A quick summary of key industry happenings:

A) The economic impact of piracy (including software) is *really* not understood: http://www.gao.gov/products/GAO-10-423. See pages 15 – 19 of the full report in particular.

I’ve always been skeptical of the piracy claims; it’s good to see someone actually reviewed them. I think it is better for the industry to focus on the valued real customer rather than to fabricate and fret about the unknown and unquantifiable pirate customer.

read more “HTML 5, Memristors and Software Piracy”

I spent the day today at the CompuCom vendor fair in Dallas, TX.  CompuCom is one of Ipswitch’s sales channel partners, and the purpose of attending today’s event was to talk about Ipswitch File Transfer solutions with CompuCom’s team of account managers and sales representatives.

Today’s goal was to raise awareness, education level and excitement about  Ipswitch File Transfer solutions among CompuCom’s 130 or so software sales associates so that they, in turn, will proactively pitch our solutions to their accounts and ultimately close more deals.

I walk away having had dozens of conversations that align with our focus of solving real business problems.   The days of selling “feature feature feature” are over.  In past years, literally thousands of sales centered on a laundry list of features such as 256-bit AES encryption, FTPS, SHA-512 file integrity and administrative separation of duties.  Today, a large (and growing) number of sales conversations center on higher-level topics such as policy enforcement, risk mitigation, visibility into all internal and external file interactions, and how to give end users a simple and secure way to quickly transfer files with other people.

It was definitely a very worthwhile event to participate in and I believe that we successfully raised mindshare and interest level in our portfolio of secure managed file transfer solutions within CompuCom.  And it’s always nice to see some x-large belt buckles while hearing a few success stories from sales reps about how they recently closed some juicy deals.

It’s great to have a line that’s far above the rest. It’s great to see that in the Magic Quadrant, it’s great to see that in a Wave, it’s great to see that in any industry report. But what does it all mean? As a technology provider, I understand that corporate executives like dashboards, spreadsheets, charts and graphs. These are the tools that many of them use to run their businesses day-to-day. But what does it mean to see a spike in the line, or what does it mean to see a drop in the line? The key to any reporting capability is solid analysis and analytics. For instance, a marketing executive needs to know why there are dramatic spikes in news reference volume from some vendors and not others. That same executive would also want to consider why search trends don’t follow news volume.

read more “Looking Deeper Into The Data: Analysis and Analytics”

This month I was working with a large U.S.-based bank on a file transfer eDiscovery project.  In the past, when people thought about eDiscovery, they thought about email only, or maybe also instant messages.  Now, however, it’s dawned on IT and risk management groups that business documents, plans, sales figures and other files are being sent by their employees to other people outside the company using file transfer capabilities.

In some cases, these “send file” capabilities are being provided by hosted SaaS solutions.  Other times, they are being provided by on-premises software.  Ipswitch provides both hosted and on-premises solutions that allow people to exchange files using browsers, Outlook or other clients, so this topic comes up in many conversations.

The project I was working on with the bank was around the archives of previously sent packages of files.  To bridge the final gaps between their eDiscovery software and our file transfer archives, they needed to see archived packages of files represented as Microsoft MSG and PST files, so we undertook a project to close that gap while preserving the integrity and complete context of the original file send.

I only see this kind of work continuing to be in demand in the sectors we serve, but I’m curious if eDiscovery has had an impact on YOUR file transfer workflows or archiving procedures too.    Please comment below or send me a message if you’d like to share some of your experiences with file transfer and eDiscovery.

As most IT folks already know, “Net Neutrality” was dealt a blow today in federal court.  ( http://www.suntimes.com/technology/2143440,comcast-fcc-net-neutrality-040610.article )

This has an impact on the file transfer industry, as some carriers could now consider non-HTTP/S protocols such as FTP, SSH, FTPS and AS3 as non-core or superfluous and work to throttle or block these protocols.   In fact, the underlying court case centered on the file transfer protocol used by BitTorrent.

Opinion on the ruling is mixed, but there is an equally healthy debate about whether or not it will stand.  One possible course the FCC may take is to reclassify high-speed Internet as a more regulated class of communications; essentially allowing the FCC to reassert Net Neutrality at that point.

But for now, Net Neutrality is dead – stay tuned.

I’ve been following the data breach that occurred at HSBC Private Bank in Switzerland.    Seems that an employee stole data on 24,000 accounts over three years ago, but the details of the breach weren’t clear to the company until earlier this month when the Swiss government returned data files back to the bank.

That type of lengthy delay is unacceptable.  Forget for a moment the possible impact a data breach can have on an organization’s bottom line.  Instead, think about the individuals who have been violated by either negligence or cybercrime.  They deserve to know, and in a timely fashion.

An organization must have clear visibility into all data interactions, including files, events, people, policies and processes.  Best-in-class managed file transfer solutions include tamper-evident cryptographic audit logs, as well as easy archival and retrieval of all transferred files and personal messages that were sent back and forth.  No security can ever be perfect, but the correct audit capabilities mean that losses can be clearly understood without delay.
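The paragraph above calls for tamper-evident audit logs without saying what makes a log tamper-evident. The usual construction is a chain: every entry carries the MAC (or hash) of the entry before it, so editing or deleting an entry breaks every later link. The block below is an added illustration of that construction and is not Ipswitch’s implementation; the events, key and field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample events; they are not taken from any real product log.
SAMPLE_EVENTS = [
    {"ts": "2010-03-02T09:14:05Z", "user": "jsmith", "action": "upload",
     "file": "q1_forecast.xlsx"},
    {"ts": "2010-03-02T09:15:40Z", "user": "jsmith", "action": "send",
     "file": "q1_forecast.xlsx", "to": "auditor@example.com"},
    {"ts": "2010-03-02T09:20:12Z", "user": "admin", "action": "change_policy",
     "detail": "allow_external_send=true"},
]

GENESIS = "0" * 64  # "previous MAC" used for the very first entry


def _canonical(obj) -> bytes:
    # Stable serialization so the same entry always MACs to the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, event, key):
    """Append one event, chaining it to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": dict(event)}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    log.append(entry)
    return entry


def verify_log(log, key, head=None):
    """Return -1 if the chain verifies, else the index of the first bad entry.

    `head` is the MAC of the last entry as recorded somewhere the log's
    administrator cannot reach (e.g. shipped to a separate collector).
    Without it, silently dropping entries from the *end* of the log is
    undetectable: the remaining prefix is still a valid chain.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["mac"])):
            return i
        prev = entry["mac"]
    if head is not None and prev != head:
        return len(log)  # tail was truncated (or the recorded head is wrong)
    return -1


def build_sample_log(key):
    log = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev, key)
    return log


def edit_in_place_demo(key):
    """An admin rewrites a recorded policy change: detected at entry 2."""
    log = build_sample_log(key)
    log[2]["event"]["action"] = "view_policy"
    return verify_log(log, key)


def delete_middle_demo(key):
    """Removing the 'send' event breaks the chain at the entry that follows it."""
    log = build_sample_log(key)
    del log[1]
    return verify_log(log, key)


def truncate_tail_demo(key):
    """Dropping the last entry is only caught when the head MAC is known."""
    log = build_sample_log(key)
    head = log[-1]["mac"]
    log.pop()
    return verify_log(log, key), verify_log(log, key, head=head)


if __name__ == "__main__":
    k = b"constructed-demo-key"
    print(verify_log(build_sample_log(k), k))
    print(edit_in_place_demo(k), delete_middle_demo(k), truncate_tail_demo(k))
```

The MAC key decides who the log is tamper-evident against: if it sits on the same server under the same administrator, that administrator can simply re-chain the log. In practice the key (or a signing key) is held by the collector that verifies the chain, and the latest MAC is periodically copied off-box so that truncation of the tail is caught as well.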

One last piece of advice to companies that fall victim to a breach:  Don’t keep it to yourself.  Standard procedure for data breach recovery should be to quickly identify the severity of the breach… And affected individuals have a right to know that sensitive information about them has accidentally been compromised.

“Why are we still FTP’ing files to each other in 2010?”

That is one of the philosophical questions I get to ponder almost once a week as I chat with my colleagues in the industry.  Part of the answer is easy: “Almost everyone has or knows about FTP.”   Based on that answer, a number of secure variants on FTP (SFTP, FTPS, even our own command-line MOVEit Xfer client) have emerged, along with extensions to the core FTP command set itself.

But why bother moving FILES around when we could all be doing little bitty TRANSACTIONS to each other using SOAP or other transactional-friendly schemes?   The answer to that question didn’t come to me until I’d spent several years in the field, traveling between banks, data centers and large corporations in support of distributed, enterprise-class file transfers.

In the 1990s the local branch of your bank worked something like this.  At the end of every business day, after all the customers had left, the tellers would compare the cash in their drawers against what the accumulated transactions of the day on the computer said should be there.  During this reconciliation process, adjustments might be made to the record of the day to explain the discrepancies – essentially adding extra transactions after the bank was closed.  However, these transactions often did NOT occur in real time.   Instead, after all balancing was done and local management was satisfied with the result, a fixed set of files with the branch bank’s “final answer” was sent in to the home office, and everyone went home for the night.

So why did/do banks use files for this workflow instead of transactions?  Why did their operations experts only ask branches to send in a single set of files?

  • It hid the complexity of the bank’s central systems from branches.  Branch managers didn’t have to worry about sending this to this system and that to that system, each with its own error codes: they just sent the files and went home.
  • It was less risky for the branch managers and their staff.  Branch managers didn’t have to worry about a misbehaving back-end system keeping their tellers on for an extra hour: they just sent the files and went home.
  • It let central management put faith in the numbers.  When a branch sent in its final report, central management knew that its numbers had undergone local verification, and that its numbers were not going to be superseded by any “last minute” transactions.

Boiled down, the reasons large FILE transfers were used in this interaction (instead of small TRANSACTIONS) were to hide the complexity of systems on both ends, reduce the risk of transmission failure and increase the fidelity of the overall operation.    Whenever you find similar “do good work, certify it and throw it over the wall” workflows in business processes, the opportunity to solve those workflows with secure and reliable file transfer usually exists.

(Will file transfer and transaction-based architectures ever converge?  I think they already have begun to – look for more on that in future posts!)

One of the hot debates among cloud watchers has been whether cloud vendors will someday federate and provide transparent services across continental boundaries. Microsoft provided an interesting twist to this debate just before the RSA Conference kicked off here in San Francisco.

As noted by Gavin Clarke in The Register:
“Among the features (in Microsoft’s latest U.S. government cloud offerings) are secured and separate hosting facilities, access to which is restricted to a small number of US citizens who have cleared rigorous background checks under the International Traffic in Arms Regulations (ITAR).”

In other words, Microsoft has defined a large private cloud segment that will never span political boundaries.   However, not every Federal process must comply with ITAR or even the higher levels of FISMA.  It will be interesting to see whether other cloud vendors follow suit with their own private offerings or if private government clouds restricted to and maintained in a single country are just a niche.

Best three questions from floor of RSA Conference today (Tuesday, March 2, 2010):

1) What are you doing about federated authentication? (state government)

Answer: We’re looking at it.  Our products already offer extensive support for LDAP, RADIUS, ODBC and other external authentication sources, and single sign-on solutions for CA SiteMinder and most SSL client certificates (e.g., Entrust, etc.).  Federated authentication is the next big authentication set ahead of us and will likely have ramifications for both our on-premises and hosted solutions.

2) How is your SSH support more appropriate for a company under SarBox than the OpenSSH deployments I have all over my network?  (financial clearinghouse)

Answer: Do you have your SSH servers configured to deliver you the auditing information you need?  (No.)  Are you able to distinguish individual users by the SSH keys they are providing?  (No.)   Do you believe you’re out of SarBox compliance today?  (Absolutely.)   Our products offer a complete solution to both these critical SarBox needs.  We provide comprehensive, tamper-evident logging (even of administrative actions) to DB, Event Logs and SysLog (your choice).  We can also enforce the use of usernames, passwords and keys on particular users, and you can prove through our audit logs which keys are and were in use by each user.
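The second question turns on whether a stock OpenSSH server can tell you which key each user actually presented. It can, provided it is logging: recent OpenSSH releases record the key type and fingerprint on the “Accepted publickey” line of the auth log (older releases only do so at LogLevel VERBOSE in sshd_config). The script below is an added example, not Ipswitch code; it parses constructed lines in that format and reports the keys seen per user, keys shared between accounts (which defeats per-user accountability), and logins that used a password instead of a key. The hostnames, addresses, usernames and fingerprints are made up.

```python
import re
from collections import defaultdict

# Constructed log lines in OpenSSH's syslog format; all values are invented.
SAMPLE_LINES = [
    "Mar  2 09:14:05 xfer01 sshd[4122]: Accepted publickey for svc_batch from 10.1.2.3 port 51234 ssh2: RSA SHA256:kA9x1LmQzV3p0Rt8sUwYbcDeFgHiJkLmNoPqRsTuVwX",
    "Mar  2 09:15:40 xfer01 sshd[4130]: Accepted publickey for jsmith from 10.1.2.7 port 51240 ssh2: ED25519 SHA256:Zz7YxWvUtSrQpOnMlKjIhGfEdCbA9876543210abcde",
    "Mar  2 09:16:02 xfer01 sshd[4140]: Accepted publickey for svc_batch from 10.1.2.9 port 51300 ssh2: RSA SHA256:kA9x1LmQzV3p0Rt8sUwYbcDeFgHiJkLmNoPqRsTuVwX",
    "Mar  2 09:17:11 xfer01 sshd[4150]: Accepted publickey for jdoe from 10.1.2.7 port 51301 ssh2: ED25519 SHA256:Zz7YxWvUtSrQpOnMlKjIhGfEdCbA9876543210abcde",
    "Mar  2 09:18:00 xfer01 sshd[4160]: Accepted password for root from 10.1.2.50 port 40000 ssh2",
    "Mar  2 09:18:30 xfer01 sshd[4170]: Failed publickey for jsmith from 10.1.2.7 port 51310 ssh2: ED25519 SHA256:Zz7YxWvUtSrQpOnMlKjIhGfEdCbA9876543210abcde",
]

# Matches "Accepted <method> for <user> from <ip> port <n> ssh2", with the
# optional "<keytype> SHA256:<fingerprint>" suffix that publickey logins carry.
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_accept(line):
    """Return the fields of an 'Accepted ...' line, or None for any other line."""
    m = ACCEPT_RE.search(line)
    return m.groupdict() if m else None


def audit_sshd_log(lines):
    """Build the who-used-which-key picture an auditor asks for."""
    keys_by_user = defaultdict(set)
    users_by_key = defaultdict(set)
    hosts_by_key = defaultdict(set)
    password_logins = []
    for line in lines:
        ev = parse_accept(line)
        if ev is None:
            continue
        if ev["method"] == "password":
            password_logins.append((ev["user"], ev["ip"]))
        elif ev["method"] == "publickey" and ev["fp"]:
            keys_by_user[ev["user"]].add(ev["fp"])
            users_by_key[ev["fp"]].add(ev["user"])
            hosts_by_key[ev["fp"]].add(ev["ip"])
    # A key presented by more than one account cannot be tied to one person.
    shared_keys = {fp: users for fp, users in users_by_key.items() if len(users) > 1}
    return {
        "keys_by_user": dict(keys_by_user),
        "users_by_key": dict(users_by_key),
        "hosts_by_key": dict(hosts_by_key),
        "shared_keys": shared_keys,
        "password_logins": password_logins,
    }


if __name__ == "__main__":
    report = audit_sshd_log(SAMPLE_LINES)
    for user, fps in sorted(report["keys_by_user"].items()):
        print(f"{user}: {len(fps)} key(s)")
    for fp, users in report["shared_keys"].items():
        print(f"SHARED KEY {fp} used by {sorted(users)}")
    for user, ip in report["password_logins"]:
        print(f"PASSWORD LOGIN by {user} from {ip}")
```

If the “Accepted publickey” lines in your logs carry no fingerprint, raise LogLevel before drawing any conclusions; without the fingerprint the log can only say that some key in the account’s authorized_keys was used, which is exactly the gap the question describes.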

3) I thought Ipswitch (WS_FTP) would be dead after the world jumped to broadband.  What happened?

The world didn’t quit sending files – instead it sends larger files and now worries more than ever about who, exactly, got what and when.  In other words, the technical challenges evolved and governance became much more of an issue.  Solving the technical, security and visibility challenges of file transfer – of both ad hoc and prearranged interactions – in a way that both users and administrators find easy is why Ipswitch, including WS_FTP, is growing and thriving.

Using free online storage and collaboration systems dramatically increases a company’s risk of a data breach.  Many of these tools automatically synchronize desktop folders with folders in the cloud.  Compromised credentials can give hackers easy access to all of a company’s sensitive information.

Companies need to monitor traffic over known P2P ports and over commonly used ones, like 80 and 21.  It’s not just data loss prevention, it’s ensuring that policies that address “what data can be sent to whom” are enforced – regardless of port and security mechanisms.

Most of today’s threats with P2P file sharing come from applications that work in conjunction with cloud services, leaving room for hackers to create desktop onramps for their own use.

In a recent case, the FTC found the breach.  The truth is – the companies breached should have found it first.

Many enterprise collaboration tools have browser-based portals set to automatically download documents from specific locations.  Simply changing the default settings away from “My Documents” can prevent employees from unknowingly downloading and installing applications that could increase a company’s risk of a breach.

Frank: “Hey Dad, before I go off into the world what is the one bit of advice that you would give me?”

Frank’s Dad: “If I had to give you one piece of advice it would be save all your receipts and tax returns for seven years in a file cabinet someplace in the back of your closet.”

Frank: “That’s it?! You mean nothing about women? Nothing about credit? Nothing like own at least one suit and a pair of good shoes?”

Frank’s Dad: “Nope that’s it. Trust me you’ll see…”

Now that I’m older I can give this advice to my son. I can also give the same advice to e-mail administrators, “save all your e-mails, someplace safe, for at least three years… preferably more.”

Now here’s the technology part:

It’s becoming more and more apparent that offloading large file attachments from e-mail using a third-party technology integrated with e-mail servers requires rethinking the e-mail and data archival and storage strategy.

read more “I’m not a lawyer I just play one on TV OR getting whipped by the tail of the e-mail offloading”

There was yet another security breach inside the government this week and this one involved an employee sending personal information via the Internet.

What in the world does that mean?

Open letter to the White House CIO: please better define what you mean by Internet. As I said in earlier blog posts, whenever you pull people into the middle of information technology it is unreasonable to expect that they will self-enforce 100% of the policies 100% of the time. We won’t lock our laptops all the time. We won’t choose passwords that are totally random with a combination of numbers and punctuation (my WEP password for my wireless router is based on the key 3210abcdef!) No matter how many encryption products you put on our desktop we will forget to use them and we won’t check for SSL encryption and check the certificate on every website that we go to.

read more “Homeland alert! Beware of the Internet (but e-mailing, web browsing and file sharing are okay)”