The primary purpose of pursuing an Internet of Things (IoT) strategy is to gain greater insight into how your products and services are being utilized. Capturing IoT data allows you to better serve your customers, discover new business opportunities and gain a greater competitive advantage.

Monitoring and Securing IoT Data

IoT is all about capturing data from a broader set of endpoints and making that data available to a wider set of internal and external stakeholders. Due to the sensitivity of this data, it must be moved in a secure and reliable fashion. At the same time, the volume and velocity of the data require that the data traffic be monitored.

Ultimately, IoT data will be of value to every part of your business in the following ways:

  • The product team will use the data to refine existing products
  • The research and development team will use the data to identify new product opportunities
  • The support team will use the data to identify potential reliability issues and discover new strategies to respond more quickly to service problems
  • Sales and marketing will use the data for upsell and cross-sell efforts

In addition, the data could also be helpful to a company’s third-party sales and service partners, as well as its suppliers.

File Transfer Security and Reliability

This data is highly sensitive and could impact the privacy of the user, so it has to be managed securely. Therefore, IT teams must develop file transfer procedures that can support the transfer of IoT data to internal and external constituents.

These procedures need to include mechanisms to ensure continuous visibility into how the data is moving over the wire to IoT products and services. This means IT must also adopt the right network, applications and server monitoring tools to securely transfer data in an automated and reliable manner.

Unfortunately, approximately a third (32 percent) of IT professionals who participated in Ipswitch’s recent survey regarding file transfer security admitted they do not have a file transfer policy in place. A quarter (25 percent) of the survey respondents said their organizations have file transfer technology policies in place but their enforcement is inconsistent.

As the types of data and the volume of data generated from IoT deployments grow, the stakes for implementing strong file transfer policies supported by a solid set of easy-to-use monitoring technologies will also escalate.

THINKstrategies believes CIOs and their IT organizations should carefully evaluate their current file transfer policies and tools to be sure they’re properly designed and configured to meet the more complicated requirements of the IoT world.

Kaplan is Managing Director of THINKstrategies (www.thinkstrategies.com), an independent consulting firm focused on the business implications of the Cloud. He is also the founder of the Cloud Computing Showplace (www.cloudshowplace.com), and the host of the Cloud Innovators Summit series (www.cloudsummits.com). He can be reached at jkaplan@thinkstrategies.com.

Ipswitch surveyed IT professionals across the globe and it turns out that data security and compliance are top challenges for IT teams in 2016.

How We Did It

Ipswitch polled 555 IT team members who work in companies across the globe with more than 500 employees. We surveyed IT pros globally, partnering with Vanson Bourne in Europe, between October and November 2015 to learn about their file transfer habits and goals.

Demographics

255 in the US and 300 in Europe (100 each in the UK, France and Germany)

Totals by industry:

  • Banking/finance 15%
  • Government 15%
  • Healthcare 16%
  • Manufacturing 10%
  • Insurance 6%
  • Retail 6%
  • Other (includes Technology, Consulting, Utilities/Energy, Construction, & others) 32%

2016 State of Data Security and Compliance Infographic



This Thursday, January 28th is Data Privacy Day (aka Data Protection Day in Europe).  The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. To honor Data Privacy Day, here are some ways you can protect personal healthcare information (PHI) in-motion, an area of focus for healthcare IT teams handling PHI.

Personal Healthcare Info is a Hacker’s Dream

PHI is considered to be the most sought-after data by cyber criminals in 2016. Hackers are moving away from other forms of cyber crime, such as attacks on bank accounts. Instead they are focusing more on PHI due to the amount of data contained within it. Valuable data within PHI includes social security numbers, insurance policy info, credit card info, and more.

The lack of a consistent approach to data security throughout the healthcare industry also makes healthcare data easier to obtain. The easier it is to steal, the more lucrative the data becomes to hackers. The healthcare industry has had less time than others to adapt to growing security vulnerabilities, and online criminals don’t take long to take notice.

GDPR and the End of Safe Harbor

It’s not news that governments around the globe are doing their part to promote data privacy. They are doing this by legislating the protection of personal data and reinforcing it with significant penalties for non-compliance. Check out the recent agreement on the European Data Protection Regulation as the most recent example.

What is changing, however, is the rapid growth in data integration across the open Internet between hospitals, service providers like payment processors, insurance companies, government agencies, cloud applications and health information exchanges.  The borderless enterprise is a fact of life.

Using Encryption to Meet Data Privacy Regulations

It’s well known that a security strategy focused on perimeter defense is not good enough. For one, healthcare data must move outside its trusted network. Encryption is the best means to limit access to protected data, since only those with the encryption key can read it. But there are other factors to look at when considering technology to protect data in motion, particularly when compliance with HIPAA or other governmental data privacy regulations is an issue.

Briefly, when evaluating ciphers for file encryption, such as the AES cipher described in FIPS 197, it’s important to consider key size (128, 192 or 256 bits), which affects security. It’s also worth considering products with FIPS 140-2 certified ciphers accredited for use by the US government as an added measure of confidence.

Here are several other things to consider to protect data in motion and ensure compliance:

  • End-to-end encryption: Encrypting files both in transit and at rest protects data on trusted servers from access by malware or malicious agents who already have legitimate access to the trusted network
  • Visibility for audit: Reports and dashboards to provide centralized access to all transfer activity across the organization can reduce audit time and improve compliance
  • Integration with organizational user directories: LDAP or SAML 2 integration to user directories or identity provider solutions not only improves access control and reduces administrative tasks, but can also provide single sign-on capability and multi-factor authentication
  • Integration with other IT controls: While data integration extends beyond perimeter defense systems, consider integrating with data scanning systems. Antivirus protects your network from malware in incoming files, and Data Loss Prevention (DLP) stops protected data from leaving.
  • End-point access to data integration services: There are more constituents than ever that participate in data exchange. Each has unique needs and likely requires one or more of the following services:
    • Secure file transfer from any device or platform
    • Access status of data movement to manage Service Level Agreements (SLAs)
    • Schedule or monitor pre-defined automated transfer activities
  • Access control: With the growing number of participants, including those outside the company, it’s more important than ever to carefully manage access with role-based security, ensuring that each participant has appropriate access to the required data and services.
  • File transfer automation: Automation can eliminate misdirected transfers by employees and external access to the trusted network. Using a file transfer automation tool can also significantly reduce IT administration time and the backlog of business integration process enhancement requests.
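The key-size discussion above (FIPS 197) and the end-to-end encryption bullet both describe encrypting stored files under AES; the following Go program is an added example, not code from the original post or from any Ipswitch product, of what that looks like in practice. It seals a constructed sample record under AES-128, AES-192 and AES-256 keys using AES-GCM from Go's standard library, which also authenticates the ciphertext so that a modified file fails to decrypt, and it shows that the library refuses a key of any other length. The variant labels, function names and the record contents are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AES key lengths in bytes for the three variants defined in FIPS 197.
// The variant names are labels chosen for this example.
var keySizes = map[string]int{"AES-128": 16, "AES-192": 24, "AES-256": 32}

// NewKey draws a random key of the length required by the named variant.
func NewKey(variant string) ([]byte, error) {
	n, ok := keySizes[variant]
	if !ok {
		return nil, fmt.Errorf("unknown AES variant %q", variant)
	}
	key := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-GCM. A fresh random nonce is generated per
// call and prepended to the output; the authentication tag that Seal appends
// lets Decrypt detect any modification of the stored file.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // fails for any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and returns an error if the tag does not verify.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, sealed := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	// Constructed sample record standing in for a PHI export; not real data.
	record := []byte("patient_id=000123;dob=1970-01-01;policy=EXAMPLE-9876")

	for _, variant := range []string{"AES-128", "AES-192", "AES-256"} {
		key, err := NewKey(variant)
		if err != nil {
			panic(err)
		}
		sealed, err := Encrypt(key, record)
		if err != nil {
			panic(err)
		}
		opened, err := Decrypt(key, sealed)
		fmt.Printf("%s: %d-byte key, round trip ok: %v\n",
			variant, len(key), err == nil && bytes.Equal(opened, record))

		// Flip one bit of the stored file: the tag check now fails.
		sealed[len(sealed)/2] ^= 0x01
		_, err = Decrypt(key, sealed)
		fmt.Printf("%s: tampered file rejected: %v\n", variant, err != nil)
	}

	// A 20-byte key is not an AES key size; the library refuses it outright.
	_, err := Encrypt(make([]byte, 20), record)
	fmt.Println("20-byte key rejected:", err != nil)
}
```

The nonce is stored with the file so that the key alone is the secret; what a product adds on top of this primitive is key management (where the key lives, who can use it, how it is rotated), which is the part the compliance checklist is really about.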

Become Privacy Safe Starting with This Webinar

Protecting PHI within the healthcare system doesn’t have to make it painful for hospital administrators or doctors to access PHI appropriately, but it does mean having the right technology and good training in place. And in honor of Data Privacy Day, don’t you want to tell your customers that their data is safe? You will be one step closer by signing up to tomorrow’s live webinar.

Learn how you can implement health data privacy controls to secure your healthcare data >> Register Here

For more on this topic, register to hear David Lacey, former CISO, security expert and drafter of the original text behind ISO 27001, speak about implementing HIPAA and other healthcare security controls with a managed file transfer solution.

The battle over privacy vs. security is a constant reminder of not just how far the Web has taken us, but how far we have to go to agree on its public usage. On one side you have an army of users who trust you — or aren’t aware they are trusting you — with the sensitive information on their machines. On the other side is an ever-looming governmental presence, which seeks access to users’ data in an effort to protect a much larger set of interests.

How are we to hold these two sides in perfect balance? Is there a perfect balance? Well, yes and no. Bear with me.

Do You Feel Lucky?

Well, do ya? While you may never know the full extent to which the government has “collected” private-sector information, it’s a fair bet that the figure would be humbling. And whether or not you deem this practice justified, surely the rest of the workplace assumes their private information remains just that with support’s help. With this in mind, it’s a good idea to ask yourself, barring the hands you can’t slap away: “Am I actively protecting staff’s privacy?”

As you formulate a response, think about how your staff might react if they found out their privacy had been compromised. Would they — or more likely, their lawyer — see the security measures you do have in place and frown upon them? How about if your own privacy was on the line (and it is)?

Not Where, But How You Draw the Line

It’s important to remember that the fine line you draw between privacy and security isn’t universal. In fact it often isn’t even straight, according to Chris Ellis, former data security officer for a government security contractor and current consultant for all things cybersecurity.

“I think the concept of privacy is a very individual matter,” Ellis suggests. “I’ve met people who wouldn’t bat an eye at checking their bank account on a public computer. When I tell them how easy it can be for someone to steal that information, they’d just shrug it off. On the other extreme, one of my best friends insists on using the ‘Incognito’ tab [Chrome’s private window] for every browsing session, even on his own devices.”

These two archetypes obviously have different thresholds for privacy. It’s ultimately up to the sysadmin to determine which concerns are valid — and to what extent — within the business despite what the government says it needs.

Transparent Policy, Not Security

Ellis’s insight here applies to more aspects of your network than you may think. Rather than being a solitary decision based on a static environment, the solution to the privacy vs. security debate is an aggregate one. Unfortunately for the helpdesk, appeasing everyone’s individual privacy concerns isn’t a practical endeavor. Ellis insists, however, that a happy medium can be found when users are able to appreciate the fragility of online privacy.

“What I’ve come to find is that end users are most concerned with privacy when their information is in someone else’s hands, even legitimately,” he observes. “I’m always surprised to see how much more responsible users are with personal information when organizations are transparent about their security practices and inherent limitations.”

At the end of the day, you can only provide the tools and environments that enable secure data storage and file transfer. As users begin to understand the parameters that separate their own privacy from a greater security standard, they’re less likely to cry foul and more likely to embrace secure habits themselves. I don’t know about you, but in my book that’s a win-win.

Tell your users the risks, show them how they’re protected and provide the tools necessary for them to make up the difference.

>> To learn more about secure managed file transfer, check out our white paper: “Security Throughout the File Transfer Life-Cycle: A Managed File Transfer Imperative”.

Download your free copy of Managed File Transfer for Dummies today!

Last week, we shared some insight from the first chapter of our new reference book entitled Managed File Transfer for Dummies. This week, we’ll take a look at some highlights from Chapter 2.

Whether by regulation or by a business need, data often needs to be kept secret. Managed file transfer provides many security mechanisms and offers the flexibility to ensure compliance with data privacy regulations and policies. When thinking about secure managed file transfer, you should consider three areas:

  • Compliance: Compliance means conforming to every relevant legal, professional and company standard. For example, a bank or retail company that offers credit card services needs to comply with PCI‐DSS. Audit teams look at the policy and ensure that the actual operations satisfy requirements, often by examining log files and IT systems documentation. Any managed file transfer solution you pick should both specify and prove it’s compliant with the standards important to your business.
  • Audit: One role of audit is when it’s used during an investigation — to find out how the problem happened, when it happened, and what failed. The best managed file transfer systems will provide logging capability and configurable security alerts.
  • Real‐time visibility: Sometimes you need to know exactly what’s going on right now. Your managed file transfer solution should log each and every event to a central database, whether the event is the start of a transfer, the completion or errors. That tells you what has just happened in the system, and you may want to watch in real-time to manage performance and investigate various alerts.
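The three areas above (compliance evidence, audit during an investigation, and a real-time view) are all served by one append-only event log. The following Go program is an added example, not taken from the book or from any Ipswitch product, of such a log: it records the start, completion and error events the text calls for, derives the real-time "in flight" view and a failure count for alerting from them, and reconstructs the full trail of one transfer for an investigation. The in-memory store stands in for the central database, and the users, file names and timestamps are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
	"time"
)

// Kind names a transfer event; the three kinds mirror the events the text says
// a solution should log: start, completion and errors.
type Kind string

const (
	Started   Kind = "TRANSFER_STARTED"
	Completed Kind = "TRANSFER_COMPLETED"
	Failed    Kind = "TRANSFER_FAILED"
)

// Event is one row of the central event log.
type Event struct {
	At         time.Time
	Kind       Kind
	TransferID string
	User       string
	File       string
	Bytes      int64
	Detail     string // error text for failures, otherwise empty
}

// EventStore is an in-memory stand-in for the central event database. It is
// append-only: rows are never edited, which is what an auditor expects.
type EventStore struct {
	mu     sync.Mutex
	events []Event
}

// Record appends one event.
func (s *EventStore) Record(e Event) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.events = append(s.events, e)
}

// InFlight is the real-time view: transfers that have started and have
// neither completed nor failed yet, sorted for stable output.
func (s *EventStore) InFlight() []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	open := map[string]bool{}
	for _, e := range s.events {
		switch e.Kind {
		case Started:
			open[e.TransferID] = true
		case Completed, Failed:
			delete(open, e.TransferID)
		}
	}
	ids := make([]string, 0, len(open))
	for id := range open {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// FailuresSince returns failure events at or after the given instant; a
// security alert can be raised when the count crosses a threshold.
func (s *EventStore) FailuresSince(since time.Time) []Event {
	s.mu.Lock()
	defer s.mu.Unlock()
	var out []Event
	for _, e := range s.events {
		if e.Kind == Failed && !e.At.Before(since) {
			out = append(out, e)
		}
	}
	return out
}

// Trail is the audit view for an investigation: every event of one transfer
// in time order, answering what happened, when, and what failed.
func (s *EventStore) Trail(id string) []Event {
	s.mu.Lock()
	defer s.mu.Unlock()
	var out []Event
	for _, e := range s.events {
		if e.TransferID == id {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out
}

// SampleEvents builds a small constructed log; users, files and times are invented.
func SampleEvents() []Event {
	t0 := time.Date(2016, 1, 28, 9, 0, 0, 0, time.UTC)
	return []Event{
		{At: t0, Kind: Started, TransferID: "T1", User: "alice", File: "claims-0128.csv"},
		{At: t0.Add(1 * time.Minute), Kind: Started, TransferID: "T2", User: "bob", File: "labs-0128.hl7"},
		{At: t0.Add(2 * time.Minute), Kind: Completed, TransferID: "T1", User: "alice", File: "claims-0128.csv", Bytes: 48213},
		{At: t0.Add(3 * time.Minute), Kind: Started, TransferID: "T3", User: "bob", File: "images-0128.zip"},
		{At: t0.Add(4 * time.Minute), Kind: Failed, TransferID: "T2", User: "bob", File: "labs-0128.hl7", Detail: "TLS handshake failed"},
	}
}

func main() {
	store := &EventStore{}
	for _, e := range SampleEvents() {
		store.Record(e)
	}
	fmt.Println("in flight now:", store.InFlight())
	now := time.Date(2016, 1, 28, 9, 5, 0, 0, time.UTC)
	fails := store.FailuresSince(now.Add(-10 * time.Minute))
	fmt.Printf("failures in last 10 min: %d (alert: %v)\n", len(fails), len(fails) >= 1)
	for _, e := range store.Trail("T2") {
		fmt.Printf("%s %-18s %s %s %s\n", e.At.Format(time.RFC3339), e.Kind, e.User, e.File, e.Detail)
	}
}
```

Because every view is derived from the raw rows rather than from a mutable status table, the real-time dashboard and the audit report can never disagree with each other, which is the property an auditor checks for when comparing log files against operations.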

Careful consideration of security needs is important because unauthorized access to data with PII/PHI for one record or millions of them could result in significant fines and have a large and lasting negative impact on your business.

>> Be sure to check back next week when I highlight Chapter 3. In the meantime, download a free copy of Managed File Transfer for Dummies today!

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP‐based encryption to the file, to always require an FTP‐over‐SSL connection with the vendors’ FTP servers, and to always require 256‐bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s centrally configured. Even if your users need to manually transfer something ad‐hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.

What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them — they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.
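The enforced-versus-applied distinction above is easiest to see in code. The following Go program is an added example, not taken from the guide or from any MFT product: a policy store whose rules (the text's PGP, FTP-over-SSL/TLS and 256-bit AES requirements) can only be changed through a propose-and-approve workflow by a separate approver group, plus an enforcement pass that rewrites any drifted server configuration back to policy. A server administrator's local change survives only until the next pass. The field names, the approver group, the host names and the drift scenario are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy is the centrally configured rule set, following the text's example.
type Policy struct {
	RequireTLS    bool // FTP over SSL/TLS for every vendor connection
	MinAESKeyBits int  // 256 in the text's example
	RequirePGP    bool // PGP-based encryption of every file
}

// ServerConfig is the live configuration of one MFT server or client.
type ServerConfig struct {
	Name       string
	TLS        bool
	AESKeyBits int
	PGP        bool
}

// proposal is a pending policy change awaiting a second person's approval.
type proposal struct {
	by     string
	policy Policy
}

// PolicyStore holds the enforced policy. Only the approver group may change it,
// and a change must be approved by someone other than its proposer.
type PolicyStore struct {
	Current   Policy
	approvers map[string]bool
	pending   map[string]proposal
}

func NewPolicyStore(initial Policy, approvers ...string) *PolicyStore {
	ps := &PolicyStore{Current: initial, approvers: map[string]bool{}, pending: map[string]proposal{}}
	for _, a := range approvers {
		ps.approvers[a] = true
	}
	return ps
}

// Propose records a requested change; day-to-day server administrators are not
// in the approver group and are refused here.
func (ps *PolicyStore) Propose(changeID, user string, p Policy) error {
	if !ps.approvers[user] {
		return fmt.Errorf("%s may not modify policy", user)
	}
	ps.pending[changeID] = proposal{by: user, policy: p}
	return nil
}

// Approve puts a pending change into force once a second approver signs off.
func (ps *PolicyStore) Approve(changeID, user string) error {
	pr, ok := ps.pending[changeID]
	if !ok {
		return errors.New("no such pending change")
	}
	if !ps.approvers[user] {
		return fmt.Errorf("%s may not approve policy", user)
	}
	if pr.by == user {
		return errors.New("a change cannot be approved by its proposer")
	}
	ps.Current = pr.policy
	delete(ps.pending, changeID)
	return nil
}

// Violations lists where a live configuration has drifted from policy.
func (ps *PolicyStore) Violations(c ServerConfig) []string {
	var v []string
	if ps.Current.RequireTLS && !c.TLS {
		v = append(v, "TLS disabled")
	}
	if c.AESKeyBits < ps.Current.MinAESKeyBits {
		v = append(v, fmt.Sprintf("AES key %d bits below %d", c.AESKeyBits, ps.Current.MinAESKeyBits))
	}
	if ps.Current.RequirePGP && !c.PGP {
		v = append(v, "PGP file encryption disabled")
	}
	return v
}

// Enforce is the "enforced, not just applied" step: it rewrites the live
// configuration back to policy and reports what it corrected.
func (ps *PolicyStore) Enforce(c *ServerConfig) []string {
	fixed := ps.Violations(*c)
	if ps.Current.RequireTLS {
		c.TLS = true
	}
	if c.AESKeyBits < ps.Current.MinAESKeyBits {
		c.AESKeyBits = ps.Current.MinAESKeyBits
	}
	if ps.Current.RequirePGP {
		c.PGP = true
	}
	return fixed
}

func main() {
	ps := NewPolicyStore(Policy{RequireTLS: true, MinAESKeyBits: 256, RequirePGP: true}, "sec-lead", "compliance")
	// Constructed fleet: an administrator turned TLS off on one host and weakened another.
	fleet := []ServerConfig{
		{Name: "mft-01", TLS: true, AESKeyBits: 256, PGP: true},
		{Name: "mft-02", TLS: false, AESKeyBits: 256, PGP: true},
		{Name: "mft-03", TLS: true, AESKeyBits: 128, PGP: false},
	}
	for i := range fleet {
		if fixed := ps.Enforce(&fleet[i]); len(fixed) > 0 {
			fmt.Printf("%s: corrected %v\n", fleet[i].Name, fixed)
		}
	}
	fmt.Println(ps.Propose("chg-1", "server-admin", Policy{})) // refused
	_ = ps.Propose("chg-2", "sec-lead", Policy{RequireTLS: true, MinAESKeyBits: 256})
	fmt.Println(ps.Approve("chg-2", "sec-lead"))   // self-approval refused
	fmt.Println(ps.Approve("chg-2", "compliance")) // <nil>: change now in force
}
```

Running Enforce on a schedule is what turns a one-time "apply" into continuous enforcement; the list it returns is also the drift report an auditor would ask for.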

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!