Some folks from the Ipswitch managed file transfer team and I were at RSA Conference U.S. last week where we had some great conversations with lots of IT and security pros including our own customers. Lots of visitors to our RSA booth were looking to automate manual file transfers to shut down unmanaged solutions being used internally like Dropbox.

Pictures from Ipswitch at RSA 2015.
Pictures from RSA Conference last week in San Francisco. (That’s me and Randy Franklin Smith in the lower left hand corner).

And I was finally able to meet Randy Franklin Smith face-to-face. He was at our booth to sign our recently published Managed File Transfer for Dummies reference book that he co-authored with me. Not only did we have fun bonding as a team, but I got some interesting insights.  First I’ll start with some quotable security quotes heard during keynote sessions:

  • “Cybersecurity is a team sport.” (Michael Daniel, winner of the Excellence in Public Policy award)
  • “This is a mindset problem. The world has changed, and trust me, it’s not the terrain that’s wrong.” (Amit Yoran, RSA)
  • “Challenge the platform/foundation because a culture of tradition will take place and things go awry. The challenge is not the tools, but process and people instead.” (Chris Young, Intel)

Observations and Experiences

More people than ever are looking for two-factor authentication, and they were happy to hear it is available with MOVEit Managed File Transfer via SAML 2 integration with Identity Provider solutions like those from OneLogin. (For more details, check out our SSO webinar with Rob Capozzi from OneLogin).

I personally talked with three customers who replaced Axway’s solution with MOVEit Managed File Transfer. Each of them said that MOVEit offered much better technical support, a more productive automation environment, less overall cost, and a simple pricing model that doesn’t require lots of component purchases for what they considered minor additional requirements.

And I heard about the need to integrate managed file transfer technology into the existing IT security infrastructure for improved security and control. This includes security and information event management (SIEM) like Splunk, data loss prevention and anti-virus – all of which integrate nicely with MOVEit.

I’m already looking forward to RSA Conference 2016.

>> Download a free copy of Managed File Transfer for Dummies and learn how to securely manage file transfers in the borderless enterprise; reduce business risk and ensure compliance; and automate file transfers and save money. <<

Reality has set back in. No longer confined in the Moscone Center, I’ve returned home to the frigid New England cold. My favorite part of the show was talking with people about their WTF (Where’s the File) moments—more to come on that through future content.

As a follow up to my first post, I wanted to share a few takeaways from the RSA Conference.

  • Cloud security was HOT. Nearly every booth I stopped by had a spin on how the cloud could be a secure solution—perhaps we’re at that tipping point as an industry in how we all view the security of the cloud.
  • In 2014, the basic challenges associated with file transfer were well understood and we were happy to see more sophisticated, pointed questions around helping them with their file transfer challenges.
  • People understand the needs and issues around Managed File Transfer (MFT) but they may not be familiar with the term. FTP is very well understood, so when we explained how MFT goes well beyond FTP capabilities by adding management, visibility and control, integration and automation, their eyes lit up and they suddenly became interested. Many folks I spoke to suffer from too many file transfer methods and are just starting to realize that they need to consolidate into a common, managed file transfer platform.
  • International presence was higher than expected. We had conversations with folks from Brazil, Mexico, Japan and China in the booth.
  • Don’t expect any fun takeaways from the NSA booth. I think we were lucky to get a smile or two from that bunch but I guess that’s to be expected.
  • The Greek gyro place next to the Moscone Center is not to be missed.

What were your takeaways from the show?

Nothing ever stays the same in the world of information security. Each day we see new threats and challenges, along with new solutions, tactics and approaches. Despite the ever-changing nature of the space, there are, however, a few constants – one of them being the annual RSA Conference.

Considered by many (myself included) to be the premier IT security event, RSA features keynotes and sessions from some of the world’s foremost experts – including those from business, government and academia. If you’re interested in being among the first to know about a particular topic or trend, this is the place to be. In fact, it’s where I’ll be in just a few short days.

So what am I looking forward to the most? Here are five things in no particular order:

1) New Insights on Cloud Security: If you scan the RSA Conference 2014 tracks, you’ll notice that cloud security is getting a fair amount of attention – and for good reason. After realizing the benefits of adopting the cloud (cost, efficiency, etc.) organizations quickly discover the challenges and concerns, which almost always center on security. While we have our own take on this matter, I’m interested to hear what others have to say. Thus, some of the sessions I’m most looking forward to include Is the Cloud Really More Secure Than On-Premise?, Virtualization and Cloud: Orchestration, Automation and Security Gaps and Trust Us: How to Sleep Soundly with Your Data in the Cloud.

2) The Networking: The RSA Conference is well-known for attracting some of the best and brightest from a wide range of industries – and this year’s conference will be no exception. Here are a few of the featured speakers that I’m hoping to catch:

  • Selim Aissi, Vice President, Global Information Security, VISA
  • Marene Allison, Global Chief Information Security Officer and World Wide Vice President of Information Security, Johnson and Johnson
  • Bob Blakley, Global Head of Information Security Innovation, Citigroup
  • Mary Ann Davidson, Chief Security Officer, Oracle
  • Scott Andersen, Director, Global Information Security, Citi
  • Bret Arsenault, Chief Information Security Officer, Microsoft Corporation
  • Joseph Demarest, Assistant Director of the Cyber Division, FBI
  • Eran Feigenbaum, Director of Security, Google Apps, Google

3) Stephen Colbert: I’m not sure how much Stephen Colbert knows about information security, but I’m not sure that it matters. As a long-time fan of the Colbert Report, I was thrilled to find out that he’ll be one of the featured keynote speakers. Who says that information security isn’t funny?

4) Alternate Realities: Here at Ipswitch, we tend to discuss file transfer security, compliance and other matters through the lens of a business. But at this year’s conference, we’ll get to see how security is viewed by large government organizations like the FBI, as well as that of venture capital firms, economists, academics and other personas those of us in the business world sometimes forget about. If you’re looking to expand your understanding of information security, there’s no better place to be than the RSA Conference.

5) The Food: This year’s event will be held in San Francisco, a haven for foodies like myself. Thus, I’ve already spent a considerable amount of time on Yelp scoping out restaurants and other hotspots. Clearly this is important to me. I’ll be coming back with a renewed appreciation for the importance of information security, but also a few good meals. Thankfully, they only hold this event once per year.

********

What are you looking forward to seeing at this year’s RSA Conference? Be sure to let us know in the comments section. Or let me know your recommendations for must-eat restaurants!

There is so much to absorb at RSA Conference.  The largest gathering of security vendors, solution providers and practitioners in the U.S. certainly didn’t disappoint as the Moscone Center was buzzing with security education and of course lots of thought provoking conversations.

Many of the people I spoke with shared similar concerns of data breach risk, tighter compliance and auditing requirements, and their lack of visibility and control over the tools that people are using inside their organization to share files and data with other people. IT leaders are feeling pressure (and rightfully so) to regain control over how people share files with other people. It was also great to hear so many people talking about migrating to the public and private clouds in order to take advantage of benefits such as quick provisioning and elasticity.

My favorite conversations at conferences are usually the ones I have with current customers…. And RSA was no exception.  Quite frankly, the key insights I learn from talking with customers help me do my job better.  Many thanks to the dozen or so Ipswitch customers that stopped by our booth and shared stories of how they have successfully consolidated and replaced the various homegrown file transfer tools and scripts, various vendor products, and manual processes they had been relying on with an Ipswitch MFT solution, resulting in improved efficiencies in their business processes as well as a simplified way to demonstrate compliance and consistently enforce security policies for all their file transfer and file sharing activities.

Are you attending RSA Conference next week in San Francisco? If so, stop by booth #629 at the Moscone Center and say hello to the Ipswitch team.

This will be my third year attending RSA. Not only am I looking forward to talking about how Ipswitch’s portfolio of Managed File Transfer solutions can solve the problems you’re experiencing with your current file transfer and B2B environment, but I’m also looking forward to learning about topics like security attacks, data breaches, mobile threats, cloud security, and compliance along with the other 15,000+ people attending the largest security conference in North America.

If you’re going to be at RSA this year, stop by our Ipswitch booth (#629) to learn how we can help you:

  • Mitigate security risks and data breach exposure.  We’ll show you how to secure and control all files/data moving between systems and people — both internally and externally
  • Reduce complexity by consolidating and replacing the various file transfer products, homegrown solutions, hard to maintain scripts, and tools people use to share files
  • Increase productivity and efficiency by automating manual and labor-intensive workflows with a simple point-and-click interface – No scripting required
  • Provide visibility and auditability into all data transfer and file sharing activities, including files, events, people, policies and processes

We hope to see you there.

We’ve got some fresh stats and trends to share from data that we collected at the recent RSA Security Conference.  Many thanks to the “statistically significant” number of people that took the time to fill out our survey questionnaire.

Our survey results highlight some major security and compliance concerns for businesses – information security, visibility and policy enforcement remain a major problem in 2011.  Here are a few key data points:

  • 65% have no visibility into files and data leaving their organization
  • >80% use easily lost or stolen portable devices like USB drives and smartphones to move and backup confidential work files
  • >75% send classified documents as email attachments – including payroll, customer data and financial information
  • >25% have purposely used a personal email account (like yahoo or hotmail or gmail) instead of their work accounts as a way to hide their file transfer activity
  • 55 percent said their companies provide – but do not enforce – policies and tools around sharing sensitive information

The fact that so many companies admittedly lack visibility into the files and documents that are moving around and leaving their organization is pretty scary. How can an organization protect information that they don’t even know exists? Clearly, increased focus is needed on first identifying sensitive data and then protecting it – these critical information security components should be carefully baked into an organization’s security, governance and compliance initiatives.

Lastly, I’d like to vent on the last data point for a minute.  Policy creation simply isn’t enough…. the enforcement of that policy is the critical step.  Writing down a policy but not enforcing it is just as risky as not having documented the policy in the first place. Creating the policy is a good start, but please please please don’t stop there.

Why does your business (or organization) need a consolidated managed file transfer application?  When working within an organization and with its partners, organizations find that

  • Paper-based processes are inadequate: they are labor-intensive and slow down the ability to conduct business
  • Doing away with shipping physical media lowers their risk of losing sensitive data to theft and accidental loss
  • Streamlining operations leaves fewer systems to manage and leverages the lower costs of doing business on the internet, the intranet and in the cloud

From outside an organization, regulatory mandates from agencies and governments are increasing (like PCI, HIPAA and GLBA). Moreover, markets and businesses are moving faster. Companies that can process transactions quickly (e.g., less than a second) can compete on speed and efficiency.

One MFT Application can replace the disparate file transfer tools and the rogue FTP servers scattered throughout your organization.

As a result, many businesses find they need one file transfer solution that addresses the needs of the entire organization.  These businesses need one application and not numerous point applications and tools from several vendors scattered throughout the organization surreptitiously poking holes in their firewalls.  They need a one-stop shop for their end users (a single, easy to learn and easy to use UI), their applications (a straightforward API) and their administrators and managers (an application that helps to increase revenue, lower their TCO and maintain their high security standards).

Remember, Managed File Transfer (MFT) is a software application (or an appliance) that provides organizations of any size with a holistic solution for all their file transfer needs. Unlike point solutions for file transfer, rogue FTP servers or physical media, a consolidated MFT application means that your organization has one product and one vendor to meet all your file transfer needs. A consolidated MFT application translates into increasing the accessibility and the trackability of your customer, partner and employee information (only for authorized users and uses). At the same time, it increases security, reduces the risk of exposing critical data and lowers your total cost of ownership.

In addition, a consolidated MFT application means increased revenue because your sales electronically instead of by paper, fax or telephone.  Remember, a consolidated MFT application helps to integrate your applications (and your partner applications) by making it easy to exchange data programmatically.

In short, a consolidated application increases your visibility to all file transfers within your organization, it increases the speed at which you can do business (thereby increasing the revenues) by seamlessly integrating the data from all your applications and it reduces your total cost of ownership for all file transfer (data movement) applications within your organization by providing a one-stop shop for the application (from one vendor), for its web services APIs and for your teams to work with.

“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article, gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees who need to transfer large files. It’s harder than ever for companies to monitor and protect sensitive information.

“Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) there was a study by the Ponemon Institute of nearly 1,000 recently terminated individuals. The study revealed that 42% of them used USB memory sticks to take business data and that 38% sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense, William J. Lynn III. The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

Breach, which is set for release in a few weeks, focuses on the true story of an FBI upstart who must investigate his boss who is suspected to be selling secrets to the Soviet Union. For those of you who read the story in paperback or in weekly news journals, a strong lesson materializes in a story early on that is applicable to the numerous breaches we have heard about at TJX and other retail and insurer organizations. Regardless of how strong and robust your physical and digital security plan is, the success or failure of the plan more likely will lie with the human capital charged with installing, managing and watching the systems.

I’ve spent nearly all my career in security-related software solutions and I’ve never forgotten the important lesson taught to me as a new recruit at RSA Security a few years ago. No solution, no matter how robust and error proof will survive its goal to protect an organization without the proper declaration and focus of a security plan and the proper screening and training of professionals entrusted to manage the systems. Times have changed a bit and RSA and other leading security companies have advanced security technologies to make them user-friendly. Still, as I listen to the news day after day, I cannot help but think how much safer consumer data would be today had the breached organizations enabled their staff with proper training and operational knowledge.

The problem is not a technology one. One need only do a Google search to look up tens of companies specialized in helping to protect data from RSA (EMC) to Symantec to more specialized firms like Application Security and Ingrian who offer the capability to secure databases with industrial strength encryption and user provisioning. Even my sister product here at Ipswitch, WS_FTP, which revolutionized the way data was transferred from point A to point B has introduced new versions featuring strong encryption and security features to protect the integrity of data in motion and rest after customers and prospects demanded such with strict audits and business rules changing their business models for data sharing. Yet, all of this technology is worth ZERO unless there is a commitment to the proper training of staff that runs these systems.

You might be asking why does the product manager for WhatsUp Gold care so much about security and specifically breaches. First, I, like you, am nervous about personal data integrity and I have seen firsthand in my travels the impact data breaches can have on persons and organizations. Second, I see a strong convergence happening between the security duties and the network duties at organizations around the world. After all, your certificate server, your firewall and your anti-virus boxes are only effective if they are up and running and WhatsUp Gold has the out-of-the-box ability to manage all of the different elements you have running using native SNMP and the related OIDs. For example, in 2006 RSA Security released a version of its flagship ACE Server with SNMP capabilities. Administrators can now monitor the ACE server for common characteristics like up/down as well as other counters for performance. The same is true for SonicWALL, Cisco, Fluke and Adtran equipment to name a few.

Security is an ongoing road of progress and never a destination. The marriage between security and network management will ensure the journey has fewer stops and detours along the way.