For the second installment of my three-part series on file transfer encryption for Ipswitch, I’ll go a little deeper into the how-to’s. (These posts are based on a recent webinar I did with the folks here, available for replay.)

How will you use file encryption to protect data?

Understanding the basics of file transfer encryption is absolutely critical for securing your file transfer data. However, solely understanding the basics won’t do you much good. You also must understand how exactly you can use it to secure your company’s most private files, and to create an exceptional trail with an unbroken chain of custody.

How will you use encryption?

The type of encryption being used is not as important as how the encryption is done. You must understand how the keys are managed, and the proclivity for files’ encrypted copies to become lost and to fall into the wrong hands.

Utilizing a fairly modern encryption algorithm or product (such as PGP) is a great start, but what it really boils down to is the key handling and execution. If this process is too complicated then someone will end up bypassing it and, most likely, utilize another application (such as Dropbox). This means that every step you took to privatize and secure your data is completely lost. You have completely circumvented the PGP encryption.

Keeping your data integrity

Many of these transaction files have direct financial impact. As scary as this will sound, unauthorized modification of a transaction is one of the easiest ways to commit fraud.

There is no “one size fits all” for data integrity and file transfer. You have to support the different protocols and types of encryption based on what works best for your company specifically. Although PGP provides data integrity – it enables the user to sign the data and the file to ensure that it wasn’t modified while in transit – it’s just a part of the solution.

Some organizations choose to utilize manual tracking in order to ensure that their checksums are not tampered with at the end of a transaction. However, this completely stands in the way of automation and slows down the process.
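
One way to automate that check, as an added example that is not from the webinar or any Ipswitch product: the sender writes a manifest carrying the file's SHA-256 digest, protected by an HMAC so the digest itself cannot be quietly recomputed. HMAC with a shared key stands in here for a PGP signature; the key, file name and batch contents are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: a payment batch and a shared key (assumed provisioned out of band).
KEY = b"constructed-demo-key-not-for-production"
BATCH = b"PAY,ACME Corp,ACCT 1001,100.00\nPAY,Globex,ACCT 2002,250.00\n"


def make_manifest(name: str, data: bytes, key: bytes) -> dict:
    """Sender side: record a digest of the file and a MAC over the manifest fields."""
    body = {"file": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["hmac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return body


def verify(manifest: dict, data: bytes, key: bytes) -> str:
    """Receiver side: returns 'ok', 'manifest-forged' or 'file-modified'."""
    body = {k: manifest[k] for k in ("file", "size", "sha256")}
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        return "manifest-forged"
    if len(data) != body["size"] or hashlib.sha256(data).hexdigest() != body["sha256"]:
        return "file-modified"
    return "ok"


def demo() -> dict:
    manifest = make_manifest("batch-001.csv", BATCH, KEY)
    tampered = BATCH.replace(b"100.00", b"900.00")
    # A bare checksum stored next to the file can be recomputed after a change;
    # the MAC over the manifest cannot be recomputed without the key.
    recomputed = dict(manifest, sha256=hashlib.sha256(tampered).hexdigest())
    return {
        "clean": verify(manifest, BATCH, KEY),
        "tampered_file": verify(manifest, tampered, KEY),
        "tampered_file_and_checksum": verify(recomputed, tampered, KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case is the one manual checksum tracking is trying to catch: the file and its checksum were changed together, and only the keyed value exposes it.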

Utilizing access control

How different parties access and upload their personal files, while not giving access to other parties’ files, can become incredibly complicated. Many companies find that it becomes even more difficult when they’re using FTP or custom web applications. Here, if you get past the first level of security, then generally everyone can receive access to everyone else’s files.

Utilizing access controls for both passwords and accounts is critical. If you don’t have a policy built in then your company becomes very vulnerable to attack. But if you do have a policy, be sure to think about how you will be able to unlock accounts when they become mistakenly locked. Also bear in mind that FTP and custom applications are found to be very insecure as well. There is rudimentary authentication in both and many, many holes.

Understanding compliance auditing requirements

Anything that comes into compliance brings with it the need to be auditable, or the ability to have a regular trail to track. You must be able to show each access and operation on a file: downloads, uploads, when it was deleted, when it was encrypted, if/when it was decrypted, when it was deleted after being decrypted, etc.

If you choose to use FTP then you will have an audit trail in both your FTP logs and in the file system for the files exposed to FTP. However, relying on native auditing like this will be extremely difficult because the information is fragmented, making it extremely cryptic and difficult to interpret – let alone correlate – with one another. Custom web apps are difficult to use because there is no audit log. You will have to employ someone to modify the code to include this tracking capability.
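
To show what that correlation involves, here is an added example (not from the webinar or any Ipswitch product) that joins FTP transfer records to file-system audit events and marks every file access that no FTP transfer explains. The FTP lines use the standard xferlog layout; the file-system export format, the accounts, paths and addresses are all constructed, and the 5-second matching window is an assumption about clock skew.

```python
from datetime import datetime, timedelta

# Constructed sample data. XFERLOG uses the standard xferlog layout (wu-ftpd, vsftpd);
# FS_AUDIT is a hypothetical "timestamp operation path account" file-system audit export.
XFERLOG = """\
Mon Jan 12 09:15:02 2015 3 203.0.113.10 48213 /data/acme/payroll.csv b _ i r acme ftp 0 * c
Mon Jan 12 10:40:11 2015 1 198.51.100.7 48213 /data/acme/payroll.csv b _ o r acme ftp 0 * c
"""
FS_AUDIT = """\
2015-01-12T09:15:03 WRITE /data/acme/payroll.csv svc_ftp
2015-01-12T10:40:11 READ /data/acme/payroll.csv svc_ftp
2015-01-12T23:58:40 READ /data/acme/payroll.csv jdoe
2015-01-13T00:02:15 DELETE /data/acme/payroll.csv jdoe
"""
DIRECTION = {"i": "WRITE", "o": "READ", "d": "DELETE"}
WINDOW = timedelta(seconds=5)  # assumed clock skew between the two sources


def parse_xferlog(text):
    """Yield (time, operation, path, ftp_user, remote_host) per transfer record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 18:
            continue  # malformed line, or a filename containing spaces
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        yield when, DIRECTION.get(f[11], "?"), f[8], f[13], f[6]


def custody_trail(xferlog, fs_audit):
    """Return one row per file-system event, annotated with the FTP transfer
    that explains it, or 'NO FTP RECORD' when the access bypassed FTP."""
    transfers = list(parse_xferlog(xferlog))
    trail = []
    for line in fs_audit.splitlines():
        stamp, op, path, account = line.split()
        when = datetime.fromisoformat(stamp)
        match = next((t for t in transfers
                      if t[1] == op and t[2] == path and abs(t[0] - when) <= WINDOW), None)
        source = f"ftp user {match[3]} from {match[4]}" if match else "NO FTP RECORD"
        trail.append((stamp, op, path, account, source))
    return trail


if __name__ == "__main__":
    for row in custody_trail(XFERLOG, FS_AUDIT):
        print(" | ".join(row))
```

Neither log alone tells the whole story: the FTP log has the remote user and address but not the late-night read and delete, and the file-system log has every operation but only the service account for FTP activity.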

What do you find the most difficult about auditing data for a file transfer? Be sure to leave your thoughts in the comments section below.

Next Steps

If you’re interested in learning more about encryption and file transfer security, be sure to check out the full webinar by clicking here.

And you’re always welcome to visit my own site (UltimateWindowsSecurity.com) for news and analysis.

Randy Franklin Smith
Click here to access the replay of the “File Transfer Security: Top 8 Risks to Assess & Address” webinar

It seems that almost every organization – from SMBs to large enterprises – is struggling with secure file transfer. Large companies like Sony Pictures are not immune. They are dealing with the fallout of a successful attack on their secure files. Despite their IT security efforts, hackers have stolen and are leaking terabytes of data from the media company. These security breaches don’t come from a lack of effort or awareness. Rather, they are the result of file transfer practices that have not evolved to meet today’s complex requirements.

The main culprit: standard FTP solutions

Evolving from FTP to Secure File Transfer
Pictured: FTP (left) and Secure File Transfer (right).

File Transfer Protocol (FTP) is widely considered the easiest way to transfer business data, and the numbers back it up; FTP is used by a staggering 83% of businesses. Of this group, however, we find that very few are comfortable with its security, as the majority of respondents express fear about sensitive data being compromised.

File transfer solutions have often been relegated to the darkest corner of the lowest wattage server room, and it’s very common to find company data being managed by long-ago deployed, home-grown FTP solutions that are not well understood, documented or easily maintained by today’s IT staff.

As a result of this misunderstanding, FTP is now being used to send highly sensitive data that is subject to HIPAA, PCI, SOX and other industry regulations – putting an organization at risk for data breaches, compliance violations, financial burdens, and in some cases, a “company death sentence.” Harsh, but true. Of course, this was never FTP’s intended purpose, and now, companies are scrambling to find an alternative.

Acronyms that start with “S”

Luckily, many are finding a viable alternative to FTP in the form of two common security protocols that help to secure and increase the reliability of data transfer: Secure Sockets Layer (SSL) and Secure Shell (SSH). Specifically designed to encrypt file transfers and associated administration network traffic, both SSL and SSH enhance the security and reliability of file transfer by using encryption to protect against unauthorized viewing and modification of high-risk data during transmission across open networks.

Don’t just take our word for it: our customer Enterasys went through their own evolution from FTP to secure file transfer.

SSH is particularly popular in IT environments because most operating systems (including UNIX/Linux) support SSH, therefore using SSH for file transfer (SFTP) allows for cross-platform IT standardization. Standardization using SFTP ensures consistent, strong security policy enforcement and simpler administration.

Are you ready to learn how SSL and SSH security policies can help your organization? Are you ready to toss aside your basic FTP and evolve with the times? Download the free Ipswitch File Transfer Whitepaper: Evolution from FTP to Secure File Transfer.

Worried about how people in your organization send files to other people, both internally and externally?

If not, you should be.

Employees have proven that they’ll use whatever is convenient to send files to other people, including email, USB drives, burning DVDs and even signing up for free file sharing websites. Although convenient to employees, each of these examples has its own set of risks and uncertainty to the company.

Ipswitch File Transfer is pleased to announce the launch of our new person-to-person Ad Hoc Transfer module. When used in conjunction with any of our WS_FTP Server solutions, the Ad Hoc Transfer module delivers the visibility, management and enforcement that IT departments need to safely enable file sharing interactions, while at the same time making it simpler than ever for employees to quickly, easily and securely share files with other people using either Microsoft Outlook or their browser.

Please do join one of the following webinars to learn more: