As you’ve likely already heard, on Sept 24th a new computer security threat was identified and entered into the National Vulnerability Database as CVE-2014-7169. This vulnerability does not affect any Ipswitch products.

The vulnerability, called Shellshock, is a bug in the widely-used Bash shell, the Unix command-line shell that has been around for 20 years.  Shellshock affects almost all Linux, UNIX, and Mac OS X operating systems and the US-CERT has given the flaw the maximum CVSS rating of 10/10/10 for severity, impact and exploitability.

Security is a top priority at Ipswitch and as soon as we became aware of the threat we assessed our products and have determined that all supported versions of MOVEit, WS_FTP and MessageWay are not affected by the Shellshock bug.

We strongly recommend you follow the advisories of your respective Operating System provider.

You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP‐based encryption to the file, to always require an FTP‐over‐SSL connection with the vendors’ FTP servers, and to always require 256‐bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s centrally configured. Even if your users need to manually transfer something ad‐hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.

What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them—they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.
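
The difference between applying and enforcing a setting can be shown with a small model. This is an added example, not code from the eBook or from any Ipswitch product; the rule names, server names and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy mirroring the rules named in the text above:
# PGP file encryption, FTP over SSL, 256-bit AES.
REQUIRED = {"file_encryption": "pgp", "transport": "ftps", "cipher": "aes-256"}


class PolicyError(Exception):
    pass


@dataclass
class PolicyStore:
    """Central policy guarded by its own permissions and a review step."""
    rules: dict
    editors: set      # users allowed to propose a policy change
    approvers: set    # users allowed to approve one
    pending: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def propose(self, user, key, value):
        if user not in self.editors:
            self.audit.append(("denied-propose", user, key, value))
            raise PolicyError(f"{user} may not edit policy")
        self.pending.append((user, key, value))
        return len(self.pending) - 1

    def approve(self, user, idx):
        author, key, value = self.pending[idx]
        # Review/approve workflow: the reviewer must differ from the author.
        if user not in self.approvers or user == author:
            self.audit.append(("denied-approve", user, key, value))
            raise PolicyError("approval needs a different, authorised reviewer")
        self.rules[key] = value
        self.audit.append(("approved", user, key, value))


def check_transfer(policy, job):
    """Enforcement at request time: list the rules a transfer job violates."""
    return [k for k, v in policy.rules.items() if job.get(k) != v]


def reconcile(policy, servers):
    """Continuous enforcement: revert every server setting that drifted."""
    reverted = []
    for name, cfg in servers.items():
        for key, want in policy.rules.items():
            if cfg.get(key) != want:
                reverted.append((name, key, cfg.get(key)))
                cfg[key] = want
    return reverted


def demo():
    policy = PolicyStore(dict(REQUIRED), editors={"sec-eng"}, approvers={"ciso"})
    servers = {"mft-01": dict(REQUIRED), "mft-02": dict(REQUIRED)}
    # A day-to-day admin "applies" a weaker setting directly on one server.
    servers["mft-02"]["transport"] = "ftp"
    reverted = reconcile(policy, servers)
    # An ad-hoc job that forgot file encryption is refused, not sent.
    adhoc = {"file_encryption": None, "transport": "ftps", "cipher": "aes-256"}
    violations = check_transfer(policy, adhoc)
    # The same admin has no right to change the policy itself.
    try:
        policy.propose("server-admin", "transport", "ftp")
        admin_blocked = False
    except PolicyError:
        admin_blocked = True
    return reverted, violations, admin_blocked


if __name__ == "__main__":
    print(demo())
```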

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!

Possibly not. The Internet’s venerable File Transfer Protocol (FTP) is usually supported by Managed File Transfer (MFT) systems, which can typically use FTP as one of the ways in which data is physically moved from place to place. However, MFT essentially wraps a significant management and automation layer around FTP. Consider some of the things an MFT solution might provide above and beyond FTP itself—even if FTP was, in fact, being used for the actual transfer of data:

  • Most MFT solutions will offer a secure, encrypted variant of FTP as well as numerous other more‐secure file transfer options. Remember that FTP by itself doesn’t offer any form of transport level encryption (although you could obviously encrypt the file data itself before sending, and decrypt it upon receipt; doing so involves logistical complications like sharing passwords or certificates).
  • MFT solutions often provide guaranteed delivery, meaning they use file transfer protocols that give the sender a confirmation that the file was, in fact, correctly received by the recipient. This can be important in a number of business situations.
  • MFT solutions can provide automation for transfers, automatically transferring files that are placed into a given folder, transferring files at a certain time of day, and so forth.
  • MFT servers can also provide set‐up and clean‐up automation. For example, successfully‐transferred files might be securely wiped from the MFT server’s storage to help prevent unauthorized disclosure or additional transfers.
  • MFT servers may provide application programming interfaces (APIs) that make file transfer easier to integrate into your internal line‐of‐business applications.
  • MFT solutions commonly provide detailed audit logs of transfer activity, which can be useful for troubleshooting, security, compliance, and many other business purposes.
  • Enterprise‐class MFT solutions may provide options for automated failover and high availability, helping to ensure that your critical file transfers take place even in the event of certain kinds of software or hardware failures.

In short, FTP isn’t a bad file transfer protocol—although it doesn’t offer encryption. MFT isn’t a file transfer protocol at all; it’s a set of management services that wrap around file transfer protocols—like FTP, although that’s not the only choice—to provide better security, manageability, accountability, and automation.

In today’s business, FTP is rarely “enough.” Aside from its general lack of security—which can be partially addressed by using protocols such as SFTP or FTPS instead—FTP simply lacks manageability, integration, and accountability. Many businesses feel that they simply need to “get a file from one place to another,” but in reality they also need to:

  • Make sure the file isn’t disclosed to anyone else
  • Ensure, in a provable way, that the file got to its destination
  • Get the file from, or deliver a file to, other business systems (integration)
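
Guaranteed delivery and audit logging, as described in the feature list above and in the requirement to prove that a file reached its destination, can be sketched as a receipt check. This is an added example, not code from the eBook or from any MFT product; the receipt format, the shared key and the transfer IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import json

RECEIPT_FIELDS = ("transfer_id", "sha256", "size")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(key: bytes, body: dict) -> str:
    # Canonical JSON so both sides authenticate identical bytes.
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_receipt(key: bytes, transfer_id: str, received: bytes) -> dict:
    """Recipient side: hash what actually arrived and authenticate the receipt."""
    body = {"transfer_id": transfer_id,
            "sha256": sha256_hex(received),
            "size": len(received)}
    return {**body, "tag": _tag(key, body)}


def verify_receipt(key, transfer_id, sent, receipt, audit_log):
    """Sender side: accept delivery only if the receipt is authentic and
    describes exactly the bytes that were sent; record the outcome."""
    body = {k: receipt.get(k) for k in RECEIPT_FIELDS}
    claimed = str(receipt.get("tag", "")).encode()
    if not hmac.compare_digest(_tag(key, body).encode(), claimed):
        outcome = "receipt-forged"
    elif body["transfer_id"] != transfer_id:
        outcome = "receipt-mismatch"      # e.g. a receipt replayed from another transfer
    elif body["sha256"] != sha256_hex(sent) or body["size"] != len(sent):
        outcome = "content-corrupted"     # truncated or altered in transit
    else:
        outcome = "delivered"
    audit_log.append({"transfer_id": transfer_id,
                      "outcome": outcome,
                      "sha256": sha256_hex(sent)})
    return outcome


def demo():
    key = b"constructed-shared-key"           # constructed sample key
    data = b"constructed order file contents"  # constructed sample payload
    log = []
    good = make_receipt(key, "T1", data)
    truncated = make_receipt(key, "T1", data[:-1])
    results = [
        verify_receipt(key, "T1", data, good, log),
        verify_receipt(key, "T1", data, truncated, log),
    ]
    return results, log


if __name__ == "__main__":
    print(demo())
```

A shared-key HMAC lets the sender check the receipt but does not prove delivery to a third party; that would need a signature made with the recipient's private key.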

In some cases, the business might even need to translate or transform a file before sending it or after receiving it. For example, a file received in XML format may need to be translated to several CSV files before being fed to other business systems or databases—and an MFT solution can provide the functionality needed to make that happen.

Many organizations tend to look at MFT first for its security capabilities, which often revolve around a few basic themes:

  • Protecting data in‐transit (encryption)
  • Ensuring that only authorized individuals can access the MFT system (authorization and authentication)
  • Tracking transfer activity (auditing)
  • Reducing the spread of data (securely wiping temporary files after transfers are complete, and controlling the number of times a file can be transferred)

These are all things that a simple FTP server can’t provide. Having satisfied their security requirements, organizations then begin to take advantage of the manageability capabilities of MFT systems, including centralized control, tracking, automation, and so forth—again, features that an FTP server alone simply can’t give you.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

Definitely not. To begin with, there are numerous kinds of encryption—some of which can actually be broken quite easily. One of the earlier common forms of encryption (around 1996) relied on encryption keys that were 40 bits in length; surprisingly, many technologies and products continue to use this older, weaker form of encryption. Although there are nearly a trillion possible encryption keys using this form of encryption, relatively little computing power is needed to break the encryption—a modern home computer can do so in just a few days, and a powerful supercomputer can do so in a few minutes.

So all encryption is definitely not the same. That said, the field of cryptography has become incredibly complex and technical in the past few years, and it has become very difficult for business people and even information technology professionals to fully understand the various differences. There are different encryption algorithms—DES, AES, and so forth—as well as encryption keys of differing lengths. Rather than try to become a cryptographic expert, your business would do well to look at higher‐level performance standards.

One such standard comes under the US Federal Information Processing Standards. FIPS specifications are managed by the National Institute of Standards and Technology (NIST); FIPS 140‐2 is the standard that specifically applies to data encryption, and it is managed by NIST’s Computer Security Division. In fact, FIPS 140‐2 is accepted by both the US and Canadian governments, and is used by almost all US government agencies, including the National Security Agency (NSA), and by many foreign ones. Although not mandated for private commercial use, the general feeling in the industry is that “if it’s good enough for the paranoid folks at the NSA, it’s good enough for us too.”

FIPS 140‐2 specifies the encryption algorithms and key strengths that a cryptography package must support in order to become certified. The standard also specifies testing criteria, and FIPS 140‐2 certified products are those products that have passed the specified tests. Vendors of cryptography products can submit their products to the FIPS Cryptographic Module Validation Program (CMVP), which validates that the product meets the FIPS specification. The validation program is administered by NIST‐certified independent labs, which not only examine the source code of the product but also its design documents and related materials—before subjecting the product to a battery of confirmation tests.

In fact, there’s another facet—in addition to encryption algorithm and key strength—that further demonstrates how all encryption isn’t the same: back doors. Encryption is implemented by computer programs, and those programs are written by human beings— who sometimes can’t resist including an “Easter egg,” back door, or other surprise in the code. These additions can weaken the strength of security‐related code by making it easier to recover encryption keys, crack encryption, and so forth. Part of the CMVP process is an examination of the program source code to ensure that no such back doors exist in the code—further validating the strength and security of the encryption technology.

So the practical upshot is this: All encryption is not the same, and rather than become an expert on encryption, you should simply look for products that have earned FIPS 140‐2 certification. Doing so ensures that you’re getting the “best of breed” for modern cryptography practices, and that you’re avoiding back doors, Easter eggs, and other unwanted inclusions in the code.

You can go a bit further. Cryptographic modules are certified by FIPS 140‐2, but the encryption algorithms themselves can be certified by FIPS 197 (Advanced Encryption Standard) and FIPS 180 (SHA‐1 and HMAC‐SHA‐1 algorithms). By selecting a product that utilizes certified cryptography, you’re assured of getting the most powerful, most secure encryption currently available.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

Take a quick read of Google’s Terms of Service or Amazon EC2’s SLA Exclusions and you’ll see examples of how cloud platform vendors limit their governance and control responsibility.

So what happens when you put your business in the cloud and then the cloud goes down?  Just ask Foursquare, Hootsuite, Reddit, Quora and others who endured the recent EC2 outage that hobbled their websites, resulting in lost revenue and strained customer support teams.

Chances are some of your critical business processes have already moved to the cloud.  But you still need to know the instant one of them fails.

So how should you treat vendor platforms such as Salesforce.com, Amazon EC2, Rackspace Cloud Files and Microsoft Azure?

As the saying goes, “don’t rely on a fox to guard the chicken coop.” Don’t rely solely on your service providers to alert you of inaccuracies or outages that they themselves have caused. Service provider dashboards will be of no use when they themselves are responsible for failure. A governed pipe will instantly give you that information.

Our suggestion is to treat cloud platform vendors the same way you would treat any other vendor. Manage all file and data interactions, with visibility, management and enforcement, and carefully craft SLAs that represent end-to-end services and link them to easily trackable key performance indicators. Cloud does not solve all your data issues on its own, but you can and should leverage your Managed File Transfer (MFT) solution to extend and govern the cloud.

Why does your business (or organization) need a consolidated managed file transfer application?  When working within an organization and with its partners, organizations find that

  • Paper-based processes are inadequate: they are labor-intensive and slow down the ability to conduct business
  • Doing away with shipping physical media lowers their risk of losing sensitive data to theft and accidental loss
  • Streamlining operations leaves fewer systems to manage and leverages the lower costs of doing business on the internet, the intranet and in the cloud

From outside an organization, regulatory mandates from agencies and governments are increasing (like PCI, HIPAA and GLBA). Moreover, markets and business are moving faster. Companies that can process transactions quickly (e.g., less than a second) can compete on speed and efficiency.

One MFT Application can replace the disparate file transfer tools and the rogue FTP servers scattered throughout your organization.

As a result, many businesses find they need one file transfer solution that addresses the needs of the entire organization.  These businesses need one application and not numerous point applications and tools from several vendors scattered throughout the organization surreptitiously poking holes in their firewalls.  They need a one-stop shop for their end users (a single, easy to learn and easy to use UI), their applications (a straightforward API) and their administrators and managers (an application that helps to increase revenue, lower their TCO and maintain their high security standards).

Remember, Managed File Transfer (MFT) is a software application (or an appliance) that provides organizations of any size with a holistic solution for all their file transfer needs. Unlike point solutions for file transfer, rogue FTP servers or physical media, a consolidated MFT application means that your organization has one product and one vendor to meet all your file transfer needs. A consolidated MFT application translates into increasing the accessibility and the trackability of your customer, partner and employee information (only for authorized users and uses). At the same time, it increases security, reduces the risk of exposing critical data and lowers your total cost of ownership.

In addition, a consolidated MFT application means increased revenue because your sales are conducted electronically instead of by paper, fax or telephone. Remember, a consolidated MFT application helps to integrate your applications (and your partner applications) by making it easy to exchange data programmatically.

In short, a consolidated application increases your visibility to all file transfers within your organization, it increases the speed at which you can do business (thereby increasing the revenues) by seamlessly integrating the data from all your applications and it reduces your total cost of ownership for all file transfer (data movement) applications within your organization by providing a one-stop shop for the application (from one vendor), for its web services APIs and for your teams to work with.

Here’s a great story of how retail giant Home Hardware is using Ipswitch MessageWay solutions to efficiently manage, secure and share over 4 million business-critical files annually among its 1,000+ retailers.  And best of all, MessageWay is saving Home Hardware money every single day!

Speed, automation and validation were among Home Hardware’s key business requirements. They send over 75,000 essential business files per week (including vendor/product info, pricing and POS software updates, and order confirmations) and also need to reduce download times and validate orders.

Home Hardware is now able to:

  • Move files faster – cutting transfer time from hours to minutes
  • Automate and speed product orders and software updates
  • Prevent lost orders due to file transfer glitches
  • Tighten security around sensitive data transfers
  • Accelerate time to revenue by expediting orders, payments and settlements
  • Ensure compliance and accountability with full visibility into the file transfer process

Why Home Hardware selected MessageWay for Managed File Transfer:

“MessageWay is second-to-none, and our efficiency improved dramatically as soon as we implemented,” said Brent Horst, Director of Corporate Applications at Home Hardware.

“MessageWay transformed the way we send and receive files. The speed, automation and reliability are the best we’ve seen.  The most important features that Ipswitch MessageWay provides are the speed of file transfer, file validation and guaranteed delivery,” said Horst.

Got a great Ipswitch story of your own to tell? Email us at mystories@ipswitch.com. We can’t wait to hear all about it!

On Wednesday, November 3 and Thursday, November 4, Ipswitch File Transfer will be exhibiting and speaking at SecureWorld Expo, the leading regional security conference that brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security.

The “Exhibits and Open Sessions Registration” for SecureWorld Expo is complimentary and it gives you access to the expo floor, the keynote presentations, and open industry expert panels. Plus, you’ll get to hear the luncheon keynote from L. Frank Kenney, “The Data Breaches You Don’t See Hurt You The Most,” and the industry expert panel “Data Protection: Walking the Thin Line Between Employee Productivity and Security.”

Here are the details:

What: SecureWorld Expo – Dallas

Where: Plano Convention Centre, Plano, TX

When: November 3, 2010 and November 4, 2010

Why: Meet the Ipswitch File Transfer team, learn about our solutions (from WS_FTP to MessageWay), listen in on L. Frank Kenney’s luncheon keynote, and keep up to date on the latest in the security world!

Plus, if you visit us and mention this blog post, you’ll receive a Starbucks gift card – on the spot!

See you in Dallas!

We’re two months into ownership of MessageWay, and leading the organization through its second acquisition integration has been fun and challenging. It’s especially nice when we can announce a milestone in the integration process, and that will be coming soon with the release of a “translation connector” that existing MOVEit Central customers can use to access the translation capabilities we acquired in the MessageWay software.

Development on the necessary integration components has wrapped up and the package has entered QA.  If you’re interested in a sneak preview, please contact your sales representative for a demonstration.  The screenshot below is from one such demo…

As part of our acquisition of MessageWay Solutions I had the chance to sit down and talk with Architect Bob Cheal.  One of the things I didn’t expect to hear over dinner was our common roots in technology from Burroughs, a key mainframe middleware player in the late 1980s and 1990s, and technology through which much early EDI traffic flowed.

Standard Networks, the company I was acquired into Ipswitch with, got its start developing front-end processors (FEPs) to handle heavy transaction loads to Unisys mainframes and its (often) banking applications.  MessageWay Solutions, our newest acquisition, also had FEP roots in the HP (aka Tandem) NonStop systems.  Both companies’ technical experience in those markets drew directly from Burroughs and its focus on high uptime, accuracy and throughput.

From there Standard Networks’ MOVEit brand specialized in data transmission security, working its way into Fortune 50 enterprise deployments by providing solid answers to security and regulatory challenges.  MessageWay Solutions specialized in high volume/high performance B2B communications and data translation supporting a wide array of data formats  in the banking, healthcare and supply chain markets, working its way into Fortune 50 enterprise deployments by providing solid answers to governance challenges around file lifecycle and performance challenges on open platforms.

With acquisitions of both companies now complete, Ipswitch now has a potent combination of technologies and high-volume, mission-critical experience whose institutional memory stretches back to the 1980’s and beyond.  As our product portfolio evolves, we will be combining these capabilities to provide new and innovative solutions to our existing customers and to the MFT market place, as well as accelerating the development of certain core components that will extend our existing product capabilities to meet the ever changing needs of our customers.

Stay tuned and in touch with your account representatives for more information on this front, or to find out how our recent acquisition of MessageWay can help address your EDI, transformation or multi-platform challenges today.

Industry expert Michael Osterman shares some great editorial and perspective in Messaging News on the Ipswitch acquisition of MessageWay. He starts by pointing out that Ipswitch is positioned as a “Leader” in the latest Gartner Magic Quadrant for Managed File Transfer, as well as Ipswitch’s proven track record in the file transfer space (nearly 20 years, for those counting).

He also nailed what the acquisition immediately brings to the table as far as expanding Ipswitch’s range of solution offerings:  “(Ipswitch has) clearly boosted its position in the MFT space with this acquisition given that MessageWay’s MFT solutions are designed for high volume file transfer applications in the large enterprise (Global 2000) and service provider markets.”

I particularly like (and agree with) his answer to the question of “Why is MFT important?”

“Among the many reasons are two key ones:

Word of today’s public announcement that Ipswitch has acquired MessageWay Solutions is already starting to spread, and fast. Whether you’re an Ipswitch customer or employee, industry expert, or just learning about the Managed File Transfer space, one thing is clear: the MFT industry is evolving and growing worldwide, both in strategic importance and pure volume.

We’ve seen greater emphasis on managing and controlling file processing behind the firewall, and witnessed customers and prospects describing their need for an MFT solution that includes some B2B and EDI attributes.

Ipswitch’s acquisition of MessageWay creates the industry’s most powerful and complete suite of Managed File Transfer solutions with robust, highly scalable advanced file services that continues where MFT has traditionally left off – at the edge of the network.

Video: http://www.youtube.com/watch?v=U06p6axECSY