• open panel
  • Home
  • Articles posted by James Lewis
  • Page 3

Author Archive

Box, DropBox, YouSendit vs Managed File Transfer: How secure is your data?

File sharing applications are often free or at least cheap, simple to use and very often difficult for an IT department to trace.  This presents a major problem for the enterprise as highlighted in a recent study by Palo Alto Networks which showed that of the 1,636 enterprises surveyed, a staggering 92% of companies had an average of 13 different browser based file sharing applications in use within their network.

With recent announcements such as the DropBox security loophole and the MegaUpload service being taken down, the net is closing in on file sharing applications and services, and rightly so.  Pretty much all businesses need to share files with colleagues, customers and trading partners, but at what cost? Recent studies by the Ponemon Institute found that the average data breach costs UK firms £1.9m prompting the question, “what would be the impact of a data breach on your company”?

browser_based_file_sharing_apps

Figure 1 – Most frequently detected browser based file sharing apps

Over burdened IT departments throughout the UK are faced with the challenge of enabling their users to carry out day to day tasks, whilst ensuring that their activities don’t compromise the very future of the business they work for.  With legislation surrounding data breaches putting increasing pressure on IT departments and data controllers, the implementation of a secure, managed file transfer solution has never had a higher priority.

When it comes to providing users with a simple, secure file transfer solution, we can help.  Pro2col represents a number of managed file transfer vendors here in the UK and has 10 years experience in finding the right solution for businesses.  Whether its providing cross platform applications for Windows, Mac, Linux or Unix, mobile application integration for iPhone, Android, Blackberry or the iPad or email integration with Microsoft Outlook or Lotus Notes, we have the solution to fit.

If your company is still using online file sharing technologies ask yourself this question – which is right for my business?  A technology over which I have no control or visibility or a secure, managed file transfer solution providing guaranteed delivery, auditing and reporting capabilities and complete control.

For a free consultation contact Pro2col on 0333 123 1240 and speak to a managed file transfer specialist with no obligation.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Powys County Council might have saved £130,000 by using Ipswitch MOVEit DMZ

This month the UK’s Information Commissioner’s Office has served a Monetary Penalty Notice of £130,000 to Powys County Council, after the details of a child protection case were sent to the wrong recipient. The penalty is the highest that the ICO has served since it received the power in April 2010. The severity of the penalty reflects the fact that the local authority had already received a warning from the ICO to tighten up its security measures following a similar breach.

Over the past 18 months Pro2col has worked closely with a number of County Councils looking to implement a simple way of securing person to person, ad hoc   file transfers.  Additionally, with County Councils looking to centralise or share the cost of services (Shared Services), Ipswitch’s MOVEit DMZ with the Ad Hoc module has proved a very popular choice, especially considering the cost of the Enterprise licence in comparison to other vendors.

MOVEit DMZ has another extremely popular feature – the option to licence multiple organisations on the same server, providing separate branding options for other services, e.g. Fire, Police, District and Borough Councils, whilst keeping users and data separate.  This dramatically reduces the total cost of ownership.

If you’re a Council with a requirement to secure person to person file transfer whilst benefiting from an industry leading secure file transfer server, then speak to one of our consultants. We’ll assess your individual requirements and help you to evaluate the best solution for your needs from the market leading managed file transfer vendors with whom we work.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Should I Use Transport Encryption Or File Encryption

This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.

My answer: “Use both of them, together!”

For starters, here’s a real quick summary of both encryption types:

Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS. Leading solutions use encryption strengths up to 256-bit.

File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents. PGP is commonly used to encrypt files.

Encryption Code

I believe that using both together provides a double-layer of protection. The transport protects the files as they are moving and the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.

Here’s an analogy: Think of transport encryption as an armoured truck that’s transporting money from say a retail store to a bank. 99.999% of the time that armoured truck will securely transport your delivery without any incident. But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.

One last piece of advice: Ensure that your organisation has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information. Although it’s an amazing accomplishment that FTP is still functional after 40 years, please realise that FTP does not provide any encryption or guarantee of delivery – not to mention that tactically deployed FTP servers scattered throughout your organisation lack the visibility, management and enforcement capabilities that modern managed file transfer solutions deploy.

Original: Ipswitch File Transfer

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Moving On From FTP: Where To Begin

“My company still relies heavily on FTP.  I know we should be using something more secure, but I don’t know where to begin.”

Sound familiar?

The easy answer is that you should migrate away from antiquated FTP software because it could be putting your company’s data at risk – unsecured data is obviously an enormous liability.  Not only does FTP pose a real security threat, but it also lacks many of the management and enforcement capabilities that modern managed file transfer solutions offer.

No, it won’t be as daunting of a task as you think.  Here’s a few steps to help you get started:

FTP

  1. Identify the various tools that are being used to transfer information in, out, and around your organisation.  This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc.  Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.
  2. Map out existing processes for file and data interactions.  Include person-to-person, person-to-server, business-to-business and system-to-system scenarios.  Make sure you really understand the business processes that consume and rely on data.
  3. Take inventory of the places where files live.  Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc.  After all, it’s harder to protect information that you don’t even know exists.
  4. Think about how much your company depends on the secure and reliable transfer of files and data.  What would the effects be of a data breach?  How much does revenue or profitability depend on the underlying business process and the data that feeds them?
  5. Determine who has access to sensitive company information.  Then think about who really needs access (and who doesn’t) to the various types of information.  If you’re not already controlling access to company information, it should be part of your near-term plan.   Not everybody in your company should have access to everything.

Modern managed file transfer solutions deliver not only the security you know your business requires, but also the ability to better govern and control you data as well as provide you with visibility and auditing capabilities into all of your organisations data interactions, including files, events, people, policies and processes.

So what are you waiting for, give Pro2col a call on 0333 123 1240 and let us help you replace your legacy FTP solutions.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Secure Managed File Transfer: On Premise v’s The Cloud

Everybody is talking about the cloud; its today’s hot topic with more and more organisations considering a cloud-base (hosted) solution as an alternative to their current on-premise solution.  The shift to cloud based computing is gathering pace and consequently this is an area we’ve been looking at quite closely.

So, is Cloud based secure managed file transfer for me and what are the biggest drivers behind this trend?

1.  Its cheaper! Many IT departments spend at least 50% of their budgets on salaries, and up to 70% of IT staff time is spent on maintenance, according to analysts. In-house IT specialists cost companies for IT management resource. A hosted service, on the other hand, may charge a much-reduced figure for its service along with 24–7–365 monitoring and higher uptime than many companies can achieve with on-premise staff and systems.

Managed File Transfer in the Cloud

2.  Hosted providers can do it better. Hosting vendors store the information on their own servers and manage the entire system for you, drastically reducing the time and energy you spend on keeping your MFT up and running. A growing number of companies just want MFT isolated as an enterprise-class cloud service, with all the modern archiving, compliance and virus protection features they require along with a scalable infrastructure their IT staff never has to worry about or manage.

3. The cloud has gone mainstream. Primed for enormous growth and widespread adoption, recent research indicates that 84 percent of small and mid-size companies and 69 percent of large companies are willing to consider, currently reviewing or already using software-as-service (SaaS) solutions. A big part of this growth is a result of the increase in broadband Internet access, but another key factor is that cloud MFT vendors are making better, simpler and more affordable software that doesn’t require a technical degree to setup or use. It’s also more widely accepted as a safe alternative to on-premise solutions.

4.  Pay as you go. As budgets tighten in this tougher economic period, more and more companies are gravitating toward cloud-based solutions. With no technology to maintain, total cost of ownership is five to 10 times less than installed software, so it’s easier to budget and scale as you add and subtract users. In addition, cloud-based solutions do not require ongoing maintenance, time or complex upgrades, so what was once a capital expense becomes a more balance sheet-friendly operating expense.

As this shift to cloud based computing continues to gather pace, Pro2col is at the forefront of assessing the industries leading vendors to ensure we know which solution is right for your budget and set of requirements.

But, the Cloud isn’t for Everyone

Despite all this optimism for the cloud, we know there are plenty of situations where it may not make sense to move your MFT there. Some data may need to remain on-premise, behind a firewall for legal or regulatory considerations (e.g., HIPAA). Also, other on-premise applications (e.g., document workflows) may be tightly integrated with your on-premise MFT system, so moving your MFT to the cloud could pose challenges if you are hoping to continue coupling these solutions. Finally, many organisations may not have fully made use of their existing on-premise MFT solutions (i.e., they have already invested in it) and may not be able to easily or practically abandon it.

For independent advice on Cloud/Hosted FTP or On-Premise Managed File Transfer solutions contact Pro2col on +44 (0) 333 123 1240 or +44 (0) 1202 433 415.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Planning Considerations for Managed File Transfer in 2011

If you’re considering implementing a managed file transfer solution during 2011 then you’re in luck.  Pro2col has been lobbying Ipswitch’s marketing team to provide a web cast specifically for the UK marketplace to address the considerations that should be taken into account when planning the implementation of a managed file transfer solution.

We’re very pleased to announce that Jonathan Lampe, Vice President of Product Management at Ipswitch File Transfer will be hosting a webinar titled, “Learn how and why MFT should fit into your IT structure, as well as insights into top security, compliance and data breach concerns.”  Jonathan will also be discussing;

  • Smart steps to lower your data breach risk
  • Tips on the “person-to-person” aspect of Managed File Transfer
  • How to evaluate, select, and implement a MFT solution with rapid time-to-value and a positive ROI
  • Strategic approach to MFT project planning

The webinar will take place on Wednesday 26th January at 3.00 pm.

REGISTRATION FOR THIS EVENT IS NOW CLOSED.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Over 5000 legal staff using Biscom Delivery Server for secure file exchange

Biscom’s recent focus on legal firms has really paid dividends having announced that the number of Biscom Delivery Server licenses sold into the legal sector passes 5000 seats.  It seems that the legal marketplace has very much embraced BDS as a solution that understands the data exchange needs of law firms.  This coupled with the integration options with iManage amongst other legal applications make BDS a stand out winner.

Recent customer wins in the legal sector include Latham and Watkins, Akin Gump Strauss Hauer & Feld LLP, McKenna, Long & Aldrich and Reimer & Braunstein to name a few.

If you’re a UK based legal firm or corporate legal department and would like to take a look at Biscom Delivery Server, please don’t hesitate to contact Pro2col today on 0333 123 1240.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

What’s the Most Common Way YOU Send and Receive Large Files?

We’re interested to find out what’s the most common way that you send and receive large files. If you’ve got a spare minute and fancy taking part in our mini poll on LinkedIn – here’s the link to follow:

http://polls.linkedin.com/p/111142/zgtbx

We’ll look forward to hearing from you!

Question Mark

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Data: Transferring the Burden Under PCI DSS

GT News have just published a great article written by Jonathan Lampe (Vice President of Product Management at Ipswitch) regarding data transfer requirements under PCI DSS.  If anyone is looking for a PCI DSS compliant solution for file transferring data, these are the points they really need to be taking into consideration:

Data: Transferring the Burden Under PCI DSS

Jonathan Lampe, Ipswitch – 08 Jun 2010

Despite widespread adoption of Simple Object Access Protocol (SOAP) and transaction sets in the financial industry, a surprising high percentage of the data flow is still represented by files or bulk data sets. In 2009, Gartner determined that bulk data transfers comprise around 80% of all traffic. This is probably a surprise if your company is among the many with millions invested in just managing individual transactions – but there are good management and security reasons for this continuing situation.

Why is File Transfer Still Common?

Financial institutions and item processors are still ‘FTP’ing’ (file transfer protocol), emailing, or sending and sharing files instead of transactions for a number of reasons. First, it helps hide the complexity of systems on both ends – there is no reliance and concern regarding libraries of transactions and responses related to one system and a different set related to another system. Second, it reduces the risk of transmission failure and makes it less risky for employees to send a small number of files or bulk data sets rather than a large number of transactions. Finally, it also increases the reliability of an overall operation.

The Managed File Transfer Industry

The managed file transfer (MFT) industry is comprised of providers whose solutions manage and protect these bulk data sets as they move between partners, business areas and locations. Collectively they address challenges presented by bulk data transfers and principles-based rules of the sort that have become common over the past few years – for example the Data Protection Principles or International Financial Reporting Standards (IFRS). Fundamentally, rules that tend to embody real-world outcomes as a standard. So, for example, the reported outcomes of penetration testing depend for certification as much upon the experience of the tester (who may be an employee) as upon the integrity of the network. This is all fine – until your network meets the real world. Principles-based rules tend to put the onus squarely on us to make and maintain systems.

For consumers, consultants and Payment Card Industry (PCI) assessors, this is undoubtedly ‘a good thing’. For those handling card data, the costs of validated and effective compliance represent a potentially significant burden that’s worth passing on to an industry that has quietly got on with the job well before buzzwords, such as ‘cloudsourcing’ or even ‘outsourcing’, entered the lexicon.

Vendors and Technologies Need Evaluation

It therefore makes a great deal of sense to place as much of that onus, and indeed risk and potential liability, on the shoulders of others – suppliers and consultants – as we can. Although PCI Data Security Standard (PCI DSS) can, and does, descend into tick-box detailed level rules in some places – which it makes very good sense to sign off to trusted third parties – nevertheless, significant ongoing parts of our obligations under PCI DSS are essentially management issues. Despite subjective components and PCI requirements to take ongoing account of best practices, the technologies themselves can still be evaluated on a relatively straightforward mechanistic basis, provided that they are submitted to sufficient scrutiny.

At the most basic level, subjective terms such as ‘adequate’ or ‘insecure’ are sometimes to be understood (explicitly or otherwise) as denoting specific technologies or other standards in line with industry best practice and are, therefore, a route to initially evaluating software on a tick-box basis.

Beyond Ticking Boxes – Four Initial Considerations

When evaluating for data security technology in the context of regulated activities, you should look at how four categories – confidentiality, integrity, availability, and auditing – contribute to security and compliance. These headline considerations are designed to assist in assessing whether a data technology or process is likely to provide one-time compliance for the purposes of PCI DSS.

Confidentiality ensures that information can be accessed only by authorised individuals and for approved purposes. For the purposes of PCI DSS this means that employees should have the minimum level of access necessary to do their job. Confidentiality begins with authentication of login credentials on every secure application and starts with putting a strong password policy in place, with robust account expiry procedures and password management.

Integrity, as repeatedly addressed in PCI DSS rules 10, 11 and 12, is relatively under-appreciated and understood solely as a security issue, but is a critical component to compliance. It means ensuring the uncompromised delivery of data, with full Secure Hash Algorithm (SHA)-512 support. In the case of file transfer operations, non-repudiation takes data security to the highest level currently available by adding digital certificate management to secure delivery and data encryption beyond the requirements of PCI DSS. The setting up of alerts is a relatively easy goal – a box ticked on the route to compliance.

Availability is not explicitly addressed in PCI standards but is a critical component of any overall security strategy. It can and should be addressed, if not guaranteed, through load balancing and clustering architectures that support automatic failover and centralised configuration data storage to minimise the chance of a data breach.

Auditing capabilities should be demonstrated by vendors in the form of comprehensive logging and log viewing with tamper evident measures to guarantee the integrity of log files. For technology, security, and other auditing purposes, all client/server interactions and administrative actions should be logged.

The Hitchhiker’s Guide to File Transfer in the PCI DSS Galaxy

The main body of the PCI DSS is divided into 12 requirements.PCI Logo

Section 1 establishes firewall and router configuration standards by requiring all managed file transfer (MFT) vendors to build a product architecture that puts a proxy, gateway or tiered application into a demilitarised zone (DMZ) network segment. This requirement also puts the actual storage of data and any workflows associated with it into internal networks.

The best architectural implementations ensure that no transfer connections are ever initiated from the DMZ network segment to the internal network. Typically this is accomplished using a pool of proprietary, internally established connections. In this way, clients can connect using FTP Secure (FTPS), Secure File Transfer Protocol (SFTP), etc to the DMZ-deployed device, but the transfers involving internal resources are handled between DMZ- and internally-deployed vendor devices by the proprietary protocol.

Section 2 demands that no default or backdoor passwords remain on the system and that systems are hardened. These best practices are generally enforceable with MFT technology, but the best implementations include a hardening utility that also extends protection to the operating system on which the MFT software runs.

Section 3, particularly subsection 3.4, covers encryption of data and storage of keys. To address these issues MFT vendors have an array of synchronous and asynchronous encryption technologies, such as OpenPGP, to ensure data is secured at rest. Cryptography is almost always performed using Federal Information Processing Standards (FIPS)-validated modules and secure overwrite of data is commonly used.

Section 4 covers encryption of data in motion. All MFT vendors currently support multiple open technologies such as Secure Socket Layer (SSL), Secure Shell (SSH) and Secure/Multipurpose Internet Mail Extensions (SMIME) in multiple open protocols, including SFTP, FTPS and Applicability Statement 2 (AS2), to provide this protection.

Section 5 ensures anti-virus (AV) protection is in place for systems and the data that passes through them. Most MFT vendors provide the ability to provide both types of protection with their software. The best allow integration with existing AV implementations and security event and incident management (SEIM) infrastructure.

Section 6 requires secure systems and applications. Most MFT vendors conform to the guidelines here, particularly subsection 6.5 on web application security. However, there are large variations on fidelity to subsection 6.6 in the industry. The best vendors use a battery of security assessment and penetration tools, such as HP WebInspect and protocol fuzzers, to ensure that their software exceeds PCI security requirements – and remains that way from release to release. The best vendors also have multiple security experts working with developers to ensure new features are secure by design. These attributes are not always easy to find on a vendor’s website, but they are critical to the long-term viability of an MFT application – be sure to ask.

Sections 7 and 8 cover the establishment of identity and authority. MFT solutions typically have built-in features that cover these issues from multifactor authentication to sharing of accounts. However, there are two common areas of difference between MFT vendors in these sections. The first is the ability to rapidly ‘de-provision’ users (i.e. disable or delete the account upon termination). The second is the proper storage of passwords: some vendors still use unkeyed hashes or weak Message-Digest algorithm 5 (MD5) hashes, both of which are susceptible to either rainbow table or collision attacks.

Section 9 is about physical access and is one that many software vendors erroneously ignore. However, subsection 9.5 is about off-site backups and is a function that MFT software often provides. One advantage of using an MFT solution for this purpose is that all the security benefits from the MFT solution flow into the backup process as well.

Section 10 is about auditing and visibility into data. MFT vendors also typically have a strong story around these attributes. Common features of MFT include visibility into the full ‘life cycle’ of files, aggregate reporting, detailed logging of every administrative action, and enforcement of specific service level agreements (SLAs). Some MFT solutions also ensure that audit logs and transfer integrity information are tamper-evident to ensure complete non-repudiation of data delivery.

Section 11 is about regular testing of systems and processes. As mentioned above, MFT vendors who perform these types of tests on their own solutions before releasing their software to the public should be sought out and preferred by companies that must adhere to PCI DSS.

Section 12 is about maintaining and enforcing a security policy down to the level of end user training. Like section 9, section 12 is another section many software providers erroneously ignore. However, the best MFT vendors know that providing fingertip reporting and good user experience to both administrators and end users can go a long way toward encouraging proper use of technology.

PCI DSS Appendices A (‘Additional PCI DSS Requirements for Shared Hosting Providers’) and E (‘Attestation of Compliance – Service Providers’) are also often used when managed file transfer services through virtual area network (VAN), software-as-a-service (SaaS), hosted or cloud providers are used. Key requirements here include ensuring that the service provider is not allowing shared users, that different organisations can only see their own logs and that the provider has policies that provide for a timely forensics investigation in the event of a compromise.

Summary

The substance of the PCI burden is an ongoing one. To look down the list of PCI requirements is to scan a list of enjoinders to ‘maintain’, ‘monitor’ and ‘ensure’, that echo the ‘manage, monitor and secure’ objectives of basic FTP technology. However, and, as the March 2008 Hannaford data breach shows, it is possible to be ostensibly compliant – to have ticked all the boxes – and yet not be fully secure.

PCI DSS compliance requires organisations to protect the security, privacy, and confidentiality of information – and to document who accesses the information and the security measures taken to prevent theft, loss, or accidental disclosure.

Click here for further information on the range of products by Ipswitch File Transfer or call Pro2col Sales on 0333 123 1240.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Ipswitch Acquires MessageWay In Merger Of Managed File Transfer Vendors

Although I was aware of this deal being concluded over a week ago I wasn’t able to let on.  As its now being widely reported online I can confirm that Ipswitch has acquired MessageWay as the managed file transfer marketplace consolidates again after other recent mergers/acquisitions.  Its going to be interesting to see how much more activity between MFT vendors there will be over the coming months.

Here are some further details as penned by Gary Shottes of Ipswitch File Transfer.

Acquisition will pave the way for more secure application-to-application communications, partners say.

Ipswitch Inc., a maker of secure, managed file transfer products and services, today will announce that it has acquired MessageWay Solutions Inc., a provider of managed file transfer and business integration solutions. Terms of the deal were not disclosed.

With the addition of MessageWay to its product family, Ipswitch will provide a wide range of secure file transfer services and capabilities, including of advanced analytics, enterprise-wide monitoring, and high-performance data translation and transformation for EDI, ERP, and a variety of other message formats, the companies said.

“When people in the industry talk about security, one of the things that they don’t often mention is that about 30 percent of the exchanges that go on between companies are exchanges of files between applications, not between people sitting at a desk typing at a computer,” says Greg Faubert, president of MessageWay. “This is an area that’s becoming more important all the time.”

“The file transfer market is changing, not only in the volume and size of messages, but in the way they are handled,” says Gary Shottes, president of Ipswitch. “The worlds of managed file transfer, EDI, and middleware, which have typically been handled by different vendors, are converging. We think we’ll be in a position to take market share away from all of those more focused players, by offering solutions that provide a more integrated approach.” The need for managed file transfer is increasing as organizations look for ways to meet industry and regulatory requirements such as SOX, PCI, FISMA, and HIPAA, the executives said. Many enterprises need a better way to show a “chain of custody” on file transfers, proving to auditors that data is safe as it travels between partners.

“What we offer is the ability to exchange files securely through the DMZ without the file ever landing on disk,” Flaubert says. “Companies can submit files or retrieve files through an open protocol, but without the file ever residing in the red zone.

“Once the data gets to its destination, it’s encrypted and housed in a secure database,” Flaubert explains. “The only way for an attacker to get into those files would be for them to have access to the physical disk, all of the encryption keys, and a copy of our software.”

Ipswitch expects its combined offerings to get traction in industries where secure file transfer is required, such as financial services, government, and healthcare.

Click here for further information on the range of products by Ipswitch File Transfer or call Pro2col Sales on 0333 123 1240

Share on TwitterShare on FacebookShare on LinkedIn+1
 
© Pro2col Ltd 2012 | Terms of Sale | Privacy Policy | Sitemap
Part of the Pro2col Group