inviting them to retrieve a file from Statistics Canada’s e-FT Service portal with their credentials.
  • The external contact accesses Statistics Canada’s e-FT Service portal. A secure session (using SSL, FTPS, or vault protocol [2]) is established.
  • The external contact is prompted for credentials.
  • The external contact authenticates to the e-FT Service portal by entering the credentials provided.

F.  Environment:  Within Statistics Canada's Public Access Zone

  • A server collects network traffic-related information for security purposes and to safeguard the implementation.

G.  Environment: In a location of the external contact’s choosing

  • The external contact is presented with an e-FT Service interface.
  • The external contact is shown a list of the file(s) they are authorized to download.
  • The external contact downloads the file(s). 

H.  Environment: Statistics Canada's Public Access Zone

  • If for some reason the transmission of a file is interrupted before it is fully completed, the external contact will either be advised via an error message and requested to re-do the download, or the download will restart automatically (this depends on the particular file transfer technology being employed).
  • After the file has been successfully downloaded by the contact, it is automatically deleted from the PAZ vault.

I.   Environment: In a location of the external contact’s choosing

  • The external contact closes the e-FT Service interface.

General e-FT Service Data Flow Diagram (transmission of files to an external contact)

[Figure: Data flow diagram. General e-FT Service Data Flow Diagram (transmission of files to an external contact)]

Threat and Risk Assessment Grid

Columns: Threats | Existing Statistics Canada Safeguards | Probability | Impact | Residual Risk | Assessment of Residual Risk

Environment: Risk associated with the inadvertent release of sensitive information contained in files being transmitted
Activity: Unauthorized access to e-FT Service

1. Threat: There is unauthorized access to the e-FT Service by a person who is not a Statistics Canada employee, or is not the intended source or recipient of the files being exchanged (i.e., a hacker).
   Existing Statistics Canada safeguards:
     • The e-FT Service is implemented using a proprietary software package that has been independently evaluated and certified.
     • Files are encrypted when transmitted or stored in the e-FT Service vaults.
     • The time that files remain in transit within the system is minimized (less than 24 hours for inbound files and a limited period of time to be established for outbound files, i.e., 24 to 48 hours).
   Probability: 1   Impact: 3   Residual risk: 1   Assessment of residual risk: Acceptable

2. Threat: Credentials providing access to the service are used by an unauthorized individual (e.g., were sent to the wrong party).
   Existing Statistics Canada safeguards:
     • There are granular access controls: credentials limit “read, write, delete” to specific files.
     • Best practices have been developed on how to use the service (e.g., managing credentials) and training is offered to both internal and external users.
   Probability: 1   Impact: 2   Residual risk: 2   Assessment of residual risk: Acceptable

3. Threat: Access to a file is given to an external contact not entitled to the information.
   Existing Statistics Canada safeguards:
     • Verification that the external contact has the authority to have a file will be a key requirement in the procedures. This authority may be in the form of a MOU, discretionary disclosure or work-in-progress approval with security and/or audit provisions.
   Probability: 1   Impact: 3   Residual risk: 1   Assessment of residual risk: Acceptable
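The granular access controls cited against threat 2, together with the credential-specific upload location in step E of the inbound flow, amount to a per-credential authorization decision at the PAZ front end. The following is an added example of such a check, not the vendor's or Statistics Canada's code; the access codes, vault paths and granted operations are constructed.

```python
"""Per-credential authorization at the PAZ vault front end (added example, not the
product's code): each access code maps to one contact location in the vault and the
operations granted there; any other request is refused with a stated reason."""
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Constructed credential table: access code -> (contact's vault location, granted ops)
GRANTS = {
    "code-agency-A": ("/vault/inbound/agency-A", {"write"}),                 # uploads only
    "code-reviewer-B": ("/vault/outbound/reviewer-B", {"read", "delete"}),   # retrieves pre-release files
}

def confine(location: str, requested: str) -> Optional[str]:
    """Join the requested name onto the contact's location and return the result only
    if it still lies inside that location; '..' segments and absolute names cannot escape."""
    base = PurePosixPath(location)
    parts = []
    for p in base.joinpath(requested).parts:   # an absolute 'requested' replaces base here
        if p == "..":
            if len(parts) > 1:                 # never pop the root
                parts.pop()
        elif p != ".":
            parts.append(p)
    target = PurePosixPath(*parts)
    return str(target) if target != base and base in target.parents else None

def authorize(access_code: str, op: str, name: str) -> Tuple[bool, str]:
    """Decide one request; the string is the resolved vault path on success, else the refusal reason."""
    grant = GRANTS.get(access_code)
    if grant is None:
        return False, "unknown credential"
    location, ops = grant
    if op not in ops:
        return False, f"'{op}' not granted to this credential"
    path = confine(location, name)
    if path is None:
        return False, "name resolves outside the contact's location"
    return True, path
```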

Conclusion

The e-File Transfer Service has been developed to provide a reliable, secure mechanism for use by Statistics Canada in the exchange of files with external contacts. The service is based upon a commercially available software product for secure managed file transfer. This software has been customized to maximize its use of Statistics Canada’s network and hardware infrastructure and to ensure that it respects Statistics Canada’s separation of networks. The security of this software product has been independently validated (by ICSA Labs) and provides the level of security required by Statistics Canada.

Therefore, this assessment did not identify any privacy risks that cannot be managed using existing safeguards or specific ones developed for the e-File Transfer Service.

Note:

  1. IP addresses are part of the network traffic-related information collected. The IP address consists of a string of numbers that identifies the Internet Service Provider (ISP) and computer used by the respondent. The IP address may be either dynamic (changes with each session) or static. It may correspond to an individual’s computer or to a group of thousands used at the same location. By itself, the IP address cannot be used to identify the individual. This information will be deleted from the Electronic Collection portal server 30 days after the end of the survey collection period.
  2. The actual protocol will depend on the communication approach chosen by the external contact (web browser, FTP, downloaded program, etc.).