Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.

  1. What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry?  Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
  2. What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
  3. And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
  4. What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?

If you don’t mind I’d like to give the public in general my 2 cents…

The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.

Many customers today expect ‘WAN acceleration’ technology (sometimes referred to as WAN Optimization) as part of their MFT vendor’s solution offering. In general this is a useful addition to the MFT feature set, and can certainly reduce file transfer times in a wide variety of scenarios. However, customers should have realistic expectations of what these acceleration technologies can offer, and be cognizant of the limitations and constraints imposed by the carrier network itself.

Customers should question any absolute, unequivocal claims an MFT vendor makes regarding performance improvements achieved using their particular approach.  A claim of “7x” or “30x” improvement without any documented caveats is simply not credible. The key point is that observed performance enhancements in the WAN are probabilistic, not deterministic. A file transfer occurring multiple times between the same endpoints will in all likelihood produce different latency measurements depending on a large number of factors:

  • Time of day
  • Day of week
  • Physical media traversed
  • Design of intervening switch fabrics and router queues
  • SLA agreements with the carrier
  • End-to-end QoS provisioning (if any)
  • Burstiness (jitter) of co-mingled traffic, etc.

Techniques for improving WAN performance vary by vendor: data caching, compression, truncation, protocol optimization (usually proprietary, as an enhancement to TCP at the transport layer), traffic shaping, and de-duplication, just to name a few. Customers should ask many questions and perform their own “real world” tests to ensure they are in fact receiving the transfer performance improvements they expect, under conditions that are common to their WAN environment.

Over the last few weeks, we’ve been putting the final touches on our next generation of services that will be delivered via the cloud. As with any product or service release, there comes a fair amount of planning including ensuring that one has the best site into competitors, forecast and of course customers. We’ve worked closely with industry analysts, our end-users and prospects and our own internal resources to best understand how and where we should position our cloud services. In presentation after presentation and in conversation after conversation, we were presented market slides showing the enormous growth and opportunity within the overall software as a service (SaaS) markets. The natural reaction is to get excited about all the money we can make in this space; before we did, I issued a strong warning to our team:

“In very much the same way that software is analogous to infrastructure, software as a service is not analogous to infrastructure as a service. That includes integration as a service. The profile of the consumer of SaaS will more than likely expect that things like integration, interoperability, transformation and governance will be part of the service subscription.”

In a nutshell what I was saying was… do not look at forecasts for SaaS and assume that the opportunities for IaaS follow the same trends. If users create content by using services that are delivered via the cloud, they have a reasonable expectation that this content can be shared with other services delivered via the cloud (not necessarily by the same vendor). For example, creating content via salesforce.com and sharing that content with gooddata.com should be as simple as granting the necessary permissions. After all, my Facebook, Twitter and Google+ information is shared by clicking a few buttons. Make no mistake, integration and interoperability are nontrivial, but part of the expectation of using cloud services is that the consumer is shielded from these complexities. As more and more cloud service platforms and providers build in integration and governance technologies the need for a separate IaaS provider will likely diminish.

Don’t get me wrong, I still believe that there is a place for technologies such as managed file transfer and business-to-business integration and collaboration; I definitely believe that Ipswitch will play a significant role in the evolution of those markets. Expect the role of Ipswitch to be evolve as well; not only will we provide the best mechanisms for moving content of any size but we will also govern (or let you govern) that movement and the entire experience around it. This is the centerpiece of Ipswitch’s Cloud strategy.

Let’s do a news recap of yesterday. Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual. Oh and there was also notification of a few data breaches; most notably McDonalds, University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer.). Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonalds, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two dollar a gallon gas prices.

Lately, we are seeing more companies and institutions admitting to data breaches. Passwords get hacked and ATM cards, identities and cell phones are stolen all the time. Expect to here about more breaches as companies move ahead of legislation that forces them to admit security breaches and expect the media to pick up on the stories and run wild with them. What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.

 For example:

  • the McDonalds breach was about third-party contractors and not enough governance around customer e-mail
  • the UW breach was about unauthorized access to databases over a two-year period… again not enough governance around data storage and access
  • the Gawker breach was about outdated encryption mechanisms and a rogue organization purposely trying to embarrass that community.

Of these three things, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.

The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.

This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!

According to the Washington Post, Deputy Defense Secretary William J. Lynn III just confirmed that a classified military network was breached with a single USB drive in 2008.

http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html

As a security expert, the fact that someone used a USB drive on the wrong machine isn’t surprising: it happens every day when people use these drives to swap files between work and home computers.

What is surprising is Lynn’s statement that: “code spread undetected on both classified and unclassified systems”.  This suggests that neither the content of the files being distributed nor the network behavior of the malicious application were being analyzed – even on a secure network.

This incident demonstrates that even the most sensitive network can be breached if there is only a single layer of defense.   With data loss prevention (DLP), intrusion detection, antivirus and integrity technology there should be multiple layers of defense seeking and listening for threats in a coordinated manner on any modern secure  network.

The government’s reaction to the incident was also interesting: ban all USB drives.  The military did it in 2008…and survived.

So what about the file transfers that needed to occur between the military’s various networks?  Managed file transfer technology is all about answering that question, and answering it with easy-to-use, scalable solutions built on the concept of defense in depth.

Please do not send the Sept. and Oct. payment together in one wire transfer. Anything over $10,000 wired could draw too much attention.”
Alleged email written by Paul Shim Devine on October 5th, 2007

Is your business-critical information walking out the door?

A few months ago Ipswitch conducted a survey at an RSA Conference. The line of questioning regarding visibility into files moving out of organizations produced some shocking results:

  • 83% of IT executives surveyed have no idea what files are moving both internally and externally at their organizations.
  • 25% of IT professionals surveyed admitted that they used personal email accounts to send files that were proprietary to their own organizations, with the intent of using that information in their next job.

Both of those figures are frightening. Some companies have refused to seriously consider these numbers, so consider this tale as devine intervention (yes, that’s a play on Paul Shim Devine’s name.) This is the saga of one man getting caught with his hand in the cookie jar. It’s actually a perfect example of the reality and consequences of not knowing what files are moving in and out of your organization. It’s the story of a recent case involving Apple and Paul Shim Devine.

See Martyn Williams’ article for the full details, but here’s the 2 cent version. Back in April 2010 “Apple investigators discovered a Microsoft Entourage database of e-mails and a cache of Hotmail and Gmail messages on Devine’s Apple-supplied laptop. The company took a copy of the drive and began working through its contents,” and as for what they found Apple says “the e-mails contained details of payments, and the supply of confidential information that began in October 2006 with a Singaporean company called Jin Li Mould Manufacturing.”

This is happening. Employees are using private e-mail accounts to transfer confidential company information, but really, how often is this happening?

Not only is it common, but it’s startling in its frequency,” said Ipswitch’s own Hugh Garber, recently quoted in a ComputerWorld article.

Garber goes on to say that it’s not always done with bad intentions and that “of course, most of that privileged information misuse is not malicious. Many of the times, it’s your hardest-working employees just trying to get the job done.”

To Hugh’s point, that’s true. I know that in other jobs that I’ve had I’ve emailed spreadsheets or word docs home (to my Yahoo account) to work on so I wouldn’t have to schlep my laptop home.

But what about the “other” kind? How do you deal with the malicious kind?

I received your e-mail on my Apple account. Please avoid using that e-mail as Apple IT team will randomly scan e-mails for suspicious e-mail communications for forecast, cost and new model information.”
Alleged email written by Paul Shim Devine on Sept. 16, 2008.

Ok, that’s one way. Randomly scanning emails for something suspicious. Seems like a good policy to have. Do you know where your organization is in terms of these kinds of policies?

With hundreds of data breaches over the past five years resulting in multi-million-dollar consequences, it’s hard to believe that organizations still don’t have the right solutions in the right places to protect sensitive information,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “You may be investing heavily on business applications and their inherent security requirements but if you’re not monitoring and enforcing policies with respect to the information moving both internally (between business applications and people) and externally (between you and your business partners and collaborators), the consequences are dire.”

You can check out more of what Frank has to say on this issue, and see what else Hugh has to offer.

And, with this issue in particular, we’d love to hear your thoughts. Do the numbers surprise you? What is your organization doing? Any crimes or misdemeanors you’d care to confess to?

We’re two months into ownership of MessageWay and leading the organization through its second acquisition integration has been fun and challenging. It’s especially nice when we can announce a milestone in the integration process, and that will be coming soon with the release of a “translation connector” existing MOVEit Central customers can use to access the translation capabilities we acquired in the MessageWay software.

Development on the necessary integration components has wrapped up and the package has entered QA.  If you’re interested in a sneak preview, please contact your sales representative for a demonstration.  The screenshot below is from one such demo…

We are sorry for any concern we are causing anyone at this time.”

It’s pretty certain that those are 13 words that no CEO ever wants to have to say. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that some computer files containing the personal information of about 800,000 people might have been misplaced or possibly lost or maybe even stolen.

We’re talking about information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits … just to name a few pieces of personal information, you get the picture.

800,000 records. 800,000 reasons why Managed File Transfer is important. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that somewhere in the process of these 800,000 records being shipped to a contractor to be destroyed, and actually getting to the contractor to be destroyed they disappeared.

Boston.com has some information worth reading.

Forgive the obvious Ipswitch plug here, but c’mon, any one of these solutions could help any CEO avoid having to say those 13 words.

So, that’s today’s 800,000 reasons why MFT is important, and how to avoid those 13 words. As a special bonus for you, here’s 7 words you’d surely like to steer clear of:

We are still searching for those files.’’

Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Have you heard about the Russian Spies that got busted recently for basically using for security what we get as prizes in our Boo Berry Cereal. Invisible ink pens? Really? What’s next? Dr. No using Mad Libs and carrier pigeons to transfer data? For you spies out there, let this be a lesson in security:

Russian Spy Ring Needed Some Serious IT Help” [from NetworkWorld]

”]

Ipswitch File Transfer is going (more) global. We’re thrilled to announce the expansion of our already successful Ipswitch FT Partner Program.  It now boasts a number of new benefits for our global partners, including a new Elite Partner Level and a deal registration program.

The Elite Level expansion was created for those partners looking for even greater association and support from Ipswitch File Transfer.  A new deal registration program has also been introduced, which will incent resellers with additional discount points for registering qualified net new sales opportunities on the FT Partner Portal.

read more “Going Global: Ipswitch File Transfer Expands Partner Program”

Tax season is behind us (at least for most of us) and we can all give a sigh of relief… but can we? This year, getting my taxes organized and handing them to my accountant seemed to be more difficult than usual. Fortunately for me, the Federal Government gave certain areas that were dealing with flooding a small extension that allowed me to find the time to pass my taxes into my accountant.

Once that task was completed, I was able to relax except for the fact I now had one day to get back into the accountant’s office and sign the documents for them to send to the IRS.

read more “Do People Realize What They Are Sending and the Risks Associated?”

In the automated file transfer world there are two general user experiences.

Workflow #1: Inbox/Outbox – When an end user (or application) signs on, it sees either one or two folders: an “inbox” where it can drop files and an “outbox” where he/she/it can pick them up.  Frequently when items are placed into the inbox they disappear into an internal system almost immediately.  Frequently when items are downloaded from the outbox they also disappear immediately.

A common variation on this is the combined inbox/outbox where any items visible to the end user are “outbox” items and end users simply upload new items, which do disappear immediately, to the same folder.

read more ““Inbox/Outbox” vs. Folders When Designing File Transfer Workflows”