Posts from ‘Compliance’
In his white paper, “Business-Class File Sharing Best Practices”, Michael Osterman of Osterman Research assesses the current state of
personal file sharing within business, with recommendations about how information technology, risk management and compliance teams can best address the common issues and risks.
Below is an excerpt from the paper, where Michael summarizes some of the key issues with the status quo with personal file sharing within business. We also invite you to access the full white paper including Michael’s case for why IT needs to provide and manage file sharing solutions.
Excerpted from “Business-Class File Sharing Best Practices”
The Status Quo Doesn’t Work
- Users are stymied because company email systems often do not permit file attachments of more than 10 to 20 megabytes to be sent, and it is not efficient at sending more than a few files at a time. Moreover, email doesn’t typically include a return receipt so the sender can know if the recipient ever received the email. Also, when email is used for file transfer, it imposes increased storage and bandwidth costs, slow message delivery, long backups, long restores, high IT management costs.
- Many users will turn to their personal Webmail account because of their ability to send very large files through these systems. However, when users do so there is no IT visibility into the sent or received content, no tracking, no auditability, and no archiving. Moreover, corporate content can reside in personal Webmail repositories for many years, long after an employee may have left the company. While this makes life easier for users, it increases the risk to the organization.
- USB sticks, tablets and smartphones create the same problems: lack of security, higher costs, their likelihood of being lost or stolen, and the potential for content on them to be accessed by unauthorized parties.
- Dropbox-like file sharing tools and cloud services can be effective, but they do not permit IT management or governance of content. And, they often are individual accounts and not under the sanction of IT which means that IT doesn’t have the visibility or insight into what is being transferred, nor does IT maintain any type of audit trail for this content.
- SharePoint and similar tools are useful for sharing information if both senders and recipients are using it. However, SharePoint require the deployment of a dedicated infrastructure and training for end users, and it is not always easily accessible by remote workers or people external to an organization.
- Basic FTP client-server systems, while useful, require both the sender and recipient to have access to the FTP server to share information, which can be an ongoing provisioning burden for IT.
- Physical delivery of information – such as CD-ROMs or DVD-ROMs that are burned and sent through overnight services – is expensive and the speed of delivery is slow
Again, at this link you can access the full white paper including Michael’s case for why IT needs to provide and manage file sharing solutions.
Ericka Chickowski did a nice job in her Dark Reading article on how old-fashioned FTP introduces unnecessarily levels of compliance and security risks to organizations. And here’s an alarming data point from Harris Interactive – approximately 50% of organizations are currently using the FTP protocol to send and exchange files and data.
Talk of security concerns with FTP is certainly not new. FTP was never designed to provide any type of encryption, making it possible for data to be compromised while in-transit. A common answer for this is to use encrypted standards-based protocols such as SSL/FTPS and SSH/SFTP.
Luckily, modern managed file transfer solutions deliver not only the security you know your business requires, but also the visibility and control that IT needs to properly govern company information.
Ipswitch’s Greg Faubert offers his thoughts in the Dark Reading article:
“While FTP is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy…. The PCI standards look specifically at the security surrounding your FTP environment. It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls.”
And yet, somehow, many organizations continue to rely on unencrypted FTP to transport mission-critical or sensitive information. For those guilty, here are a few steps to help you get started in migrating away from antiquated FTP. And don’t worry, it won’t be painful.
Here’s a great write-up of how Rochester General Hospital is using Ipswitch’s MOVEit solution to manage over 400,000 electronic billing transfers per year to dozens of payer systems.
Quick background on the business need: Rochester General Hospital needs to exchange patient records, insurance claims, and billing information from their electronic medical record (EMR) and accounting systems with many health providers and insurance companies.
Security and compliance are critically important: Not only do the transfers need to be reliable to facilitate timely payments, but they also needed to be highly secure and auditable to protect patient privacy and ensure compliance with HIPAA and HITECH.
Ipswitch eliminated complexity and created efficiencies:
“We needed to consolidate on a standard way to transfer files to many different payer systems…. MOVEit consolidated a number of batch files and legacy tools into a single, secure and easy to use file transfer solution,” says Dylan Taft, Systems Engineer at RGH.
“In the event of an audit, MOVEit allows us to provide chain-of-custody and non-repudiation with just a few clicks. Without MOVEit, we wouldn’t have this visibility.”
If we didn’t have MOVEit, we would have to hire one or two additional people just to review the log files every day – not to mention lost files, information arriving late, and frustrated doctors and payers.”
Do you have a great Ipswitch story of your own to tell? Email us at mystories@ipswitch.com…. We can’t wait to hear all about it!
There is so much to absorb at RSA Conference. The largest gathering of security vendors, solution providers and practitioners in the U.S. certainly didn’t disappoint as the Moscone Center was buzzing with security education and of course lots of thought provoking conversations.
Many of the people I spoke with shared similar concerns of data breach risk, tighter compliance and auditing requirements, and their lack of visibility and control over the tools that people are using inside their organization to share files and data with other people. IT leaders are feeling 
pressure (and rightfully so) to regain control over how people share files with other people. It was also great hear so many people talking about migrating to the public and private clouds in order to take advantage of benefits such as quick provisioning and elasticity.
My favorite conversations at conferences are usually the ones I have with current customers…. And RSA was no exception. Quite frankly, the key insights I learn from talking with customers help me do my job better. Many thanks to the dozen or so Ipswitch customers that stopped by our booth and shared stories of how they have successfully consolidated and replaced the various homegrown file transfer tools and scripts, various vendor products, and manual processes they had been relying on with an Ipswitch MFT solution, resulting in improved efficiencies in their business processes as well as a simplified way to demonstrate compliance and consistently enforce security policies for all their file transfer and file sharing activities.
This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.
My answer: “Use both of them, together!”
For starters, here’s a real quick summary of both encryption types:
- Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS. Leading solutions use encryption strengths up to 256-bit.
- File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents. PGP is commonly used to encrypt files.
I believe that using both together provides a double-layer of protection. The transport protects the files as they are moving…. And the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.
Here’s an analogy: Think of transport encryption as an armored truck that’s transporting money from say a retail store to a bank. 99.999% of the time that armored Brinks truck will securely transport your delivery without any incident. But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.
One last piece of advice: Ensure that your organization has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information. Although it’s an amazing accomplishment that FTP is still functional after 40 years, please please please realize that FTP is does not provide any encryption or guaranteed delivery – not to mention that tactically deployed FTP servers scattered throughout your organization lack the visibility, management and enforcement capabilities that modern Managed File Transfer solutions deploy.
