Steve Staden

Steve Staden, CISSP is responsible for product line management and strategy. His broad skill-set includes general management, integration, PLM, SDLC, Agile/Scrum and computer security. Steve has worked with the MOVEit line of products for over 10 years and is an expert in all things MOVEit. Most recently Steve was the Director of Development and QA for the Ipswitch FT division. He led all development projects, processes and releases. Before that Steve worked as a Development Manager and Security Analyst leading small development teams on MessageWay, MOVEit and WS_FTP Server releases. Before Ipswitch, Steve worked for Standard Networks (acquired by Ipswitch in 2008) in the support and professional services area. He then created and led the QA department for Standard Networks as the QA Manager, improving the automation and testing coverage. Steve has a B.S. degree in Computer Science and Finance from Northern Illinois University and an M.B.A. from the University of Wisconsin.

Moving files from Point A to Point B…if only it were that simple. As the number of files being transferred continues to rise, so do the associated costs. Likewise, as technology evolves, so does the need to ensure security and compliance. So how can your organization determine the best way to transfer files securely? …in compliance with regulations? …and without breaking the bank? All very important questions.

Guide to Managed File Transfer

No surprises here that the answer (to all of them) is a Managed File Transfer solution. As we explain in our Definitive Guide to Managed File Transfer: Attaining Automation, Security, Control & Compliance, it’s no longer enough for organizations to transfer files via email attachments, zip drives or even standard FTP. These methods are clearly not secure enough – and even if they were – they would leave enormous holes in terms of efficiency and visibility.

This is a realization that many organizations have arrived at in recent years, but it’s one that first requires them to ask some critical questions about the state of file transfers. Here are a few, extracted from the aforementioned eGuide:

What’s actually in these files?

Without asking this question, there’s a pretty good chance you’ll put your organization at risk. For instance, just imagine if these files ended up in the wrong hands:

  • Personally Identifiable Information (PII): Name, physical and email addresses, phone number, date of birth, Social Security/national identification number, vehicle registration information, driver’s license number, digital credentials, biometrics
  • Financial Customer Data: Credit card numbers, financial statements, credit applications, claims
  • Business Customer Data: Letters of agreement, statements of work, purchase orders, invoices, corporate financial information, intellectual property, business plans
  • Legal Information: Contracts, discovery, privileged communications
  • Medical: Patient-provider communications, patient records, test results, X-rays, CT Scans, PT Scans, MRIs, prescriptions, insurance claims
  • Government and Regulatory Data: Compliance information/audits, tax filings
  • Personnel Information: Payroll data, workers’ compensation, unemployment tax filings, HR records, 401K data, benefits information, employee applications, offers, agreements

How do files travel today?

As complex as it might seem, all file transfers can be classified into one of four categories:

  1. Process-to-process: Many files are automatically transferred between systems. This is especially true when it comes to an organization’s external partners – clients, vendors, service providers, government organizations.
  2. Process-to-person: These transfers occur when an automated process creates a file or report and transfers it automatically to a person, based either on a schedule or an event.
  3. Person-to-person: Ad hoc or impromptu file transfers from one person to one or more other parties.
  4. Person-to-process: In this scenario, an employee, customer or partner transfers a file that is automatically uploaded into storage or a business system.

Why is this important? Simple. If you’re going to simplify your file transfer processes, you need a solution that can address all of these scenarios, not just one or two.

What’s wrong with the status quo?

At this point, it’s common to wonder why there’s a need to revamp or rethink your approach if all your files are reaching their destination. Several reasons:

  • Manual complexity: When organizations use multiple systems and custom scripts to manage file transfer, they needlessly increase complexity for employees, customers and partners.
  • Control (or lack thereof): For security and compliance reasons, companies now need a greater level of visibility and control over file transfer activity.
  • Shadow IT: Without an enterprise-grade solution, employees will use whatever means necessary to move files. Most of these methods are intended for personal use, not for sensitive data, putting your organization at risk of a data breach or compliance violation.

So can the status quo get the job done? Yes. Does it put your organization at risk, and create needless complexity and additional work? Absolutely.

Next Steps

If you’re currently asking these questions, you’re on the path to adopting a more comprehensive, powerful method of transferring files. But why stop here? Be sure to read our eGuide in its entirety: The Definitive Guide to Managed File Transfer: Attaining Automation, Security, Control & Compliance.

In a previous article, I briefly talked about the Open Web Application Security Project (OWASP) and, based on some recent projects, I wanted to shed some light on this incredible organization. Established in 2001, OWASP’s mission is simply to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. As a result of OWASP providing best practices, guidelines, advice and tools, web applications have become even more secure. Unlike other security organizations, OWASP’s strength lies within its open, global community, independent of commercial pressures, so it can provide the most effective and innovative approaches to security. Organizations and practitioners alike can utilize the resources from OWASP to help reduce the security exposure of their applications with a level of trust that comes from an open community.

My first one-on-one interaction with OWASP was during one of my late Monday night security training courses. The class talked in detail about following the OWASP Top 10 list and using that document as a guide to making sure applications are secure. That served as a catalyst to my understanding and usage of OWASP resources. Without a doubt, the OWASP Top 10 is the most popular project in the community. Notably the PCI Council relies on it for PCI DSS along with other large companies like Microsoft, Oracle and Citrix. In addition, the U.S. Defense Information Systems Agency (DISA) recommends using the Top 10 for the DoD Information Assurance Certification and Accreditation Process (DIACAP).

“So, what is the Top 10 all about?” you might ask. The value of the Top 10 is that it serves as an awareness document that identifies the most critical web application risks for organizations; the 2013 edition marks the 10th anniversary of the Top 10 (the previous edition was 2010). It covers items like SQL injection attacks under the A1-Injection section and points to cheat sheets that engineers can use to prevent each class of flaw. It should be noted that OWASP is not limited to just the Top 10 list: there are many other projects around guides, tools for both learning and work, and code to utilize as well.

Throughout the last decade I have found OWASP to be a valuable resource that I’d recommend to all security practitioners. I’m happy to say Ipswitch is now sponsoring OWASP so that the project can continue to help improve security awareness. At Ipswitch, we believe in the mission and core values and want to see the continued success of the OWASP community along with being engaged with it. I definitely recommend checking out the projects and resources at OWASP if you haven’t already.

I’m interested in hearing about any tips or recommendations based on OWASP that you may have—please share below in the comments section.

In my last post, I covered the first two steps in a proven four-step plan for ensuring a smooth implementation. Here I cover the final two steps of this blueprint for success.

3) Release to Production – This step is usually coupled with step 2 and iterated for each process. As I said, most successful file transfer implementations will break down and group business processes and then slowly build them up into the new system. Like any product, there is a learning curve with managed file transfer, and the more you use it, the easier and faster it is to bring new processes and partners on board. Some tips to ensure success:

  • Keep lines of communication open between the person implementing the solution, network administrators and partners so there is visibility into the new process.
  • Gather as much information up front as possible, like usernames, passwords, host names and host keys. Keep the credentials in a secrets store or password manager rather than in e-mail or spreadsheets, since the gathered list is itself sensitive.
  • Always check with your network administrator to make sure the file transfer system will have access to the endpoints to avoid disruptions in processes that rely on file transfer. Though this type of issue is usually discovered in Step 2, it can crop up again since the production system is usually on a different network than the test network.

4) Debugging and Troubleshooting – Inevitably something will go wrong, whether it’s a failed connection or a file that was not received. This is where it’s helpful to use a file transfer system that logs and audits everything. Being able to trace connections and see login information is incredibly useful, as it allows you to drill down into the root cause of issues. Many times, a file transfer is interrupted by a network hiccup and simply retrying the transfer will resolve the problem. Other times, a system has changed its host key and the new key needs to be accepted or exchanged before the process can resume. Before accepting it, confirm the new fingerprint with the partner out of band, because a changed host key is also exactly what a man-in-the-middle looks like; accept the specific new key rather than turning host-key checking off. And if you still can’t isolate the issue, it’s nice to know there is a friendly support staff ready to assist if needed. I should know – that’s where I started!
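As an added illustration of that host-key check (this is example code, not part of the post and not MOVEit’s implementation), the Python below compares the key a server presents against a known_hosts entry and reports the same three outcomes ssh itself distinguishes, and prints the OpenSSH-style SHA256 fingerprint you would read back to the partner over the phone. The keys and host names are constructed; the known_hosts parser assumes plain, unhashed host names with no `@cert-authority`/`@revoked` markers.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob as it appears (base64) in known_hosts: string "ssh-ed25519" || string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host name -> (key type, key blob). Assumes unhashed host names and no marker column."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            entries[host] = (keytype, base64.b64decode(b64))
    return entries


def check_host_key(known: dict, host: str, keytype: str, presented: bytes) -> str:
    """Mirror ssh's decision: 'match', 'unknown' (first contact) or 'changed' (rotation or MITM)."""
    if host not in known:
        return "unknown"
    known_type, known_blob = known[host]
    if known_type == keytype and hmac.compare_digest(known_blob, presented):
        return "match"
    return "changed"


# Constructed sample keys; real ones come from ssh-keyscan or the partner's published fingerprint.
KEY_ON_FILE = ed25519_blob(bytes(range(32)))
KEY_AFTER_REBUILD = ed25519_blob(bytes(range(1, 33)))
KNOWN_HOSTS = "sftp.partner.example ssh-ed25519 " + base64.b64encode(KEY_ON_FILE).decode() + "\n"


def simulate() -> dict:
    """Run the three cases an administrator sees: unchanged key, rotated key, brand-new host."""
    known = parse_known_hosts(KNOWN_HOSTS)
    return {
        "same_key": check_host_key(known, "sftp.partner.example", "ssh-ed25519", KEY_ON_FILE),
        "rotated_key": check_host_key(known, "sftp.partner.example", "ssh-ed25519", KEY_AFTER_REBUILD),
        "new_host": check_host_key(known, "sftp.other.example", "ssh-ed25519", KEY_ON_FILE),
        "expected_fp": fingerprint(KEY_ON_FILE),
        "presented_fp": fingerprint(KEY_AFTER_REBUILD),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

When the result is "changed", the two fingerprints are what you compare with the partner before editing known_hosts; "unknown" is the first-contact case and deserves the same out-of-band confirmation rather than a blind accept.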

So there you have it – a blueprint for a successful implementation of a file transfer solution. What roadblocks have you run up against in your file transfer deployments? Any additional best practices to share?

To complete a successful file transfer project, you need to put a plan in place.

Cutting over to any new software is daunting, but by following a proven methodology – or blueprint, if you will – you can pave the way for success.

The biggest issue I see come up is wanting to move everything over “as-is” into a new solution in a short amount of time. It’s completely understandable – usually file transfer is just one aspect of a very busy administrator’s day – however, it’s paramount to set the expectation that to be successful, you need to put a plan in place. In this first of a two-part post, I cover the first two steps in a proven four-step plan for ensuring a smooth implementation.

  1. Research and Preparation – Moving one or several processes over to a new system requires some strategy and thought. First, research which processes will be transitioned over to the new file transfer project. Make sure to meet with key stakeholders as you come up with the list. It’s a good idea to focus on some small to medium processes to move over first. At the same time, this is an opportunity for some spring cleaning – to eliminate unused processes, and make other processes more efficient. Because this is a tedious exercise, it should be done well in advance of the actual implementation. The most successful implementations I’ve seen are those done in phases instead of via a large cut-over that is bound to be stressful and problematic. Whether you stage it by business unit or by specific process, breaking down the implementation into smaller chunks will equate to a successful and seamless implementation.
  2. Implementation and Testing – Once the preparation is done, implementing is typically a straightforward process. It’s good to be familiar with the product and also have someone on the project team knowledgeable about current processes. However, when that’s not the case, you need to figure out the relevant processes and translate them into the new product. With custom scripts this can be quite daunting, which is why it’s helpful to use a product that includes integration points and scripts to make things easier. It is crucial to test the system before putting it into production and making changes, to avoid any SLA (Service Level Agreement) violations. Most partners will provide test files to ensure a successful test. Both the partner and the administrator should be aware of tests to make sure no test files are processed that could disrupt a production business process. Normally during a test, files are transferred or received and both parties acknowledge the successful receipt and also what should happen after a successful transmission, for example that a file is archived or deleted.

In my next post, I’ll cover steps three and four of this proven methodology.

When you’re moving files containing sensitive information, you want to make sure it’s encrypted and not available to prying eyes, whether the data is at rest or in motion. A proven way to protect files before, during, and after transfer is via PGP file encryption. In this post, I’ll go through key considerations for PGP, as well as the importance of integrity checking.

First, a brief definition of PGP: it is a program for encryption, decryption and digital signatures that uses a public-key model. Each party generates a key pair and publishes the public half. Anyone holding a recipient’s public key can encrypt a file to that recipient, but only the holder of the matching private key can decrypt it. (Under the hood, OpenPGP encrypts the file itself with a random one-time session key and uses the recipient’s public key only to encrypt that session key.) The sender can also sign the file with their own private key, and the recipient verifies the signature with the sender’s public key. Here is an expanded definition of PGP.

Now on to five areas to consider for PGP:

1) Don’t let PGP bog down processes. Perhaps your company wants to maintain its current processes involving PGP or needs to continue supporting PGP because your business partners use it. No matter how PGP is being used as part of the file-transfer process, it’s important to ensure that the process doesn’t get slowed down because of the signing, encryption, decryption and key exchange steps.

2) Make it easy to use PGP. Many PGP libraries – and the associated encrypting/decrypting process – are command-line driven. As a result, it can be tedious to use them. But some products allow you to manage PGP from a GUI, which is a desirable option for most organizations and users who need to manage the process.

3) Ensure interoperability. In addition, you want to be able to share files easily and securely with any company. That means supporting the encryption method each partner actually uses, not just the one library your own tooling happens to ship with. The OpenPGP standard (RFC 4880) is what makes different PGP implementations interoperable and is the preferred choice these days for PGP, so look for a solution that supports it and test an exchange with each partner’s implementation.

4) PGP is optional. Organizations that adopt managed file transfer often recognize that they can eliminate PGP encryption from the equation because their files are already secured at the transport layer. Keep in mind what that does and does not cover: transport encryption protects the file only while it is in motion, so once it lands on the MFT server or the partner’s system it is plaintext unless something else encrypts it at rest. If the data needs protection after delivery, keep PGP (or another form of at-rest encryption) in place. And in either case, make sure your solution is using the strongest TLS ciphers available during data transport.

5) Rule out file tampering. Part of ensuring files are securely transferred is being able to validate that transferred files have not been altered in any way before, during or after transfer. Integrity checking uses hashing: the sender computes a hash (for example SHA-256) of the file, the receiver computes the same hash over what arrived, and the two are compared. A mismatch tells you the contents changed between the time the file was sent and received, or during its subsequent storage. Bear in mind that a bare hash only catches accidental corruption. An attacker who can alter the file and also replace the hash travelling with it simply recomputes it and passes the check, so the hash itself has to be protected, either by sending it over a separately authenticated channel or by signing it.

PGP gives you that protection when the sender signs the data: the signature is computed over the file’s hash with the sender’s private key, so nobody without that key can produce a valid signature for a modified file, and the receiver verifies it with the sender’s public key. Look for a solution that logs all authentication and integrity-checking details (who sent what, which key signed it, which hash was expected and which was observed) so you have an audit trail.
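To make the difference between the two checks concrete, here is an added Python example (not code from the post, from Ipswitch or from MOVEit) that verifies a constructed sample file first with a bare SHA-256 digest and then with a keyed tag. The HMAC over a shared secret is an assumption standing in for a PGP signature, since a real OpenPGP signature uses the sender’s private key instead; the property demonstrated is the same: without the key, an attacker cannot make a modified file pass.

```python
import hashlib
import hmac
import secrets

# Constructed sample payload standing in for a transferred file, and a tampered copy.
ORIGINAL = b"acct,amount\n1001,250.00\n1002,75.10\n"
TAMPERED = b"acct,amount\n1001,250.00\n1002,9075.10\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_with_digest(received: bytes, digest_hex: str) -> bool:
    """Unkeyed integrity check: catches corruption in transit, but an attacker who can rewrite
    both the file and the digest that travels with it simply recomputes the digest."""
    return hmac.compare_digest(sha256_hex(received), digest_hex)


def sign(data: bytes, key: bytes) -> str:
    """Keyed tag as a stand-in for a PGP detached signature (assumption: a shared secret instead
    of the sender's private key). Only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signed(received: bytes, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking where the comparison first differs through timing.
    return hmac.compare_digest(sign(received, key), tag)


def audit_record(name: str, method: str, expected: str, observed: str, ok: bool) -> dict:
    """The fields worth writing to the transfer log for every integrity check."""
    return {"file": name, "method": method, "expected": expected, "observed": observed, "result": "pass" if ok else "FAIL"}


def simulate() -> dict:
    """Walk through the cases: honest transfer, corruption, active tampering, forgery attempt."""
    key = secrets.token_bytes(32)          # shared between sender and receiver only
    digest = sha256_hex(ORIGINAL)          # what the sender publishes alongside the file
    tag = sign(ORIGINAL, key)              # what the sender would attach as a signature
    attacker_digest = sha256_hex(TAMPERED)  # attacker recomputes the unkeyed digest
    forged_tag = sign(TAMPERED, b"guessed-key")  # attacker has no access to `key`
    return {
        "intact_digest": verify_with_digest(ORIGINAL, digest),
        "corrupted_digest": verify_with_digest(TAMPERED, digest),
        "tampered_recomputed_digest": verify_with_digest(TAMPERED, attacker_digest),
        "intact_signed": verify_signed(ORIGINAL, tag, key),
        "tampered_signed": verify_signed(TAMPERED, tag, key),
        "forged_signed": verify_signed(TAMPERED, forged_tag, key),
        "log": audit_record("payments.csv", "sha256", digest, sha256_hex(TAMPERED),
                            verify_with_digest(TAMPERED, digest)),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The telling case is `tampered_recomputed_digest`: the altered file passes the bare hash check because the attacker shipped a matching hash with it, while every keyed check on a modified or unkeyed input fails.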

Managed File Transfer & PGP
Advanced file transfer solutions take measures to address these concerns. Specifically, Managed File Transfer (MFT) systems can aid with PGP encryption and decryption by offering easy-to-use key management that allows administrators to import, export and create keys from a simple user interface. From there, these solutions should allow administrators to easily create automated processes with just a couple clicks to encrypt or decrypt files on a scheduled or event-driven basis. And they should make it possible to do all this while being fully audited and logged in one system.

Want to learn more about encryption, person-to-person file transfer, compliance, logging, and central management? Download this free eBook.

While best practices can improve an organization’s overall security posture, we’ve built software improvements into MOVEit that further increase security.

Through the years my role at Ipswitch has changed from someone taking front-line calls, going to customer sites and working with the engineering staff to someone who is responsible for the “health” of the MOVEit product. During this time a lot has changed in the market as well. As an example, in the past ten years I have seen securing FTP go from a “nice-to-have” to a “must-have”, including transporting files securely and protecting them at rest. These days organizations are a lot more focused on the services they sign up for and the security risk those services represent. As a result, they ask more detailed questions about managed file transfer security, like “What encryption and hashing algorithms are being used?”, and also ask third parties to audit the services for compliance. In my opinion, now more than ever, administrators need products they can trust with sensitive data.

In my opinion security is to MFT what location is to real estate, which is of course to say paramount. As I sat down to write this post, I tried to imagine transferring files without any security or controls. To me that seems absurd because businesses move files to get work done and people lose jobs when the proper security or control is not in place.

The truth is, software needs to do more to protect all the sensitive information that is exchanged. Just as the security triad of confidentiality, integrity and availability has evolved, so must software, along with the way it is built. That was a hard realization when we started working on the MOVEit 8.0 release. We understood that we needed to adapt to the changing landscape and get ahead of our customers’ audit and compliance issues.

With that in mind, I created the following cheat sheet to help those interested in making MFT software (whether MOVEit or another product) more secure.

Based on my experience, here are eight steps administrators should take:

1. Harden the host machine, or run a trusted tool to harden it.

2. Enable the strongest password policy allowed by the organization and expire passwords on a routine basis. If possible, use secure external authentication such as LDAP over TLS (LDAPS) or Active Directory to centrally manage and control passwords, so that disabling an account in the directory disables it in the file transfer system as well.

3. Set expiration policies and lockout policies on all accounts. Also, enable any IP allow-list, rate-limiting or automatic-ban feature the product offers to shut down scripted password guessing before it reaches the lockout threshold.

4. Constrain external traffic to secure ports (HTTPS on TCP/443, SFTP on TCP/22) and disable non-secure FTP in favor of explicit FTP over SSL/TLS (which negotiates TLS on the TCP/21 control connection) or implicit FTP over SSL/TLS (normally TCP/990). Minimize the attack surface to only the necessary services and use those services in the most secure way.

5. Use FIPS mode, if possible, and/or disable weak SSH key-exchange, cipher and MAC algorithms and weak SSL/TLS protocol versions and cipher suites. This allows administrators to use only the strongest security and keeps a partner’s outdated client from negotiating the connection down.

6. Configure and review built-in security audit reports on a regular basis.

7. Use two-factor authentication where possible for additional security, for example by requiring a client certificate (for HTTPS or FTPS) or an SSH key (for SFTP) in addition to the password.

8. Enable user sessions to expire after a set amount of inactivity. This prevents anyone from gaining access from an open browser that is unattended.
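Steps 4 and 5 are normally applied through the MFT product’s own settings. As an added example of the same policy for a TLS endpoint you control (example code, not MOVEit’s configuration and not Ipswitch code), the Python below builds a hardened server context, a deliberately permissive one for contrast, and an audit function of the kind you would run during the regular review in step 6. The cipher string and the list of “weak” name fragments are choices made for this example, not a setting taken from any product.

```python
import ssl

# Fragments that should never appear in the name of an offered cipher suite.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "PSK", "SRP", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.2+ only, AEAD suites with forward secrecy, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
    )
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression enables CRIME-style leaks
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """The weak configuration, for contrast: old protocol versions and every suite OpenSSL allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report what the context would actually negotiate, not what the admin believes it does."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    weak = [name for name in offered if any(marker in name for marker in WEAK_MARKERS)]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_suites": weak,
        "offered": offered,
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()), ("legacy", legacy_server_context())):
        report = audit(ctx)
        version = "TLS 1.2+" if report["min_version_ok"] else "allows pre-1.2 TLS"
        print(f"{label}: {version}, {len(report['offered'])} suites, weak: {report['weak_suites'] or 'none'}")
```

`audit()` asks the library for the suite list it will really offer, which is the check to keep: a cipher string that looks right but is silently rejected, or a minimum version overridden elsewhere, shows up here rather than in a partner’s failed connection.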

While the best practices above help improve an organization’s overall security posture, we’ve built software improvements into the latest release of MOVEit that augment these operational changes to further increase security. Specifically, MOVEit 8.0 incorporates the following:

1. OWASP Top Ten – For as long as I can remember, we have focused on standards for MOVEit, like the RFC for securing FTP using TLS (RFC 4217). Enter the OWASP Top Ten, a consensus document of the top web application vulnerabilities to eliminate in software. MOVEit now has all the latest protection against these common issues like cross-site scripting (XSS), injection attacks and more, which is also what PCI DSS 2.0 calls for in Requirement 6.5. In a future post, I’ll elaborate on OWASP.

2. Transport Encryption Algorithm Control – Now MOVEit administrators can enable/disable weak transport encryption algorithms for FTP over SSL and SFTP. These options, coupled with the ability to enable FIPS, allow administrators the control they need for secure file transfers both now and in the future. They can also regulate the system to only use the most secure transmission between users and partners.

3. MOVEit Security Tool – We have improved the MOVEit Security Tool “SecAux” which was initially created to help administrators easily harden their machines without having to run through the registry and local security policy. The tool is run during installation (or can be run manually) and makes it easier for overburdened administrators to apply security policies.

4. Improved Security Process and Tools – A year ago we realized we needed to improve the way we think about and securely develop our software. So we set out to utilize the best tools available, formalize processes and engage a third party to validate our work. It is by no means perfection, but I think MOVEit 8.0 reflects the continued commitment to the best-in-class security MOVEit has been known for over a decade.

All of these security improvements and more are included in MOVEit 8.0 to give businesses and administrators the confidence they need in an enterprise-class managed file transfer solution where security is paramount. There is of course more in MOVEit 8.0 and I encourage those interested to review the release notes as I’ve just given an overview of what’s available.

Lastly, I wouldn’t be true to my Midwest roots unless I thanked you for taking the time to read my post. I welcome your comments and plan to write again soon, so please check back.