In early March, Alessandro Porro, our International Sales Director, traveled throughout Asia to visit some of our WhatsUp Gold partners.  The first two stops of this tour were Japan and Korea, where Alessandro met with Vinetech.  Next, he visited our partner ZeroOne Technology in both China and Taiwan.  ZeroOne Technology, recently named “Distributor of the Year” in Taiwan, hosted a reseller event in both China and Taiwan.  Alessandro was able to share the product management strategy, roadmap, and provide details on our exciting upcoming releases with resellers in these regions. Finally, Alessandro wrapped up his travels in Hong Kong with a visit to Asiasoft.  Also while in Hong Kong, Alessandro met with representatives from AsiaVAD (from Singapore) to discuss current business.  We are so fortunate to have dedicated partners who are committed to making our APAC visit successful!

This trip was a great opportunity to visit our partners at their offices.  It is always exciting to visit with partners and hear from their customers; it helps achieve our mutual success. This was a great trip and we look forward to future visits!

Alessandro Porro during his presentation

Those of you who visited the Ipswitch File Transfer tradeshow booth at the recent RSA Security Conference were likely asked to fill out a short survey.  When the show ended, we tabulated the survey results and there are some staggering data points that we want to share:

  • 83% of IT executives surveyed lack visibility into files moving both internally and externally
  • Nearly 90 percent of survey respondents admitted to using thumb drives or other external devices to move work-related files
  • 66 percent of survey respondents admitted to using personal emails to send work-related files
  • More than 25 percent admitted to sending proprietary files to their personal email accounts, with the intent of using that information at their next place of employment

Here’s my colleague Frank Kenny, VP of Global Strategy at Ipswitch File Transfer, sharing his thoughts on the survey results.


The key takeaway here is that IT organizations are at greater risk of sensitive company information ending up in the wrong hands if they don’t know who is accessing company information, how they use and move files, where they send them, and to whom they are sent.  It’s not enough to secure common data access points or provide tools for some employees.  Rather, true visibility into all file and data interactions enables IT organizations to actively manage, secure and enforce policies for company information, both inside and outside of the organization.

Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison today for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.  The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the U.S. for hacking or identity theft.

I had some thoughts around the sentence:

  • It’s an acknowledgment that the government isn’t seeing this as an isolated, individual action; the government recognizes a true crime-organization issue on par with any other type of organized crime, without the guns and violence… yet.
  • Given some of the emerging detail around the Google/China incident and the rise in cyber terrorism, raising the bar with sentences like this may deter some future “hackers”.
  • Many of the cyber gangs don’t do it for the money; that wasn’t the case with Gonzalez. The idea of taking 15 million dollars to buy a yacht is seen as no different than if he had robbed a bank at gunpoint. What hasn’t been solved is how you catch, prosecute and make an example of the cyber gangs that aren’t in it for the money.
  • Gonzalez was given an opportunity to provide valuable information on other people, organizations and methods being used for cybercrime. He chose to be a double agent. This probably did not sit well with the judge.

What’s your take?  Too long a sentence?  Not long enough?  Will this deter future hackers?  I’d love to hear from you.

I participated on a panel discussion at SecureWorld Boston yesterday. The discussion topic was striking a balance between productivity and security and it yielded three thoughts that I would like to discuss in today’s blog.

  1. The notion that our companies are going to employ the same type of security policies that we used over the last 30 years is ludicrous. With the arrival of the digital natives into the workforce, simply assuming that your new knowledge workers can adapt to your existing security policy is a farce. How do you establish security mechanisms for information when the people who use this information and data on a daily basis have a much more radical perception of information security and risk? Most digital natives think nothing of providing personal information via the Internet because there is a firm understanding that the information already exists there. These digital natives have grown accustomed to the idea that you should check your credit report every six months and always look for fraudulent charges when the statement arrives.

Twenty years and counting in business and WhatsUp Gold just keeps getting better!

We’re excited to announce our largest release in the history of Ipswitch WhatsUp Gold today – v14.2.

We couldn’t have done it without our customers – literally. You guys are responsible for the development and inclusion of four new major features:

  • Business hour reporting was the #1 requested feature
  • Blackout summary notifications was the #4 most requested feature
  • Errors and discards monitoring was the #6 most requested feature
  • PDF scheduled/email reports was the #9 most requested feature

We are also releasing two new plug-ins:

WhatsUp Gold WhatsVirtual – Now you can monitor and manage both physical and virtual VMware environments from a single console!

WhatsUp Gold Failover Manager – Keep your peace of mind that your WUG data will be safe with this secondary WUG Server in the case of a primary server failure.

In addition, we’ve made many improvements to three of the four other plug-ins: WhatsUp Gold Flow Monitor, WhatsUp Gold WhatsConnected and WhatsUp Gold WhatsConfigured.

But I’ll let you hear about it from the Guru. Don’t forget to check out our YouTube channel for a complete set of tutorial videos for this release!


As a participating organization in the PCI Security Standards Council, Ipswitch File Transfer has the opportunity to review documents and recommendations before they become public.  That is the case with the “Securing Virtual Payment Systems” document currently under review.

While I cannot provide specific details or quotes from the document at this time, it is common knowledge (after being stated at the 2008 PCI Community Meeting) that the PCI Council has been trying to get its arms around the proliferation of virtual machines and cloud resources in PCI deployments for some time.

The direction the council seems headed in is to treat not only virtual machines (“guests”) but also the hypervisor software that manages all virtual machines as IN SCOPE during PCI audits.   If this comes to pass, it may have the following effects on the credit card processing industry (including many Ipswitch File Transfer customers).

  • Users of Virtualization technology (including EMC VMware and Microsoft Hyper-V) may be encouraged to either segregate their PCI systems from non-PCI systems onto different physical VM platforms or bear an increased control and documentation burden on “mixed” PCI and non-PCI virtualized environments.
  • Users of Virtualization technology will need to control and document their hypervisors as tightly as they control and document their operating systems.

As an accredited security auditor, I wholeheartedly agree with treating hypervisors as in scope and encourage the PCI Council to make this the final recommendation this year.

However, in terms of the direction the PCI Council seems to be taking in the cloud space, I worry that cloud providers will not be given the same latitude that existing third-party hosting providers are currently afforded in the later sections of PCI DSS 1.2.

While I cannot cite specific passages here, I believe that limiting the definition of a “private cloud” to equipment that must be entirely owned and controlled by an organization will unfairly exclude third-party cloud providers that would otherwise be able to demonstrate segregated processing.

But all in all, this document is an important step forward in addressing evolving deployments for the PCI Council, and I encourage all involved to complete the work to make it official.

Several updates for MOVEit folks today.

First, if you haven’t already done so, please sign on to Linkedin and connect with:

Second, I promised to post some of the results of the survey taken by over 100 MOVEit server administrators last month.

  • 99% of you would “recommend MOVEit” and 95% of you continue to use it for new projects.
  • Over 50% of you took time to write in about the excellent support you get from MOVEit Support Manager Kevan Bard and his team.  Thank you for the accolades – we’ll work to ensure great support is available forever.
  • Over 50% of you said that a web interface on MOVEit Central and combined MOVEit DMZ and MOVEit Central reporting should be a “high” development priority.
  • Over 50% of you listed “data loss protection” (DLP) as a “high” development priority.
  • Your most pressing OS concern was “64-bit support”, beating out other selections like “Virtual Appliance” and “Linux” (in that order).

Finally, the second-most popular “content” feature in that survey was “extract, transform and load” (ETL). This is a modern title for file transformation, manipulation, splitting, merging and extraction, plus a management layer to define the transformation maps.  If you want to contact me (via Linkedin or other methods), I would love to hear how you do this today or how you might see this working with our software in the future.

Event logs on Windows servers and workstations can pile up quickly, and really, the task of storing, sorting and reporting on that log data is too important to leave room for human error.

Your senior management depends on you to take the necessary steps to meet and report on regulatory compliance standards like Sarbanes-Oxley, Basel II, HIPAA, GLB, FISMA, PCI DSS, NISPOM and others.

Ipswitch WhatsUp Gold is excited to announce that we have the solution to this ongoing issue. We’ve added the WhatsUp Event Log Management Suite to our extensive IT management solution, so now these tasks can be automated for you!

And you know the best part of this announcement? We’re offering up to 38% off MSRP when you purchase the Suite. For those without a calculator handy, that’s 60% off buying each solution individually!

If you’re still reading . . . STOP and check out the deal for yourself! The offer stands until June 30th.


I’ve been following the data breach that occurred at HSBC Private Bank in Switzerland.  It seems that an employee stole data on 24,000 accounts over three years ago, but the details of the breach weren’t clear to the company until earlier this month, when the Swiss government returned data files to the bank.

That type of lengthy delay is unacceptable.  Forget for a moment the possible impact a data breach can have on an organization’s bottom line.  Instead, think about the individuals who have been violated by either negligence or cybercrime.  They deserve to know, and in a timely fashion.

An organization must have clear visibility into all data interactions, including files, events, people, policies and processes.  Best-in-class managed file transfer solutions include tamper-evident cryptographic audit logs, as well as easy archival and retrieval of all transferred files and personal messages that were sent back and forth.  No security can ever be perfect, but the correct audit capabilities mean that losses can be clearly understood without delay.
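To make the “tamper-evident cryptographic audit log” point concrete, here is an added example (not Ipswitch or MOVEit code) of one common construction: each transfer record is sealed with an HMAC that also covers the previous record’s seal, so editing or deleting an entry breaks the chain at that point. The seal key, the sample events and the off-box “anchor” of the last seal are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Assumption: a server-side secret that seals every record. In a real MFT
# deployment it lives in a key store or HSM, never alongside the log itself.
SEAL_KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32  # seal that the first record chains to

# Constructed sample events of the kind an MFT server would record.
EVENTS = [
    {"ts": "2010-03-10T09:12:05Z", "user": "jdoe", "action": "upload",
     "file": "q1-accounts.csv", "bytes": 48120},
    {"ts": "2010-03-10T09:40:31Z", "user": "asmith", "action": "download",
     "file": "q1-accounts.csv", "bytes": 48120},
    {"ts": "2010-03-10T10:02:17Z", "user": "asmith", "action": "message",
     "to": "partner@example.org", "bytes": 912},
]

def seal(prev_seal: bytes, record: dict) -> bytes:
    """HMAC over the previous seal and this record's canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, prev_seal + payload, hashlib.sha256).digest()

def append(log: list, record: dict) -> None:
    """Append a record plus its seal, chaining it to the previous entry."""
    prev = bytes.fromhex(log[-1]["seal"]) if log else GENESIS
    log.append({**record, "seal": seal(prev, record).hex()})

def build_log(events=EVENTS) -> list:
    log = []
    for ev in events:
        append(log, ev)
    return log

def verify(log: list, anchor: str = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.

    `anchor` is the most recent seal as recorded off-box (e.g. in a daily
    report); without it, silently dropping the newest entries goes unnoticed."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "seal"}
        expected = seal(prev, record)
        if not hmac.compare_digest(expected.hex(), entry["seal"]):
            return i
        prev = expected
    if anchor is not None and not hmac.compare_digest(prev.hex(), anchor):
        return len(log)  # internally consistent, but the tail has been cut off
    return -1

def edited_copy(log: list) -> list:
    """Simulate an after-the-fact edit of entry 1 that leaves its seal alone."""
    copy = [dict(e) for e in log]
    copy[1]["user"] = "nobody"
    return copy

def deleted_copy(log: list, index: int) -> list:
    """Simulate removal of one entry from the log."""
    return [dict(e) for i, e in enumerate(log) if i != index]
```

The anchor check is the part most often forgotten: a chain alone proves nothing about entries removed from its end, so the latest seal has to be copied somewhere the log administrator cannot rewrite.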

One last piece of advice to companies that fall victim to a breach:  Don’t keep it to yourself.  Standard procedure for data breach recovery should be to quickly identify the severity of the breach, and affected individuals have a right to know that sensitive information about them has accidentally been compromised.

I recently received an inquiry from a reporter that read like this:

“Are you comforted, or left cold when you hear a product has FIPS 140-2 validation that guarantees it’s implementing encryption modules correctly? Assuming secure data transmission or storage is important in the use case, is this buzzword bingo or a valuable asset?”

My reply to this inquiry was uncharacteristically short:

“Today, fully validated FIPS 140-2 cryptography modules come free or bundled with your OS, your Java runtime, several application packages and some hardware components.   These implementations are typically available for your own applications through well-documented APIs.

“Not using FIPS 140-2 cryptography in the year 2010 is like opening a savings account at a bank without the FDIC’s $250K-per-account guarantee.  You could do it, and it might work, but why take the risk when a safer option is available for no extra charge?”

And so it shall remain: Ipswitch File Transfer products use FIPS 140-2 cryptography to protect data-in-transit and data-at-rest, and will continue to do so until FIPS 140-3 becomes the new law of the land.

Jonathan Lampe

Jonathan Lampe, VP of product management at Ipswitch, Inc., the leading developer of comprehensive secure and managed file transfer solutions, will be presenting at the (ISC)2 Secure San Antonio Conference.  His session – “When Data Moves, Do You Listen?” – will shed new light on the challenges companies face when enforcing and monitoring consistent file transfer policies.

According to Gartner, 80% of the data individuals move is in the form of a file transfer. Whether sent through an FTP upload, an email attachment or a Web download, organizations need to know exactly what was sent, who sent it and who received it, especially when external parties are involved.

Proving the integrity of the data, the fidelity of the credentials and the consistency of the record is also important. Lampe’s session will offer best practices for ensuring security, visibility and compliance – while arming companies with the knowledge they need to overcome the biggest hurdles.

WHAT: Presentation: “When Data Moves, Do You Listen?”
WHO: Jonathan Lampe, VP of product management
WHEN: Tuesday, March 16, 2010 at 11:15 a.m.
WHERE: (ISC)2 Conference 2010, San Antonio, Texas

“Why are we still FTP’ing files to each other in 2010?”

That is one of the philosophical questions I get to ponder almost once a week as I chat with my colleagues in the industry.  Part of the answer is easy: “Almost everyone has or knows about FTP.”   Based on that answer, a number of secure variants on FTP (SFTP, FTPS, even our own command-line MOVEit Xfer client) have emerged, along with extensions to the core FTP command set itself.

But why bother moving FILES around when we could all be doing little bitty TRANSACTIONS to each other using SOAP or other transactional-friendly schemes?   The answer to that question didn’t come to me until I’d spent several years in the field, traveling between banks, data centers and large corporations in support of distributed, enterprise-class file transfers.

In the 1990s the local branch of your bank worked something like this.  At the end of every business day, after all the customers had left, the tellers would compare the cash in their drawers against what the accumulated transactions of the day on the computer said should be there.  During this reconciliation process, adjustments might be made to the record of the day to explain the discrepancies – essentially adding extra transactions after the bank was closed.  However, these transactions often did NOT occur in real time.   Instead, after all balancing was done and local management was satisfied with the result, a fixed set of files with the branch bank’s “final answer” was sent in to the home office, and everyone went home for the night.

So why did (and do) banks use files for this workflow instead of transactions?  Why did their operations experts only ask branches to send in a single set of files?

  • It hid the complexity of the bank’s central systems from branches.  Branch managers didn’t have to worry about sending this to this system and that to that system, each with its own error codes: they just sent the files and went home.
  • It was less risky for the branch managers and their staff.  Branch managers didn’t have to worry about a misbehaving back-end system keeping their tellers on for an extra hour: they just sent the files and went home.
  • It let central management put faith in the numbers.  When a branch sent in its final report, central management knew that its numbers had undergone local verification, and that its numbers were not going to be superseded by any “last minute” transactions.

Boiled down, the reasons large FILE transfers were used in this interaction (instead of small TRANSACTIONS) were to hide the complexity of systems on both ends, reduce the risk of transmission failure and increase the fidelity of the overall operation.    Whenever you find similar “do good work, certify it and throw it over the wall” workflows in business processes, the opportunity to solve those workflows with secure and reliable file transfer usually exists.

(Will file transfer and transaction-based architectures ever converge?  I think they already have begun to – look for more on that in future posts!)