Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information.  We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.

2011 was also a record-breaking year for data breaches.  Coincidence?   Perhaps.  But there is no denying the fact that the increased use of non-sanctioned technology in the workplace has created a security loophole in many organizations.  It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or worse, a data breach.

Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing. For example, our Ad hoc Transfer module for MOVEit DMZ enables organizations to enforce consistent policies and processes around person-to-person file transfers: email encryption, attachment offloading, secure messaging, eDiscovery, and more. It not only gives companies unparalleled governance, but it also allows end users to send information to anyone in a fast, easy, secure, visible, and well-managed way.

We will be talking a lot more about the topic of person-to-person file sharing in 2012, so stay tuned…

Information flows into, within and out of organizations faster and in greater volumes than ever before.  Complicating matters is the growing number of vendor systems, applications and platforms that make up your company’s business infrastructure and touch even your most sensitive and mission-critical information.

If you don’t have visibility into the data and files that are flowing between systems, applications and people — both inside and beyond the company firewall — things can go haywire very quickly.

  • Lost files, security breaches and compliance violations
  • Broken SLAs and other processes that are dependent on files
  • No file lifecycle tracking as data flows between applications, systems and people
  • Damaged partner and customer relationships
  • Lost opportunities

Relying on the reporting capabilities of each individual system has proven to be risky and inefficient.  Chances are, you’re swimming in a sea of not-very-useful-or-actionable data and static reports that are already a week behind with what’s actually happening in your company this very instant.

In today’s blog video, Frank Kenney shares his thoughts on why having one consolidated view is critical and why organizations are having such a hard time achieving visibility.

Video: http://www.youtube.com/watch?v=ow3l1AetI_Q

When it comes to your file transfers, many questions exist. Do you have the total visibility your business requires? How do your customers gain visibility into their file transfers? Do you have all the information you need to meet your service level agreements (SLAs) and to enable transparency about integration and file transfers? Let Ipswitch help you answer these questions and overcome your visibility challenges.

You’re going to be hearing more and more about “VISIBILITY” from Ipswitch, so I’d like to quickly start this blog post with our definition of visibility in the context of files and data flowing into, within and out of your company:

Visibility:  “Unobstructed vision into all data interactions, including files, events, people, policies and processes”

Fast, easy access to critical file and data transfer information is a must-have – it’s critical to the success of your business.  Whether it’s tracking and reporting on SLAs, analyzing file transfer metrics to identify bottlenecks and improve efficiency, or providing customers and partners with easy self-service access to the file transfer information they require – as well as countless other business objectives – unobstructed visibility is imperative.

Having one consolidated view into all of the systems and processes involved in your organization’s file and data transfers will deliver tremendous business value and a competitive edge. Please do take a couple of minutes to watch Ipswitch’s Frank Kenney share his perspective on why visibility is important.

Video: http://www.youtube.com/watch?v=qsxzweLBRGA&feature=channel_video_title

Security researcher Derek Newton and a few Dropbox users have found a significant security hole in Dropbox. They published their results and Dropbox responded.

Dropbox’s response is not adequate.  It’s not enough for them to bury their head in the sand and to say that this security gap is not their problem if a hacker has physical access to the computer. The very nature of Dropbox lets its users increase their physical presence onto many more computers.  As such, these users are increasing the risk of their information being stolen and their businesses being compromised.

Instead, Dropbox needs to say what steps they are taking to close this security gap.  If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.

Encryption is the best way for Dropbox to proceed right now. Encrypting their configuration files would be the first and best place to start. Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity. Whenever they notice a blip or a change in a user’s activity, they should send the user an email or SMS.

Third, no application or user should be given implicit access to a user’s files.  All access needs to be explicit.  An end user needs to specify each application and user that has permission to view, update, copy or remove their files. 

As all our transactions become electronic, it’s more important than ever that securing the data, and securing access to the data without compromising usability and authorized access, be the number one requirement for software vendors.

Ziff Davis recently published a study on Managed File Transfer that heralds MFT solutions as “the unsung security and compliance solution”.  Eric Lundquist sets the stage nicely:

“Everyone is talking about the need to collaborate more effectively and put employees closer to customers in a real time business environment.

But until you can assure the security, privacy, and compliance requirements of data transfer, the collaborative enterprise is just a good idea.  MFT is one of those enabling technologies designed to make it a reality.”

The study found that security concerns about current file transfer methods include the usual suspects, such as encryption, viruses, user authentication, backup, hacking, enforcing security policies, managing external users, auditing, reporting and defining security policies.

Not surprisingly, data from the study shows that many of those very security concerns that people had with their organization’s current file transfer methods are actually strengths of today’s MFT solutions.

Keep in mind that many organizations still rely on homegrown scripts and point-to-point solutions, oftentimes using the unencrypted FTP protocol for transport, and with very little visibility, management or policy enforcement. In addition to being time-consuming and expensive to manage and maintain (and commonly built by developers who left the company years ago), many existing file transfer methods are insecure and introduce risk and inefficiency into an organization.

Plus, many companies haven’t even begun to crack the person-to-person nut of file transfer beyond relying on corporate email, unsanctioned personal email or file sharing websites, and even sneakernet!

In my next post, we’ll take a closer look at some of the areas where the study identified MFT solutions as being superior to many commonly used methods for file transfer.

Here’s a nice write-up of one of our newest customers, Salary.com.

Every once in a while we like to showcase an exciting new customer and share some of the reasons why they chose to deploy an Ipswitch File Transfer solution to solve their business problems.

Quick background on the business need:

Salary.com exchanges data with thousands of customers and partners daily worldwide.

They sought a flexible, highly available solution that could simplify business operations and meet compliance regulations including SOX, PCI DSS, HIPAA and other state laws around employee privacy.

Security & compliance requirements were driving factors:

“It’s an imperative that our file transfer services maintain our rigorous requirements for keeping our clients’ critical business data secure,” said John Desharnais, managing director of technical operations at Salary.com.

And here’s some insight into their purchase decision:

“Salary.com reviewed several solutions, but selected Ipswitch’s MOVEit suite because of its comprehensive approach to managed file transfer, ability to provide an end-to-end audit trail and granular controls that monitor how files are moved, accessed, and used.”

“Ipswitch’s MOVEit solution is easy to use and ensures that we have complete visibility into all file transfer activity on our network.”

Salary.com, welcome to the Ipswitch family and we look forward to a loooong relationship together.  As your business needs continue to grow and evolve, Ipswitch will be a trusted partner that will continue to bring innovative solutions to market.

I spent my morning reading through the 2010 Data Breach Investigations Report that was just published by the Verizon RISK Team and the United States Secret Service.  This is an amazingly insightful report with lots of information to digest.  If the topic of data breaches interests you, I highly recommend finding time to read through it.

Data breaches are scary.   Nobody wants to be a victim… And nobody wants their company to be the next headline on the news.

Data breaches are expensive.  According to the Ponemon Institute’s 2009 Cost of a Data Breach study, the average cost of each compromised record is $204.

Here are 5 quick recommendations that I’d like you to consider:

  • Recognize your data:  Before you can protect confidential, sensitive and important data, you must first go through an exercise of identifying where it lives, who has access to it, how it’s handled and what systems it touches, and make sure any and all interactions with the data are fully visible and auditable.
  • Take proactive precautions:  The majority of breaches were deemed “avoidable” if the company had followed some security basics.  Only 4 percent of breaches required difficult and expensive protective measures.  Enforce policies that control access and handling of critical data.
  • Watch for ‘minor’ policy violations:  The study finds a correlation between seemingly minor policy violations and more serious abuse.  This suggests that organizations should investigate all policy violations.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach.  Actively searching for such indicators may prove even more effective.
  • Monitor and filter outbound traffic:  At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
  • If a breach has been identified, don’t keep it to yourself:  Standard procedure for data breach recovery should be to quickly identify the severity of the breach… And affected individuals have a right to know that sensitive information about them has accidentally been compromised.

I’m going to end this blog post by asking you to estimate how many pieces of sensitive files and data your company has… Now multiply that by $204. I’m sure you’ll agree that the time and resources spent protecting company data are well worth the investment.

A quick summary of key industry happenings:

A) The economic impact of piracy (including software) is *really* not understood: http://www.gao.gov/products/GAO-10-423. See pages 15 – 19 of the full report in particular.

I’ve always been skeptical of the piracy claims, good to see someone actually reviewed them. I think it is better for the industry to focus on the valued real customer rather than to fabricate and fret about the unknown and unquantifiable pirate customer.

I’ve been following the data breach that occurred at HSBC Private Bank in Switzerland.    Seems that an employee stole data on 24,000 accounts over three years ago, but the details of the breach weren’t clear to the company until earlier this month when the Swiss government returned data files back to the bank.

That type of lengthy delay is unacceptable. Forget for a moment the impact that a data breach can have on an organization’s bottom line. Instead, think about the individuals who have been violated by either negligence or cybercrime. They deserve to know, and in a timely fashion.

An organization must have clear visibility into all data interactions, including files, events, people, policies and processes.  Best-in-class managed file transfer solutions include tamper-evident cryptographic audit logs, as well as easy archival and retrieval of all transferred files and personal messages that were sent back and forth.  No security can ever be perfect, but the correct audit capabilities mean that losses can be clearly understood without delay.

One last piece of advice to companies that fall victim to a breach:  Don’t keep it to yourself. Standard procedure for data breach recovery should be to quickly identify the severity of the breach… And affected individuals have a right to know that sensitive information about them has accidentally been compromised.

Multi-enterprise collaborative implementations and deployments can be extremely difficult to benefit from because all too often the companies deploying these solutions overly emphasize the security mechanisms and protocol support. While those aspects are important, the ecosystems around companies are expanding to include smaller partners and Prosumers that need to be managed, provisioned, and have their expectations met. In short, companies will need to spend the time and effort on better managing all aspects of the interactions in their ecosystem.

The agreement between Cleo Communications and Stonebranch is a good step in this direction, but we continue to advise our customers, prospects, and the overall market to strongly consider the visibility, management, and enforcement aspects of any type of integration and collaboration. Much of this partnership seems to be based on technology around providing multiple protocol and security support. I will never underestimate or undervalue the importance of protocols and security mechanisms, but I will always focus on the larger aspects of governance: visibility, management, and consistent enforcement of policies related to security and performance. These are the things that matter. This agreement furthers my strong and publicly stated beliefs that companies are consolidating their approaches to integration and collaboration.

Simply put, there continues to be a high degree of volatility (this impacts the entire marketplace in a positive way) in the managed file transfer market.