Migrating Your SFTP Security Policy

by C.W. Holeman III

Overview

Wisetail is currently undergoing a security policy upgrade. We will be updating our SFTP requirements to follow Amazon's current standard (we use Amazon for incoming SFTP connections). This includes ciphers, key exchange algorithms (KEXs), and message authentication codes (MACs). Specifically:

Additional information from Amazon: https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html

Your existing datafeeds may be impacted as a result and action is required to test your SFTP connection to ensure a smooth transition.

To assist in this transition, we’ve created a temporary SFTP server with the new cipher. Your account credentials will remain the same. Simply update the cipher in your SFTP client, then test the connection to confirm it works with Wisetail’s updated security.

Steps for Transitioning

  1. Navigate to where your SFTP connection is configured.
  2. Update the URL host to sftp-incoming-new.wisetail.com
  3. You should be prompted to enter your credentials.
  4. If your credentials work and you are able to connect to sftp-incoming-new.wisetail.com, your client software is compatible. You can return to your original host and configuration, as your existing client software version should continue to function after the upcoming change.
  5. Note: If you have multiple datafeeds set up that use SFTP, you should test each datafeed coming from a different third-party vendor.
  6. While testing, keep the current datafeed alive.

In the event your credentials do not work:

  1. You will see a ‘failed’ message, indicating that the SFTP tool you’re trying to connect with (e.g., FileZilla) hasn’t been updated to the latest encryption standards.
  2. To avoid disruptions in your datafeed, update your URL host to sftp-incoming-deprecated.wisetail.com to ensure your system continues receiving information as expected.
  3. Once the connection with sftp-incoming-deprecated.wisetail.com has been made, Wisetail recommends reaching out to your third-party vendor to inform them of the update. (Wisetail has included suggested messaging below for communicating with your third-party vendor.)

Please be aware that if you do not upgrade your SFTP client, you will not be able to connect to Wisetail after February 28, 2025.

Once the SFTP client that you were using has been properly upgraded, you can simply continue sending files to bridger.wisetail.com, as you have been doing.
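If you test from a command-line OpenSSH client instead of a GUI tool, the client's verbose log shows whether the connection failed at algorithm negotiation or succeeded. The script below is an added example, not Wisetail tooling: the sample log lines, IP address and algorithm names in it are constructed for illustration, and USERNAME is a placeholder for your existing account.

```bash
#!/usr/bin/env bash
# Classify an OpenSSH client debug log from a test connection (added example).
# Capture a log first; USERNAME is a placeholder for your existing account:
#   sftp -v USERNAME@sftp-incoming-new.wisetail.com 2> sftp-debug.log
#   classify_sftp_log < sftp-debug.log

classify_sftp_log() {
  local log kind offer kex pair
  log=$(cat)

  # Negotiation failure: OpenSSH names the algorithm class it could not match
  # (cipher, MAC, key exchange method, host key type) and lists the server's offer.
  kind=$(printf '%s\n' "$log" |
    sed -n 's/.*no matching \(.*\) found\. Their offer: .*/\1/p' | head -n 1)
  if [ -n "$kind" ]; then
    offer=$(printf '%s\n' "$log" | sed -n 's/.*Their offer: //p' | head -n 1)
    printf 'INCOMPATIBLE class="%s" server_offer="%s"\n' "$kind" "$offer"
    return 1
  fi

  # Success: report what was agreed for the client->server direction.
  kex=$(printf '%s\n' "$log" | sed -n 's/^debug1: kex: algorithm: //p' | head -n 1)
  pair=$(printf '%s\n' "$log" |
    sed -n 's/^debug1: kex: client->server cipher: \([^ ]*\) MAC: \([^ ]*\).*/\1 \2/p' |
    head -n 1)
  if [ -n "$kex" ] && [ -n "$pair" ]; then
    printf 'NEGOTIATED kex=%s cipher=%s mac=%s\n' "$kex" "${pair% *}" "${pair#* }"
    return 0
  fi

  echo 'UNKNOWN no negotiation lines found (was -v used? check DNS, firewall, port 22)'
  return 2
}

# Constructed sample logs; the algorithm lists are NOT Wisetail's or AWS's actual policy.
SAMPLE_FAIL='debug1: Connecting to sftp-incoming-new.wisetail.com port 22.
Unable to negotiate with 203.0.113.10 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,aes256-ctr'
SAMPLE_OK='debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none'

printf '%s\n' "$SAMPLE_FAIL" | classify_sftp_log || true
printf '%s\n' "$SAMPLE_OK" | classify_sftp_log
```

An INCOMPATIBLE result names the algorithm class your client is missing, which is the detail to pass on to whoever maintains the client software. Algorithm negotiation completes before authentication, so a NEGOTIATED line confirms cipher compatibility only; you still need a successful login to finish the test.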

Servers

  • bridger.wisetail.com - Current URL using old cipher. Will migrate to the new cipher next year.
  • sftp-incoming.wisetail.com - Some sites use this rather than bridger.wisetail.com. If this is the case, everything that is said about bridger applies to sftp-incoming.
  • sftp-incoming-new.wisetail.com - New server for testing cipher upgrades only.

Third-Party Messaging

Does a third party manage your datafeed SFTP? They may be required to update their security policy and encryption standards in order to continue sending files to Wisetail on your behalf. Send your vendor representative the message below to advise them of their part in ensuring your data’s security.

[Your company name] currently receives files from [Vendor name] via an SFTP protocol. In order to maintain this connection, Wisetail is requesting [Vendor name] update its servers to AWS’s latest security policy 2018-11 and requires that all SFTP URL hosts are updated to sftp-incoming-new.wisetail.com.

Additional Information

  1. Which file should I use to see if I can connect to the new sftp-incoming-new.wisetail.com?
    1. Both SFTP servers use the same S3 bucket storage; multiple servers point to one endpoint.
    2. If you send a test-only file to the new server, your production datafeed will try to ingest it at its regularly scheduled time, so be certain you are only sending valid and complete files.
  2. What happens if I do nothing?
    1. If you are on the old cipher, your datafeed file will no longer be delivered to Wisetail after we cut off the old cipher.
  3. My third-party vendor won’t update to the secure encryption. Do I risk losing access to my datafeed?
    1. Yes, this is a risk if it is not handled properly. Please reach out to our Technical Support team so we can help with this situation.
  4. Can I use the same credentials I use for my current SFTP?
    1. Yes
