Within an organization, Thru Server Endpoints added to a Flow require machine users that have access to Thru SFTP or FTPS endpoints.
These Flow Endpoints are now accessible under the Organization for configuration, including settings for Username and SSH keys or Certificates.
Requiring unique user accounts for source and target SFTP/FTPS endpoints is a security best practice that helps mitigate risks and enhance the overall security posture of file transfer operations.
Isolation and Least Privilege: Requiring unique user accounts for both source and target SFTP/FTPS endpoints follows the principle of least privilege and isolation. Each SFTP/FTPS endpoint, whether it's the source or the target, should have its own dedicated user account with the minimum necessary permissions to perform its specific role. This ensures that if a breach or unauthorized access occurs on one endpoint, the attacker's ability to move laterally within the environment is limited. It prevents a compromised account on one endpoint from directly affecting the other.
For instance, if a single shared user account were used for both the source and the target endpoint, an attacker who gains access to that account (or compromises its password) would have unfettered access to both sides of the file transfer. With separate accounts, the attacker's ability to propagate that access is constrained, reducing the potential impact of a security breach.
Furthermore, this practice also aids in auditing and accountability. With unique user accounts, it becomes easier to track and attribute actions to specific individuals or processes, making it simpler to identify the source of any security incidents or breaches.
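The isolation and auditing points above can be checked mechanically. The following script is an added example, not Thru code or Thru's data model: it audits a constructed set of Flow definitions for a source and target sharing one account, for an account reused across Flows, and for an account holding more than its role needs, then shows how unique accounts make a server log line attributable to exactly one Flow and role. The Flow structure, the permission names, and the log format are assumptions made for the example.

```python
from collections import defaultdict
import re

# Assumption: a source endpoint only needs to list and read files, a target
# only needs to write. These names are illustrative, not Thru's permission model.
ROLE_MIN_PERMS = {"source": {"list", "read"}, "target": {"write"}}

# Constructed sample Flows (not real configuration). Each Flow has a source and
# a target Thru Server Endpoint, each bound to a machine-user account.
FLOWS = [
    {"name": "payroll-export",
     "source": {"user": "svc-payroll-src", "perms": {"list", "read"}},
     "target": {"user": "svc-payroll-dst", "perms": {"write"}}},
    {"name": "vendor-invoices",  # one account on both sides, with broad rights
     "source": {"user": "svc-vendor", "perms": {"list", "read", "write", "delete"}},
     "target": {"user": "svc-vendor", "perms": {"list", "read", "write", "delete"}}},
    {"name": "hr-sync",          # reuses payroll-export's target account
     "source": {"user": "svc-hr-src", "perms": {"list", "read"}},
     "target": {"user": "svc-payroll-dst", "perms": {"write"}}},
]


def audit_flows(flows):
    """Return (flow, finding, user, detail) tuples for every policy violation."""
    findings = []
    flows_by_user = defaultdict(set)
    for flow in flows:
        src, dst = flow["source"], flow["target"]
        # Rule 1: source and target must not share an account.
        if src["user"] == dst["user"]:
            findings.append((flow["name"], "shared-account", src["user"], None))
        for role in ("source", "target"):
            endpoint = flow[role]
            flows_by_user[endpoint["user"]].add(flow["name"])
            # Rule 2: an account holds only what its role needs (least privilege).
            extra = endpoint["perms"] - ROLE_MIN_PERMS[role]
            if extra:
                findings.append((flow["name"], f"excess-perms-{role}",
                                 endpoint["user"], sorted(extra)))
    # Rule 3: one account must not serve endpoints in more than one Flow.
    for user, names in flows_by_user.items():
        if len(names) > 1:
            findings.append(("*", "account-reuse", user, sorted(names)))
    return findings


# Constructed server log lines in an assumed "key=value" format.
LOG_LINES = [
    "2024-05-01T10:02:11Z proto=sftp user=svc-payroll-src action=GET path=/out/pay.csv",
    "2024-05-01T10:02:15Z proto=sftp user=svc-payroll-dst action=PUT path=/in/pay.csv",
]
_USER_RE = re.compile(r"\buser=(\S+)")


def attribute(log_line, flows):
    """Map a log line back to the (flow, role) pairs whose account produced it.
    With unique accounts this is exactly one pair; a reused account is ambiguous."""
    m = _USER_RE.search(log_line)
    if not m:
        return []
    user = m.group(1)
    return sorted((f["name"], role) for f in flows
                  for role in ("source", "target") if f[role]["user"] == user)


if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
    for line in LOG_LINES:
        print(attribute(line, FLOWS))
```

Run as-is, the audit reports the shared account and the excess rights on vendor-invoices and the reuse of svc-payroll-dst between payroll-export and hr-sync, while payroll-export itself is clean. The second log line resolves to two Flows because of that reuse, which is exactly the loss of attribution the text describes; once each endpoint has its own account every line resolves to one Flow and role.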