As mobile computing becomes ubiquitous, employees in all types of industries are enjoying the ability to access, share and update information, and to take part in business processes, even when they are not in the office. But while mobility is a wonderful thing, it is not enough on its own, especially for organizations in highly regulated industries. Such organizations need to make sure information and business processes are handled not just efficiently but securely. That is where managed file transfer (MFT) comes in: it does more than move the files that are integral to daily processes; it keeps those files protected while they move, records who moved what and when, and makes it easier to integrate the transfers into business processes. Here we share a few examples of how mobile compliance works in various industries.

Insurance: Initiating Claim Processes from Accident Sites
Insurance adjusters have had to manage much of their daily workload from the field for years. Mobile devices have undeniably streamlined some of the tasks associated with conducting insurance appraisals remotely, but they do not by themselves secure the sensitive information being transmitted. In the past, adjusters had to either wait until returning to the office to access internal systems securely, use a complex FTP client from a remote desktop, or mail documentation as part of a paper-based process.

With today's MFT solutions, adjusters can securely transfer documents and images from their tablets. That means they can initiate the automated insurance claim review process while still at the accident site, getting their jobs done more quickly and efficiently.

Healthcare: Enabling Collaborative Patient Care
In rural and underdeveloped areas, physicians often treat patients without access to a well-staffed medical facility with the latest medicines and diagnostic tools. Mobile devices such as cell phones make it possible to take and send pictures related to a patient case so doctors can get input from other physicians. But these images, and any associated information, are protected health information (PHI) under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and a cell phone on its own does not keep that information secure.

With MFT, a doctor can take a picture of a patient's infection with her cell phone and send it securely as part of a patient record update process. Because MFT carries the file through the process, the medical records department is alerted that the picture is available, adds text information such as the medical record number, uploads it to the patient record, and sends the picture to the practice management system. The picture is then available to assisting specialists within the practice and immediately gives important context for collaborative treatment that was not previously possible. And because the MFT platform encrypts the picture in transit, limits who can retrieve it and logs each step, the process supports HIPAA and HITECH compliance in a way an unmanaged phone-to-phone transfer cannot.

Finance: Freed to Securely Conduct Business from Anywhere
It's a given that executives and managers in financial services companies need secure access to critical financial and portfolio information. But in the not-so-distant past, they were chained to their desks or forced to put sensitive information at risk by using unsecured systems. Now, with ready access to mobile devices, these employees are free to conduct business whether they are at a client location, on a business trip, or on the way home from work. But protection of sensitive financial information is still a concern.

The right MFT solution allows executives and managers to view sensitive financial documents and reports remotely without storing any unencrypted files on their devices. It can even generate financial reports automatically and transfer them securely to the appropriate executives. And files that are not accessed within a predetermined timeframe, or that have been viewed a preset number of times, are deleted automatically.

Streamline Processes While Ensuring Compliance
With the right MFT solution in place, those in insurance, healthcare, and finance can rest easy knowing they can enforce governance when it comes to the transfer of sensitive information. That’s because a robust MFT solution ensures sensitive information is protected during transfer, that only approved users can access sensitive data, and that the organization can understand at a glance any activity associated with the movement of sensitive files.

In my next post, I’ll show how MFT helps streamline and secure daily processes for those working remotely in non-regulated industries.


The National House-Building Council (NHBC), the UK's leading home warranty and insurance provider, has greatly expanded its use of MOVEit to ensure the organization adheres to file transfer best practices while meeting compliance with internal standards and external regulators, including the Financial Conduct Authority (FCA).

Securing Builders’ Drawings, Architectural Designs, Legal Files and More
Secure, managed file transfer (MFT) is a high priority for NHBC. In the past six months alone, the company has doubled the number of employees using MOVEit, with over 200 active users now securing file transfers. Its business straddles the heavily regulated insurance and building sectors, and daily activities demand a constant flow of confidential, copyrighted and personal documents and communications, all of which must move securely. These include builders' drawings, architectural designs, legal files and more, sent between internal departments and on to external stakeholders such as solicitors, lawyers, builders, architects and homeowners.

No More File Sharing Via USB drives, Email Attachments, or Unsecured Apps
By using Ipswitch File Transfer's MOVEit system as a compliance solution, NHBC now meets its strict ISO 27000-series internal security standards and exceeds external compliance and regulatory requirements such as those set by the FCA and the Data Protection Act (DPA). Previously, NHBC employees had to encrypt and share files via SD cards, USB drives, CD-Rs, email attachments and an assortment of unsecured web-based file sharing apps. But a tremendous shift in attitudes in recent years has led more organizations like NHBC to integrate MFT platforms, making unsecured email attachments and portable media things of the past.

Wayne Watson, information security manager for NHBC, said: “Ipswitch FT’s secure MOVEit solution gives us full visibility and management of file transfers, and enables us to avoid fines of up to £250,000 for non-compliance, as well as maintaining our company’s 75-year trusted reputation.”

Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information.  We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.

2011 was also a record-breaking year for data breaches. Coincidence? Perhaps. But there is no denying that the increased use of non-sanctioned technology in the workplace has opened a security gap in many organizations. It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or, worse, a data breach.

Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing. For example, our Ad hoc Transfer module for MOVEit DMZ enables organizations to enforce consistent policies and processes around person-to-person file transfers: email encryption, attachment offloading, secure messaging, eDiscovery, and more. It not only gives companies governance over those transfers, but also lets end users send information to anyone in a fast, easy, secure, visible, and well-managed way.

We will be talking a lot more about person-to-person file sharing in 2012, so stay tuned.

Let’s start to examine the impact of end-to-end visibility and ways it can be put to work for your organization.  For starters, let’s dig into correlation.

Correlation involves identifying related actions and events as a file moves through a series of business processes (including what happens after a file is moved, renamed, or deleted), and using that information to make business decisions.  Correlation can also associate file transfer metadata with downstream processes such as whether a product was shipped or an invoice was paid after an order was received from a customer.

Ipswitch's Frank Kenney shares some thoughts in the video below on why correlation is an especially important part of visibility and how it enables you to understand not only file transfers, but also the applications, processes, purchase orders and other items in your infrastructure that tie back to customers, SLAs and revenue.

[youtube]http://www.youtube.com/watch?v=ZOSoT95oFUg[/youtube]
Correlation enables users to easily view all the events related to the transfer and consumption of a single file or set of files, including subsequent applications and resulting business processes.  For example, they can track a file through a complete workflow and throughout its entire lifecycle, even if it was shared with a customer or business partner  – critical insight that can impact the quality and timeliness of work, service level agreements, not to mention revenue and profitability.
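To make correlation concrete, here is an added example (not code from the original post or from any Ipswitch product) that joins constructed MFT audit events with constructed downstream ERP events on a shared transfer ID. The event fields, the transfer_id key and the four-hour consumption SLA are assumptions chosen for illustration. It rebuilds each file's lifecycle across systems and flags files that were received but never consumed, which is the "was the order processed after the file arrived" question the text raises.

```python
"""Correlate file-transfer audit events with downstream business events.

Added example (not from the original post or any Ipswitch product): the event
format, field names and the 4-hour SLA are assumptions chosen for illustration.
Correlation key: the transfer_id the MFT server stamps on a file; downstream
systems (ERP, billing) carry it through so the file's lifecycle can be joined.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in the order they were logged (not real data).
EVENTS = [
    {"ts": "2011-11-01T08:00:00", "system": "mft", "event": "received",
     "transfer_id": "T-1001", "file": "orders_acme.xml", "sha256": "a1b2"},
    {"ts": "2011-11-01T08:01:30", "system": "mft", "event": "renamed",
     "transfer_id": "T-1001", "file": "orders_acme_20111101.xml"},
    {"ts": "2011-11-01T08:05:00", "system": "erp", "event": "order_created",
     "transfer_id": "T-1001", "order": "PO-77"},
    {"ts": "2011-11-01T13:00:00", "system": "erp", "event": "shipped",
     "transfer_id": "T-1001", "order": "PO-77"},
    {"ts": "2011-11-01T09:00:00", "system": "mft", "event": "received",
     "transfer_id": "T-1002", "file": "orders_globex.xml", "sha256": "c3d4"},
    {"ts": "2011-11-01T09:00:05", "system": "mft", "event": "deleted",
     "transfer_id": "T-1002", "file": "orders_globex.xml"},
    {"ts": "2011-11-01T10:00:00", "system": "mft", "event": "received",
     "transfer_id": "T-1003", "file": "orders_initech.xml", "sha256": "e5f6"},
]

CONSUME_SLA = timedelta(hours=4)  # assumed: a received order must reach the ERP within 4h


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events):
    """Group events by transfer_id and return each file's lifecycle, sorted by time."""
    lifecycles = defaultdict(list)
    for ev in events:
        lifecycles[ev["transfer_id"]].append(ev)
    for tid in lifecycles:
        lifecycles[tid].sort(key=lambda e: parse_ts(e["ts"]))
    return dict(lifecycles)


def check_sla(lifecycles, now):
    """Return transfer_ids whose file was received but not consumed downstream in time.

    'Consumed' means any non-mft system logged an event for the transfer_id. A
    file deleted on the MFT server before consumption is flagged immediately.
    """
    breaches = {}
    for tid, evs in lifecycles.items():
        received = next((e for e in evs if e["event"] == "received"), None)
        if received is None:
            continue
        if any(e["system"] != "mft" for e in evs):
            continue  # something downstream picked it up
        deadline = parse_ts(received["ts"]) + CONSUME_SLA
        if any(e["event"] == "deleted" for e in evs):
            breaches[tid] = "deleted before downstream consumption"
        elif now > deadline:
            breaches[tid] = "not consumed within SLA"
    return breaches


def timeline(lifecycles, tid):
    """Human-readable lifecycle for one transfer, across every system that touched it."""
    return [f'{e["ts"]} {e["system"]}:{e["event"]}' for e in lifecycles[tid]]


if __name__ == "__main__":
    lc = correlate(EVENTS)
    for tid in sorted(lc):
        print(tid, " -> ".join(timeline(lc, tid)))
    print("SLA breaches:", check_sla(lc, parse_ts("2011-11-01T15:00:00")))
```

Run as-is, it prints the three lifecycles and reports T-1002 (deleted on the server before any downstream system saw it) and T-1003 (still unconsumed after the SLA window). The only thing that makes this possible is the shared transfer_id; without a key that survives renames and system boundaries, each system's own report tells you nothing about the next.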

Information flows into, within and out of organizations faster and in greater volumes than ever before.  Complicating matters is the growing number of vendor systems, applications and platforms that make up your company’s business infrastructure and touch even your most sensitive and mission-critical information.

If you don’t have visibility into the data and files that are flowing between systems, applications and people — both inside and beyond the company firewall — things can go haywire very quickly.

  • Lost files, security breaches and compliance violations
  • Broken SLAs and other processes that are dependent on files
  • No file lifecycle tracking as data flows between applications, systems and people
  • Damaged partner and customer relationships
  • Lost opportunities

Relying on the reporting capabilities of each individual system has proven to be risky and inefficient. Chances are, you're swimming in a sea of not-very-useful-or-actionable data and static reports that are already a week behind what's actually happening in your company this very instant.

In today's blog video, Frank Kenney shares his thoughts on why having one consolidated view is critical and why organizations are having such a hard time achieving visibility.

[youtube]http://www.youtube.com/watch?v=ow3l1AetI_Q[/youtube]

When it comes to your file transfers, many questions exist. Do you have the total visibility your business requires? How do your customers gain visibility into their file transfers? Do you have all the information you need to meet your service level agreements (SLAs) and to be transparent about integration and file transfers? Let Ipswitch help you answer these questions and overcome your visibility challenges.

You’re going to be hearing more and more about “VISIBILITY” from Ipswitch, so I’d like to quickly start this blog post with our definition of visibility in the context of files and data flowing into, within and out of your company:

Visibility:  “Unobstructed vision into all data interactions, including files, events, people, policies and processes”

Fast, easy access to critical file and data transfer information is a must-have – it’s critical to the success of your business.  Whether it’s tracking and reporting on SLAs, analyzing file transfer metrics to identify bottlenecks and improve efficiency, or providing customers and partners with easy self-service access to the file transfer information they require – as well as countless other business objectives – unobstructed visibility is imperative.

Having one consolidated view into all of the systems and processes involved in your organization's file and data transfers will deliver tremendous business value and a competitive edge. Please take a couple of minutes to watch Ipswitch's Frank Kenney share his perspective on why visibility is important.

[youtube]http://www.youtube.com/watch?v=qsxzweLBRGA&feature=channel_video_title[/youtube]

“My company still relies heavily on FTP.  I know we should be using something more secure, but I don’t know where to begin.”

Sound familiar?

The short answer is that you should migrate away from plain FTP because it puts your company's data at risk: FTP sends usernames, passwords and file contents in clear text, so anyone on the network path can read or alter them. Beyond that security weakness, FTP also lacks the management, auditing and policy-enforcement capabilities that modern managed file transfer solutions offer.

No, it won't be as daunting a task as you think. Here are a few steps to help you get started:

  • Identify the various tools that are being used to transfer information in, out, and around your organization.  This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc.  Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.
  • Map out existing processes for file and data interactions.  Include person-to-person, person-to-server, business-to-business and system-to-system scenarios.  Make sure you really understand the business processes that consume and rely on data.
  • Take inventory of the places where files live.  Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc.  After all, it’s harder to protect information that you don’t even know exists.
  • Think about how much your company depends on the secure and reliable transfer of files and data.  What would the effects be of a data breach?  How much does revenue or profitability depend on the underlying business process and the data that feeds them?
  • Determine who has access to sensitive company information.  Then think about who really needs access (and who doesn’t) to the various types of information.  If you’re not already controlling access to company information, it should be part of your near-term plan.   Not everybody in your company should have access to everything.
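The first step, finding the transfer tools you don't know about, is the one most people skip because it sounds like guesswork. It doesn't have to be: perimeter logs already record every outbound connection. The following is an added example (not from the original post or any Ipswitch product) that parses a constructed firewall log and inventories file-transfer channels by destination port. The log format and the port-to-service mapping are assumptions for illustration; adapt the regular expression to whatever your firewall actually emits.

```python
"""Inventory file-transfer channels from firewall logs.

Added example, not from the original post: the log format below is a constructed
one (timestamp, action, proto, src, dst) and the port-to-service mapping is an
assumption. The point is step 1 of the migration: find the transfers you don't
know about, starting with plaintext FTP leaving the network.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic); documentation-range addresses.
LOG = """\
2011-12-05T09:14:02 allow tcp 10.1.4.22:51234 -> 203.0.113.10:21
2011-12-05T09:14:03 allow tcp 10.1.4.22:51235 -> 203.0.113.10:20
2011-12-05T09:20:11 allow tcp 10.1.4.37:49001 -> 198.51.100.7:22
2011-12-05T09:31:45 allow tcp 10.1.9.8:40112 -> 203.0.113.10:21
2011-12-05T09:40:00 allow tcp 10.1.4.22:51290 -> 192.0.2.55:443
2011-12-05T09:41:12 deny  tcp 10.1.9.8:40200 -> 198.51.100.9:990
2011-12-05T10:02:30 allow tcp 10.1.4.37:49077 -> 198.51.100.7:22
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Assumed mapping: which destination ports count as file-transfer channels.
SERVICES = {21: "ftp (plaintext)", 20: "ftp-data (plaintext)",
            22: "sftp/ssh", 990: "ftps (implicit TLS)"}


def parse(log_text):
    """Parse log lines into dicts; lines that don't match the expected format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            rows.append(d)
    return rows


def inventory(rows):
    """Map service -> {client host -> sorted list of servers}, allowed flows only."""
    inv = defaultdict(lambda: defaultdict(set))
    for r in rows:
        svc = SERVICES.get(r["dport"])
        if svc and r["action"] == "allow":
            inv[svc][r["src"]].add(r["dst"])
    return {s: {h: sorted(v) for h, v in hosts.items()} for s, hosts in inv.items()}


def plaintext_ftp_clients(rows):
    """Hosts that opened an allowed plaintext FTP control connection (port 21)."""
    return sorted({r["src"] for r in rows if r["dport"] == 21 and r["action"] == "allow"})


if __name__ == "__main__":
    rows = parse(LOG)
    for svc, hosts in sorted(inventory(rows).items()):
        print(svc)
        for host, servers in sorted(hosts.items()):
            print(f"  {host} -> {', '.join(servers)}")
    print("plaintext FTP clients to migrate:", plaintext_ftp_clients(rows))
```

Port-based classification only catches the obvious cases; consumer file-sharing sites and webmail ride on 443 and need proxy or DNS logs to spot. But a week of this over real firewall data will usually turn up FTP clients, and partner servers, that nobody on the migration project had on their list.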

Modern managed file transfer solutions deliver not only the security your business requires, but also the ability to govern and control your data, as well as visibility and auditing into all of your organization's data interactions, including files, events, people, policies and processes.

So what are you waiting for?

 

As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough:  Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.

Clearly, there’s a need for organizations to better secure confidential and private customer information.  It seems that a week rarely passes without a new high-profile data breach in the news.  In fact, 2011 is trending to be the worst-ever year for data breaches.  And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.

The need to protect customer data is shared by honest people everywhere. The issue is how to effectively govern and enforce the various data protection requirements and laws.

I agree with Senator Blumenthal's concept of establishing "appropriate minimum security plans". But color me skeptical about the government's ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles to effectively govern the dozens of state laws already on the books.

My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation:  “The devil is in the details with these laws.  We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data.  Companies are already victims in these attacks, so why are we penalizing them after a breach?  I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”

In my opinion, business leaders need to prioritize their own internal efforts to protect sensitive information properly rather than wait for the government to catch up. The first order of business is to identify where confidential files and data live in your organization and gain visibility into how they move (after all, how can you protect what you don't know about?). Fortunately, technology solutions exist to help organizations manage and govern critical files and data as they are moved and consumed, both internally and with business partners, across people, systems and business applications.

Citi was recently fined $500,000 by the Financial Industry Regulatory Authority (FINRA) for its failure to pick up on an employee skimming over $750,000 from the accounts of 22 Citi customers over the last eight years.

When I first read the headline, my initial thought was that this was yet another unfortunate example of an organization not having set-up or maintained appropriate access controls (to grant access to only those who really need it) and that lacked visibility into what activities are actually happening.

Turns out, my initial thoughts were wrong.  As part of her job, the employee needed access to the information.  And it also sounds like the fraudulent activity should have been visible to Citi:

“FINRA said its investigators had determined that Citi failed to detect or investigate a series of so-called red flags that should have alerted the bank to Moon’s fraudulent use of customer funds.

The red flags included exception reports that highlighted conflicting information in new account applications, as well as customer account records that reflected suspicious funds transfers between unrelated accounts.”

With the systems and exception reports Citi already had in place, it should have detected the suspicious transfers and disbursements in those accounts.

This is a reminder that simply investing in technology isn't good enough. A successful deployment must include not only training for the IT department on how to install and configure the system properly, but also training for the end users who are responsible for reviewing and acting on what the system reports.

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let's say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to "encrypt transmission of cardholder data across open, public networks," such as the Internet. Let's also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP-based encryption to the file, to always require an FTP over TLS (FTPS) connection to the vendors' FTP servers, and to always require 256-bit AES encryption. You don't have to remember those details beyond the initial configuration, because they are centrally configured. Even if your users need to manually transfer something ad hoc, perhaps an additional emergency order during the Christmas rush, your MFT solution will "know the rules" and act accordingly. Your users' lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it is typically configured in one spot and enforced, not just applied, across your entire MFT infrastructure, regardless of how many physical servers and clients you are running.

What's the difference between enforced and applied? Making a configuration change is applying it. That doesn't, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they are configured separately from the servers they govern, and that they are protected by their own set of permissions that determine who can modify them; they are not wide open to the day-to-day administrators who maintain your servers. In many cases a review/approve workflow must be followed to change a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can't simply reconfigure a server out of compliance, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.
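The enforced-versus-applied distinction is easier to see in code than in prose. Below is an added example (not from the eBook, the original post or any MFT product) that models it: a frozen policy object that server administrators cannot edit, a validation gate every server configuration must pass before it is deployed, and a two-person rule for changing the policy itself. The policy fields (allowed transports, minimum TLS version, mandatory PGP, minimum key size), the role names and the approver list are assumptions chosen for illustration.

```python
"""Policy-based configuration for an MFT deployment: enforce, don't just apply.

Added example, not code from the original post or any MFT product. The policy
fields, the usernames and the two-person approval rule are assumptions chosen to
illustrate the idea: day-to-day server admins can edit server settings, but every
setting is checked against a policy they cannot change, and a policy change needs
a proposer plus a separate, authorized approver.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TransferPolicy:
    """Organisation-wide rules; frozen so nothing mutates it in place."""
    allowed_transports: frozenset = frozenset({"ftps", "sftp"})
    min_tls: tuple = (1, 2)          # assumed: TLS 1.2 or later for FTPS
    require_pgp: bool = True         # encrypt the file itself, not just the channel
    min_key_bits: int = 256          # AES-256 for file encryption
    approvers: frozenset = frozenset({"security-officer", "ciso"})  # assumed accounts


@dataclass
class ServerConfig:
    """What a server administrator is allowed to edit."""
    name: str
    transport: str
    tls_version: tuple
    pgp_encrypt: bool
    key_bits: int


def validate(cfg, policy):
    """Return the list of policy violations for one server config (empty = compliant)."""
    problems = []
    if cfg.transport not in policy.allowed_transports:
        problems.append(f"{cfg.name}: transport {cfg.transport!r} not in "
                        f"{sorted(policy.allowed_transports)}")
    if cfg.transport == "ftps" and cfg.tls_version < policy.min_tls:
        problems.append(f"{cfg.name}: TLS {cfg.tls_version} below minimum {policy.min_tls}")
    if policy.require_pgp and not cfg.pgp_encrypt:
        problems.append(f"{cfg.name}: file-level PGP encryption is required")
    if cfg.key_bits < policy.min_key_bits:
        problems.append(f"{cfg.name}: key size {cfg.key_bits} below minimum {policy.min_key_bits}")
    return problems


def apply_config(cfg, policy, deployed):
    """Enforcement point: a config that violates policy is rejected, never deployed."""
    problems = validate(cfg, policy)
    if problems:
        raise ValueError("; ".join(problems))
    deployed[cfg.name] = cfg
    return cfg


def change_policy(policy, changes, proposer, approver):
    """Two-person rule: proposer and approver must differ, and the approver must be authorized."""
    if proposer == approver:
        raise PermissionError("policy change needs a second person to approve")
    if approver not in policy.approvers:
        raise PermissionError(f"{approver!r} is not allowed to approve policy changes")
    return replace(policy, **changes)  # a new policy object; the old one is untouched


if __name__ == "__main__":
    policy = TransferPolicy()
    deployed = {}
    good = ServerConfig("dmz-1", "ftps", (1, 2), True, 256)
    bad = ServerConfig("dmz-2", "ftps", (1, 0), False, 128)
    apply_config(good, policy, deployed)
    try:
        apply_config(bad, policy, deployed)
    except ValueError as e:
        print("rejected:", e)
    print("deployed:", sorted(deployed))
```

The admin editing "dmz-2" applied a configuration; the gate in apply_config is what makes the policy enforced. In a real product the gate sits in the management server and the policy object lives behind its own access control list, but the shape is the same: two separate permission sets, and no path from the server-admin role to the policy.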

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!

Possibly not. The Internet’s venerable File Transfer Protocol (FTP) is usually supported by Managed File Transfer (MFT) systems, which can typically use FTP as one of the ways in which data is physically moved from place to place. However, MFT essentially wraps a significant management and automation layer around FTP. Consider some of the things an MFT solution might provide above and beyond FTP itself—even if FTP was, in fact, being used for the actual transfer of data:

  • Most MFT solutions offer encrypted variants of FTP (FTPS, which wraps FTP in TLS) and other secure protocols such as SFTP. Remember that FTP by itself offers no transport-level encryption: the username, password and file contents all cross the network in clear text. You could encrypt the file data itself before sending and decrypt it on receipt, but doing so brings logistical complications such as exchanging keys or certificates with every partner.
  • MFT solutions often provide guaranteed delivery, meaning the sender gets confirmation that the file was, in fact, correctly and completely received, usually by checking a digest of the file on both ends and returning a receipt. This can be important in a number of business situations.
  • MFT solutions can provide automation for transfers, automatically transferring files that are placed into a given folder, transferring files at a certain time of day, and so forth.
  • MFT servers can also provide set-up and clean-up automation. For example, successfully transferred files might be securely wiped from the MFT server's storage to help prevent unauthorized disclosure or additional transfers.
  • MFT servers may provide application programming interfaces (APIs) that make file transfer easier to integrate into your internal line-of-business applications.
  • MFT solutions commonly provide detailed audit logs of transfer activity, which can be useful for troubleshooting, security, compliance, and many other business purposes.
  • Enterprise-class MFT solutions may provide options for automated failover and high availability, helping to ensure that your critical file transfers take place even in the event of certain kinds of software or hardware failures.

In short, FTP isn't a bad file transfer protocol, although it offers no encryption. MFT isn't a file transfer protocol at all; it's a set of management services that wrap around file transfer protocols (FTP is one choice, not the only one) to provide better security, manageability, accountability, and automation.

In today’s business, FTP is rarely “enough.” Aside from its general lack of security—which can be partially addressed by using protocols such as SFTP or FTPS instead—FTP simply lacks manageability, integration, and accountability. Many businesses feel that they simply need to “get a file from one place to another,” but in reality they also need to:

  • Make sure the file isn’t disclosed to anyone else
  • Ensure, in a provable way, that the file got to its destination
  • Get the file from, or deliver a file to, other business systems (integration)
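"Provable" delivery is the item most often hand-waved. What it means in practice is that the recipient checks an integrity digest against the one the sender published and then returns a receipt the sender can verify was issued by that recipient for that exact file. The following is an added example (not from the eBook, the original post or any MFT product) simulating both sides in one process; the receipt layout and the pre-shared receipt key are assumptions, and a real deployment would have the partner sign the receipt with its own key (for example a PGP key) rather than share a secret.

```python
"""Provable delivery: integrity digest plus a signed receipt from the recipient.

Added example, not from the original text or any MFT product. The receipt format
and the pre-shared receipt key are assumptions; a real deployment would use the
partner's signing key (e.g. PGP) rather than a shared secret. Both sides are
simulated in one process so it runs offline.
"""
import hashlib
import hmac
import json

RECEIPT_KEY = b"constructed-shared-secret-for-demo"  # assumed pre-shared with the partner


def _canonical(body):
    """Stable byte encoding of the receipt body, so both sides MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sender_prepare(transfer_id, payload):
    """Sender records what it sent: the transfer id and the SHA-256 of the bytes."""
    return {"transfer_id": transfer_id, "sha256": hashlib.sha256(payload).hexdigest()}


def recipient_receive(transfer_id, payload, expected_sha256, key=RECEIPT_KEY):
    """Recipient checks the digest it was told to expect, then issues a signed receipt.

    Returns None if the bytes do not match: no receipt is ever issued for a corrupt file.
    """
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return None
    body = {"transfer_id": transfer_id, "sha256": actual,
            "size": len(payload), "status": "received"}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def sender_verify_receipt(sent, receipt, key=RECEIPT_KEY):
    """Sender checks the receipt is genuine (MAC) and refers to exactly what it sent."""
    if receipt is None:
        return False
    expected = hmac.new(key, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["mac"]):
        return False  # forged or altered receipt
    body = receipt["body"]
    return (body["transfer_id"] == sent["transfer_id"]
            and body["sha256"] == sent["sha256"]
            and body["status"] == "received")


def transfer(transfer_id, payload, tamper=None):
    """Simulate one end-to-end transfer; `tamper` optionally corrupts bytes in flight."""
    sent = sender_prepare(transfer_id, payload)
    on_wire = tamper(payload) if tamper else payload
    receipt = recipient_receive(transfer_id, on_wire, sent["sha256"])
    return sender_verify_receipt(sent, receipt), receipt


if __name__ == "__main__":
    invoice = b"INVOICE,PO-77,ACME,1250.00\n"  # constructed sample file
    ok, rcpt = transfer("T-2001", invoice)
    print("clean transfer proven:", ok)
    ok, rcpt = transfer("T-2002", invoice, tamper=lambda b: b.replace(b"1250", b"9250"))
    print("tampered transfer proven:", ok, "receipt:", rcpt)
```

Two design points matter here. The receipt binds the transfer ID and the digest together under the MAC, so a receipt for one file cannot be replayed to "prove" delivery of another; and the recipient refuses to issue any receipt when the digest fails, so a corrupted transfer leaves no ambiguous paper trail, only an absence that the sender's retry logic can act on.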

In some cases, the business might even need to translate or transform a file before sending it or after receiving it. For example, a file received in XML format may need to be translated to several CSV files before being fed to other business systems or databases—and an MFT solution can provide the functionality needed to make that happen.

Many organizations tend to look at MFT first for its security capabilities, which often revolve around a few basic themes:

  • Protecting data in‐transit (encryption)
  • Ensuring that only authorized individuals can access the MFT system (authorization and authentication)
  • Tracking transfer activity (auditing)
  • Reducing the spread of data (securely wiping temporary files after transfers are complete, and controlling the number of times a file can be transferred)

An FTP server alone offers little more than basic password authentication and a connection log; it cannot provide the rest. Having satisfied their security requirements, organizations then begin to take advantage of the manageability capabilities of MFT systems, including centralized control, tracking, automation, and so forth, again features that an FTP server alone simply can't give you.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones


Definitely not. To begin with, there are many kinds of encryption, some of which can be broken quite easily. One of the earlier common forms (around 1996, when US export rules limited the strength of exported products) used encryption keys only 40 bits long; surprisingly, some technologies and products still support this older, weaker form. A 40-bit key has about a trillion (2^40) possible values, which sounds like a lot but is small enough that relatively little computing power is needed to try them all: a single modern computer can exhaust the key space in hours to days, and a cluster or a GPU can do so in minutes.

So all encryption is definitely not the same. That said, cryptography has become complex and technical enough that it is difficult for business people, and even many IT professionals, to fully understand the differences. There are different algorithms (DES, 3DES, AES, and so forth), different modes of operation, and keys of differing lengths. Rather than try to become a cryptographic expert, your business would do well to look at a higher-level validation standard.

One such standard comes from the US Federal Information Processing Standards. FIPS publications are managed by the National Institute of Standards and Technology (NIST); FIPS 140-2 is the standard that applies to cryptographic modules, the hardware or software components that actually implement encryption, and it is maintained by NIST's Computer Security Division. FIPS 140-2 validation is run jointly by the US and Canadian governments, is required for US federal systems that protect sensitive but unclassified information (which is why nearly every US agency, the National Security Agency included, relies on validated modules), and is referenced by many other governments and industries. Although not mandated for private commercial use, the general feeling in the industry is that "if it's good enough for the paranoid folks at the NSA, it's good enough for us too."

FIPS 140-2 specifies the security requirements a cryptographic module must meet to be validated: it must use approved algorithms and key sizes (listed in the standard's annexes), manage keys properly, run power-up and conditional self-tests, and, at the higher of its four security levels, resist physical tampering. The standard also specifies testing criteria, and FIPS 140-2 validated products are those that have passed the specified tests. Vendors of cryptography products submit their modules to the Cryptographic Module Validation Program (CMVP), which validates that the module meets the standard. The testing is performed by independent laboratories accredited by NIST's NVLAP program, which examine the module's source code, design documents and related materials before subjecting it to a battery of conformance tests; NIST and its Canadian counterpart then issue the validation certificate.

There is another facet, beyond algorithm and key strength, that shows all encryption isn't the same: implementation quality. Encryption is implemented by computer programs written by human beings, who sometimes include an "Easter egg", a back door, or simply a bug in the code. Such additions can weaken the strength of security-related code by making it easier to recover encryption keys, crack the encryption, and so forth. Part of the CMVP process is an examination of the source code for conformance to the standard, which reduces the chance that such problems exist in a validated module. It does not guarantee their absence: validation tests that the module does what the standard requires, not that every line of code is flaw-free, and validated modules do receive security fixes after validation like any other software.

So the practical upshot is this: all encryption is not the same, and rather than become an expert on encryption, you should look for products that have earned FIPS 140-2 validation. Doing so ensures that the cryptography you are getting has been tested against a recognized standard by an independent lab, uses approved algorithms and key sizes, and has had its source examined for the kind of unwanted inclusions described above.

You can go a bit further. FIPS 140-2 validates cryptographic modules, but the algorithms themselves are defined by their own standards, for example FIPS 197 (the Advanced Encryption Standard, AES), FIPS 180 (the SHA family of hash functions) and FIPS 198 (HMAC), and implementations of them are tested separately under NIST's Cryptographic Algorithm Validation Program (CAVP). Note that SHA-1, though still defined in FIPS 180, has been deprecated by NIST for digital signatures, so prefer products that offer SHA-2 (SHA-256 and above). By selecting a product that uses validated implementations of current approved algorithms, you get encryption that has been tested against the standard rather than a vendor's own claims.
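The "not all encryption is the same" point applies just as much to the TLS that protects an FTPS or HTTPS transfer as to the file-level cipher, because a server that still accepts a 40-bit export suite or RC4 undoes everything the file encryption bought you. Here is an added example (not from the eBook, the original post or any Ipswitch product) using Python's standard ssl module: a small classifier that flags weak OpenSSL cipher-suite names of the kind a legacy endpoint might still advertise, and a client context pinned to TLS 1.2 and later with only authenticated, forward-secret AEAD suites. The weak-suite rules and the legacy list are assumptions for illustration, not the FIPS 140-2 approved-algorithm list.

```python
"""Not all encryption is the same: audit and pin a TLS cipher policy.

Added example, not from the original text. It builds an ssl context that only
offers modern AEAD suites with forward secrecy over TLS 1.2+, and a small
classifier that flags weak suites a legacy FTPS or HTTPS endpoint might still
accept (40-bit export, RC4, DES/3DES, NULL, MD5). The classification rules are
an assumption for illustration, not a FIPS 140-2 approved-algorithm list.
"""
import ssl

# Substrings of OpenSSL cipher names that mark a suite as unacceptable, with the reason.
WEAK_MARKERS = {
    "EXP": "export-grade (40/56-bit) key",
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES",
    "NULL": "no encryption",
    "MD5": "MD5-based MAC",
    "anon": "anonymous key exchange (no server authentication)",
}


def classify(cipher_name):
    """Return the reasons a cipher-suite name is weak (empty = acceptable by these rules)."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in cipher_name]


def audit(cipher_names):
    """Map each weak suite name to its reasons; strong suites are omitted."""
    return {name: classify(name) for name in cipher_names if classify(name)}


def hardened_context():
    """Client context that refuses anything below TLS 1.2 and offers only ECDHE/DHE + AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certificates and hostnames by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax for TLS 1.2; TLS 1.3 suites are fixed by OpenSSL and all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def offered_ciphers(ctx):
    """Names of the suites this context would offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed list a legacy server might advertise (not the result of a live scan).
    legacy = ["EXP-RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA",
              "ECDHE-RSA-AES256-GCM-SHA384"]
    for name, reasons in audit(legacy).items():
        print(f"{name}: {'; '.join(reasons)}")
    ctx = hardened_context()
    print("hardened context offers:", offered_ciphers(ctx))
    print("weak suites in hardened context:", audit(offered_ciphers(ctx)))
```

Note that AES128-SHA passes the weak-marker check yet is still not in the hardened list: it uses AES, but with a static RSA key exchange (no forward secrecy) and a CBC mode with a separate MAC. That is exactly the sort of distinction the text says you should not have to reason about yourself; pin the policy once, centrally, and let every client and server inherit it.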

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones
