Posts from ‘MFT’
I recently attended SecureWorld Detroit and engaged in two days of conversation with top security, IT and risk management professionals.
There was a single theme that I heard the loudest and clearest from the security community:
There is growing concern for how employees transfer files in an ad hoc manner to those outside the organization. Employees are quick to turn to DropBox or YouSendIt to step outside of file size limitations or email speed issues, without realizing the consequences of their actions.
We heard this consistently across multiple industries – Retail, Healthcare, Financial Services, Banking, Government, Automotive.
We heard this from organizations large, medium and small with requirements to manage file transfers with partners, customers or vendors, and in some cases with international and global reach.
It was said in different ways but it came down to the security teams seeing significant risk for leakage with their current situation today. Some soundbites:
- “We need a person to person file transfer solution”
- “My users want to send large files through YouSendIt. Right now I just keeping saying ‘No’, I’d rather have a solution to offer them.”
- “We need to support an ad hoc file transfer requirement for our users”
- “I have people using DropBox today. It is absolutely unacceptable from a security standpoint, but we need to offer them an alternative.”
This risk around person to person file transfer is not going away, it’s getting worse by the day as more and more employees rely on personal email and cloud based services to transfer data. The potential for leakage is amplified when you consider other data transfer devices such as USB drives and personal email use.
We have done extensive research in this area and we have a Research Report summarized in a graphical eBook which will be published later in October. Titled “Are Your Employees Putting Your Company’s Data at Risk?”, this report helps bring the current problems to life with a picture of how users are behaving today.
“My company still relies heavily on FTP. I know we should be using something more secure, but I don’t know where to begin.”
Sound familiar?
The easy answer is that you should migrate away from antiquated FTP software because it could be putting your company’s data at risk – Unsecured data is obviously an enormous liability. Not only does FTP pose a real security threat, but it also lacks many of the management and enforcement capabilities that modern Managed File Transfer solutions offer.
No, it won’t be as daunting of a task as you think. Here’s a few steps to help you get started:
Identify the various tools that are being used to transfer information in, out, and around your organization. This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc. Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.- Map out existing processes for file and data interactions. Include person-to-person, person-to-server, business-to-business and system-to-system scenarios. Make sure you really understand the business processes that consume and rely on data.
- Take inventory of the places where files live. Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc. After all, it’s harder to protect information that you don’t even know exists.
- Think about how much your company depends on the secure and reliable transfer of files and data. What would the effects be of a data breach? How much does revenue or profitability depend on the underlying business process and the data that feeds them?
- Determine who has access to sensitive company information. Then think about who really needs access (and who doesn’t) to the various types of information. If you’re not already controlling access to company information, it should be part of your near-term plan. Not everybody in your company should have access to everything.
Modern managed file transfer solutions deliver not only the security you know your business requires, but also the ability to better govern and control you data…. As well as provide you with visibility and auditing capabilities into all of your organizations data interactions, including files, events, people, policies and processes.
Many customers today expect ‘WAN acceleration’ technology (sometimes referred to as WAN Optimization) as part of their MFT vendor’s solution offering. In general this is a useful addition to the MFT feature set, and can certainly reduce file transfer times in a wide variety of scenarios. However, customers should have realistic expectations of what these acceleration technologies can offer, and be cognizant of the limitations and constraints imposed by the carrier network itself.
Join us on September 29 at 1:00 p.m. ET for our latest webcast, Top Tips for Managing File Transfer & Application Integration.
More and more, organizations are beginning to realize that their old batch-file-and-script methods of file transfer and application integration don’t work. They’re unwieldy, primitive, difficult to manage, and often not 100% reliable – not to mention less scalable than the organization might wish. Don Jones, Principal Technologist at Concentrated Technology, and Andre Bakken, Director of Product Management at Ipswitch, will provide the top tips for managing file transfer and application integration in a more modern way. You’ll learn about the key failings in most organizations’ existing techniques, and look at the core capabilities you should be looking for as you move to improve your organization’s treatment of these critical tasks.
Register Now for the webcast!
What: Webcast – Top Tips for Managing File Transfer & Application Integration
When: September 29 at 1:00 p.m. ET
Who: Don Jones, Principal Technologist at Concentrated Technology and Andre Bakken, Director of Product Management at Ipswitch
August 2011: Yale University announced that 43,000 social security numbers posted to an insecure FTP server have been available to Google search engine users for the past 10-months.
May 2011: Southern California Medical-Legal Consultants (SCMLC) disclosed that the medical records of 300,000 injured workers were available online to the public through Google search.
For Yale, it seems that the file containing the names and social security numbers was stored in a FTP server which was used for open source work – That means that ANYONE could access the information without even being asked for a username/password. Although IT Director Len Peters said “there is no indication that the information has been exploited”, that sounds to me an awful lot like “nobody has told us that their information was breached but we don’t have the visibility or audit trail to know for sure.”
For SCMLC, an internal server exposed documents containing health information (including names and social security numbers) of California residents who applied for workers’ compensation benefits. The files were neither encrypted nor password-protected. According to Joel Hecht, President of SCMLC, “We take data security and privacy very seriously, unfortunately, our internal security policies and procedures were not followed.” In theory he’s saying the right things and his company may (or may not) have the proper tools and systems in place, but the key here is they lacked the proper management and enforcement of access controls and security policies. Now there are a gazillion reasons wanting to keep health information confidential, and in this case that list would include workers compensation information being read by possible future employers and impacting hiring decisions.
Ipswitch’s Frank Kenney sums things up nicely in a recent article on the increasing security risks of web-searchable databases:
“In many cases organizations don’t know that they’re wide open. The databases that exist today have ultimately been designed to allow the easiest access from a multitude of devices and places. In many people’s minds they think that there is a measure of safety for the data sitting underneath the application because the application is secure. But your database is sitting out there and it came configured out of the box to be connected to the Internet.”
So take this opportunity to identify what Web-facing databases you have and really dig into the information they contain. If you are exposing any sensitive or confidential information, take measures to properly manage that data, control access to it, set up security policies and of course ensure visibility into all files being uploaded or downloaded from the server.
