Let’s start to examine the impact of end-to-end visibility and ways it can be put to work for your organization.  For starters, let’s dig into correlation.

Correlation involves identifying related actions and events as a file moves through a series of business processes (including what happens after a file is moved, renamed, or deleted), and using that information to make business decisions.  Correlation can also associate file transfer metadata with downstream processes such as whether a product was shipped or an invoice was paid after an order was received from a customer.

Ipswitch’s Frank Kenney shares some thoughts in the video below on why correlation is an especially important part of visibility and how it enables you to really understand not only file transfers, but also the applications, processes, purchase orders and other items in your infrastructure that tie back to customers, SLAs and revenue.

[youtube]http://www.youtube.com/watch?v=ZOSoT95oFUg[/youtube]

Correlation enables users to easily view all the events related to the transfer and consumption of a single file or set of files, including subsequent applications and resulting business processes.  For example, they can track a file through a complete workflow and throughout its entire lifecycle, even if it was shared with a customer or business partner  – critical insight that can impact the quality and timeliness of work, service level agreements, not to mention revenue and profitability.
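As an added illustration (not Ipswitch code) of the correlation described above: a small Python correlator that follows a file through receive, move/rename, consume and delete events, attaches downstream business events through the order id an application recorded when it consumed the file, and flags files that missed a processing SLA. The event field names, the sample audit trail and the hash values are constructed assumptions.

```python
"""Added example (not Ipswitch code): correlate file-transfer audit events into
per-file lifecycles that survive moves/renames and link to business events."""
from datetime import datetime, timedelta

# Constructed sample audit trail: a transfer server, an ERP consumer and a
# shipping system each log events. Hashes are placeholders, not real digests.
EVENTS = [
    {"ts": "2011-06-20T08:00:00", "type": "received", "path": "inbox/po_1042.xml",
     "from": "partner-a", "sha256": "placeholder-01"},
    {"ts": "2011-06-20T08:01:00", "type": "moved", "old": "inbox/po_1042.xml", "new": "erp/in/po_1042.xml"},
    {"ts": "2011-06-20T08:05:00", "type": "consumed", "path": "erp/in/po_1042.xml",
     "app": "erp", "order_id": "1042"},
    {"ts": "2011-06-20T08:06:00", "type": "moved", "old": "erp/in/po_1042.xml", "new": "archive/po_1042.xml"},
    {"ts": "2011-06-21T15:00:00", "type": "shipped", "order_id": "1042"},
    {"ts": "2011-06-22T09:00:00", "type": "deleted", "path": "archive/po_1042.xml"},
    {"ts": "2011-06-20T09:00:00", "type": "received", "path": "inbox/po_1043.xml",
     "from": "partner-b", "sha256": "placeholder-02"},
    {"ts": "2011-06-20T09:02:00", "type": "moved", "old": "inbox/po_1043.xml", "new": "erp/in/po_1043.xml"},
]


def correlate(events):
    """Group events into lifecycles keyed by the originating transfer.

    The current path of each tracked file is updated on every move/rename, so
    later consume/delete events still attach to the right lifecycle; business
    events (shipped, invoiced, ...) join via the order_id recorded at consumption.
    """
    lifecycles, by_path, by_order = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "received":
            lid = f"{ev['from']}:{ev['sha256']}"
            lifecycles[lid] = [ev]
            by_path[ev["path"]] = lid
        elif kind == "moved":
            lid = by_path.pop(ev["old"], None)
            if lid is None:
                continue  # file not under tracking: worth its own alert in practice
            by_path[ev["new"]] = lid
            lifecycles[lid].append(ev)
        elif kind in ("consumed", "deleted"):
            lid = by_path.get(ev["path"])
            if lid is None:
                continue
            lifecycles[lid].append(ev)
            if kind == "consumed":
                by_order[ev["order_id"]] = lid
            else:
                del by_path[ev["path"]]  # lifecycle is kept; only the path is gone
        elif "order_id" in ev:  # downstream business event
            lid = by_order.get(ev["order_id"])
            if lid is not None:
                lifecycles[lid].append(ev)
    return lifecycles


def sla_breaches(lifecycles, deadline_hours, now_iso):
    """Return lifecycles received but not consumed within deadline_hours as of now_iso."""
    now, deadline = datetime.fromisoformat(now_iso), timedelta(hours=deadline_hours)
    late = []
    for lid, timeline in lifecycles.items():
        received = datetime.fromisoformat(timeline[0]["ts"])
        if not any(e["type"] == "consumed" for e in timeline) and now - received > deadline:
            late.append(lid)
    return late
```

Running `correlate(EVENTS)` yields one timeline per received file, and `sla_breaches(lc, 1, "2011-06-20T12:00:00")` reports the partner-b file that was moved into the ERP inbox but never consumed.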

Information flows into, within and out of organizations faster and in greater volumes than ever before.  Complicating matters is the growing number of vendor systems, applications and platforms that make up your company’s business infrastructure and touch even your most sensitive and mission-critical information.

If you don’t have visibility into the data and files that are flowing between systems, applications and people — both inside and beyond the company firewall — things can go haywire very quickly.

  • Lost files, security breaches and compliance violations
  • Broken SLAs and other processes that are dependent on files
  • No file lifecycle tracking as data flows between applications, systems and people
  • Damaged partner and customer relationships
  • Lost opportunities

Relying on the reporting capabilities of each individual system has proven to be risky and inefficient.  Chances are, you’re swimming in a sea of not-very-useful-or-actionable data and static reports that are already a week behind with what’s actually happening in your company this very instant.

In today’s blog video, Frank Kenney shares his thoughts on why having one consolidated view is critical and why organizations are having such a hard time achieving visibility.

[youtube]http://www.youtube.com/watch?v=ow3l1AetI_Q[/youtube]

When it comes to your file transfers, many questions exist.  Do you have the total visibility your business requires?   How do your customers gain visibility into their file transfers??   Do you have all the information you need to meet your service level agreements (SLAs) as well as enabling transparency about integration and file transfers???  Let Ipswitch help you answer these questions and overcome your visibility challenges.

You’re going to be hearing more and more about “VISIBILITY” from Ipswitch, so I’d like to quickly start this blog post with our definition of visibility in the context of files and data flowing into, within and out of your company:

Visibility:  “Unobstructed vision into all data interactions, including files, events, people, policies and processes”

Fast, easy access to critical file and data transfer information is a must-have – it’s critical to the success of your business.  Whether it’s tracking and reporting on SLAs, analyzing file transfer metrics to identify bottlenecks and improve efficiency, or providing customers and partners with easy self-service access to the file transfer information they require – as well as countless other business objectives – unobstructed visibility is imperative.

Having one consolidated view into all of the systems and processes involved in your organization’s file and data transfers will deliver tremendous business value and a competitive edge.  Please do take a couple of minutes to watch Ipswitch’s Frank Kenney share his perspective on why visibility is important.

[youtube]http://www.youtube.com/watch?v=qsxzweLBRGA&feature=channel_video_title[/youtube]

Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.

  1. What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry?  Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
  2. What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
  3. And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
  4. What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?

If you don’t mind I’d like to give the public in general my 2 cents…

The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.

Recently, Cisco published a blog post on an interview with a former Anonymous hacker who offered his top security tips for the enterprise. Some of the suggestions were fairly obvious, while others were intuitive and absolutely on point. For example:

#5: Teach your staff about information security

Take note, he didn’t refer to just security staff; he was referring to the entire staff – from the administrative assistants to the most critical of security analysts. In fact, a recent Ipswitch survey shows that even the most stringent security professionals break protocol when it comes to the transfer and collaboration of information. And these folks have tons of acronyms behind their names!

What chance does the layman have? Establishing the groundwork for the dissemination and adherence to corporate policies around information security is a positive set of actions to better protect companies.

There needs to be a general awareness around information security and data and a clear understanding of the security and risk issues associated with physical media, such as DVDs and memory sticks, and outside services, like Gmail, which allows employees to ‘easily’ send large files.  This combination can be the best deterrent to data breaches.

#6: Teach your staff about social engineering

The use of technology to interact and collaborate – and how that collaboration can involve unknown third parties – is the very reason your staff should have an understanding around social engineering. Let’s face it, anyone can get an e-mail address and register on any social site. Hackers, thieves, con artists, and scammers aren’t the only ones that want access to your personal information.

Employees who use shareware or free cloud services are exposing sensitive information and risking an unintentional data breach. Employees who work from home, on a personal machine late at night or on an unapproved smart phone (at any hour) are the biggest targets for hackers and breaches. How many corporate iPhone users are there anyway?

#13: Keep an eye on what information you are letting out into the public domain

In many cases, all information about major IT purchases and deployments by publicly traded companies is public record. A move to incorporate MySQL databases, a content management system based on open source technology or even portal technologies can give a hacker everything they need to exploit your system.

Again, this is an issue of determining risk associated with information and mitigating that risk. Laying out your architecture and your infrastructure blueprints for the world to see may not be the best idea for your company…

#14: Use good physical security. What good is all the [security] software if someone could just walk in and take your “secure” system?

Stop everything you’re doing and walk from the front entrance of your office to the mailroom.

Is that door of the mailroom locked? How hard is it to just pick up a backup tape or CD and slip it into a bag? For that matter, how hard is it to just walk into the office without proper credentials? And when you walk into your office, are there secure terminals? Maybe someone in human resources went to the break room for coffee and neglected to lock their computer?

A simple, misplaced memory stick or an unsecured PC is a potential recipe for disaster. There is never any excuse for leaving a terminal unsecured in a public or semipublic setting. My rule of thumb: if you can’t leave your purse or wallet open with hundred dollar bills in plain view, you cannot leave your desktop, laptop, smart phone or a terminal unsecured.

All in all, I think the suggestions make sense. Looking at a few of the tips allows you to take a few steps in the mind of a hacker. A few seconds of non-diligence equals a career of regret.

Over the last few weeks, we’ve been putting the final touches on our next generation of services that will be delivered via the cloud. As with any product or service release, there comes a fair amount of planning, including ensuring that one has the best insight into competitors, forecasts and of course customers. We’ve worked closely with industry analysts, our end-users and prospects and our own internal resources to best understand how and where we should position our cloud services. In presentation after presentation and in conversation after conversation, we were presented market slides showing the enormous growth and opportunity within the overall software as a service (SaaS) markets. The natural reaction is to get excited about all the money we can make in this space; before we did, I issued a strong warning to our team:

“In very much the same way that software is analogous to infrastructure, software as a service is not analogous to infrastructure as a service. That includes integration as a service. The profile of the consumer of SaaS will more than likely expect that things like integration, interoperability, transformation and governance will be part of the service subscription.”

In a nutshell what I was saying was… do not look at forecasts for SaaS and assume that the opportunities for IaaS follow the same trends. If users create content by using services that are delivered via the cloud, they have a reasonable expectation that this content can be shared with other services delivered via the cloud (not necessarily by the same vendor). For example, creating content via salesforce.com and sharing that content with gooddata.com should be as simple as granting the necessary permissions. After all, my Facebook, Twitter and Google+ information is shared by clicking a few buttons. Make no mistake, integration and interoperability are nontrivial, but part of the expectation of using cloud services is that the consumer is shielded from these complexities. As more and more cloud service platforms and providers build in integration and governance technologies the need for a separate IaaS provider will likely diminish.

Don’t get me wrong, I still believe that there is a place for technologies such as managed file transfer and business-to-business integration and collaboration; I definitely believe that Ipswitch will play a significant role in the evolution of those markets. Expect the role of Ipswitch to evolve as well; not only will we provide the best mechanisms for moving content of any size but we will also govern (or let you govern) that movement and the entire experience around it. This is the centerpiece of Ipswitch’s Cloud strategy.

In my many travels visiting customers and IT professionals around the world, I ask a simple question, “What do you do when you have to send a file to someone that’s just too big?”  They ask me how big is big?  I say too big for your email or even worse, something that is too big for the receiver’s email.  These attachments are typically large PowerPoint files, spreadsheets, uncompressed images, media files or even databases.  With a sheepish grin people usually tell me they use one of the free email services, like Gmail, MS Live or Yahoo.  However, recently the answer has shifted.  I’m now being inundated with business users and IT professionals professing their love for Cloud services such as Dropbox.

In all fairness, if you look at my iPad (peeling it from my cold dead hands) you will see my Dropbox app and PAID Dropbox account.  So it’s unnerving for me to think about the four hours on Sunday when Dropbox left user accounts unlocked and you could access any one of the 25 million users’ accounts and data… Including mine.  Yep, just type in an email address and use any password you want and it’s all yours.

According to Dropbox there wasn’t any nefarious activity but if YOUR COMPANY’S information was on there – legitimately or illegitimately – you just had a data breach.  So I was a breach victim… And if I had any Ipswitch IP on the servers, the breach is extended accordingly.  To Dropbox’s credit, their business is all about collaboration and file syncing, not governed file transfer or managed data at rest.  In the end, some of these types of Cloud services will eventually get enough of it right to secure their future.  Some will last, many won’t.

Regardless, how are you going to handle your data breach this morning?  I’m headed over to my boss’s office to explain my brazen disregard for corporate data.  He’ll probably buy me a new iPad2 that’s locked down (wishful thinking) and order IT to set up a more secure way for me to be mobile with my documents (more wishful thinking).

Ipswitch has been cautioning companies about the dangers of private/confidential information being sent through Google (and other hosted and person-to-person services), both from a security and a responsibility perspective.

Last week’s Gmail hack further drives home the point that organizations must proactively manage and have visibility into what information is being shared with service providers and how information is being sent between people.

Don’t let your guard down and simply treat the cloud as just another internal resource. Cloud services need to be properly managed and governed just like any other third party.

Ipswitch’s Frank Kenney recently concluded a 4-part webcast series on integration.  It’s not too late to watch a replay of it.  In parts 3 and 4, Frank talks through the issue of relying on cloud providers and provides tips for managing and governing cloud and person-to-person interactions.

Google revealed yesterday a targeted phishing attack from China against hundreds of Gmail users, including government officials and military personnel.  The FBI, Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.

My hope is that this breach will serve as the wake up call that public and private businesses need to start enforcing policies around personal email.  According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem.  Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.

Have you provided your employees with a simple tool to send large and confidential files?  Do you have visibility into what is being sent and to whom??  Do you have a documented AND enforced policy around using personal webmail accounts from work computers???

Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files.  It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.

Ipswitch’s Frank Kenney shares his perspective on breach responsibility and security with Information Week:

“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility.  If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.

Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”
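An added example, not from the article or from Google, of the two checks Kenney suggests: detection logic run over constructed account-activity log lines, alerting on a login from an IP address outside a user’s learned baseline and on any change to mail forwarding. The log format, field names and learning period are assumptions; the addresses use documentation ranges.

```python
"""Added example (not Ipswitch or Google code): alert on logins from unfamiliar
IPs and on mail-forwarding changes, using an assumed key=value log format."""
import re
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-ts> user=<u> event=<e> key=value ..."
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)")

# Constructed sample log (not real data); IPs are from documentation ranges.
LOG = """\
2011-05-01T09:00:00 user=alice event=login ip=203.0.113.5
2011-05-02T09:05:00 user=alice event=login ip=203.0.113.5
2011-05-20T22:13:00 user=alice event=login ip=198.51.100.77
2011-05-20T22:14:30 user=alice event=settings_change key=forwarding value=drop@example.test
2011-05-21T09:00:00 user=alice event=login ip=203.0.113.5
2011-05-21T10:00:00 user=bob event=login ip=203.0.113.9
""".splitlines()


def parse(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(kv.split("=", 1) for kv in rec.pop("rest").split()))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def alerts(lines, learning_period=timedelta(days=14)):
    """Return (iso_ts, user, reason) tuples for suspicious activity.

    IPs seen within `learning_period` of a user's first login form the baseline;
    after that, every login from an IP outside the baseline alerts (the IP is not
    added automatically, since that would let an attacker become "familiar").
    Any forwarding change alerts regardless of origin.
    """
    first_seen, known_ips, out = {}, {}, []
    for rec in filter(None, map(parse, lines)):
        user, ts = rec["user"], rec["ts"]
        first_seen.setdefault(user, ts)
        ips = known_ips.setdefault(user, set())
        if rec["event"] == "login":
            if ts - first_seen[user] <= learning_period:
                ips.add(rec["ip"])
            elif rec["ip"] not in ips:
                out.append((ts.isoformat(), user, f"login from unfamiliar IP {rec['ip']}"))
        elif rec["event"] == "settings_change" and rec.get("key") == "forwarding":
            out.append((ts.isoformat(), user, f"mail forwarding set to {rec.get('value')}"))
    return out
```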

Last week I ranted a bit about the importance of governing your cloud vendors.  At about the same time, Ipswitch’s Frank Kenney participated in a panel discussion on cloud security at the Interop conference in Las Vegas.

As you know, there is great debate over whether cloud services are secure enough for businesses to use.  I believe that the cloud model will quickly evolve and prove itself to a point where security is deemed no riskier than doing business with solely on-premises tools.

I also believe that member-driven organizations such as the Cloud Security Alliance – which focus on providing security assurance within Cloud Computing – will help us get there.

At the Interop discussion, Frank Kenney spoke about the safety of the cloud, here’s what he had to say:

“Cloud customers have the obligation to assess the risk of allowing data to be stored in a cloud based on how valuable it is to the customers…. The cloud is as secure as you want it to be.

Cloud services can provide value if performance and service-level agreements align with what customers need.  If not, customers shouldn’t buy them.  It’s not ‘the sky is falling’.  Assign risks appropriately.  Security is just one of many things you have to do.”

Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches.  Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.

Here are a few noteworthy data points:

  • Nearly 800 data breaches were reported in 2010, a sharp increase from the 900 breaches reported in the previous six years combined
  • 4 million records were compromised in 2010, which is significantly less than the 144 million compromised in 2009
  • Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
  • 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach, indicating that organizations with rigorous compliance efforts are less likely to be breached
  • Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component

A key takeaway is that while the quantity of data breaches quintupled in 2010, the number of compromised records actually dropped.  This data is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.

As the Verizon team points out, in the world of cyber crime, knowledge is power.  Not only do companies require visibility into the files and data that are being transferred around and in/out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are being accessed every day by internal and external systems, applications and people.

I, like many others, have received security notifications about the Epsilon data breach.  In the last 48 hours I have been sent email warnings from 8 companies that I trusted with my personal information – banks, retailers and hotels.

These companies entrusted my private contact information to Epsilon, a 3rd party e-mail marketing company…. And that information has now been compromised by hackers.  Awesome.

Details of this massive breach are still rolling in, but so far the list of affected companies is known to include: Ameriprise Financial; Best Buy; Brookstone; Capital One; Citibank; Disney Destinations; Hilton; Home Shopping Network; JPMorgan Chase; Kroger; LL Bean Visa Card; Marriott; QVC; Robert Half; Red Roof Inn; Ritz-Carlton; Target; The College Board; TiVo; US Bank; Walgreens; 1-800-FLOWERS.  And there are likely many more that we haven’t heard about yet.

The Epsilon e-mail breach is a warning about the data security standards employed by third-party service providers, as well as a not-so-subtle reminder to organizations to require strong contractual obligations related to security practices with every business partner and third-party provider you do business with.  As we learned with Epsilon, the privacy – and trust – of your customers may depend on it.

Lastly, be on the lookout for scam emails in your inbox.  The Epsilon breach is an example of how hackers can now match your name and email address to companies that you interact with.  So get ready for the onslaught of emails trying to trick you into handing over your online usernames and passwords.  I suggest not clicking links embedded in emails; instead, always go to the company website directly and log on from their safe homepage.  Check out this informative article on The Last Watchdog for more on spear phishing risks as well as some commentary by Ipswitch’s Frank Kenney on data breaches and customer notifications.