Ipswitch surveyed IT professionals across the globe and it turns out that data security and compliance are top challenges for IT teams in 2016.

How We Did It

Ipswitch polled 555 IT team members who work in companies across the globe with greater than 500 employees. We surveyed IT pros globally, partnering with Vanson Bourne in Europe, between October-November 2015 to learn about their File Transfer habits and goals.

Demographics

255 in the US and 300 in Europe (100 each UK, France and Germany)

Totals by industry:

  • Banking/finance 15%
  • Government 15%
  • Healthcare 16%
  • Manufacturing 10%
  • Insurance 6%
  • Retail 6%
  • Other (includes Technology, Consulting, Utilities/Energy, Construction, & others) 32%

2016 State of Data Security and Compliance Infographic

And suddenly, drones are everywhere.

As of September 2015, the Federal Aviation Administration (FAA) has issued 1,407 special permits for companies to operate commercial drones, or Unmanned Aerial Vehicles (UAVs) — with about 50 new permits issued every week, pushing the total over 2,000 well before the new year.

What are drones used for? Several things, some more regulated than others.

Unmanned Aerial Realtor

Package delivery may catch the public imagination, and commercial tests have already been carried out. Specifically, Amazon Prime has been running tests for a while now and continues to believe that package delivery via drones is in the cards. But delivery service isn’t even the leading segment of the commercial drone industry. Currently, the biggest stakeholder is none other than real estate. The housing market accounts for some 35 percent of the first 1,000 commercial drone permits. The real estate industry is mostly using drones for marketing materials, such as sky-high views of the terrain around homes that are for sale.

Git Along, Little Dogies…

Agriculture also looms large, with 164 of the first 1,000 permits issued specifically for agricultural applications. It isn’t clear whether any ranchers have yet used UAVs to keep watch on their livestock. As the Shelbyville (KY) Times-Gazette reports, however, they’re watching the skies in the farm belt, a ways away from Silicon Valley.

Eye in the Sky

Drones are also set to feature on the local news, as eyes in the sky for traffic and similar news reports dependent on an aerial camera. Television and film accounted for the first six Section 333 permits issued by the FAA last year, and make up about nine percent of the total. Section 333 states the following:

By law, any aircraft operation in the national airspace requires a certificated and registered aircraft, a licensed pilot, and operational approval. Section 333 of the FAA Modernization and Reform Act of 2012 (FMRA) grants the Secretary of Transportation the authority to determine whether an airworthiness certificate is required for a UAS to operate safely in the National Airspace System (NAS).

Dr. Drone

The commercial drone game is taking off with such astonishing speed, though, that some drones have already earned their degrees in package delivery. Most drone myths dwell on the limitations, but many of those limitations have already been surmounted. Practically speaking, UAVs developed by firms such as Matternet have already been used to deliver medical supplies. Let’s just say Haiti and the Dominican Republic are forever grateful for certain disaster-recovery responses.

Once a Cult Classic

Drones never really figured into the great old “Tomorrowland” of monorails and personal jet packs. As recently as a couple of years ago, commercial drones were not yet on our cultural radar. Military drones made the news, but parcel delivery services via drones were only supposed to happen sometime after Elon Musk got to Mars.

Nonetheless, the basic technology is not new. Affordable private drones have been around for decades, in the form of radio-controlled (RC) model aircraft. Like model railroading, it was a hobby that demanded a little money and a lot of time, remaining a niche interest in a community of first-gen techies.

Where There’s a Drone, There’s a Nay

Outside of the military, few really saw a practical, commercial use for drones, and the FAA regulated them accordingly, permitting drone flights only as a hobby. Hence the so-called Section 333 exemptions now required for commercial drones — 1,000+ applications for which are now backlogged at a government agency accustomed to proceeding with simple by-the-checklist deliberation.

Partly due to this regulatory process, the U.S. commercial drone industry is still the preserve of small firms, which account for 85 percent of Section 333 permits. Potential big players like Amazon are doing most of their experimentation abroad, where regulatory frameworks appear to be more favorable to drones.

A Sky Filled With Pizza? Or Lawsuits?

Ultimately, regulatory compliance looms as the biggest challenge for the commercial use of drones, perhaps more than the technical limitations such as battery life (like your smartphone, drones don’t last long without a recharge — but both stay up long enough to be useful).

Terrorist or criminal threats are an apparent safety and security challenge confronting the widespread use of drones. But this problem is dwarfed by the sheer complexity involved in, say, air-traffic control. How many small-package deliveries take place every day in San Francisco? On top of consumer deliveries ranging from prescription drugs to pizzas are the endless demands of business for office supplies, parts and tools, and a host of other small items.

It adds up to a lot of drones crisscrossing the sky, and keeping them flying safely (handling the inevitable mishaps along the way) could require a demanding compliance environment. What are drones used for? Keeping lawyers in business and regulators in jobs, for one thing.

Remember the corporate accounting scandals that took out Enron, Arthur Andersen and WorldCom? They all ended with prison sentences, layoffs, and billions of investor dollars lost forever.

The Sarbanes-Oxley Act of 2002 (SOX) is meant to prevent scandals like these from happening again. How? By establishing strong and transparent internal control over financial reporting (ICFR). All publicly held American companies and overseas companies that have registered securities with the Securities and Exchange Commission (SEC) must demonstrate SOX compliance. Same goes for any company providing financial services to any of these firms. According to CFO.com more than half of the larger companies registered with the SEC will pay $1 million or more to achieve SOX compliance.

What part of this is relevant to you as an IT pro? In 2007, the SEC issued SOX compliance guidance clarifying the IT team’s responsibilities: to identify the company’s biggest priorities when reporting financial risk, sometimes with help from auditors. Your role, then, is to support the processes that minimize all identified risks. The most pertinent sections of SOX for IT teams are 302, 404, 409 and 802. Here they are — or, rather, here’s what they mean.

Section 302: Keep Execs in the Loop

SOX requires the CEO and CFO to vouch for the accuracy of a company’s financial statements. They need to attest that they’ve evaluated ICFR within 90 days of certifying the financial results.

The IT team’s role is to deliver real-time reporting on their internal controls as they apply to SOX compliance. This requires automating tasks like testing, evidence-gathering and reporting on remediation efforts. Reporting should be delivered in both auditor- and executive-friendly language.

Section 404: Establish Controls to Support Accurate Financial Reporting

According to SOX, all businesses should have internal controls in place for accurate and transparent financial reporting. An outside auditor should review these controls every year, assessing how well businesses document, test and maintain those controls.

The IT team’s role here is to identify key IT systems and processes involved in initiating, authorizing, processing and summarizing financial information. This material usually involves security, application testing, the verification of software integrations, and automated process testing. The goal is to ensure all procedures support the accurate and complete transmission of financial data while keeping asset-bearing accounts secure from unauthorized access.

Section 409: Deliver Timely Disclosure

Certain events — like mergers and acquisitions, bankruptcy, the dissolution of a major supplier or a crippling data breach — can significantly shift a company’s fiscal prospects. SOX compliance mandates the timely disclosure of any information that could affect a company’s financial performance.

The IT team’s role is to support alert mechanisms that could trigger this timely disclosure requirement, as well as mechanisms for quickly informing shareholders and regulators.

Section 802: Ensure Records Retention

Today’s SMBs keep both paper and electronic copies of sensitive records when bookkeeping. Spreadsheets on an end user’s computer, email messages, IMs, recorded calls discussing money, financial transactions — all of these have to be preserved and made available to auditors for at least five years.

The IT team’s role is to preserve these records with automated backup processes and ensure the proper function of document management systems (which may or may not include an archive of email and related unified-communications content). IT pros also have to maintain the availability of these records as they migrate to new technologies, such as from old tape-based systems to cloud backup.

Making Audits Go Smoothly

The Unified Compliance Framework (UCF) aggregates requirements from big regulations like SOX, HIPAA and PCI DSS, along with requirements from federal and state laws. With UCF, the IT team can adopt a set of controls to satisfy multiple regulations.

Network Frontiers, which manages UCF, keeps it up to date, which is a huge timesaver for your team. Ron Markham, co-founder of Intreis and former CIO for IBM’s Software Group-Business Analytics, used UCF to cut IBM’s audit time to two weeks and reduce audit-related costs by 80 percent.

In addition to what Markham calls his “test once, comply many” approach, Markham recommends a unifying platform that automates workflows. The solution should integrate a configuration management database (CMDB) and serve as IT’s system of record.

Documenting processes and packaging them in a way that’s easy to audit, both for management and outside auditors, prevents frantic pre-audit scrambling. It also saves those most precious of resources: time and money.

Even though some IT pros would rather have a root canal than undergo a compliance audit, these regular checks are necessary for midsize businesses to ensure each important standard is upheld. And it isn’t a short list to cover, with the most common suspects including PCI-DSS, HIPAA, FISMA, GLBA, SOX, and ISO 27001, among others.

One of the easiest ways to streamline the compliance audit process is to implement a managed file transfer system that includes specific visibility and control features.

Skeptical? Here are three ways managed file transfer makes getting audited a little easier:

1. Dude, Where’s My File?

The biggest benefit of file transfer visibility is support’s freedom to search for a specific file and see exactly where it originated, where it ended up and how it got there. Whether you’re looking for a single document shared between a handful of employees or an app that was deployed to dozens of workers across the office, increased visibility can help identify all data movement across a network no matter how large or small. This is massive for your department since auditors look to track down potentially troublesome files or test the robustness of certain security parameters.

2. Make Sure You Review Activity Logs

Simply knowing where files are isn’t enough to make a tangible difference during the compliance auditing process. Auditors who are looking to investigate specific usage metrics can benefit greatly from looking at activity logs that include detailed information about time of transfer, recipient information and changes in status. Logs that are this extensive — especially for HIPAA compliance, according to SecurityMetrics — will help keep the IT department from tracking down data points manually, presenting auditors with an easy way to analyze current trends in the IT department (and of course make more precise suggestions for improvement).

3. Reporting in for Duty

If there’s one word that truly instills fear and dread in all of us, it’s “report.” Although there are plenty of applications that can help you find and analyze large amounts of information, the manual information-gathering process for file transfer data can be cumbersome and put serious constraints on an already time- and bandwidth-strapped department. Fortunately, managed file transfer programs with enhanced visibility allow you to compile data transfer reports with custom parameters in just minutes, saving your team up to several hours of painstaking searches and extensive data analysis.

These benefits will help the auditing process, but they also have the added benefit of assisting your team on a day-to-day basis. Being able to track files across a network, get status updates in real time and receive notifications about unusual activity will help your IT team stay on top of even recurring file transfers and keep operations running as smoothly as possible. One of the easiest ways to streamline the compliance audit procedure is to implement managed file transfer, and eliminate — or at the very least, lessen — the dread within the department that often accompanies the process.

IT pros agree new technology presents a mix of new responsibilities, problems and benefits. The technology used to collect, store, share and secure data is no different. Compliance with legislation on data security is a key focus for businesses. They all must exercise due diligence when managing data so it doesn’t result in costly penalties or lawsuits from customers that suffer a breach of confidential information.

What should U.S. companies know about today’s data protection laws? How about those with foreign clients?

Personally identifiable information (or PII) is typically the focus of data protection, regardless of jurisdiction or industry served. Therefore, IT administrators must segregate their data according to best practices, ensuring it is handled in compliance with the privacy regulations governing their region, their clients’ region (if sharing data) and their market. Those that handle credit card processing or store medical records are subject to additional standards, such as the Payment Card Industry Data Security Standard (PCI-DSS) or the Health Insurance Portability and Accountability Act (HIPAA).

A Patchwork Quilt

Unfortunately, there is no single U.S. federal mandate governing the collection and use of personally identifiable information (PII). Instead, there’s a nice, confusing list of federal and state data protection laws on top of individual regulations that may or may not coincide with the aforementioned laws. And it is this ambiguity, along with the actions of Edward Snowden (which illuminated the extent of cyber-surveillance programs practiced by the NSA), that prompted the EU to nullify the Safe Harbor provision for U.S. companies sharing data with Europe. In other words, according to the National Law Review, Safe Harbor compliance is no longer sufficient for American business.

On that note, the primary federal privacy laws include:

  • The Federal Trade Commission Act, which acts against unfair or deceptive practices and applies to online and offline privacy and security methods
  • The Financial Services Modernization Act, referring to financial data collection and management
  • The Health Insurance Portability and Accountability Act, covering identifiable patient data and health records
  • The HIPAA Omnibus Rule, wherein health-care providers must disclose when a data breach occurs

Others include the Fair Credit Reporting Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which are self-explanatory. State laws vary by jurisdiction, though, with California most resembling the European approach to data protection. Privacy and the use of personally identifiable information, as explained by the International Association of Privacy Professionals, is a central focus of its legislation.

Clients Abroad?

By early 2016, the EU’s Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR) — emphasis on “regulation.” In other words, it’s a mandatory requirement and not a recommended “best practice” wherein self-regulation is allowed. Enforcement is expected by late 2017 and will affect U.S. companies that operate in the EU, even if based outside of Europe. Data governance, compliance, privacy, the right to be forgotten and breach notification are all part of this incoming policy, and companies will require a data protection officer (if the company has more than 250 employees).

Of these, the “right to be forgotten” is perhaps most difficult to enforce and will likely change to “right to be erased,” especially in search engine results pages (SERPs). Currently, a search engine will remove the offending results for EU users, at least for those few who have never heard of VPN usage in order to, say, change their reported location to watch Hulu.

Non-compliance will result in fines and sanctions.

Once you assess your compliance requirements, you need to change how you manage your data. Consider the many ways data is shared or collected today; for instance, smartphones, tablets and mobile devices are now commonplace.

Big data, social media, unified communications and public cloud storage all complicate the tracking of increasing data volumes. WebRTC adds to this, offering real-time browser-based communication and file sharing on any website. As if this weren’t bad enough, throw in e-discovery. A client file is shared company-wide and has been stored in the public cloud by a disgruntled employee, shared over VoIP programs and on social media.

Against this backdrop, ask yourself three questions: Can you track the storage and movement of customer PII when your client discovers it online? Is your data currently segregated by region of origin and by the level of confidentiality required for each file or record? How secure is your file-transfer process? You’ll never know if it’s fully compliant until you find out it wasn’t.

SMBs face a variety of IT challenges that their larger, corporate cousins would scoff at. Chief among them is an often less-than-ideal budget that leaves no wiggle room for error. The first method many SMBs use to bypass added IT costs is to simply go without. With compliance, however, this tradeoff becomes exponentially more difficult to make.

A recent article by The Examiner notes that 85 percent of cybercrimes involve small businesses. With that in mind, it becomes painfully evident that modern SMBs have a harder time balancing the strains of a limited budget with the necessity of data compliance. This raises the million-dollar question: How can your IT department successfully meet file transfer compliance standards while traversing the unforgiving budget tightrope?

Putting Your Resources to Good Use

Cost comes disguised as many different things, and your SMB has to find a way to ensure the transfer of digital assets occurs securely, reliably and fully consistent with government and client requirements. The fact that your team may have only a handful of people with which to carry this burden certainly doesn’t help. Fortunately, you can clear these hurdles much more easily with everyone’s favorite IT buzzword: automation.

Before you dismiss this article as another “automation is the answer to everything” plug, think about this: File transfer processes are inherently sequential. You’re simply facilitating the transmission of digital information in (yet again) a secure, reliable and compliant fashion. It makes little sense to waste precious work hours managing such a tedious task with old technology, doesn’t it?

Be sure to steer clear of the “DIY automation,” though. Over-reliance on clunky scripting and patchwork FTP clients could quickly suck away more of your time in maintenance and troubleshooting. It’s a better idea to seek out proven solutions in the managed file transfer arena that can provide reliable failover, data security and process transparency. These automated solutions take the busy work out of managing logs, transfer receipts, backups and user access — all of which are contained in modern compliance.

Managing Integration

If devoting too many resources to repetitive tasks isn’t one of the biggest cost hurdles your department faces, spending those resources on integration of technology certainly is. As the number and complexity of SMB business processes both continue to grow, IT departments — already hamstrung by limited resources — will continue to struggle with the implementation of new technology to facilitate these critical functions.

How can SMB support staff better manage the give-and-take relationship between cost and compliance in these situations? The answer lies in yet another industry buzzword: agility. Achieving an agile infrastructure starts with a proper mindset. Rather than approaching integration from the perspective of configuring technology “A” to reliably work with environment “B,” you should make a more abstract move.

Say you need to facilitate the transfer of high-priority documentation between three remote environments and a central repository. Fearing the cost of new file transfer technology, you choose to repurpose a decommissioned storage server as a quick, homegrown FTP solution to tackle the problem. This may seem efficient at first, but you’ve unknowingly fragmented the critical infrastructure of an equally critical business process.

As the file transfer needs of your applications evolve (along with compliance standards), this non-standardized infrastructure becomes harder and more expensive to integrate. You must continually ask yourself: How will future applications, infrastructure and capacity requirements be met with this static solution? The answer is far more complicated — and costly — than it should be.

In this same scenario, should a more agile component — such as a managed file transfer solution — have been used, future integration costs would be better aligned with an SMB’s capabilities. Agile infrastructure, in this case, is simply a piece of technology with accessible APIs for streamlined integration and hardware abstraction to ensure scalability.

Ultimately, cost vs. compliance doesn’t need to be an issue. You can have both. A large part of the equation is taking a smart approach to agile infrastructure and your use of limited resources. When it comes to file transfer capabilities, deploying an automated and fully managed file transfer solution can be a comprehensive answer to these classic IT challenges.

Steel is a commodity, so Klein Steel knows it needs to be unique to stand out in a crowded market. So it created Klein Steel Service’s Advanced Center of Excellence facility to accomplish just that.

At the facility, Klein Steel makes use of cutting-edge technology to process 12,000 tons of custom metal components. These custom components are distributed to 2,400 customers throughout the country. The company must meet strict compliance mandates set by its suppliers and customers. Due to these high demands and high-tech methods, Klein Steel, in turn, has to proactively manage all of its critical systems to get the job done right.

Yet, while it was able to maintain compliance, it still had too many trouble tickets and too much downtime that halted core operations for hours. Rob Smura, senior systems administrator of Klein Steel, knew a change was needed.

The Hazardous Steel Industry has Serious Regulatory Controls

Klein Steel is NQA1 certified, which means that it is able to service the oil, gas and nuclear industries. The company must strictly adhere to regulatory controls on materials, quality, handling and shipping. Maintaining this certification is vital to the entire business. Any amount of system downtime is unacceptable.

Rob is responsible for “anything that plugs into a wall and moves electrons or protons,” he said. Rob and his team have a direct impact on overall business operations, as well as ensuring that they meet NQA1 insurance audits.

When Rob stepped into his current role, he saw a great opportunity for improvement. After much research, he landed on Ipswitch WhatsUp Gold, a network, server and application performance monitoring tool.

A Unique IT Environment that Demands Constant Uptime

Klein Steel has an IT environment that transcends the usual endpoints and network management needs of many other organizations. In addition to servers and standard devices, Rob must also manage robots, lasers and high-power water jets.

The company makes use of a Kasto inventory storage system robot picker that is integrated into an ERP system. This unique integration allows cells and robots to accomplish multiple tasks at the same time. A failure in the system means that the materials being handled by the robots are completely inaccessible to the rest of the organization. Since the robots are the only way the materials can be handled, a systems failure is completely unacceptable.

Klein Steel also makes use of high-powered plasma lasers and Flowjet cutters to process custom jobs. Each of these systems can be programmed to perform the same task repeatedly. If these systems fail, the task must be handled manually and it quickly becomes labor intensive.

Additionally, system failures mean loss of important data that’s relevant to the business and maintaining compliance. Fortunately, Rob now has all of these devices monitored by WhatsUp Gold. He’s able to see the status of the Kasto robot, plasma lasers and Flowjet cutters – along with the rest of the network.

IT Challenges that Were Impacting the Entire Business

But before Rob made use of WhatsUp Gold, various IT challenges were detrimental to operations. One of the first challenges he noticed when stepping into his current role was the many trouble tickets being submitted by employees. Even if a solution just meant merging tickets, this still required an IT administrator to sort through them all.

Additionally, other challenges were causing organization-wide problems:

  • Vital systems, such as the Kasto inventory management system, were often down for upwards of 6 hours. Such extreme downtimes would result in having trucks lined up waiting for materials until the system was brought back online.
  • Errors in the Kasto system would also cause inventory to not be properly tracked. To correct these errors, employees would have to manually enter missed items – a time-intensive task.
  • Employees who operate work cells would have to call IT at all hours saying they weren’t getting new parts loaded onto the system.

Rob and his team knew that new monitoring software would reduce or entirely eliminate these challenges.

How Network Monitoring Transformed the Organization

Once Rob discovered and installed WhatsUp Gold, he started attacking all of the challenges facing the organization.

Rob used WhatsUp Gold to create a NOC VIEW that is available to every employee in the company. It showcases the complete health of the network in a web browser interface. NOC VIEW is also displayed on large screens outside of the IT area. This empowers employees to check the NOC VIEW before submitting a trouble ticket.

“My predecessor in this job had an average of 40 tickets open at any one time. That was an average ticket load in the queue,” Rob said. Now, “I’m able to be much more effective because the tickets are reduced and the tickets that we do get generated are tickets that need to have some sort of attention.”

WhatsUp Gold was also configured to monitor the Kasto robots and high-powered lasers. Alerts were created so that IT is aware of any issues before they impact business operations – and before users are even aware of them.

Long Term Successes with WhatsUp Gold

Klein Steel has enjoyed a number of long term successes since Rob installed WhatsUp Gold:

  • Systems that were once down for up to 6 hours before IT was even aware of the problem are now monitored every 2 minutes. Minor issues can be corrected before they impact the business. WhatsUp Gold is even set up to execute certain actions based on the issue, such as restarting a server or clearing the cache.
  • IT is now aware of network issues that may impact the Kasto inventory picker system, allowing employees to stop a work cell before it becomes an issue that the operator is aware of.
  • Rob and his team are able to glance at WhatsUp Gold and know that everything in the network is “green,” eliminating stress and simply making life easier.

Rob elaborates on Klein Steel’s unique needs and usage of WhatsUp Gold in his talk at Ipswitch Innovate 2015 User Summit. Watch his full presentation to discover how organizations are using WhatsUp Gold to satisfy their needs.

In a recent webinar, “What’s the Future of Your FTP?”, I looked at the key regulatory compliance features within file transfer solutions. Requirements for protecting data being transferred internally or externally vary, but there are commonalities across industry regulations, national and state laws, and security specs.

I identified the ISO 27001 control groups relevant to file transfer and mapped them to the following regulations: PCI DSS, HIPAA (section 164), SOX, Basel II/III, and FFIEC (Exam Handbook Page). The right file transfer technology can help organizations satisfy requirements across a range of controls including policy, access control, encryption, and business continuity.

Risk Assessment Justifies Expenditures

A risk assessment will help prioritize organizational weaknesses and justify technology expenditures to best meet critical needs. Your risk assessment will likely identify:

  • Types of data that require protection such as personally identifiable information or corporate financial data
  • Common vulnerabilities, like a lack of encryption or a lack of confirmation that a transferred file was received
  • Typical risks associated with file transfers such as transfer failures, data loss, or data breach

Your next step might be to identify the biggest risks for your infrastructure. Then assess and rank identified risks. Finally, define mitigating controls for the highest priority risks.

The Most Useful Managed File Transfer Technology Features

Consider what managed file transfer can do (below) to identify cost-effective mitigation controls for prioritized risks. When evaluating the relative importance of each feature, consider ease of use (for both administrators and end users) and the ability to integrate with other systems.

  • Authorization, authentication and access control: Consider the need for non-repudiation, single sign-on, and integration with existing identity stores such as Active Directory/LDAP, or with federated identity providers via SAML
  • Logging and reporting: Implement a centralized, scalable log repository with automated report generation and distribution, and restrict end-user access to logs and reports so that audit records cannot be altered by the people they describe
  • Encryption: For encryption in transit and at rest, use AES-256, with SHA-512 digests for file integrity. Use TLS rather than SSL: PCI DSS 3.1 no longer accepts SSL or early TLS versions as strong cryptography because of protocol-level weaknesses. (Heartbleed, often cited in this context, was an OpenSSL implementation bug rather than a protocol flaw, and was fixed by patching, not by changing protocols.)
  • File management and disposition: Use automated disposition rules, such as compressing and encrypting a file before a transfer and deleting it a specified time after the transfer completes
  • Data scanning: Integrate with anti-virus (AV) or data loss prevention (DLP) solutions
  • Policy enforcement: Define and enforce password policies, lockout rules, and alerts/notifications
  • Failover and disaster recovery: Use local server failover and automated failover to remote locations to meet availability SLAs (up to zero downtime) and to prevent data loss
  • Client flexibility: Support standard FTP/SFTP clients, email clients, and web browsers
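Three of the controls in the list above, as an added example written for this page rather than code from MOVEit or from the webinar, using only the Python standard library: a TLS client context that refuses SSL/early TLS and requires a validated server certificate (shown next to the weak configuration it replaces), a SHA-512 integrity check of the kind a transfer manifest would record at upload and verify at download, and a disposition rule that selects delivered files for deletion once a retention period has passed while never touching files the recipient has not yet downloaded. The file names, report contents and timestamps are constructed sample data; the function names are this example's own.

```python
"""Added example (not MOVEit code, not from the webinar): three file-transfer
controls with only the Python standard library.

  1. TLS client context that refuses SSL/early TLS and requires a validated
     server certificate, beside the weak configuration it replaces.
  2. SHA-512 integrity: hash at upload, verify at download.
  3. Disposition rule: delete transferred files once retention has elapsed;
     undelivered files are never deleted.

File names, contents and timestamps are constructed sample data.
"""
import datetime as dt
import hashlib
import hmac
import io
import ssl
from typing import BinaryIO, Union

CHUNK = 64 * 1024  # hash in 64 KiB pieces so multi-GB reports never sit in memory


# --- 1. Encryption in transit -------------------------------------------

def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: certificate validation off, any protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2 floor, system trust store, hostname check on.

    The minimum_version setting excludes SSLv3 and TLS 1.0/1.1, which
    PCI DSS 3.1 no longer counts as strong cryptography."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname already set
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_pci(ctx: ssl.SSLContext) -> bool:
    """Assessor-style check: modern protocol floor and a verified peer."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


# --- 2. File integrity ---------------------------------------------------

def sha512_of(data: Union[bytes, BinaryIO]) -> str:
    """Hex SHA-512 of a byte string or an open binary file, read in chunks."""
    fp = io.BytesIO(data) if isinstance(data, bytes) else data
    h = hashlib.sha512()
    for chunk in iter(lambda: fp.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_integrity(received: Union[bytes, BinaryIO], manifest_digest: str) -> bool:
    """Compare the digest recorded at upload time with the downloaded bytes.

    compare_digest runs in constant time; a plain == would leak the position
    of the first differing character to a timing observer."""
    return hmac.compare_digest(sha512_of(received), manifest_digest)


# --- 3. Disposition after transfer ---------------------------------------

RETENTION = dt.timedelta(days=7)  # assumed policy: remove delivered files after a week


def files_to_delete(transfers: dict, now: dt.datetime,
                    retention: dt.timedelta = RETENTION) -> list:
    """Names whose download completed at least `retention` ago.

    A value of None means the recipient has not downloaded the file yet, so
    it is kept regardless of age: deleting it would be data loss, not hygiene."""
    return sorted(name for name, completed_at in transfers.items()
                  if completed_at is not None and now - completed_at >= retention)


# --- constructed sample data --------------------------------------------

SAMPLE_REPORT = b"client,month,volume\nACME,2015-10,1234567\n"  # stand-in for a report file
SAMPLE_DIGEST = sha512_of(SAMPLE_REPORT)  # what the manifest records at upload

NOW = dt.datetime(2015, 11, 20, 12, 0, tzinfo=dt.timezone.utc)
SAMPLE_TRANSFERS = {  # file name -> when the customer's download completed
    "acme-2015-10.pdf": NOW - dt.timedelta(days=10),   # past retention: delete
    "acme-2015-11.pdf": NOW - dt.timedelta(days=2),    # recent: keep
    "globex-2015-10.pdf": NOW - dt.timedelta(days=7),  # exactly at the limit: delete
    "initech-2015-10.pdf": None,                        # never downloaded: keep
}

if __name__ == "__main__":
    print("hardened context passes:", context_meets_pci(hardened_client_context()))
    print("weak context passes:", context_meets_pci(weak_client_context()))
    print("intact report verifies:", verify_integrity(SAMPLE_REPORT, SAMPLE_DIGEST))
    print("tampered report verifies:", verify_integrity(SAMPLE_REPORT + b"x", SAMPLE_DIGEST))
    print("delete now:", files_to_delete(SAMPLE_TRANSFERS, NOW))
```

The retention rule keys on the download completion time rather than the upload time: a report the customer has not yet fetched is exactly the file a disposition job must not remove, which is why the `None` entries are skipped rather than treated as "old".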

Watch the full webinar for more details like:

  • Full list of managed file transfer technology features as options for risk mitigation controls
  • Overview of recent regulatory changes
  • ISO 27001 IT controls mapped to key regulations and specifications


Trading Frustration for Secure File Transfer

360 Treasury Systems AG (360T) provides multi-bank trading services to more than 4,000 customers, and actively manages the transfer of more than a half million documents to its customers.

Before using MOVEit, Ipswitch’s managed file transfer system, 360T was having trouble providing customers with the information they needed in the form of a secure and convenient file transfer system.

360T, which offers trading platform services, was getting a lot of requests for artifacts, or customer reports, that the company generates weekly and monthly. 360T needed ways to not only send these files, but to protect them via a secure process in order to avoid liability. As a service provider, 360T needed a coherent and consistent way to handle its data assets that both its staffers and customers could easily use and a software solution which could integrate with their Java-based trading platform.

Protecting Large Confidential Files

Company leaders were seeing a lot of different requests from customers. Some customers would request reports on an ongoing basis. Some would ask for older reports. 360T thus needed a tool that was always available and behaved consistently.

In addition, the company needed the file transfer system to be secure. Records had to be protected because of the confidentiality of the data. But part of keeping files secure is tracking how they are used, and 360T couldn’t do that.

“You didn’t know what’s happening,” said 360T Java developer Stefan Drzazga. As a member of a team working on infrastructure and development, Stefan realized that the status quo did not provide enough support for the company to have confidence in delivering reports to customers. “This was something we faced for a long time – it was a lack of transparency,” he said. “We wanted to have a secure and transparent file transfer and distribution process.”

360T wanted to know whether reports were received, whether a customer looked at them or deleted them and where they were in the pipeline. Stefan says previous tools for report sending were “error-prone” and the wrong customer could get the wrong report. There was no way to automatically retract files to correct the problem. Also, many customers had issues with large file sizes. Reports could range up to three-to-four gigabytes, and lots of customers only had a two-gigabyte limit. The problem was compounded because customers lacked reporting on their ends and relied heavily on data from 360T.

A Formidable FTP Replacement

360T finally had enough and deployed Ipswitch MOVEit, immediately benefitting from the solution’s Java API. Through 360T’s server infrastructure, client reports are now generated automatically and run through QA. Then they are made available through a web portal, which Stefan says is advantageous because 360T’s customers can now access documents much more easily. Stefan and his team can also set various security controls. 360T doesn’t let customers manage their own accounts: internal administrators set the configuration for passwords and account handling so that credentials stay in-house, and resetting passwords centrally keeps credentials from “leaving” the system, for example when a customer contact moves to a different job. MOVEit also lets administrators set user permissions that control precisely what a given user may see.

360T can send customers a package of e-mails and PDF reports, and the attachment stays secure, something Stefan calls “ad hoc functionality.” And MOVEit helps the company avoid silos and promotes better transparency of data within the system.

MOVEit’s Built-in Encryption Protects Data

Stefan appreciates how MOVEit has transformed how 360T sends and manages files. The company can now quickly respond to customer report requests and control its administrative settings, lessening the burden on client service teams.

“We are saving lots of time,” Stefan says, “which [has benefited] our client service teams. In the past, a lot of things were pretty tedious – we dramatically reduced overhead for maintenance.”

Also, 360T now has far more transparency over access to confidential data. The Java API reports whether files were viewed or downloaded. End-to-end encryption protects data in transit between 360T and its customers. All of this, Stefan says, adds up to a better combination of security and error-free processes.

Interested in seeing more sessions from Ipswitch Innovate 2015? You can still access all materials on-demand.


When it comes to designing a secure and compliant system for file transfers and data handling, system administrators face multiple competing standards and large regulatory burdens. These challenges require companies to put a lot of effort into defining how their data flows work. It’s not just a question of sending processes through servers. The modern enterprise requires a high degree of risk management, architectural detail and proactive security.

First Steps for Developing Compliant Security Systems

At the recent Ipswitch Innovate 2015 User Summit cybersecurity expert David Lacey discussed some of the essential steps to coming up with the right systems for adequate security and full compliance with industry regulations. Some of the first steps involve looking at the business drivers that necessitate particular use cases. The first business driver is compliance, which David described as “backward-looking”. Another is risk, which can be harder to support:

“You can actually find that there’s not enough funding available for mitigating actions,” David said.

Then there’s business opportunity. It may also be harder to fund projects based upon it. Unlike compliance projects, these projects may require the initiators to build a case for their value, he said.

Choosing a Set of Standards for System Design

Companies also face the delicate task of picking a set of standards and applying them to a secure and compliant system design.

In his keynote, David noted the difference between standards such as PCI-DSS (Payment Card Industry Data Security Standard), ITIL (Information Technology Infrastructure Library) and NIST (National Institute of Standards and Technology) in detailing how today’s lead system admins have to work through complexity.

Take PCI DSS, which applies to the financial and retail sectors: each standard is composed of many moving parts, with changing requirements that make it hard to get a handle on full compliance. One recent example is the change to the PCI standard that now requires the TLS protocol in place of the older SSL protocol versions. The authors of the PCI standard originally intended a “level playing field” with fewer proprietary requirements, but that landscape is changing over time. As auditors become more stringent, there has been a corresponding rise in restrictive requirements.

“It can be very expensive to change all of the protocols in your organization,” David said. “You need to close the networks right down and restrict and control all of your data flows very formally.”

Another major contrast is between ITIL, which David characterized as big and expensive, and the NIST standards from the U.S. government, which are available for free. David favors NIST, describing some of its content as useful “how-to stuff” and pointing out that, unlike the British system, the standards are more accessible.

Companies can use open-source alternatives to ITIL, but that still requires a pretty large burden for figuring out how to use these tools and how to implement them in a business.

Another standard is COBIT – something David says is so complex that even auditors struggle to understand it. Speaking of the “numerous dimensions and permutations” built into the auditor-designed standards set, David described COBIT as time-consuming, but possibly valuable in its complexity.

“Even COBIT experts will struggle to apply this in its full form,” he said.

Then there’s the ISO set of policy standards, in particular ISO-27001 and ISO-27002, built on 133 controls, 11 domains and 39 control objectives. David described these as highly complicated sets of standards composed of different “vintages” that make it extremely hard to address ISO in a comprehensive way.

“The standards are of variable quality and consistency,” David added.

In addition, David described some of the growth and expansion of modern compliance standards. Some, like Sarbanes-Oxley and privacy legislation, apply to almost any type of industry or business. Others are specific to their fields: the financial industry faces compliance with Basel initiatives, while retailers need to adapt to PCI DSS standards, and healthcare companies need to be careful of HIPAA regulations. In addition, David said, there’s also local legislation that can also apply to projects.

Tips for Compliant and Secure Data Transfer

So how do companies build coherent and comprehensive systems?

David states it’s essential to pick a standard. Trying to pick and choose pieces of different standards can get businesses in trouble. At the same time, trying to build one’s own standards inventory is similarly dangerous.

Instead, David recommended starting with existing standards and creating your own risk assessment model. That will be the starting point for a business architecture that addresses all of the needs of that particular company. He also suggested using technology to reduce delays and keep overhead low.

Another good strategy is to select products with compliance features built in out of the box. This lets companies change with the times, and it greatly reduces the complexity of procurement and implementation. It’s a shortcut to determining how a business system will really protect data, and protect the company from the liabilities of data breaches. With end-to-end encryption and cloud security best practices in place, companies can be confident that they are on solid ground.


The State Employee Credit Union (SECU) of North Carolina has a mission to provide the best possible online financial services to its 2 million members.  As a result, the IT team at SECU has created an IT environment that focuses on speed, reliability and security.

Yet the IT team had serious problems transferring data between different systems and locations. They relied on scripts patched together with custom software, and the results were predictably lacking. Robert Skinner, the team lead of distributed systems at SECU, knew a change had to come.

Robert eventually discovered Ipswitch’s MOVEit platform and used it to modernize how SECU updates and moves data across multiple systems and locations.

A Productive and Secure IT Infrastructure

Robert knew that improving how SECU transferred critical data would allow employees to respond quickly to SECU’s members. His department works with other teams that have to move files internally and externally. A productivity increase in distributed systems means an increase throughout the entire infrastructure.

Slow Data Transfer Detrimental to Sales

Robert examined the workflows of other departments, particularly when and how they need to transfer data. One workflow that he knew could improve was home loan closing, where delays in data exchange can affect sales. He set out to reduce the cost and total time it took for mortgage closing and refinancing.

Still, before Robert was capable of improving the home loan closing process directly, it was vital to understand the challenges and limitations of the current system.

Faced with Challenges and Limitations

SECU faced unique challenges when it came to securely and reliably transferring data between systems and locations:

  • The existing method made use of custom scripts and FTP servers, creating an unreliable way to transfer important data to FTP clients
  • SECU must meet compliance standards that require that data is protected and moved securely, along with upholding SECU’s own risk management and IT security policies
  • Disaster recovery had to be a priority

“The level of compliance that we live up to requires that all data be protected, be securely moved, as well as have an audit trail of when things are moved and who touches different pieces of what information,” Robert said.

Knowing the importance of meeting compliance standards and how speed and reliability could improve workflow, Robert set out to find a tool to get the job done.

File Management That Emphasizes Cyber Security

Once Robert discovered Ipswitch’s MOVEit File Transfer Server and MOVEit Central – a file management software suite that emphasizes security and ease of use – he knew his search was over. MOVEit now allows Robert and his team to streamline the process of moving data across locations and systems. The suite had other benefits:

  • MOVEit File Transfer (formerly MOVEit DMZ) is an externally facing environment for securely transferring documents and files. Because its interface resembles modern consumer cloud products, SECU needed little training to put it to use
  • MOVEit Central moves files between MOVEit File Transfer and SECU’s secure internal network, creating a useful audit trail and ongoing security
  • SECU’s business processes now have faster response times and shorter processing times, which improves services and reduces overhead costs
  • MOVEit Central satisfies the need for a disaster recovery environment
  • SECU now uses workflow automation that centralizes control over which accounts move files and which servers they move between

ROI from a Streamlined FT Program

Robert used MOVEit File Transfer to dramatically improve home loan closing, a process that involves external lawyers. Instead of having to physically send and receive documents, which often pushed critical deadlines, the lawyers can now download and upload documents and easily make deadlines.

The lawyers and SECU employees receive alerts when documents are ready, substantially reducing the processing time for home loan closing.

“We’re able to complete transactions, not have people sit around waiting for something. They know, they got an email, the file is here, now they can go ahead and process this,” Skinner reports.

SECU is now capable of saving members $100,000 per month by using MOVEit File Transfer and MOVEit Central. How are they saving so much? Robert dives into deeper detail in his presentation at Ipswitch Innovation Summit 2015.


One night you find yourself watching the news and – surprise! – Another company has reported a data breach. The next day at Starbucks the cashier swipes your card, but the card doesn’t work. Now you have to take a detour to the bank. At the bank you find out that your card has been deactivated because the card number had been compromised in the data breach you just heard about the night prior. They apologize for the inconvenience and say that you’ll get a new card in the mail within 7 business days. They give you a temporary card in the meantime.

This is the average scenario of what a consumer goes through when affected by a data breach. The worst part is the annoying stares you get at places like Starbucks and the time wasted at the bank, so it’s really just an inconvenience. First world problems, nothing more.

But there is an extreme version of this that goes beyond replacing credit cards. This is the scenario where your entire personal and private information is sold on the online black market and your identity is effectively stolen from you. Even worse, the buyers know everything about you: where you live, when you got that scar on your head, that embarrassing surgery you had when you were 12, and your social security number.

Cyber Crime and Your Healthcare Data

Medical data is more valuable to cyber criminals than credit card numbers because medical records contain far more information. There is enough information in a medical record to gain access to almost any account a cybercriminal sees fit. A medical record typically holds your date of birth, social security number, address, birthplace, and even some of your parents’ information. That information can be used to access bank accounts, open new accounts, and even file insurance claims on your behalf, and it can answer the security questions used to reset passwords on your most important accounts.

But that isn’t even the main reason your medical data is so lucrative to cyber criminals. The most important reason criminals go after healthcare records instead of credit card numbers is that healthcare organizations are easier to break into, so criminals spend less time obtaining the information.

HIPAA and Healthcare Data Security

A recent report by BSIMM shows that the healthcare industry isn’t protecting data as well as it should be. Unfortunately, it’s not surprising. The healthcare industry is behind most other industries when it comes to data security. The Anthem breach earlier this year should have been a big indicator that our information isn’t being safeguarded as much as we like to believe.

Healthcare IT departments have been slower than those in other industries to adapt, but the blame cannot be placed solely on IT. In many cases the issues lie in weak IT budgets and a general lack of awareness among healthcare staff. What’s worse is that, due to the lack of security measures in place, it is hard to detect data breaches if and when they do happen. In addition, once a breach is detected, HIPAA gives the business up to 60 days to notify those affected:

A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. –HIPAA, Breach Notification Rule

Another reason that healthcare IT teams may be slow to adapt is that they may be taking a “good enough” approach. If covered entities are protecting themselves in accordance to the HIPAA regulatory guidelines then IT has done its job. Simply, HIPAA does not go far enough to hold the healthcare industry liable when data breaches are detected. Healthcare organizations get away with not implementing the proper security measures, and the patients are the ones to lose.

Healthcare IT Policies To Minimize Risk

Since budgets fall short and businesses have no incentive to go beyond the data security measures required by HIPAA, IT can at least protect itself in creative ways. It is reasonable to assume that most users in the healthcare industry are not diligent about data security. All it takes to compromise an IT infrastructure is a simple phishing attack or a compromised personal device connected to the same network as millions of health records. Educating employees on the most common forms of cyberattack will go a long way toward ensuring that a data breach does not happen.

Creating stricter policies around personal device usage on healthcare networks may also be a strong step in the right direction; however, being stricter means spending more time policing the policies that have been put in place. Expecting employees to follow these rules will, more likely than not, come down to trusting employees to comply.

Of course there are several ways IT can be creative in keeping employees informed of the threats and asking them to be diligent, but at the end of the day healthcare IT departments need more cash to implement more secure infrastructure.  And unless HIPAA is changed to push for these stronger security measures, healthcare companies are not going to give IT the budget they need to keep their data safe.