This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.

My answer:  “Use both of them, together!”

For starters, here’s a real quick summary of both encryption types:

  • Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS.  Leading solutions use encryption strengths up to 256-bit.
  • File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents.  PGP is commonly used to encrypt files.

I believe that using both together provides a double-layer of protection.  The transport protects the files as they are moving…. And the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.

Here’s an analogy:  Think of transport encryption as an armored truck that’s transporting money from say a retail store to a bank.  99.999% of the time that armored Brinks truck will securely transport your delivery without any incident.  But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.

One last piece of advice:  Ensure that your organization has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information.  Although it’s an amazing accomplishment that FTP is still functional after 40 years, please please please realize that FTP is does not provide any encryption or guaranteed delivery – not to mention that tactically deployed FTP servers scattered throughout your organization lack the visibility, management and enforcement capabilities that modern Managed File Transfer solutions deploy.

Word has quickly spread that a serious weakness has been discovered in the Secure Sockets Layer (SSL) protocol that allows attackers to silently decrypt data that’s passing between a web server and an end-user browser.

All reports indicate that this vulnerability affects the SSL protocol itself and is not specific to any operating system, browser or software/hardware product.  This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 and TLS 1.0 traffic.  It primarily impacts HTTPS web traffic, since the browser is the primary attack method.

SSL and TLS are two of the industry standard technologies that Ipswitch File Transfer solutions use to encrypt data while in-transit.  Additional technologies such as AES transport encryption, PGP file encryption, and the encrypted FTPS and SFTP protocols are also used to secure data.  As always, we recommend a defense-in-depth approach for protecting sensitive data.

At this point the vulnerability is not considered a high risk.  Ipswitch is closely monitoring the situation closely and will implement recommendations and provide updates if this turns into a serious threat.  We agree with Microsoft’s recommendation to prioritize  the RC4 cipher suite and to enable TLS 1.1 in client and server.  And given the choice, use the unaffected FTPS and SFTP protocols (and not HTTPS) until this vulnerability investigation is complete.  Microsoft has also issued a fix fix that enables support for TLS 1.1 in Internet Explorer on Windows 7 and Windows 2008.