In your efforts to secure critical business and personal data, don't forget your file transfer and data sharing systems. One often overlooked area that can leave you vulnerable to cyber attack is outdated or under-managed FTP servers.
Since the early days of the internet, there has been a need to send or share files externally. That need was often addressed by setting up an FTP (File Transfer Protocol) server. In many organizations, multiple departments would set up their own FTP servers, often on different hardware platforms and using a variety of scripts to handle any automation needs.
Over the last few years, security-conscious organizations have come to realize that a multitude of FTP servers can pose a risk. In some cases, the risk arises because FTP servers were originally spun up for innocuous reasons in 'Anonymous' mode, where password protection is minimal. In other cases, either the original administrator or a script author has since left the company, taking the knowledge necessary for adequate management with them. We've even had customers claim that their network monitoring discovery process has turned up FTP servers they didn't know existed.
Today's cyber threat environment is a lot different. There is an ongoing race between the IT security measures applied by businesses and security threats deployed by cybercriminals. Cybercriminals continue to steal intellectual property and terabytes of data by successfully penetrating network infrastructures and end-user machines. Cybercriminal targets can range from small and medium-sized companies or local government agencies up to global enterprises. It seems as though there’s a brand-name company in the news just about every week that’s dealing with the fallout of a successful cyberattack.
At the same time, our information economy dictates that almost every organization now has an operational need to share data externally. And in many cases, this data is proprietary, mission-critical or protected by industry or government regulatory mandates such as HIPAA, GDPR or PCI. Data security is a top concern for every IT organization, and increasingly the spotlight is being focused on file transfer and sharing solutions.
Let’s Back Up to FTP Beginnings—A Popular Protocol…with Reservations
The use of FTP servers to transfer files has been popular for many years, and the FTP protocol was once considered the easiest way to move business data. Studies estimate it’s used by approximately 80% of all businesses. Organizations that need to share protected data, however, are increasingly uncomfortable with their ability to secure and manage environments with multiple, disparate FTP servers. Compliance audit firms often see these environments as a red flag and the U.S. FBI even issued an industry alert bulletin cautioning businesses about the risk that FTP servers can present.
When unmanaged or insecure FTP servers exist in an organization that routinely deals with data that is protected under HIPAA, PCI, FINRA, FDA, SOX or other industry regulations, there is also a risk of significant fines. Some 65% of all data breaches originate with a user. The majority of those cases are due to inadvertent errors or poor judgement where sensitive data is mishandled or stored in an unauthorized location - like the file directory of an FTP server or a consumer-grade file sharing service.
While most FTP servers today implement the SFTP protocol, there are still nearly a million unprotected FTP servers out on the internet. To a cybercriminal, an unprotected FTP server is an ideal candidate for a 'command and control' platform. Such servers are often accessible to other servers in the network and provide an ideal exfiltration platform. As a case in point, the data stolen in the Target breach a few years back was exfiltrated using an unmanaged FTP server by sending small amounts of data at a time so as not to raise flags in the Security Operations Center (SOC).
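Sending small amounts at a time defeats per-transfer size alerts, so detection has to sum outbound FTP volume per source and destination over a longer window. The following is an added example, not part of the original article, that does this over constructed flow records; the record layout, service labels, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (time, src, dst, service, bytes_out). The record
# layout, service labels, addresses and thresholds are all assumptions.
PER_TRANSFER_ALERT = 50_000_000  # existing single-transfer size rule
WINDOW = timedelta(hours=24)     # aggregation window
CUMULATIVE_ALERT = 200_000_000   # total bytes per src/dst pair in WINDOW
MIN_TRANSFERS = 20               # many small transfers, not a few big ones


def find_slow_exfil(flows):
    """Return (src, dst, total_bytes, count) for each pair whose small FTP
    transfers sum past CUMULATIVE_ALERT inside a sliding WINDOW."""
    by_pair = defaultdict(list)
    for ts, src, dst, service, nbytes in flows:
        # Keep only FTP data transfers that stay under the per-transfer rule
        if service == "ftp-data" and nbytes < PER_TRANSFER_ALERT:
            by_pair[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start = total = 0
        for end, (ts, nbytes) in enumerate(events):
            total += nbytes
            # Drop events that have fallen out of the window
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            count = end - start + 1
            if total >= CUMULATIVE_ALERT and count >= MIN_TRANSFERS:
                findings.append((src, dst, total, count))
                break  # one finding per pair is enough to open a case
    return findings


def sample_flows():
    """Constructed traffic: one slow leak, one normal partner, one HTTPS flow."""
    t0 = datetime(2024, 1, 1)
    flows = [(t0 + timedelta(minutes=30 * i), "10.0.5.17", "203.0.113.9",
              "ftp-data", 6_000_000) for i in range(40)]
    flows += [(t0 + timedelta(hours=4 * i), "10.0.5.20", "198.51.100.4",
               "ftp-data", 2_000_000) for i in range(5)]
    flows.append((t0, "10.0.5.17", "203.0.113.9", "ssl", 900_000_000))
    return flows


if __name__ == "__main__":
    for finding in find_slow_exfil(sample_flows()):
        print(finding)
```

In the constructed data no single transfer exceeds 6 MB, yet the pair is flagged once the 34th transfer pushes the 24-hour total past the cumulative threshold.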
Moving Beyond FTP to SFTP
The Secure File Transfer Protocol (SFTP) arose from the need to provide a secure FTP implementation. It employs SSH (Secure Shell) to encrypt communications between the FTP server and client, including both authentication and message traffic. A less popular alternative, FTPS, also emerged to address file transfer security by implementing SSL (Secure Sockets Layer). SSH, however, quickly won the popularity contest as the default for most operating systems (Microsoft Windows being the most notable exclusion). Thus, IT standardization is more easily accomplished via SFTP (SSH) than it is using FTPS (SSL).
SSH in turn leverages SCP (Secure Copy Protocol), which is based on its predecessor RCP (Remote Copy Protocol) and supports file transfer between hosts on a network. In typical operation, the SFTP client opens an SSH connection to the server, requesting it to open an SCP session and thus enabling the transfer. SSH provides strong authentication and encrypted communications, mitigating the risk of interception by cybercriminals.
Because SFTP encrypts file transfers and associated administration network traffic, it enhances the security of external transfers by protecting against data interception or modification during transmission across open networks.
To see an example of SFT in action, check out how Enterasys (now known as Extreme Networks) evolved from FTP to SFT. The change to SFT provided Enterasys end users with fast, secure and reliable access to business-critical. At the same time, Enterasys could prove it protected data with audit trails, which facilitated compliance with critical industry standards.
When to Use MFT over SFTP
If the volume of transfers that occur in a given day or week is moderate and the transfers do not involve high-value or regulated data, SFTP servers are a safe bet. If, however, your transfers are business-critical, high-volume or involve data regulated by HIPAA, GDPR, PCI or other data protection laws, you may need to consider migrating to MFT (Managed File Transfer).
MFT solutions often enable a variety of secure transfer methods, including SFTP and HTTPS, and provide a stronger security and management architecture than is possible with disparate SFTP servers. Ideal use cases are when two of the following three criteria are at play: large volumes of transfers occur on a daily or weekly basis; there is a business impact if transfers don't occur when required; or the data is proprietary, personal or otherwise regulated. MFT provides features that assure the reliable and secure transfer of critical data. Here are some of the key capabilities you can gain and the benefits they provide:
- Control over user access and permissions with real-time visibility into file transfer activities: This lets you remotely administer and manage servers from any Internet connection, and you can assign user or group permissions for uploading, downloading, deleting and renaming files as well as to create directories.
- Encryption in transit and at rest to assure data security: Advanced security features include 256-bit AES encryption, secure copy (SCP2), file integrity, SMTP server authentication, an SSH listener option, login multi-factor authentication encryption, digital certificate management, and mutual authentication of servers and client devices.
- Control over file transfer activities with external authentication: LDAP queries and a wide range of administrative tools enable file transfer customization. You also benefit from support for virtual servers, end-user email notification, end-user folder controls, and IP whitelists for end-user authentication.
- Centralized logging: Key to compliance with a wide array of data protection regulations is having a well-documented audit trail of all file transfer activities. This is difficult to achieve when file transfer systems are disparately managed. MFT provides centralized management and logging.
- Ad-hoc email transfer: Allows you to enforce consistent policies and processes around person-to-person file transfers.
- Immediate failover: When you exchange mission-critical files and have to avoid any downtime, the failover option provides reliability and continuity.
- Streamlined web transfer: Simple, secure, and flexible browser-based file transfers make it easy for users to upload and download files.
Managed File Transfer takes Secure File Transfer to the next level, providing considerable advantages when it comes to ensuring compliance with all data protection regulations. This includes hardened systems, data encryption, advanced authentication controls, integration with existing security infrastructures and tamper-evident audit trails.
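One common way to make an audit trail of transfer events tamper-evident is to chain each record to the previous one with a keyed hash, so that an edited or removed record breaks verification. The following is an added example, not code from the article or from any MFT product; the key, event fields and sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical key for the demo; a real key is held off the log host.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _mac(prev_mac, event):
    # Canonical JSON so the same event always serialises to the same bytes
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_event(log, event):
    """Append a transfer event, binding it to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(prev, event)})


def verify_log(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_mac(prev, entry["event"]), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def demo():
    """Build a constructed log, then edit and delete a record."""
    log = []
    for user, action in [("alice", "upload"), ("bob", "download"), ("bob", "delete")]:
        append_event(log, {"user": user, "action": action, "path": "/claims/2024-01.csv"})
    intact = verify_log(log)
    log[1]["event"]["user"] = "svc-backup"  # edit the download record
    edited = verify_log(log)
    del log[1]                              # remove the record instead
    removed = verify_log(log)
    return intact, edited, removed


if __name__ == "__main__":
    print(demo())
```

A chain like this does not reveal truncation of the newest records on its own; that requires copying the latest MAC to a separate system at intervals.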