The fact that the data we all work with every day really is “in motion” will be confirmed after a moment’s thought even by those who have not yet paid much attention to the almost ubiquitous buzzword of digitalization or who have already grown tired of the hype surrounding this term. E-mail is used in almost all companies – regardless of whether they are large enterprises or mid-sized businesses.
Even government offices and agencies, which in Germany have an almost notorious fondness for fax machines and their data transmission, are gradually becoming willing to switch to more modern communications such as e-mail. It then seems easy to send data such as entire contracts, image files, videos, or even personal data “quickly” by e-mail. While this type of data transfer was often prevented in earlier times by the very strict size limits for attachments to e-mail messages, today users can also send files the size of several gigabytes by e-mail.
For administrators and data protection officers, this “general data movement” is a nightmare. Even before the Covid pandemic, they also had to contend with the increasing prevalence of so-called shadow IT, in which users blithely and uncontrollably sent data on its way via cloud solutions such as Dropbox, even from the home office. IT professionals generally favor technical solutions that leave all the factors and configuration options in their own hands.
For the most part – despite all their sympathy for modern cloud solutions – they prefer software that can be operated in their own data center. This is especially true if the company wants and needs to pay more attention to the data protection of the information and files it sends. Added to this is the requirement that a corresponding solution for secure “data movement” should also fit as easily as possible into the company’s existing workflows and processes. This is the only way to dissuade employees from using a wide variety of shadow IT programs and to persuade them to use the secure corporate solution alone.
The new Qiata version 3.11.0: Even more data protection and security for everyone
Anyone who wants or needs to move files across the network can choose from many different options and solutions to do so. There are very complicated approaches, which then usually promise a high standard of security, and simple, often free web-based approaches, which IT professionals refer to as “shadow IT” and which usually do not comply with company guidelines for security and data protection. So they should be banned from the corporate network if possible. With its Qiata solution, which is described as a multifunctional edge application, Secudos, a company from Kamen in North Rhine-Westphalia that specializes in IT security and compliance, addresses precisely these problems.
With the Qiata solution, the company provides its customers with a platform that enables files and even entire folder structures to be sent securely and encrypted. A major advantage is that each of the connections to the dedicated appliance is automatically encrypted. This also applies to recipients outside the company itself: they can receive the messages and data sent with Qiata without any problems and also respond to them directly, without the need for special hardware and software.
The current version 3 of Qiata is also based on Secudos’ own DOMOS operating system. At the current time of testing in May 2022, version 5.11 of the Linux operating system based on CentOS is still in use here. However, the developers at Secudos are working intensively on a new version 6 of their DOMOS operating system. The new release should then be deployed on the Qiata systems in the summer or fall of 2022.
Secudos has also equipped version 6 of its operating system with its own system user interface (DOMOS UI), enabling easy installation and simple initial commissioning. The built-in backup/restore options for the DOMOS configuration and for the application data are also available in version 6. This operating system is used in the software appliance, which can run under VMware, Hyper-V or even KVM, as well as in the hardware appliance and the cloud appliance.
Working with the Authenticator – better than SMS or TAN
In addition to security at the base of the platform in the operating system, it is of course very important for a transfer solution of any kind that users can log in and work securely and as easily as possible. Two-factor authentication should be familiar to most users by now – even if many users still find it annoying that they have to log in “again” to access their data. However, many users have probably realized in the meantime that a login that requires the entry of a second authentication feature increases security by a decisive degree.
With the current version 3 of Qiata, the developers at Secudos offer users the option of setting up and using two-factor authentication and, in addition, one-time passwords for their Qiata account. The entire login mechanism relies on Open ID Connect, one of the highest security standards for authentication. As a further step towards more security, the company now also provides the additional OIDC (Open ID Connect) module with this release.
Administrators can use it to easily and securely connect their ADFS (Active Directory Federation Services) server or AzureAD (Azure Active Directory) to Qiata. This represents a significant relief for users: they can then log in directly to Qiata with their familiar login data. An additional registration of the individual user accounts is not necessary. The system offers an automatic assignment of a group so that the respective users only get the desired permissions and accesses. The developers emphasize that Qiata is no longer involved in authentication in these cases – this is then handled completely via AzureAD, for example. We really liked the fact that not every user in the company automatically has to use their Azure ID in order to work with Qiata.
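What “Qiata is no longer involved in authentication” means in practice is that the application only consumes the ID token the identity provider issues and derives the local identity and group from its claims. The following added example (not Secudos code, and not a description of how Qiata implements this internally) shows the claim checks an OpenID Connect relying party performs after the token signature has been verified, plus a hypothetical mapping from directory groups to application groups. The issuer, client ID, group names and sample claims are constructed placeholders.

```python
# Constructed placeholders for this illustration; a real deployment takes the
# issuer from the provider's discovery document and the client id from its
# app registration.
TRUSTED_ISSUER = "https://login.example.test/tenant-placeholder/v2.0"
CLIENT_ID = "app-registration-id-placeholder"

# Hypothetical mapping of directory group identifiers to application groups,
# listed from most to least privileged so that the first match wins.
GROUP_MAP = {
    "grp-filetransfer-admins": "administrators",
    "grp-filetransfer-users": "users",
}


class TokenRejected(Exception):
    """Raised when an ID token's claims fail a required check."""


def validate_id_token_claims(claims: dict, now: int, expected_nonce: str,
                             leeway: int = 60) -> None:
    """Checks the claims of an ID token whose signature has ALREADY been
    verified against the identity provider's published keys (not shown here).
    The checks follow OpenID Connect Core 1.0, section 3.1.3.7."""
    if claims.get("iss") != TRUSTED_ISSUER:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise TokenRejected("token was not issued for this client")
    if "exp" not in claims or now >= int(claims["exp"]) + leeway:
        raise TokenRejected("token expired")
    if int(claims.get("iat", 0)) > now + leeway:
        raise TokenRejected("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (possible replay)")


def assign_application_group(claims: dict):
    """Maps the directory groups carried in the token to exactly one
    application group; a user in no mapped group gets no access at all."""
    member_of = set(claims.get("groups", []))
    for directory_group, app_group in GROUP_MAP.items():
        if directory_group in member_of:
            return app_group
    return None


def login_from_id_token(claims: dict, now: int, expected_nonce: str):
    """Federated login decision: validate the claims, then derive the local
    subject and permissions purely from what the provider asserted."""
    validate_id_token_claims(claims, now, expected_nonce)
    app_group = assign_application_group(claims)
    if app_group is None:
        raise TokenRejected("user is in no authorised group")
    return claims["sub"], app_group


def token_accepted(claims: dict, now: int, expected_nonce: str) -> bool:
    """Convenience wrapper returning a plain yes/no decision."""
    try:
        login_from_id_token(claims, now, expected_nonce)
        return True
    except TokenRejected:
        return False


# Constructed sample claims, shaped like those a provider returns after login.
SAMPLE_NOW = 1_650_000_000
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": TRUSTED_ISSUER,
    "aud": CLIENT_ID,
    "sub": "user-object-id-placeholder",
    "exp": SAMPLE_NOW + 3600,
    "iat": SAMPLE_NOW - 5,
    "nonce": SAMPLE_NONCE,
    "groups": ["grp-filetransfer-users", "grp-unrelated"],
}

if __name__ == "__main__":
    print(login_from_id_token(SAMPLE_CLAIMS, SAMPLE_NOW, SAMPLE_NONCE))
```

The nonce check is what ties the token to the browser session that started the login, and the group mapping is deliberately strict: a directory user who is in none of the mapped groups is rejected rather than given a default role, which is the property the article describes as users getting “only the desired permissions”.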
In the spirit of good manageability, it is up to the administrators and system administrators to decide whether they want to give their users the choice or make it mandatory for them to use this additional security measure. It certainly makes sense for the company to forego the use of SMS messages for two-factor authentication and to rely on corresponding authenticator apps such as “Microsoft Authenticator”, “Google Authenticator” or password apps such as “Enpass”, “KeePass” or “1Password” for so-called time-based one-time passwords (TOTP).
Administration: New features for more security
IT staff who have already been able to work with Qiata will certainly be pleased to learn that very little has changed in terms of support and administration of the system. The developers at Secudos have managed to keep the interface for administrators consistent despite all the very extensive security enhancements that have taken place under the hood. After logging in with the administrator account, the user browser is still presented with a very clean interface that is functionally designed and completely devoid of “graphic gimmicks”. This also has the very positive side effect that the administrator is completely free to choose his browser – we could not notice any differences in operation with all browser types and versions we used.
Thus, an administrator first has to do some searching if he wants to find the new features and entries in the administration console. The most noticeable thing there is certainly that a special new submenu called “Open ID Connect” is now available under “Organization”. Here, system administrators can then set up and configure a connection to Azure AD or Active Directory Federation Services (ADFS). They will also find the option in the menu to automatically convert user accounts that already exist in Qiata to AzureAD or ADFS.
The administrator does have to look a little closer to find the new “Maximum authentication time” entry in the Properties section of his menu. Here, IT professionals can set the maximum time that may elapse before a user must re-authenticate to the server in the event of inactivity.
This is particularly interesting for companies that do not use AzureAD or ADFS or do not want to connect their Qiata to them. Single sign-on can also be implemented here, in which case limiting the authentication time makes a lot of sense. However, we found it impractical that the time is given in seconds and requires manual conversion. It should not be a big problem to offer a representation in minutes, hours and days here as well.
In the group properties, system administrators can now specify very precisely how users are to log in. For example, they can configure there under “Advanced options” whether a user decides for himself whether he uses a one-time password or whether he always has to use it. As in the previous version of Qiata, however, system administrators can still decide on the general use of passwords, which hardly any administrator would turn off today, or the use of a PIN code. These settings can also be defined generally for an entire user group or individual employees. A setting to the value “Yes” forces users in all three categories to always use this authentication option without exception. If the administrators choose the setting “Setting per user” here, each user can decide for themselves.
In this context, the developers at Secudos particularly point out that it is not necessary to use an additional solution or another service to enable the use of two-factor authentication with Qiata. This functionality is built into Qiata as a fixed component and can thus be used directly. However, users will need an authentication app on their smartphone in any case (see above). We tried out both Microsoft Authenticator and Google’s program during the test phase and did not encounter any problems during use. Reading the QR code presented to us by the cloud appliance used for testing here worked smoothly.
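The reason an authenticator app needs no second service, as the passages above on TOTP apps and on the built-in two-factor function both touch on, is that the app and the server share only a secret (the content of the enrollment QR code) and the current time. The added example below (not Secudos code and not Qiata’s implementation) implements the standard TOTP algorithm from RFC 6238 and the server-side check that makes the password genuinely one-time: codes within a small clock-skew window are accepted, but a time step that has already been used is refused. The secret is the well-known RFC test vector, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test secret: the ASCII string "12345678901234567890" used by the
# RFC 4226 / RFC 6238 test vectors, in the Base32 form that authenticator apps
# read from an enrollment QR code. Not a real Qiata secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock, so the
    app and the server agree on the code without talking to each other."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                last_used_counter: int, step: int = 30, window: int = 1):
    """Server-side check. Accepts a code for the current time step or up to
    `window` steps on either side (clock skew), but never for a step at or
    below the last accepted one: that is what makes the password one-time.
    Returns (accepted, last_used_counter) so the caller can persist the
    counter for the next attempt."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used_counter:
            continue  # replay, or older than a code already accepted
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return True, candidate
    return False, last_used_counter


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 gives 94287082 with 8 digits.
    print(totp(RFC_SECRET_B32, 59, digits=8))
    accepted, last = verify_totp(RFC_SECRET_B32, "287082", 59, -1)
    replayed, _ = verify_totp(RFC_SECRET_B32, "287082", 61, last)
    print(accepted, replayed)  # True False
```

Note the use of `hmac.compare_digest` for the comparison and the persisted counter: without the latter, a code observed over the user’s shoulder would stay valid for the full 30-second step plus the skew window, which is exactly the property a one-time password is supposed to rule out.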
Simple and fast: Outlook plug-in or desktop client
Experienced IT staff know how important it is to offer employees easy-to-use solutions if you want to get them away from their “beloved” and familiar applications from the shadow IT environment. Secudos offers users not only the “traditional” access via a browser interface, as they know it from many other solutions, but also the possibility to use a desktop client for Windows 11 as well as for Windows 10 and macOS.
There is also a plugin for Microsoft’s Outlook mail client that can be downloaded from the website and distributed to the company’s own users. Of particular interest to the corporate network, this software can also be easily distributed to end users and installed on their systems using Active Directory.
Secudos has already offered an Outlook plug-in with the previous versions of Qiata and currently also provides a new, updated version of this software with version 188.8.131.52. It can be downloaded directly from the provider’s website as an executable exe or MSI file after registration. This worked without any problems on our test systems. Secudos emphasizes that this plugin has been equipped with new login mechanisms and security standards.
According to Secudos, the developers have replaced the entire login mechanism, which is now based on the new OpenID Connect standard. In the new version, the Qiata software also accesses a “one-time password” configuration. Among other things, this means that users who have already connected their account to an authentication app must then automatically log in to the Outlook plugin in this secure manner as well.
Unfortunately, as with the previous version of this plug-in, the software in the current version still cannot cope with the display on the UHD screen of our test system (resolution of 3840 x 2160 pixels). As long as the elements the software displays in the Outlook ribbon keep their current size ratio, older users in particular will have quite a hard time, at the latest when selecting the settings (which also includes entering the password for the Qiata appliance), since the font in this window appears very small on the screen. However, Secudos is currently working on version 4.0, which will offer a completely new user interface. We are already curious.
However, there was nothing to complain about in the functionality of the Outlook plugin during our test phase. Even a total of three updates that Microsoft installed during this period for the Microsoft 365 versions of Outlook that we were using did not cause any problems. The plug-in continued to work without any problems, without us having to reinstall it after the Outlook update – as was repeatedly the case with other Outlook COM add-ins.
The desktop client (SDC – Secure Desktop Client) in the current version 1.6.0 also exclusively uses a connection technology based on OpenID Connect, so the same security standards apply with this application as well. In discussions, the question repeatedly arises as to how sensible it is to offer such a special desktop application at all, when users can access the software via their browser without any problems.
However, if the IT department has a reasonable suspicion that its users are lacking the necessary care in securing their browsers, especially on their notebook systems, one option may be to encourage the use of a secure desktop app instead, or even to make it mandatory for users to use it on these end devices. It is a pity that no corresponding desktop app is available for Linux systems, and apps for Android and iOS are unfortunately not yet available either. Especially on the small smartphone screens (even if they usually exceed 6 inches), working with Qiata in the browser proves to be quite cumbersome. Here, too, the developers want to score with version 4.0.
Conclusion: Digitization and moving data – it works
There is no doubt that it is becoming increasingly clear to those responsible in companies and IT departments that such nice “buzzwords” as digitization are about much more than just the use of PDF files and the use of mail and messenger applications in everyday business. Particularly in view of the GDPR, they need to take a closer look at the “data in motion” – and unfortunately this insight has not yet been accepted everywhere.
In this context, it cannot be a solution to either generally prohibit the sending of documents such as contracts and invoices, as well as other data such as drawings and images, or to restrict it to a few employees. Nor can the use of a wide variety of encryption methods, each of which must be used “manually” and individually by employees, solve the problem. A whole range of different “simple” encryption solutions are available on the market – including free software. Their security and the associated security of the data transferred with them is mostly beyond doubt. However, when it comes to usability and integration into existing programs and workflows, there is hardly anything to be found.
The elegance of using an edge application like Qiata lies not least in the fact that it can be set up and operated in such a way that data is transmitted and stored in encrypted form along all its paths. There is also the undeniable advantage for IT professionals that the appliance can be operated both in the company’s own data center as “real hardware” or as a virtual appliance on its own servers, and in qualified external data centers as a cloud appliance. This allows a company to choose the path that best meets its own security requirements.
With the current release 3.11.0, the specialists at Secudos have also placed an even stronger and clearer focus on security than was already the case with their solution. For example, the introduction of two-factor authentication is already a big step towards greater security. We particularly liked the fact that it has also become possible for administrators and users to additionally secure Qiata accounts with a one-time password (OTP).
In conjunction with the module for Open ID Connect (OIDC), which is now also available, this provides administrators in companies with secure and easy-to-implement options for connecting a Qiata appliance to their Azure Active Directory (AzureAD) or Active Directory Federation Services (ADFS) directory service. In this context, we found it particularly helpful (not only) for this group of users that Secudos now also provides detailed instructions in German for this type of connection to Microsoft services in its redesigned online documentation. All in all, a package that achieves a high level of security for data during transmission and for data in motion generally, but also combines this with good usability and integration into existing IT infrastructures.