Ericka Chickowski did a nice job in her Dark Reading article on how old-fashioned FTP introduces unnecessarily levels of compliance and security risks to organizations. And here’s an alarming data point from Harris Interactive – approximately 50% of organizations are currently using the FTP protocol to send and exchange files and data.
Talk of security concerns with FTP is certainly not new. FTP was never designed to provide any type of encryption, making it possible for data to be compromised while in-transit. A common answer for this is to use encrypted standards-based protocols such as SSL/FTPS and SSH/SFTP.
Luckily, modern managed file transfer solutions deliver not only the security you know your business requires, but also the visibility and control that IT needs to properly govern company information.
Ipswitch’s Greg Faubert offers his thoughts in the Dark Reading article:
“While FTP is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy…. The PCI standards look specifically at the security surrounding your FTP environment. It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls.”
And yet, somehow, many organizations continue to rely on unencrypted FTP to transport mission-critical or sensitive information. For those guilty, here are a few steps to help you get started in migrating away from antiquated FTP. And don’t worry, it won’t be painful.
Here’s a great write-up of how Rochester General Hospital is using Ipswitch’s MOVEit solution to manage over 400,000 electronic billing transfers per year to dozens of payer systems.
Quick background on the business need: Rochester General Hospital needs to exchange patient records, insurance claims, and billing information from their electronic medical record (EMR) and accounting systems with many health providers and insurance companies.
Security and compliance are critically important: Not only do the transfers need to be reliable to facilitate timely payments, but they also needed to be highly secure and auditable to protect patient privacy and ensure compliance with HIPAA and HITECH.
Ipswitch eliminated complexity and created efficiencies:
“We needed to consolidate on a standard way to transfer files to many different payer systems…. MOVEit consolidated a number of batch files and legacy tools into a single, secure and easy to use file transfer solution,” says Dylan Taft, Systems Engineer at RGH.
“In the event of an audit, MOVEit allows us to provide chain-of-custody and non-repudiation with just a few clicks. Without MOVEit, we wouldn’t have this visibility.”
If we didn’t have MOVEit, we would have to hire one or two additional people just to review the log files every day – not to mention lost files, information arriving late, and frustrated doctors and payers.”
Do you have a great Ipswitch story of your own to tell? Email us at firstname.lastname@example.org…. We can’t wait to hear all about it!
There is so much to absorb at RSA Conference. The largest gathering of security vendors, solution providers and practitioners in the U.S. certainly didn’t disappoint as the Moscone Center was buzzing with security education and of course lots of thought provoking conversations.
Many of the people I spoke with shared similar concerns of data breach risk, tighter compliance and auditing requirements, and their lack of visibility and control over the tools that people are using inside their organization to share files and data with other people. IT leaders are feeling pressure (and rightfully so) to regain control over how people share files with other people. It was also great hear so many people talking about migrating to the public and private clouds in order to take advantage of benefits such as quick provisioning and elasticity.
My favorite conversations at conferences are usually the ones I have with current customers…. And RSA was no exception. Quite frankly, the key insights I learn from talking with customers help me do my job better. Many thanks to the dozen or so Ipswitch customers that stopped by our booth and shared stories of how they have successfully consolidated and replaced the various homegrown file transfer tools and scripts, various vendor products, and manual processes they had been relying on with an Ipswitch MFT solution, resulting in improved efficiencies in their business processes as well as a simplified way to demonstrate compliance and consistently enforce security policies for all their file transfer and file sharing activities.
Are you attending RSA Conference next week in San Francisco? If so, stop by booth #629 at the Moscone Center and say hello the Ipswitch team.
This will be my third year attending RSA. Not only and I’m looking forward to talking about how Ipswitch’s portfolio of Managed File Transfer solutions can solve the problems you’re experiencing with your current file transfer and B2B environment…. But I’m also looking forward to learning about topics like security attacks, data breaches, mobile threats, cloud security, and compliance along with the other 15,000+ people attending the largest security conference in North America.
If you’re going to be at RSA this year, stop by our Ipswitch booth (#629) to learn how we can help you:
- Mitigate security risks and data breach exposure. We’ll show you how to secure and control all files/data moving between systems and people — both internally and externally
- Reduce complexity by consolidating and replacing the various file transfer products, homegrown solutions, hard to maintain scripts, and tools people use to share files
- Increases productivity and efficiency by automating manual and labor-intensive workflows with a simple point-and-click interface – No scripting required
- Provide visibility and auditability into all data transfer and file sharing activities, including files, events, people, policies and processes
We hope to see you there.
As companies continue to include the cloud in their overall IT initiatives – taking advantage of elasticity, scalability, interoperability and mobility – concerns around management, governance and control of data are preventing some organizations from fully embracing cloud services.
In fact, according to the recent Ponemon cloud survey, over 30% of IT and compliance respondents claim that concerns about data security have kept their organization from adopting cloud services…. And approximately half place a high priority on security when evaluating cloud providers.
For many, the benefits and the desire to migrate to the cloud in organizations seem to outweigh the security concerns.
That being said, every company’s risk tolerance is different. Some of the variables in play that impact risk tolerance certainly include the type of information being moved and stored in the cloud, the industry (and associated compliance requirements) and of not only the company but also its business partners, as well as the specific security measures provided (or not provided) by cloud providers they are considering.
Not all cloud services are created equal. There are absolutely great differences in the measures different providers have taken to protect information they process and store in the cloud. A few security considerations include authentication and authorization as well as protecting data not only while it’s in transit to the cloud, but also while it remains there.
It’s no secret that more and more companies are turning to the cloud to benefit from all that it has to offer. Subscribing to a cloud service can offer conveniences over deploying software on-premises, including faster deployment, budgeting flexibility, built-in elasticity, near-perfect uptime and it can be significantly less taxing on IT resources.
Managed File Transfer (MFT) is certainly not being left behind in this cloud revolution. According to Gartner, adoption of MFT Cloud Services is growing rapidly and now accounts for approximately 10% of the overall MFT market. While both on-premises and cloud markets will continue to grow about 20% annually, cloud services will become a bigger piece of the MFT pie.
Here’s a nifty graph from the Ponemon Institute’s recently published “The Security of Cloud Infrastructure” report summarizing key cloud drivers from the perspective of both IT/Security and Compliance respondents. Interesting to see that many people believe that cloud services will provide improved security and compliance efforts over doing it themselves on-premises with their resource.
So, how do you feel about cloud security? Are you comfortable with your organization’s data being moved into the cloud?? What cloud security measures would make you feel better???
Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information. We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.
2011 was also a record-breaking year for data breaches. Coincidence? Perhaps. But there is no denying the fact that the increased use of non-sanctioned technology in the workplace has created a security loophole in many organizations. It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or worse, a data breach.
Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing. For example, our Ad hoc Transfer module for MOVEit DMZ enables organization to enforce consistent policies and processes around person‐to‐person file transfers ‐ email encryption, attachment offloading, secure messaging, eDiscovery, and more. It not only gives companies unparalleled governance, but it also allows end users to send information, with anyone, in a fast, easy, secure, visible, and well managed way.
We will be talking a lot more about the topic of people person-to-person file sharing in 2012, so stay tuned….
Let’s start to examine the impact of end-to-end visibility and ways it can be put to work for your organization. For starters, let’s dig into correlation.
Correlation involves identifying related actions and events as a file moves through a series of business processes (including what happens after a file is moved, renamed, or deleted), and using that information to make business decisions. Correlation can also associate file transfer metadata with downstream processes such as whether a product was shipped or an invoice was paid after an order was received from a customer.
Ipswitch’s Frank Kenney shares some thoughts in the video below on why correlation is an especially important part of visibility and how it enables you to really understand not only file transfers, but also the applications, processes, purchase orders and other items in your infrastructure that tie back to customers, SLA’s and revenue..
Correlation enables users to easily view all the events related to the transfer and consumption of a single file or set of files, including subsequent applications and resulting business processes. For example, they can track a file through a complete workflow and throughout its entire lifecycle, even if it was shared with a customer or business partner – critical insight that can impact the quality and timeliness of work, service level agreements, not to mention revenue and profitability.
Information flows into, within and out of organizations faster and in greater volumes than ever before. Complicating matters is the growing number of vendor systems, applications and platforms that make up your company’s business infrastructure and touch even your most sensitive and mission-critical information.
If you don’t have visibility into the data and files that are flowing between systems, applications and people — both inside and beyond the company firewall — things can go haywire very quickly.
- Lost files, security breaches and compliance violations
- Broken SLAs and other processes that are dependent on files
- No file lifecycle tracking as data flows between applications, systems and people
- Damaged partner and customer relationships
- Lost opportunities
Relying on the reporting capabilities of each individual system has proven to be risky and inefficient. Chances are, you’re swimming in a sea of not-very-useful-or-actionable data and static reports that are already a week behind with what’s actually happening in your company this very instant.
In today’s blog video, Frank Kenney shares his thoughts why having one consolidated view is critical and why organizations are having such a hard time achieving visibility.
When it comes to your file transfers, many questions exist. Do you have the total visibility your business requires? How do your customers gain visibility into their file transfers?? Do you have all the information you need to meet your service level agreements (SLAs) as well as enabling transparency about integration and file transfers??? Let Ipswitch help you answer these questions and overcome your visibility challenges.
You’re going to be hearing more and more about “VISIBILITY” from Ipswitch, so I’d like to quickly start this blog post with our definition of visibility in the context of files and data flowing into, within and out of your company:
Visibility: “Unobstructed vision into all data interactions, including files, events, people, policies and processes”
Fast, easy access to critical file and data transfer information is a must-have – it’s critical to the success of your business. Whether it’s tracking and reporting on SLAs, analyzing file transfer metrics to identify bottlenecks and improve efficiency, or providing customers and partners with easy self-service access to the file transfer information they require – as well as countless other business objectives – unobstructed visibility is imperative.
Having one consolidated view into all of the systems and processes involved in your organizations file and data transfers will deliver tremendous business value and a competitive edge. Please do take a couple of minutes to watch Ipswitch’s Frank Kenney share his perspective on why visibility is important.
This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.
My answer: “Use both of them, together!”
For starters, here’s a real quick summary of both encryption types:
- Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS. Leading solutions use encryption strengths up to 256-bit.
- File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents. PGP is commonly used to encrypt files.
I believe that using both together provides a double-layer of protection. The transport protects the files as they are moving…. And the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.
Here’s an analogy: Think of transport encryption as an armored truck that’s transporting money from say a retail store to a bank. 99.999% of the time that armored Brinks truck will securely transport your delivery without any incident. But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.
One last piece of advice: Ensure that your organization has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information. Although it’s an amazing accomplishment that FTP is still functional after 40 years, please please please realize that FTP is does not provide any encryption or guaranteed delivery – not to mention that tactically deployed FTP servers scattered throughout your organization lack the visibility, management and enforcement capabilities that modern Managed File Transfer solutions deploy.
“My company still relies heavily on FTP. I know we should be using something more secure, but I don’t know where to begin.”
The easy answer is that you should migrate away from antiquated FTP software because it could be putting your company’s data at risk – Unsecured data is obviously an enormous liability. Not only does FTP pose a real security threat, but it also lacks many of the management and enforcement capabilities that modern Managed File Transfer solutions offer.
No, it won’t be as daunting of a task as you think. Here’s a few steps to help you get started:
- Identify the various tools that are being used to transfer information in, out, and around your organization. This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc. Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.
- Map out existing processes for file and data interactions. Include person-to-person, person-to-server, business-to-business and system-to-system scenarios. Make sure you really understand the business processes that consume and rely on data.
- Take inventory of the places where files live. Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc. After all, it’s harder to protect information that you don’t even know exists.
- Think about how much your company depends on the secure and reliable transfer of files and data. What would the effects be of a data breach? How much does revenue or profitability depend on the underlying business process and the data that feeds them?
- Determine who has access to sensitive company information. Then think about who really needs access (and who doesn’t) to the various types of information. If you’re not already controlling access to company information, it should be part of your near-term plan. Not everybody in your company should have access to everything.
Modern managed file transfer solutions deliver not only the security you know your business requires, but also the ability to better govern and control you data…. As well as provide you with visibility and auditing capabilities into all of your organizations data interactions, including files, events, people, policies and processes.
So what are you waiting for?