Possibly not. The Internet’s venerable File Transfer Protocol (FTP) is usually supported by Managed File Transfer (MFT) systems, which can typically use FTP as one of the ways in which data is physically moved from place to place. However, MFT essentially wraps a significant management and automation layer around FTP. Consider some of the things an MFT solution might provide above and beyond FTP itself—even if FTP was, in fact, being used for the actual transfer of data:

  • Most MFT solutions will offer a secure, encrypted variant of FTP as well as numerous other more‐secure file transfer options. Remember that FTP by itself doesn’t offer any form of transport level encryption (although you could obviously encrypt the file data itself before sending, and decrypt it upon receipt; doing so involves logistical complications like sharing passwords or certificates).
  • MFT solutions often provide guaranteed delivery, meaning they use file transfer protocols that give the sender a confirmation that the file was, in fact, correctly received by the recipient. This can be important in a number of business situations.
  • MFT solutions can provide automation for transfers, automatically transferring files that are placed into a given folder, transferring files at a certain time of day, and so forth.
  • MFT servers can also provide set‐up and clean‐up automation. For example, successfully‐transferred files might be securely wiped from the MFT server’s storage to help prevent unauthorized disclosure or additional transfers.
  • MFT servers may provide application programming interfaces (APIs) that make file transfer easier to integrate into your internal line‐of‐business applications.
  • MFT solutions commonly provide detailed audit logs of transfer activity, which can be useful for troubleshooting, security, compliance, and many other business purposes.
  • Enterprise‐class MFT solutions may provide options for automated failover and high availability, helping to ensure that your critical file transfers take place even in the event of certain kinds of software or hardware failures.

In short, FTP isn’t a bad file transfer protocol—although it doesn’t offer encryption. MFT isn’t a file transfer protocol at all; it’s a set of management services that wrap around file transfer protocols—like FTP, although that’s not the only choice—to provide better security, manageability, accountability, and automation.

In today’s business, FTP is rarely “enough.” Aside from its general lack of security—which can be partially addressed by using protocols such as SFTP or FTPS instead—FTP simply lacks manageability, integration, and accountability. Many businesses feel that they simply need to “get a file from one place to another,” but in reality they also need to:

  • Make sure the file isn’t disclosed to anyone else
  • Ensure, in a provable way, that the file got to its destination
  • Get the file from, or deliver a file to, other business systems (integration)

In some cases, the business might even need to translate or transform a file before sending it or after receiving it. For example, a file received in XML format may need to be translated to several CSV files before being fed to other business systems or databases—and an MFT solution can provide the functionality needed to make that happen.

Many organizations tend to look at MFT first for its security capabilities, which often revolve around a few basic themes:

  • Protecting data in‐transit (encryption)
  • Ensuring that only authorized individuals can access the MFT system (authorization and authentication)
  • Tracking transfer activity (auditing)
  • Reducing the spread of data (securely wiping temporary files after transfers are complete, and controlling the number of times a file can be transferred)

These are all things that a simple FTP server can’t provide. Having satisfied their security requirements, organizations then begin to take advantage of the manageability capabilities of MFT systems, including centralized control, tracking, automation, and so forth—again, features that an FTP server alone simply can’t give you.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!

Definitely not. To begin with, there are numerous kinds of encryption—some of which can actually be broken quite easily. One of the earlier common forms of encryption (around 1996) relied on encryption keys that were 40 bits in length; surprisingly, many technologies and products continue to use this older, weaker form of encryption. Although there are nearly a trillion possible encryption keys using this form of encryption, relatively little computing power is needed to break the encryption—a modern home computer can do so in just a few days, and a powerful supercomputer can do so in a few minutes.

So all encryption is definitely not the same. That said, the field of cryptography has become incredibly complex and technical in the past few years, and it has become very difficult for business people and even information technology professionals to fully understand the various differences. There are different encryption algorithms—DES, AES, and so forth—as well as encryption keys of differing lengths. Rather than try to become a cryptographic expert, your business would do well to look at higher‐level performance standards.

One such standard comes under the US Federal Information Processing Standards. FIPS specifications are managed by the National Institute of Standards and Technology (NIST); FIPS 140‐2 is the standard that specifically applies to data encryption, and it is managed by NIST’s Computer Security Division. In fact, FIPS 140‐2 is accepted by both the US and Canadian governments, and is used by almost all US government agencies, including the National Security Agency (NSA), and by many foreign ones. Although not mandated for private commercial use, the general feeling in the industry is that “if it’s good enough for the paranoid folks at the NSA, it’s good enough for us too.”

FIPS 140‐2 specifies the encryption algorithms and key strengths that a cryptography package must support in order to become certified. The standard also specifies testing criteria, and FIPS 140‐2 certified products are those products that have passed the specified tests. Vendors of cryptography products can submit their products to the FIPS Cryptographic Module Validation Program (CMVP), which validates that the product meets the FIPS specification. The validation program is administered by NIST‐certified independent labs, which not only examine the source code of the product but also its design documents and related materials—before subjecting the product to a battery of confirmation tests.

In fact, there’s another facet—in addition to encryption algorithm and key strength—that further demonstrates how all encryption isn’t the same: back doors. Encryption is implemented by computer programs, and those programs are written by human beings— who sometimes can’t resist including an “Easter egg,” back door, or other surprise in the code. These additions can weaken the strength of security‐related code by making it easier to recover encryption keys, crack encryption, and so forth. Part of the CMVP process is an examination of the program source code to ensure that no such back doors exist in the code—further validating the strength and security of the encryption technology.

So the practical upshot is this: All encryption is not the same, and rather than become an expert on encryption, you should simply look for products that have earned FIPS 140‐2 certification. Doing so ensures that you’re getting the “best of breed” for modern cryptography practices, and that you’re avoiding back doors, Easter eggs, and other unwanted inclusions in the code.

You can go a bit further. Cryptographic modules are certified by FIPS 140‐2, but the encryption algorithms themselves can be certified by FIPS 197 (Advanced Encryption Standard), FIPS 180 (SHA‐1 and HMAC‐SHA‐1 algorithms). By selecting a product that utilizes certified cryptography, you’re assured of getting the most powerful, most secure encryption currently available.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!

SC Magazine just published a short article titled “FTP described as unsecure and generally unmonitored”.

In the article, fellow Managed File Transfer (MFT) vendor Axway correctly points out that “usernames, passwords, commands and data can be easily intercepted and read while files transferred via FTP are uploaded or downloaded without any encryption.”

Not to overstate the obvious, but I wholeheartedly agree (and this should come as no surprise to our avid blog readers).  The FTP protocol turned 40 years old in 2011 and although still functional, it was not designed to provide any encryption or guaranteed delivery.  Unfortunately, many organizations are still relying on outmoded homegrown FTP scripts or have deployed basic FTP servers scattered throughout their organization – all lacking basic security measures, not to mention important visibility, management and enforcement capabilities.

Today, the 40-year old FTP protocol proudly serves as the foundation for the majority of data transfer and application integration technologies that organizations rely on so heavily.    But luckily for us all, modern file transfer solutions deliver much more than basic FTP:

  • VISIBILITY capabilities such as logging; reporting; alerts; notifications; chain-of-custody and file life cycle tracking
  • MANAGEMENT capabilities such as workflows and scheduling of file related processes; person-to-person file transfer;  integration with systems/applications; data transformation; high availability;  virtualized platform support
  • ENFORCEMENT capabilities such as user provisioning;  password policies;  encryption requirements (for example, requiring 256-bit AES encryption over FTPS or SFTP protocols);  file integrity checking;  non repudiation

Now is the time to replace old and often insecure point FTP solutions and hard-to-maintain scripts with technology that includes the benefits of a modern MFT solution.

Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches.  Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.

Here are a few noteworthy data points:

  • Nearly 800 data breaches were reported in 2010, a sharp increase from the 900 breaches reported in the previous six years combined
  • 4 million records were compromised in 2010  which is significantly less than the 144 million compromised in 2009
  • Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
  • 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach, indicating that organizations with rigorous compliance efforts are less likely to be breached
  • Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component

A key takeaway is that while the quantity of data breaches quintupled in 2010, the number of compromised records actually dropped.  This data is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.

As the Verizon team points out, in the world of cyber crime, knowledge is power.  Not only do companies require visibility into the  files and data that are being transferred around an in/out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are being accessed every day by internal and external systems, applications and people.

I, like many others, have received security notifications about the Epsilon data breach.  In the last 48-hours I have been sent email warnings from 8 companies that I trusted with my personal information – Banks, retailers and hotels.

These companies entrusted my private contact information to Epsilon, a 3rd party e-mail marketing company…. And that information has now been compromised by hackers.  Awesome.

Details of this massive breach are still rolling in, but so far the list of affected companies is known to include: Ameriprice Financial; Best Buy; Brookstone; Capital One; Citibank; Disney Destinations; Hilton; Home Shopping Network; JPMorgan Chase; Kroger; LL Bean Visa Card; Marriott; QVC; Robert Half; Red Roof Inn; Ritz-Carlton; Target; The College Board; TiVo; US Bank; Walgreens; 1-800-FLOWERS.  And there are likely many more that we haven’t heard about yet.

The Epsilon e-mail breach is a warning about the data security standards employed by third-party service providers, as well as a not-so-subtle reminder to organizations to require strong contractual obligations related to security practices with every business partner and third-party provider you do business with.  As we learned with Epsilon, the privacy – and trust – of your customers may depend on it.

Lastly, be on the lookout for scam emails in your inbox.  The Epsilon breach is an example of how hackers can now match your name and email address to companies that you interact with.  So get ready for the onslaught of emails trying to trick you into handing over your online usernames and passwords.  I suggest not clicking links embedded in emails, instead always go to the company website directly and logon from their safe homepage.  Check out this informative article on The Last Watchdog for more on spear phishing risks as well as some commentary by Ipswitch’s Frank Kenny on data breaches and customer notifications.

Would you be surprised if I told you that nearly 40% of all data leaks within the past 3 years have happened between January 1st and April 15th?

According to the DataLoss Database there have been 2,402 data loss incidents reported between 2007 and 2010, and 916 of them happened during tax season.

Coincidence?  Maybe…

Tax season is upon us, and auditors are making the rounds.  So what are companies doing to prevent sensitive information from walking out the door?

Important questions companies should consider:

  • What kind of access is being granted to third parties, like auditors?
  • How are third parties handling and protecting your business-critical information?
  • What tax-related documents are being sent internally and externally – without a lock-and-key?

There is a critical need for visibility and security when handling sensitive documents either internally or with third-party providers – or with anyone else, for that matter.  Organizations must make it a priority to first identify the confidential information floating around its systems, people and between partners.  Then carefully consider where that data lives, who has access to it, and what policies should be implemented to ensure that it’s handled safely.

Here’s a great story of how retail giant Home Hardware is using Ipswitch MessageWay solutions to efficiently manage, secure and share over 4 million business-critical files annually among its 1,000+ retailers.  And best of all, MessageWay is saving Home Hardware money every single day!

Speed, automation and validation were among Home Hardware’s the key business requirements.  They send over 75,000 essential business files per week (including vendor/product info, pricing and POS software updates, and order confirmations) and also need to reduce download times and validate orders.

Home Hardware is now able to:

  • Move files faster – cutting transfer time from hours to minutes
  • Automate and speed product orders and software updates
  • Prevent lost orders do to file transfer glitches
  • Tighten security around sensitive data transfers
  • Accelerate time to revenue by expediting orders, payments and settlements
  • Ensure compliance and accountability with full visibility into the file transfer process

Why Home Hardware selected MessageWay for Managed File Transfer:

“MessageWay is second-to-none, and our efficiency improved dramatically as soon as we implemented, ”  said Brent Horst, Director of Corporate Applications at Home Hardware.

“MessageWay transformed the way we send and receive files. The speed, automation and reliability are the best we’ve seen.  The most important features that Ipswitch MessageWay provides are the speed of file transfer, file validation and guaranteed delivery,” said Horst.

Got a great Ipswitch story of your own to tell?  Email us at mystories@ipswitch.com…. We can’t wait to hear all about it!

Here’s an amazing tale of how Ipswitch WS_FTP software is being used by the European Columbus laboratory to securely transfer hundreds of megabytes of scientific data between the International Space Station and Earth.

“Crew time is so valuable and the volume of data involved is so large that a reliable and secure system for data transfer was absolutely essential,” explained Alain Maillet, Cadmos engineer.

“WS_FTP gives us the possibility to transfer all our scientific data files automatically and securely, not only in space, but also back down to Earth – it is secure, stable and easy-to-use.”

Here’s an action photo of Alain Maillet talking with the International Space Station from Toulouse, France.

Got a great Ipswitch story of your own to tell?  Email us at mystories@ipswitch.com…. We can’t wait to hear all about it!

Ziff Davis recently published a study on Managed File Transfer that heralds MFT solutions as “the unsung security and compliance solution”.  Eric Lundquist sets the stage nicely:

“Everyone is talking about the need to collaborate more effectively and put employees closer to customers in a real time business environment.

But until you can assure the security, privacy, and compliance requirements of data transfer, the collaborative enterprise is just a good idea.  MFT is one of those enabling technologies designed to make it a reality.”

The study found that security concerns about current file transfer methods include the usual suspects, such as:  encryption; viruses, user authentication, backup, hacking, enforcing security policies, managing external users, auditing, reporting and defining security policies.

Not surprisingly, data from the study shows that many of those very security concerns that people had with their organizations current file transfer methods are actually strengths of today’s MFT solutions.

Keep in mind that many organizations still rely on homegrown scripts and point-to-point solutions, oftentimes using unencrypted FTP protocol for transport… And with very little visibility, management or policy enforcement.  In addition to being time consuming and expensive to manage and maintain (and commonly built by developers that left the company years ago), many existing file transfer methods are insecure and introduce risk and inefficiency into an organization.

Plus, many companies haven’t even begun to crack the person-to-person nut of file transfer beyond relying on corporate email, unsanctioned personal email or file sharing websites, and even sneakernet!

In my next post, we’ll take a closer look at some of the areas where the study identified MFT solutions as being superior to many commonly used methods for file transfer.

We are sorry for any concern we are causing anyone at this time.”

It’s pretty certain that those are 13 words that no CEO ever wants to have to say. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that some computer files containing the personal information of about 800,000 people might have been misplaced or possibly lost or maybe even stolen.

We’re talking about information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits … just to name a few pieces of personal information, you get the picture.

800,000 records. 800,000 reasons why Managed File Transfer is important. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that somewhere in the process of these 800,000 records being shipped to a contractor to be destroyed, and actually getting to the contractor to be destroyed they disappeared.

Boston.com has some information worth reading.

Forgive the obvious Ipswitch plug here, but c’mon, any one of these solutions could help any CEO avoid having to say those 13 words.

So, that’s today’s 800,000 reasons why MFT is important, and how to avoid those 13 words. As a special bonus for you, here’s 7 words you’d surely like to steer clear of:

We are still searching for those files.’’

Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Industry expert Michael Osterman shares some great editorial and perspective in Messaging News on the Ipswitch acquisition of MessageWay.  He starts by pointing out that Ipswitch is positioned as a “Leader” in the latest Gartner Magic Quadrant for Managed File Transfer….. As well as Ipswitch’s proven track record in the file transfer space (Nearly 20-years for those counting).

He also nailed what the acquisition immediately brings to the table as far as expanding Ipswitch’s range of solution offerings:  “(Ipswitch has) clearly boosted its position in the MFT space with this acquisition given that MessageWay’s MFT solutions are designed for high volume file transfer applications in the large enterprise (Global 2000) and service provider markets.”

I particularly like (and agree with) his answer to the question of “Why is MFT important?”

“Among the many reasons are two key ones:

read more “Why is MFT important?”

How does the popular UK tech blogger, Jason Slater, use WS_FTP Professional?

WS_FTP Professional User Interface

In his latest blog post, “Mass Transferring Files with WS_FTP Professional,”  Jason reveals that he’s in the process of migrating his websites to a new dedicated web server.

In order to do this successfully, Jason needs to utilize a tool that transfers his data quickly and securely. That’s where WS_FTP Professional comes into play…

Jason explains that he relies on WS_FTP Professional to get this important job done and that he’s been using “WS_FTP for quite some years and [has] seen the product develop into the essential application it is today.”

To read Jason’s full  post on WS_FTP Professional, please visit his website, Jason Slater Technology Blog.