For every IT pro who’s ever struggled to keep their head above water in a sea of changing network monitoring and secure file transfer requirements, here’s the lifeline you’ve been waiting for. Especially in the wake of the recent ruling that struck down Safe Harbor, more likely than not your IT team is going to need to implement drastic changes to how your company transfers data internally and externally.

The upcoming Ipswitch Innovate 2015 virtual summit has brought together two leading IT authorities to offer free advice on FTP compliance in an ever-changing IT landscape and protecting the data that streams inside and outside your enterprise.

Secure File Transfer For FTP Compliance

On October 21, 2015, Cybersecurity expert David Lacey will give his top tips for building a secure, compliant file transfer system – from the standards you choose to the trends driving information security forward.

Why could a staged approach to securing file transfer be better for your business? Lacey’s answer might surprise you. But he would know, since he drafted the original text behind the ISO 27000 family of standards and was the first to develop a fraud detection system based on the human immune system.

Scaling Your Company’s Bandwidth for IoT

Tune in on October 22, 2015, to hear what THINKstrategies founder Jeff Kaplan says your IT teams should do now to prepare for the Internet of Things (IoT) that’s shaping our high-bandwidth future.

How connected is your network and do you have the bandwidth you need to scale for IoT? Kaplan’s advice is a must-have for upgrading your bandwidth requirements. No one knows the topic better. Kaplan was recently ranked in the “Top 100 Individuals and Brands in the Internet of Things Landscape,” by Onalytica, and was also named “Top 50 Cloud Bloggers of 2015” by The Channel Company and CRN.

Come See Us at Ipswitch Innovate Virtual Summit

Come to Ipswitch Innovate 2015. It’s free to sign up and you’ll get three hours per day of live webcasts and a virtual exhibit hall where you can evaluate network monitoring and data transfer solutions like WhatsUp Gold, WS_FTP and MOVEit. You can even navigate your way to the online Genius Bar for real-time answers to your product questions.

Feeling lucky? Sign up by October 15, 2015 for your chance to win a Pebble Smartwatch. Use the promo code “PWATCH” when you register.


It seems that almost every organization – from SMBs to large enterprises – is struggling with secure file transfer. Large companies like Sony Pictures are not immune: they are dealing with the fallout of a successful attack on their files. Despite their IT security efforts, hackers have stolen and are leaking terabytes of data from the media company. Breaches like this don’t come from a lack of effort or awareness. Rather, they are the result of file transfer practices that have not evolved to meet today’s complex requirements.

The main culprit: standard FTP solutions

Evolving from FTP to Secure File Transfer
Pictured: FTP (left) and Secure File Transfer (right).

File Transfer Protocol (FTP) is widely considered the easiest way to transfer business data, and the numbers back it up; FTP is used by a staggering 83% of businesses. Of this group, however, we find that very few are comfortable with its security, as the majority of respondents express fear about sensitive data being compromised.

File transfer solutions have often been relegated to the darkest corner of the lowest-wattage server room, and it’s very common to find home-grown FTP solutions, deployed long ago and not well understood, documented or easily maintained by today’s IT staff, still being used to manage company data.

As a result, FTP is now being used to send highly sensitive data that is subject to HIPAA, PCI, SOX and other industry regulations – putting an organization at risk of data breaches, compliance violations, financial burdens and, in some cases, a “company death sentence.” Harsh, but true. Of course, this was never FTP’s intended purpose, and now companies are scrambling to find an alternative.

Acronyms that start with “S”

Luckily, many are finding a viable alternative to FTP in two common security protocols: Secure Sockets Layer (SSL, today superseded by its successor TLS) and Secure Shell (SSH). Applied to file transfer they give you FTPS (FTP over SSL/TLS) and SFTP (the SSH File Transfer Protocol). Both encrypt the file data and the control and administration traffic that goes with it, protecting high-risk data against eavesdropping and tampering while it crosses open networks. Note that this covers data only in transit: once the file lands on a server it is stored in whatever form it arrived in, so protecting it at rest is a separate concern.

Don’t just take our word for it, our customer Enterasys went through their own evolution from FTP to secure file transfer.

SSH is particularly popular in IT environments because most operating systems (including UNIX/Linux) support it, so using SSH for file transfer (SFTP, which is a subsystem of SSH rather than FTP tunnelled through it) allows for cross-platform IT standardization. Standardizing on SFTP gives consistent, strong security policy enforcement and simpler administration, since one SSH server and one set of host and user keys cover both interactive access and file transfer.
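To make the exposure concrete, here is an added example (not code from Ipswitch or from the original post) that replays two constructed FTP control-channel transcripts, one plain FTP and one FTPS, and reports what a passive observer on the network path could read. The transcripts, hostnames, username, password and filename are all made up; the state machine only tracks whether a successful AUTH TLS (reply code 234) happened before each command, which is the only thing that separates the two sessions on the wire:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed transcripts of two FTP control channels, in the "C:" (client)
// / "S:" (server) form a capture tool might print. Neither is a real capture.
const PlainFTPSession = `S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR payroll-2015-10.csv
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye`

const FTPSSession = `S: 220 ftps.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection set to Private
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,11,195,81)
C: RETR payroll-2015-10.csv
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye`

// Finding records what a passive observer could read from one session.
type Finding struct {
	TLSNegotiated  bool     // server accepted AUTH TLS (234) before login
	DataProtected  bool     // PROT P accepted, so the data channel is encrypted too
	ClearUser      string   // username that crossed the wire in the clear
	ClearPassword  string   // password that crossed the wire in the clear
	ClearFilenames []string // RETR/STOR targets visible in the clear
}

// AuditControlChannel replays a transcript, tracking whether the channel
// was encrypted at the moment each command was sent. After a successful
// AUTH TLS the remaining commands are TLS records on the wire and are no
// longer counted as exposed; before it, everything is.
func AuditControlChannel(transcript string) Finding {
	var f Finding
	encrypted := false
	pending := "" // last client verb, so a reply can be matched to it
	for _, raw := range strings.Split(transcript, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "C: "):
			verb, arg, _ := strings.Cut(strings.TrimPrefix(line, "C: "), " ")
			verb = strings.ToUpper(verb)
			pending = verb
			if encrypted {
				continue
			}
			switch verb {
			case "USER":
				f.ClearUser = arg
			case "PASS":
				f.ClearPassword = arg
			case "RETR", "STOR":
				f.ClearFilenames = append(f.ClearFilenames, arg)
			}
		case strings.HasPrefix(line, "S: "):
			reply := strings.TrimPrefix(line, "S: ")
			if len(reply) < 3 {
				continue
			}
			code := reply[:3]
			if pending == "AUTH" && code == "234" {
				encrypted, f.TLSNegotiated = true, true
			}
			if pending == "PROT" && code == "200" {
				f.DataProtected = true
			}
			pending = ""
		}
	}
	return f
}

// Exposed reports whether the session leaked a credential or a filename
// to anyone who could see the packets.
func (f Finding) Exposed() bool {
	return f.ClearUser != "" || f.ClearPassword != "" || len(f.ClearFilenames) > 0
}

func main() {
	for name, s := range map[string]string{"plain FTP": PlainFTPSession, "FTPS": FTPSSession} {
		f := AuditControlChannel(s)
		fmt.Printf("%-9s exposed=%-5v tls=%-5v dataProtected=%-5v user=%q pass=%q files=%v\n",
			name, f.Exposed(), f.TLSNegotiated, f.DataProtected, f.ClearUser, f.ClearPassword, f.ClearFilenames)
	}
}
```

The plain session gives up the username, the password and the filename, and the separate data connection carrying the file itself is just as unencrypted. The FTPS session exposes nothing after the 234 reply, and PROT P extends the protection to the data connection; an audit that looks only for AUTH TLS and not for PROT P would miss servers that encrypt the login but still ship file contents in the clear.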

Are you ready to learn how SSL and SSH security policies can help your organization? Are you ready to toss aside your basic FTP and evolve with the times? Download the free Ipswitch File Transfer Whitepaper: Evolution from FTP to Secure File Transfer.

For most companies FTP is not enough. As the amount of daily file transfers skyrockets, so, too, has the cost associated with file transfer blunders. With the increased risk of data breaches, compliance violations and other pitfalls, companies are quickly realizing the need for a file transfer solution that grants them heightened security, visibility and ease-of-use.

Companies hit the wall with FTP when they encounter issues around:

  • Capacity & Volume: A recent survey from The Aberdeen Group suggested that the number of users needing to transfer files is growing at a rate of 6%-9% each year. The volume of data transferred is also increasing by 8%-11% each year, as is the size of the files themselves, at 6%-7% per year. Each of these figures highlights the strain that current file transfers are putting on traditional solutions.
  • Time & Complexity: When organizations use multiple systems and custom scripts to manage file transfer, they needlessly increase complexity for employees, customers and partners. The same research found that, on average, traditional FTP users spent 75% more time on manual file transfer tasks than their MFT counterparts.
  • Security & Visibility: With traditional methods, even the most highly-sensitive files are transferred via email attachments, thumb drives, the public cloud and other outdated means. Not only are these options insecure, they are also practically untraceable to IT staffs.

    Pictured: There are four different file transfer scenarios, and, when you consider managed file transfer, you should be looking for a single solution that can support all of them.

Fortunately, these weaknesses exhibited by traditional file transfer methodologies are among the strengths of managed file transfer (MFT). As a comprehensive system that automates transfers between people and processes, MFT was designed for companies that want enhanced visibility, security and ease-of-use. Here’s a quick look at some of the high-level value MFT offers:

  • Security: MFT supports a broad range of secure protocols and adds end-to-end encryption, authentication and delivery confirmation, helping to ensure delivery, scalability and reliability.
  • Automation: MFT empowers IT to establish new file transfer processes without the need for custom programming.
  • Centralized Reporting: Easily build enterprise reports for auditing, compliance and governance to meet corporate security policies and government regulations, such as HIPAA and PCI.
  • Connectivity: Accessible on any device and familiar desktop apps, MFT is easy for employees, customers and partners to adopt and use.

In other words, MFT solutions have capabilities that extend beyond traditional FTP systems, providing a single source of truth for handling all of your file transfer needs.  With the right MFT solution, organizations can reduce security risks and compliance incidents, help increase an organization’s efficiency and productivity, and lower the costs associated with file transfer.

Want to learn more?  Download the free Ipswitch File Transfer whitepaper: The Definitive Guide to Managed File Transfer: Attaining Automation, Security, Control & Compliance.

In my last post, I covered common regulations, who is affected, and what is required from a file transfer standpoint to satisfy them. In this post, I explain three steps your organization can take to make sure your file transfers satisfy regulatory requirements.

  1. Characterize the types of file transfers your firm does as part of its day-to-day business.
    Most firms are dependent on file transfers to get work done. For example, healthcare organizations send patient billing information to Medicare, financial firms confirm equity trades, and airlines schedule delivery of on-board food with their vendors. The first two are required by law to be carried out securely and to leave an audit log of activities. While the third transfer isn’t affected by any regulation, best practice is still to secure the information being exchanged.
  2. Craft policies and procedures to ensure your file transfer activities are in compliance.
    Lay out your workflows, focusing on the data and file transfers identified in step one above. Where is your data at risk? When undertaking your planning, addressing and defending against both internal and external threats is a critical part of the process. Hackers make the news but rogue employees can potentially cause damage over extended time frames and across your firm’s entire operations.
  3. Educate your people on the why’s and how’s of the policies and procedures.
    Many companies fall short on the operational execution of regulatory compliance. A significant cause of failure is poor communication. People respect policies when they understand their purpose and what they are defending against and the consequences of failure. For example, companies with dual-use technology, governed by ITAR, can lose their ability to export or do business if their products are sold to restricted countries. Imagine the impact to your organization if you lost 100% of your non-US revenue. Moreover, responsible individuals could go to jail. Other impacts are monetary fines of thousands of dollars. Or consider if a retailer exposes its customer credit information. The real impact is not the financial penalty. The potentially devastating impact is the loss of existing and future customers who lose trust in the firm’s brand and reputation.

In addition to spelling out the potential consequences of non-compliance, reinforce the use of existing file-transfer workflows, assuming you have designed these with compliance in mind.

Ensuring compliant file transfers
By taking these three practical steps, you can minimize the likelihood that your company’s file transfers will put the organization at risk of non-compliance with both internal policies and external requirements.

In addition, you can take advantage of Managed File Transfer (MFT) to more easily address compliance issues around a variety of regulations. MFT helps ensure sensitive information is protected during transfer. Leading MFT solutions also enable robust user access control, which ensures only those who should ‘see’ sensitive data are able to. Plus, such solutions keep a journal of activities and historic audit logs. Together these features enable firms to meet their compliance needs by demonstrating governance around who has access to private data (e.g., credit card information) and by showing who accessed what, and when.

We welcome any other suggestions for ensuring compliance when it comes to file transfers. Share your thoughts in the comments!

Ericka Chickowski did a nice job in her Dark Reading article on how old-fashioned FTP introduces unnecessary levels of compliance and security risk to organizations.  And here’s an alarming data point from Harris Interactive – approximately 50% of organizations are currently using the FTP protocol to send and exchange files and data.

Talk of security concerns with FTP is certainly not new.  FTP was never designed to provide any type of encryption: credentials, commands and file contents all cross the network in cleartext, so they can be read or altered in transit.  A common answer for this is to use encrypted, standards-based protocols such as FTPS (FTP over SSL/TLS) and SFTP (file transfer over SSH).

Luckily, modern managed file transfer solutions deliver not only the security you know your business requires, but also the visibility and control that IT needs to properly govern company information.

Ipswitch’s Greg Faubert offers his thoughts in the Dark Reading article:

“While FTP is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy…. The PCI standards look specifically at the security surrounding your FTP environment. It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls.”

And yet, somehow, many organizations continue to rely on unencrypted FTP to transport mission-critical or sensitive information.  For those guilty, here are a few steps to help you get started in migrating away from antiquated FTP.  And don’t worry, it won’t be painful.

It’s no secret that more and more companies are turning to the cloud to benefit from all that it has to offer.  Subscribing to a cloud service can offer conveniences over deploying software on-premises, including faster deployment, budgeting flexibility, built-in elasticity, near-perfect uptime and it can be significantly less taxing on IT resources.

Managed File Transfer (MFT) is certainly not being left behind in this cloud revolution.  According to Gartner, adoption of MFT Cloud Services is growing rapidly and now accounts for approximately 10% of the overall MFT market.  While both on-premises and cloud markets will continue to grow about 20% annually, cloud services will become a bigger piece of the MFT pie.

Here’s a nifty graph from the Ponemon Institute’s recently published “The Security of Cloud Infrastructure” report summarizing key cloud drivers from the perspective of both IT/Security and Compliance respondents. It is interesting to see that many people believe cloud services will provide better security and compliance than doing it themselves on-premises with their own resources.

So, how do you feel about cloud security?  Are you comfortable with your organization’s data being moved into the cloud?  What cloud security measures would make you feel better?

Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information.  We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.

2011 was also a record-breaking year for data breaches.  Coincidence?   Perhaps.  But there is no denying the fact that the increased use of non-sanctioned technology in the workplace has created a security loophole in many organizations.  It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or worse, a data breach.

Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing.  For example, our Ad hoc Transfer module for MOVEit DMZ enables organizations to enforce consistent policies and processes around person‐to‐person file transfers ‐ email encryption, attachment offloading, secure messaging, eDiscovery, and more.  It not only gives companies unparalleled governance, but it also allows end users to send information, with anyone, in a fast, easy, secure, visible, and well managed way.

We will be talking a lot more about the topic of person-to-person file sharing in 2012, so stay tuned….

You’re going to be hearing more and more about “VISIBILITY” from Ipswitch, so I’d like to quickly start this blog post with our definition of visibility in the context of files and data flowing into, within and out of your company:

Visibility:  “Unobstructed vision into all data interactions, including files, events, people, policies and processes”

Fast, easy access to critical file and data transfer information is a must-have – it’s critical to the success of your business.  Whether it’s tracking and reporting on SLAs, analyzing file transfer metrics to identify bottlenecks and improve efficiency, or providing customers and partners with easy self-service access to the file transfer information they require – as well as countless other business objectives – unobstructed visibility is imperative.

Having one consolidated view into all of the systems and processes involved in your organizations file and data transfers will deliver tremendous business value and a competitive edge.  Please do take a couple of minutes to watch Ipswitch’s Frank Kenney share his perspective on why visibility is important.

Video: http://www.youtube.com/watch?v=qsxzweLBRGA&feature=channel_video_title

This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.

My answer:  “Use both of them, together!”

For starters, here’s a real quick summary of both encryption types:

  • Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL/TLS), SFTP (SSH) and HTTPS.  Leading solutions use encryption strengths up to 256-bit (for example AES-256 as the session cipher).  It protects the bytes only while they are on the wire; at the receiving end the file is written out in the clear.
  • File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see its contents.  PGP is commonly used to encrypt files, and the protection stays with the file no matter how it was moved.

I believe that using both together provides a double-layer of protection.  The transport protects the files as they are moving…. And the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.

Here’s an analogy:  Think of transport encryption as an armored truck that’s transporting money from, say, a retail store to a bank.  99.999% of the time that armored Brinks truck will securely transport your delivery without any incident.  But adding a second, independent layer of protection – say you put the money in a safe before putting it in the truck – means a failure of either layer alone does not expose the contents, both during and after transport.

One last piece of advice:  Ensure that your organization has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information.  Although it’s an amazing accomplishment that FTP is still functional after 40 years, please, please, please realize that FTP does not provide any encryption or guaranteed delivery – not to mention that tactically deployed FTP servers scattered throughout your organization lack the visibility, management and enforcement capabilities that modern Managed File Transfer solutions provide.
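As an added illustration of the two layers (example code, not Ipswitch’s or MOVEit’s), the following Go program builds the “safe inside the truck”: the file is sealed with AES-256-GCM before it is handed to any transport, and the recipient verifies it after download. AES-GCM stands in for PGP here as the at-rest layer; key distribution, which PGP’s public-key layer handles, is assumed to happen out of band, and the sample file contents are constructed:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually travels over FTPS/SFTP and what sits on the
// remote server afterwards: ciphertext plus the nonce needed to open it.
// The filename is bound as associated data, so a renamed copy is rejected.
type Envelope struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte // GCM output with the authentication tag appended
}

// NewFileKey returns a random 256-bit key. In a real deployment this is
// the recipient's key material (what PGP's public-key layer distributes);
// here it is assumed to have been exchanged out of band.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts the contents before they go anywhere near a transport.
// A fresh random nonce per file is mandatory for GCM.
func SealFile(key []byte, name string, plaintext []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return &Envelope{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenFile is what the recipient runs after download. Any change to the
// ciphertext, nonce or filename makes the tag check fail, so a tampered
// or mislabelled file is refused rather than silently decrypted to junk.
func OpenFile(key []byte, env *Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Name))
	if err != nil {
		return nil, errors.New("file rejected: wrong key, modified content, or renamed file")
	}
	return pt, nil
}

// TamperedCopy simulates an attacker who reached the stored file on the
// server after transport and flipped one byte of it.
func TamperedCopy(env *Envelope) *Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return &Envelope{Name: env.Name, Nonce: append([]byte(nil), env.Nonce...), Ciphertext: ct}
}

func main() {
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file; not real data.
	plaintext := []byte("employee,card_number\nalice,4111111111111111\n")
	env, err := SealFile(key, "payroll-2015-10.csv", plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Println("card number visible in stored file:", bytes.Contains(env.Ciphertext, []byte("4111111111111111")))
	if _, err := OpenFile(key, TamperedCopy(env)); err != nil {
		fmt.Println("tampered copy:", err)
	}
	pt, err := OpenFile(key, env)
	fmt.Println("intact copy restored:", err == nil && bytes.Equal(pt, plaintext))
}
```

Whatever carried the envelope (FTPS, SFTP or a USB stick) the bytes that land on the far side are ciphertext with an authentication tag, so an attacker who later reads the server’s disk learns nothing, and one who modifies or renames the stored file gets a rejection rather than a quietly corrupted payroll.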

“My company still relies heavily on FTP.  I know we should be using something more secure, but I don’t know where to begin.”

Sound familiar?

The easy answer is that you should migrate away from antiquated FTP software because it could be putting your company’s data at risk – Unsecured data is obviously an enormous liability.  Not only does FTP pose a real security threat, but it also lacks many of the management and enforcement capabilities that modern Managed File Transfer solutions offer.

No, it won’t be as daunting of a task as you think.  Here’s a few steps to help you get started:

  • Identify the various tools that are being used to transfer information in, out, and around your organization.  This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc.  Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.
  • Map out existing processes for file and data interactions.  Include person-to-person, person-to-server, business-to-business and system-to-system scenarios.  Make sure you really understand the business processes that consume and rely on data.
  • Take inventory of the places where files live.  Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc.  After all, it’s harder to protect information that you don’t even know exists.
  • Think about how much your company depends on the secure and reliable transfer of files and data.  What would the effects be of a data breach?  How much does revenue or profitability depend on the underlying business process and the data that feeds them?
  • Determine who has access to sensitive company information.  Then think about who really needs access (and who doesn’t) to the various types of information.  If you’re not already controlling access to company information, it should be part of your near-term plan.   Not everybody in your company should have access to everything.

Modern managed file transfer solutions deliver not only the security you know your business requires, but also the ability to better govern and control your data…. As well as providing you with visibility and auditing capabilities into all of your organization’s data interactions, including files, events, people, policies and processes.

So what are you waiting for?

 

Many customers today expect ‘WAN acceleration’ technology (sometimes referred to as WAN Optimization) as part of their MFT vendor’s solution offering. In general this is a useful addition to the MFT feature set, and can certainly reduce file transfer times in a wide variety of scenarios. However, customers should have realistic expectations of what these acceleration technologies can offer, and be cognizant of the limitations and constraints imposed by the carrier network itself.

Customers should question any absolute, unequivocal claims an MFT vendor makes regarding performance improvements achieved using their particular approach.  A claim of “7x” or “30x” improvement without any documented caveats is simply not credible. The key point is that observed performance enhancements in the WAN are probabilistic, not deterministic. A file transfer occurring multiple times between the same endpoints will in all likelihood produce different latency measurements depending on a large number of factors:

  • Time of day
  • Day of week
  • Physical media traversed
  • Design of intervening switch fabrics and router queues
  • SLAs with the carrier
  • End-to-end QoS provisioning (if any)
  • Burstiness (jitter) of commingled traffic, etc.

Techniques for improving WAN performance vary by vendor: data caching, compression, truncation, protocol optimization (usually proprietary, as an enhancement to TCP at the transport layer), traffic shaping, and de-duplication, just to name a few. Customers should ask many questions and perform their own “real world” tests to ensure they are in fact receiving the transfer performance improvements they expect, under conditions that are common to their WAN environment.

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP‐based encryption to the file, to always require an FTP‐over‐SSL connection with the vendors’ FTP servers, and to always require 256‐bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s centrally configured. Even if your users need to manually transfer something ad‐hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.

What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them—they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones
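Here is an added example, not from Don Jones’s guide or from Ipswitch, of what the enforced-versus-applied distinction looks like in code: a policy held as its own object, evaluated against every job at submission time, with ad hoc jobs receiving the policy’s defaults for anything the user left unspecified. The protocol names, the TLS minimum, the PGP requirement and the sample jobs are assumptions chosen to match the PCI DSS scenario above:

```go
package main

import (
	"fmt"
	"strings"
)

// TransferPolicy is the centrally owned rule set. It sits under its own
// change control with the policy owners; job submitters and server
// administrators only ever have their requests evaluated against it.
type TransferPolicy struct {
	AllowedProtocols  []string // plain FTP is deliberately absent
	MinTLSVersion     string   // for TLS-based protocols (FTPS, HTTPS)
	RequireFileCrypto bool     // PGP (or equivalent) on every file before transfer
	MinCipherBits     int      // 256 for AES-256
	DefaultProtocol   string   // used when an ad hoc job does not say
}

// TransferJob is one requested transfer, scheduled or ad hoc. Empty
// strings and zero ints mean "the submitter did not specify".
type TransferJob struct {
	Name, Partner, Protocol, TLSVersion string
	AtRestCrypto                        string // "pgp", "none" or ""
	CipherBits                          int
	AdHoc                               bool
}

// PCIPolicy is a constructed policy for the PCI DSS scenario in the
// text; the values are assumptions, not Ipswitch defaults.
var PCIPolicy = TransferPolicy{
	AllowedProtocols:  []string{"FTPS", "SFTP"},
	MinTLSVersion:     "1.2",
	RequireFileCrypto: true,
	MinCipherBits:     256,
	DefaultProtocol:   "FTPS",
}

var tlsRank = map[string]int{"1.0": 1, "1.1": 2, "1.2": 3, "1.3": 4} // unknown -> 0

func usesTLS(proto string) bool { return proto == "FTPS" || proto == "HTTPS" }

// WithDefaults fills whatever the submitter left unspecified from the
// policy, so an ad hoc user does not need to know the rules. Explicit
// choices are kept as given and judged by Evaluate.
func (p TransferPolicy) WithDefaults(j TransferJob) TransferJob {
	if j.Protocol == "" {
		j.Protocol = p.DefaultProtocol
	}
	if usesTLS(j.Protocol) && j.TLSVersion == "" {
		j.TLSVersion = p.MinTLSVersion
	}
	if j.AtRestCrypto == "" && p.RequireFileCrypto {
		j.AtRestCrypto = "pgp"
	}
	if j.CipherBits == 0 {
		j.CipherBits = p.MinCipherBits
	}
	return j
}

// Evaluate lists every rule the job breaks; an empty result means it may
// run. Running this on every job at submission time, against a policy the
// server side cannot edit, is what makes the policy enforced, not applied.
func (p TransferPolicy) Evaluate(j TransferJob) []string {
	var v []string
	allowed := false
	for _, a := range p.AllowedProtocols {
		allowed = allowed || strings.EqualFold(a, j.Protocol)
	}
	if !allowed {
		v = append(v, fmt.Sprintf("protocol %q not permitted (allowed: %s)",
			j.Protocol, strings.Join(p.AllowedProtocols, ", ")))
	}
	if usesTLS(j.Protocol) && tlsRank[j.TLSVersion] < tlsRank[p.MinTLSVersion] {
		v = append(v, fmt.Sprintf("TLS %q below minimum %s", j.TLSVersion, p.MinTLSVersion))
	}
	if p.RequireFileCrypto && j.AtRestCrypto != "pgp" {
		v = append(v, "file must be PGP-encrypted before transfer")
	}
	if j.CipherBits < p.MinCipherBits {
		v = append(v, fmt.Sprintf("%d-bit cipher below minimum %d", j.CipherBits, p.MinCipherBits))
	}
	return v
}

// Check is the single submission gate every job goes through.
func Check(p TransferPolicy, j TransferJob) []string {
	return p.Evaluate(p.WithDefaults(j))
}

func main() {
	// Constructed jobs: a compliant scheduled feed, a legacy plain-FTP feed,
	// an ad hoc job that specifies nothing, and an ad hoc job that insists on TLS 1.0.
	jobs := []TransferJob{
		{Name: "nightly-orders", Partner: "vendor-a", Protocol: "FTPS", TLSVersion: "1.2", AtRestCrypto: "pgp", CipherBits: 256},
		{Name: "legacy-feed", Partner: "vendor-b", Protocol: "FTP", AtRestCrypto: "none"},
		{Name: "emergency-order", Partner: "vendor-a", AdHoc: true},
		{Name: "old-client", Partner: "vendor-c", Protocol: "FTPS", TLSVersion: "1.0", AdHoc: true},
	}
	for _, j := range jobs {
		fmt.Printf("%-16s -> %v\n", j.Name, Check(PCIPolicy, j))
	}
}
```

The point is where the check runs: a server administrator can edit a server’s local settings all day, but a job that arrives at the evaluator asking for plain FTP or TLS 1.0 is refused regardless, while the ad hoc “emergency order” job passes without its submitter knowing any of the rules.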

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!