Many customers today expect ‘WAN acceleration’ technology (sometimes referred to as WAN Optimization) as part of their MFT vendor’s solution offering. In general this is a useful addition to the MFT feature set, and can certainly reduce file transfer times in a wide variety of scenarios. However, customers should have realistic expectations of what these acceleration technologies can offer, and be cognizant of the limitations and constraints imposed by the carrier network itself.

Customers should question any absolute, unequivocal claims an MFT vendor makes regarding performance improvements achieved using their particular approach.  A claim of “7x” or “30x” improvement without any documented caveats is simply not credible. The key point is that observed performance enhancements in the WAN are probabilistic, not deterministic. A file transfer occurring multiple times between the same endpoints will in all likelihood produce different latency measurements depending on a large number of factors:

  • Time of day
  • Day of week
  • Physical media traversed
  • Design of intervening switch fabrics and router queues
  • SLA agreements with the carrier
  • End-to-end QoS provisioning (if any)
  • Burstiness (jitter) of co-mingled traffic, etc.

Techniques for improving WAN performance vary by vendor: data caching, compression, truncation, protocol optimization (usually proprietary, as an enhancement to TCP at the transport layer), traffic shaping, and de-duplication, just to name a few. Customers should ask many questions and perform their own “real world” tests to ensure they are in fact receiving the transfer performance improvements they expect, under conditions that are common to their WAN environment.

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP‐based encryption to the file, to always require an FTP‐over‐SSL connection with the vendors’ FTP servers, and to always require 256‐bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s
centrally configured. Even if your users need to manually transfer something ad‐hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.
What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them—they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!

SC Magazine just published a short article titled “FTP described as unsecure and generally unmonitored”.

In the article, fellow Managed File Transfer (MFT) vendor Axway correctly points out that “usernames, passwords, commands and data can be easily intercepted and read while files transferred via FTP are uploaded or downloaded without any encryption.”

Not to overstate the obvious, but I wholeheartedly agree (and this should come as no surprise to our avid blog readers).  The FTP protocol turned 40 years old in 2011 and although still functional, it was not designed to provide any encryption or guaranteed delivery.  Unfortunately, many organizations are still relying on outmoded homegrown FTP scripts or have deployed basic FTP servers scattered throughout their organization – all lacking basic security measures, not to mention important visibility, management and enforcement capabilities.

Today, the 40-year old FTP protocol proudly serves as the foundation for the majority of data transfer and application integration technologies that organizations rely on so heavily.    But luckily for us all, modern file transfer solutions deliver much more than basic FTP:

  • VISIBILITY capabilities such as logging; reporting; alerts; notifications; chain-of-custody and file life cycle tracking
  • MANAGEMENT capabilities such as workflows and scheduling of file related processes; person-to-person file transfer;  integration with systems/applications; data transformation; high availability;  virtualized platform support
  • ENFORCEMENT capabilities such as user provisioning;  password policies;  encryption requirements (for example, requiring 256-bit AES encryption over FTPS or SFTP protocols);  file integrity checking;  non repudiation

Now is the time to replace old and often insecure point FTP solutions and hard-to-maintain scripts with technology that includes the benefits of a modern MFT solution.

Great question asked by Wayne Hemrick at ArticleSnatch.  In his answer to “How would you send large files in an ideal world?”,Wayne touches on a few very important considerations when thinking about person-to-person file sharing, including:  ease-of-use, large file size, and security.

I agree that the ability to easily send ginormous files is only part of the problem that a business should be looking to solve.  It’s no secret that people need to send other people files as part of their jobs.  In many cases, these files contain information that is sensitive and confidential.  In my opinion, the real issue is that business users lack a way to ensure the security of these information exchanges.

Wayne correctly points out that many of the currently used tools are insecure, inefficient, complicated and some even require the intervention of IT professionals.  But the growing risk of privacy loss and data breaches has made the security aspect of sending files a top concern.  Organizations need to demonstrate to their customers that they understand this and are taking steps to address it.

Businesses require a simple file sharing solution that:

  • Enables employees to easily send files (any size, any type) to other people
  • Lowers company risk by securing and protecting internal and customer information
  • Provides visibility into what happens after file is sent for auditing and compliance

The ideal solution must provide for guaranteed and trackable file delivery that your business can rely on.

On Wednesday, November 3 and Thursday, November 4, Ipswitch File Transfer will be exhibiting and speaking at SecureWorld Expo, the leading regional security conference that brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security.

The “Exhibits and Open Sessions Registration” for SecureWorld Expo is complimentary and it gives you access to the expo floor, the keynote presentations, and open industry expert panels. Plus, you’ll get to hear the luncheon keynote from L. Frank Kenney, The Data Breaches You Don’t See Hurt You The Most,” and the industry expert panel Data Protection: Walking the Thin Line Between Employee Productivity and Security.”

Here are the details:

What: SecureWorld Expo – Dallas

Where: Plano Convention Centre, Plano, TX

When: November 3, 2010 and November 4, 2010

Why: Meet the Ipswitch File Transfer team, learn about our solutions (from WS_FTP to MessageWay), listen in on L. Frank Kenney’s luncheon keynote, and keep up to date on the latest in the security world!

Plus, if you visit us and mention this blog post, you’ll receive a Starbucks gift card – on the spot!

See you in Dallas!

Ziff Davis recently published a study on Managed File Transfer that heralds MFT solutions as “the unsung security and compliance solution”.  Eric Lundquist sets the stage nicely:

“Everyone is talking about the need to collaborate more effectively and put employees closer to customers in a real time business environment.

But until you can assure the security, privacy, and compliance requirements of data transfer, the collaborative enterprise is just a good idea.  MFT is one of those enabling technologies designed to make it a reality.”

The study found that security concerns about current file transfer methods include the usual suspects, such as:  encryption; viruses, user authentication, backup, hacking, enforcing security policies, managing external users, auditing, reporting and defining security policies.

Not surprisingly, data from the study shows that many of those very security concerns that people had with their organizations current file transfer methods are actually strengths of today’s MFT solutions.

Keep in mind that many organizations still rely on homegrown scripts and point-to-point solutions, oftentimes using unencrypted FTP protocol for transport… And with very little visibility, management or policy enforcement.  In addition to being time consuming and expensive to manage and maintain (and commonly built by developers that left the company years ago), many existing file transfer methods are insecure and introduce risk and inefficiency into an organization.

Plus, many companies haven’t even begun to crack the person-to-person nut of file transfer beyond relying on corporate email, unsanctioned personal email or file sharing websites, and even sneakernet!

In my next post, we’ll take a closer look at some of the areas where the study identified MFT solutions as being superior to many commonly used methods for file transfer.

Every so often, you have to SYH (shake your head) at the acronyms created by technology companies
Shane O’Neill, Publisher of CIO magazine and CIO.com

O’Neill has a great point. I remember back in my freelance days I was in some meetings where project managers would reach into a box of Alpha-Bits, grab a handful, toss them on the table and produce the newest acronyms for their latest projects.

Just the other day I was working on a post and came across an acronym I was unfamiliar with. I Googled it, I hit Wikipedia and eventually I figured it out, but it took me much longer than I thought it would take.

Who knew there would be so many definitions for three little letters?

O’Neill poses a lighthearted, but interesting question in his article “Ten Ridiculous New Tech Acronyms.” O’Neill asks if it is “any surprise that acronyms have taken over our lives? They fit perfectly in our fast-paced, multi-tasking society. Why say something in words if you can say it in letters?”

When you consider our industry, O’Neill says that the tech acronyms “can be inscrutable, unintentionally funny, accidentally crass, or just goofy. In total, they add up to a big steaming bowl of alphabet soup.”

Here’s an OMG look at some new LOL acronyms: “Ten Ridiculous New Tech Acronyms

A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees who need to transfer large files. It’s harder than ever for companies to monitor and protect sensitive information.

Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) there was a study by the Ponemon Institute of nearly 1,000 recently terminated individuals. The study revealed that 42% of them used USB memory sticks to take business data and that 38% sent documents as attachments to personal email accounts.

Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense, William J. Lynn III. The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

As you may have noticed Ipswitch maintains a robust network of qualified partners and distributors (including GSA providers) from which you can buy our technology.

There are also a number of web sites and other “grey” operations that sell old or “backup” WS_FTP products, dispensing license keys from old lists Ipswitch provided to resellers, dispensing copies of product that should be free (e.g., WS_FTP LE) or dispensing dead copies of the software.

From a technical point of view, there have always been risks from accepting these software packages, from installing software that may have been tampered with to add spyware to getting old product that may not work with Windows Vista and Windows 7 because it was developed before those OS’s existed.

However, you also take a risk against your credit history when you do business with these “grey” reseller firms, as they often use dubious financial services to convert your credit card information into cash.  Assuming these services aren’t stooping to the level of unabashed credit card harvesting, a recent security incident demonstrates why doing these transactions is still unsafe.

One of these “grey” financial services, Amsterdam-based, Russian-run Fethard, was recently reported as hacked, possibly by a rival.  This hack exposed shady internal processes and personally identifiable customer data to the entire Internet – information that criminals could use to impersonate and then draw on the credit of customers of sites that use Fethard.

Do you have any experiences with “grey” software vendors or the financial services that enable them (whether you used them for WS_FTP or not)?  If so I’d like to hear them.

We are sorry for any concern we are causing anyone at this time.”

It’s pretty certain that those are 13 words that no CEO ever wants to have to say. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that some computer files containing the personal information of about 800,000 people might have been misplaced or possibly lost or maybe even stolen.

We’re talking about information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits … just to name a few pieces of personal information, you get the picture.

800,000 records. 800,000 reasons why Managed File Transfer is important. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that somewhere in the process of these 800,000 records being shipped to a contractor to be destroyed, and actually getting to the contractor to be destroyed they disappeared.

Boston.com has some information worth reading.

Forgive the obvious Ipswitch plug here, but c’mon, any one of these solutions could help any CEO avoid having to say those 13 words.

So, that’s today’s 800,000 reasons why MFT is important, and how to avoid those 13 words. As a special bonus for you, here’s 7 words you’d surely like to steer clear of:

We are still searching for those files.’’

Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Ipswitch File Transfer is going (more) global. We’re thrilled to announce the expansion of our already successful Ipswitch FT Partner Program.  It now boasts a number of new benefits for our global partners, including a new Elite Partner Level and a deal registration program.

The Elite Level expansion was created for those partners looking for even greater association and support from Ipswitch File Transfer.  A new deal registration program has also been introduced, which will incent resellers with additional discount points for registering qualified net new sales opportunities on the FT Partner Portal.

read more “Going Global: Ipswitch File Transfer Expands Partner Program”

Tax season is behind us (at least for most of us) and we can all give a sigh of relief… but can we? This year, getting my taxes organized and handing them to my accountant seemed to be more difficult than usual. Fortunately for me, the Federal Government gave certain areas that were dealing with flooding a small extension that allowed me to find the time to pass my taxes into my accountant.

Once that task was completed, I was able to relax except for the fact I now had one day to get back into the accountant’s office and sign the documents for them to send to the IRS.

read more “Do People Realize What They Are Sending and the Risks Associated?”