Data: Transferring the Burden Under PCI DSS

June 22nd, 2010

GT News have just published a great article written by Jonathan Lampe (Vice President of Product Management at Ipswitch) regarding data transfer requirements under PCI DSS. If anyone is looking for a PCI DSS compliant solution for transferring data, these are the points they really need to take into consideration:

Data: Transferring the Burden Under PCI DSS

Jonathan Lampe, Ipswitch – 08 Jun 2010

Despite widespread adoption of the Simple Object Access Protocol (SOAP) and transaction sets in the financial industry, a surprisingly high percentage of the data flow is still represented by files or bulk data sets. In 2009, Gartner determined that bulk data transfers comprise around 80% of all traffic. This is probably a surprise if your company is among the many with millions invested just in managing individual transactions – but there are good management and security reasons for this continuing situation.

Why is File Transfer Still Common?

Financial institutions and item processors are still ‘FTP’ing’ (using the file transfer protocol), emailing, or otherwise sending and sharing files instead of transactions for a number of reasons. First, it hides the complexity of the systems on both ends – there is no dependency on, or concern about, one system’s library of transactions and responses versus another’s. Second, it reduces the risk of transmission failure: it is less risky for employees to send a small number of files or bulk data sets than a large number of transactions. Finally, it also increases the reliability of the overall operation.

The Managed File Transfer Industry

The managed file transfer (MFT) industry is comprised of providers whose solutions manage and protect these bulk data sets as they move between partners, business areas and locations. Collectively they address the challenges presented by bulk data transfers and by the principles-based rules that have become common over the past few years – for example the Data Protection Principles or International Financial Reporting Standards (IFRS). Fundamentally, these are rules that embody real-world outcomes as the standard. So, for example, the reported outcomes of penetration testing depend, for certification, as much upon the experience of the tester (who may be an employee) as upon the integrity of the network. This is all fine – until your network meets the real world. Principles-based rules put the onus squarely on us to build and maintain the systems.

For consumers, consultants and Payment Card Industry (PCI) assessors, this is undoubtedly ‘a good thing’. For those handling card data, the costs of validated and effective compliance represent a potentially significant burden that’s worth passing on to an industry that has quietly got on with the job well before buzzwords, such as ‘cloudsourcing’ or even ‘outsourcing’, entered the lexicon.

Vendors and Technologies Need Evaluation

It therefore makes a great deal of sense to place as much of that onus, and indeed risk and potential liability, on the shoulders of others – suppliers and consultants – as we can. Although PCI Data Security Standard (PCI DSS) can, and does, descend into tick-box detailed level rules in some places – which it makes very good sense to sign off to trusted third parties – nevertheless, significant ongoing parts of our obligations under PCI DSS are essentially management issues. Despite subjective components and PCI requirements to take ongoing account of best practices, the technologies themselves can still be evaluated on a relatively straightforward mechanistic basis, provided that they are submitted to sufficient scrutiny.

At the most basic level, subjective terms such as ‘adequate’ or ‘insecure’ are sometimes to be understood (explicitly or otherwise) as denoting specific technologies or other standards in line with industry best practice and are, therefore, a route to initially evaluating software on a tick-box basis.

Beyond Ticking Boxes – Four Initial Considerations

When evaluating data security technology in the context of regulated activities, you should look at how four categories – confidentiality, integrity, availability and auditing – contribute to security and compliance. These headline considerations are designed to help assess whether a data technology or process is likely to provide one-time compliance for the purposes of PCI DSS.

Confidentiality ensures that information can be accessed only by authorised individuals and for approved purposes. For the purposes of PCI DSS this means that employees should have the minimum level of access necessary to do their job. Confidentiality begins with authentication of login credentials on every secure application, which in turn starts with a strong password policy, robust account expiry procedures and password management.

Integrity, as repeatedly addressed in PCI DSS requirements 10, 11 and 12, is relatively under-appreciated and tends to be understood solely as a security issue, but it is a critical component of compliance. It means ensuring the uncompromised delivery of data, with full Secure Hash Algorithm (SHA)-512 support. In the case of file transfer operations, non-repudiation takes data security to the highest level currently available by adding digital certificate management to secure delivery and data encryption, beyond the requirements of PCI DSS. The setting up of alerts is a relatively easy goal – a box ticked on the route to compliance.

Availability is not explicitly addressed in PCI standards but is a critical component of any overall security strategy. It can and should be addressed, if not guaranteed, through load balancing and clustering architectures that support automatic failover and centralised configuration data storage to minimise the chance of a data breach.

Auditing capabilities should be demonstrated by vendors in the form of comprehensive logging and log viewing with tamper evident measures to guarantee the integrity of log files. For technology, security, and other auditing purposes, all client/server interactions and administrative actions should be logged.

The Hitchhiker’s Guide to File Transfer in the PCI DSS Galaxy

The main body of the PCI DSS is divided into 12 requirements.

Section 1 establishes firewall and router configuration standards by requiring all managed file transfer (MFT) vendors to build a product architecture that puts a proxy, gateway or tiered application into a demilitarised zone (DMZ) network segment. This requirement also puts the actual storage of data and any workflows associated with it into internal networks.

The best architectural implementations ensure that no transfer connections are ever initiated from the DMZ network segment to the internal network. Typically this is accomplished using a pool of proprietary, internally established connections. In this way, clients can connect using FTP Secure (FTPS), Secure File Transfer Protocol (SFTP), etc. to the DMZ-deployed device, but the transfers involving internal resources are handled between the DMZ- and internally-deployed vendor devices by the proprietary protocol.

Section 2 demands that no default or backdoor passwords remain on the system and that systems are hardened. These best practices are generally enforceable with MFT technology, but the best implementations include a hardening utility that also extends protection to the operating system on which the MFT software runs.

Section 3, particularly subsection 3.4, covers encryption of data and storage of keys. To address these issues MFT vendors have an array of symmetric and asymmetric encryption technologies, such as OpenPGP, to ensure data is secured at rest. Cryptography is almost always performed using Federal Information Processing Standards (FIPS)-validated modules, and secure overwrite of data is commonly used.

Section 4 covers encryption of data in motion. All MFT vendors currently support multiple open technologies such as Secure Sockets Layer (SSL), Secure Shell (SSH) and Secure/Multipurpose Internet Mail Extensions (S/MIME) in multiple open protocols, including SFTP, FTPS and Applicability Statement 2 (AS2), to provide this protection.

Section 5 ensures anti-virus (AV) protection is in place for systems and the data that passes through them. Most MFT vendors offer both types of protection with their software. The best allow integration with existing AV implementations and security event and incident management (SEIM) infrastructure.

Section 6 requires secure systems and applications. Most MFT vendors conform to the guidelines here, particularly subsection 6.5 on web application security. However, there are large variations on fidelity to subsection 6.6 in the industry. The best vendors use a battery of security assessment and penetration tools, such as HP WebInspect and protocol fuzzers, to ensure that their software exceeds PCI security requirements – and remains that way from release to release. The best vendors also have multiple security experts working with developers to ensure new features are secure by design. These attributes are not always easy to find on a vendor’s website, but they are critical to the long-term viability of an MFT application – be sure to ask.

Sections 7 and 8 cover the establishment of identity and authority. MFT solutions typically have built-in features that cover these issues from multifactor authentication to sharing of accounts. However, there are two common areas of difference between MFT vendors in these sections. The first is the ability to rapidly ‘de-provision’ users (i.e. disable or delete the account upon termination). The second is the proper storage of passwords: some vendors still use unkeyed hashes or weak Message-Digest algorithm 5 (MD5) hashes, both of which are susceptible to either rainbow table or collision attacks.
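The password-storage point above, as an added example that is not the article's or Ipswitch's code: a bare, unkeyed MD5 record beside a salted, iterated PBKDF2-HMAC-SHA256 record (PBKDF2 is the replacement chosen here for illustration; the article names no scheme), plus an audit helper that flags stored records which look like bare MD5 digests. The record format and the sample user database are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Assumed record format for the acceptable scheme (constructed for this example):
#   "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
# The legacy scheme is a bare 32-character hex MD5 digest with no salt or key.
WEAK_RECORD_RE = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 200_000


def weak_md5_record(password: str) -> str:
    """The scheme the article warns about: unkeyed, unsalted MD5.

    Two users with the same password get identical records, which is exactly
    what a precomputed (rainbow) table exploits.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record with a random per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed or legacy record: never accept it
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_records(records: Dict[str, str]) -> List[str]:
    """Return the usernames whose stored record is a bare MD5 digest."""
    return sorted(user for user, rec in records.items() if WEAK_RECORD_RE.match(rec))


if __name__ == "__main__":
    # Constructed sample user database mixing both record formats.
    users = {
        "alice": weak_md5_record("Winter2010"),
        "bob": weak_md5_record("Winter2010"),     # same record as alice
        "carol": make_record("Winter2010"),
        "dave": make_record("Winter2010"),        # different record from carol
    }
    print("weak records:", audit_records(users))   # ['alice', 'bob']
    print("carol login ok:", verify_record("Winter2010", users["carol"]))
```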

Section 9 is about physical access and is one that many software vendors erroneously ignore. However, subsection 9.5 is about off-site backups and is a function that MFT software often provides. One advantage of using an MFT solution for this purpose is that all the security benefits from the MFT solution flow into the backup process as well.

Section 10 is about auditing and visibility into data. MFT vendors also typically have a strong story around these attributes. Common features of MFT include visibility into the full ‘life cycle’ of files, aggregate reporting, detailed logging of every administrative action, and enforcement of specific service level agreements (SLAs). Some MFT solutions also ensure that audit logs and transfer integrity information are tamper-evident to ensure complete non-repudiation of data delivery.
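The integrity (SHA-512 delivery checks) and auditing (tamper-evident logs) points above, as one added example that is not the article's or any vendor's code: each audit entry records the SHA-512 of the transferred file and is chained to the previous entry under an HMAC key held by the logging service, so editing or deleting an earlier entry is detected on verification. The entry fields, the key and the sample transfers are assumptions constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

Entry = Dict[str, Any]
GENESIS = "0" * 128  # chain value before the first entry (SHA-512 hex length)


def file_digest(content: bytes) -> str:
    """SHA-512 of the file as delivered; recorded in the audit entry."""
    return hashlib.sha512(content).hexdigest()


def canonical(entry: Entry) -> bytes:
    """Stable serialisation of every field except the MAC itself."""
    fields = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[Entry], key: bytes, actor: str, action: str,
                 filename: str, content: bytes) -> Entry:
    """Append an entry chained to the previous one via its MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action,
             "file": filename, "sha512": file_digest(content), "prev": prev}
    entry["mac"] = hmac.new(key, canonical(entry), hashlib.sha512).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: List[Entry], key: bytes) -> Tuple[bool, int]:
    """Walk the chain; return (ok, index of first bad entry or len(log))."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i  # reordered, deleted or inserted entry
        expected = hmac.new(key, canonical(entry), hashlib.sha512).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i  # entry contents edited after the fact
        prev = entry["mac"]
    # Note: truncating the tail is only detectable if the latest MAC is also
    # anchored outside the log (e.g. reported to the SEIM), which is assumed here.
    return True, len(log)


def verify_delivery(log: List[Entry], filename: str, received: bytes) -> bool:
    """Does the content a recipient holds match the SHA-512 logged at upload?"""
    for entry in reversed(log):
        if entry["file"] == filename and entry["action"] == "upload":
            return hmac.compare_digest(entry["sha512"], file_digest(received))
    return False


def tampered_copy(log: List[Entry], index: int, field: str, value: Any) -> List[Entry]:
    """Return a copy of the log with one field edited (for demonstration)."""
    altered = copy.deepcopy(log)
    altered[index][field] = value
    return altered


def deleted_copy(log: List[Entry], index: int) -> List[Entry]:
    """Return a copy of the log with one entry removed (for demonstration)."""
    altered = copy.deepcopy(log)
    del altered[index]
    return altered


if __name__ == "__main__":
    # Constructed sample: a batch file uploaded by a partner and collected by ops.
    key = b"constructed-demo-log-key"
    batch = b"card_ref,amount\nA1,10.00\nA2,25.50\n"
    log: List[Entry] = []
    append_entry(log, key, "partner-a", "upload", "batch.csv", batch)
    append_entry(log, key, "ops", "download", "batch.csv", batch)
    print("intact:", verify_log(log, key))                             # (True, 2)
    print("edited:", verify_log(tampered_copy(log, 0, "actor", "x"), key))  # (False, 0)
    print("delivered ok:", verify_delivery(log, "batch.csv", batch))   # True
```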

Section 11 is about regular testing of systems and processes. As mentioned above, MFT vendors who perform these types of tests on their own solutions before releasing their software to the public should be sought out and preferred by companies that must adhere to PCI DSS.

Section 12 is about maintaining and enforcing a security policy down to the level of end user training. Like section 9, section 12 is another section many software providers erroneously ignore. However, the best MFT vendors know that providing fingertip reporting and good user experience to both administrators and end users can go a long way toward encouraging proper use of technology.

PCI DSS Appendices A (‘Additional PCI DSS Requirements for Shared Hosting Providers’) and E (‘Attestation of Compliance – Service Providers’) are also often used when managed file transfer services through value-added network (VAN), software-as-a-service (SaaS), hosted or cloud providers are used. Key requirements here include ensuring that the service provider is not allowing shared users, that different organisations can only see their own logs, and that the provider has policies that provide for a timely forensic investigation in the event of a compromise.

Summary

The substance of the PCI burden is an ongoing one. To look down the list of PCI requirements is to scan a list of injunctions to ‘maintain’, ‘monitor’ and ‘ensure’ that echo the ‘manage, monitor and secure’ objectives of basic FTP technology. However, as the March 2008 Hannaford data breach shows, it is possible to be ostensibly compliant – to have ticked all the boxes – and yet not be fully secure.

PCI DSS compliance requires organisations to protect the security, privacy, and confidentiality of information – and to document who accesses the information and the security measures taken to prevent theft, loss, or accidental disclosure.

Click here for further information on the range of products by Ipswitch File Transfer or call Pro2col Sales on 0333 123 1240.

Ipswitch Acquires MessageWay In Merger Of Managed File Transfer Vendors

June 15th, 2010

Although I was aware of this deal being concluded over a week ago I wasn’t able to let on. As it’s now being widely reported online I can confirm that Ipswitch has acquired MessageWay as the Managed File Transfer marketplace consolidates again after other recent mergers/acquisitions. It’s going to be interesting to see how much more activity between MFT vendors there will be over the coming months.

Here are some further details as penned by Gary Shottes of Ipswitch.

Acquisition will pave the way for more secure application-to-application communications, partners say

Ipswitch Inc., a maker of secure, managed file transfer products and services, today will announce that it has acquired MessageWay Solutions Inc., a provider of managed file transfer and business integration solutions. Terms of the deal were not disclosed.

With the addition of MessageWay to its product family, Ipswitch will provide a wide range of secure file transfer services and capabilities, including advanced analytics, enterprise-wide monitoring, and high-performance data translation and transformation for EDI, ERP, and a variety of other message formats, the companies said.

“When people in the industry talk about security, one of the things that they don’t often mention is that about 30 percent of the exchanges that go on between companies are exchanges of files between applications, not between people sitting at a desk typing at a computer,” says Greg Faubert, president of MessageWay. “This is an area that’s becoming more important all the time.”

“The file transfer market is changing, not only in the volume and size of messages, but in the way they are handled,” says Gary Shottes, president of Ipswitch. “The worlds of managed file transfer, EDI, and middleware, which have typically been handled by different vendors, are converging. We think we’ll be in a position to take market share away from all of those more focused players, by offering solutions that provide a more integrated approach.” The need for managed file transfer is increasing as organizations look for ways to meet industry and regulatory requirements such as SOX, PCI, FISMA, and HIPAA, the executives said. Many enterprises need a better way to show a “chain of custody” on file transfers, proving to auditors that data is safe as it travels between partners.

“What we offer is the ability to exchange files securely through the DMZ without the file ever landing on disk,” Faubert says. “Companies can submit files or retrieve files through an open protocol, but without the file ever residing in the red zone.

“Once the data gets to its destination, it’s encrypted and housed in a secure database,” Faubert explains. “The only way for an attacker to get into those files would be for them to have access to the physical disk, all of the encryption keys, and a copy of our software.”

Ipswitch expects its combined offerings to get traction in industries where secure file transfer is required, such as financial services, government, and healthcare.

Click here for further information on the range of products by Ipswitch File Transfer or call Pro2col Sales on 0333 123 1240

StingRay 2.6 is here!

May 27th, 2010

Well, it’s been a while, but in that time we’re pleased to say we’ve managed to launch the ‘new look’ Hermstedt StingRay website (take a peek here) and released the latest StingRay firmware version – 2.6.

We’ve packed StingRay 2.6 full of new features and functionality – designed to make the large file transfer process as quick and simple as possible. Here’s a rundown of the key features built into StingRay 2.6:

Quicksend – An entirely new file sending option, available when sending files via the StingRay Client Application (Mac version 2.0.2).  Aptly named Quicksend, this feature allows internal users to send files/folders quickly and simply in a few short steps.  Just create a new job, add an email address, attach the desired files/folders and press send.  It really is that simple.

Direct Web Browser Upload – External users can now upload files directly into StingRay’s incoming queue via the external web browser interface.  Significant in terms of automation potential, this new feature is ideal for directing incoming files into internal production workflows, freeing staff from manual downloads and allowing them to focus their attention on more productive, revenue generating tasks.

HTTPS – All of StingRay’s file sending options that rely upon HTTP as the fundamental delivery protocol (Email Hyperlink and Web Browser Upload/Download) can now be secured in transit by HTTPS. The leading security protocol used on the internet today, SSL provides superior levels of security and is the standard implementation when purchasing items online. Self-signed SSL certificates can be created within the internal web browser interface or alternatively, if you have an existing SSL certificate, this can be uploaded to the StingRay.

If that wasn’t enough, a number of tweaks and improvements have been made to the existing features provided by Hermstedt StingRay.  These include:

- Personalised Customer Logins (External Web Browser Upload)
- Progress Bar during file upload (External Web Browser Upload)
- Successful Upload Notification (External Web Browser Upload)
- Email Hyperlink Auto-delete functionality
- Hyperlink Signature Customisation potential

If you want more information, you can download a comprehensive guide that outlines the new features in 2.6 in greater detail.

This is the best bit – the StingRay 2.6 upgrade is FREE for all StingRay 2.5 users that hold a valid Silver or Gold maintenance contract. Just send an email to customerservice (at) pro2col.com and we will get the upgrade process rolling for you.

Unsupported StingRay users and those holding a Bronze maintenance contract will still be able to upgrade if they’d like, all you’ll need to do is contact the Pro2col sales department on 0333 123 1240 for pricing.

Positive results for Pro2col and co-exhibitors at Infosecurity, Earls Court, London

May 10th, 2010

We made the decision to attend Infosec for the first time this year, with the intent of affirming Pro2col’s position as the UK’s leading supplier and integrator of secure file transfer technologies, with a range of carefully selected products designed to meet the requirements of any business. Spurred by the formation of partnerships with some of the world’s leading secure file transfer vendors including Aspera, Ipswitch, Data Expedition, Biscom and Stonebranch, we were fortunate enough to have experts from two vendors on the Pro2col stand, ready to impart their extensive product knowledge to attendees from around the world.

In customary form, after spending months meticulously planning for Infosec, the days leading up to the show were a little unsettling for us.  With not one but two co-exhibitors traveling from the US to London, nature decided that the pressure of event organisation was not enough and kindly added a humongous ash cloud to the mix – leaving us wondering whether or not half of our stand would actually make the event!

Despite initial concerns over travel arrangements (everyone made it thankfully – even if a little jet lagged), we are excited to say that the show was a great success for all parties involved. With over 10 years’ experience within the file transfer arena, we can empathise with how daunting the broad spectrum of solutions in this marketplace can be for businesses when sourcing the most suitable solution for their requirements. Both resellers and end users alike were very receptive to the impartial file transfer advice and product demonstrations offered by Pro2col representatives, but also pleased to benefit from specialist product information imparted by Jon Laughland – UK Sales Executive for Stonebranch – and Charlie Magliato – Channel Manager for Biscom Delivery Server.

From our perspective, it was brilliant to see just how seriously companies are taking the security of their sensitive data.  We spoke to IT professionals from a wide range of market sectors from the public domain (government bodies, health care organisations, universities), to retail, publishing, banking, legal firms – the list is endless!  Although unable to give each visitor the time allocated in a typical demonstration or consultation, we were able to glean valuable insight regarding the way businesses are currently moving their sensitive data and provide a neutral recommendation for products to meet their operational needs.

Another factor that surfaced repeatedly during the event was the financial investment associated with some secure file transfer solutions. There’s an abundance of smaller companies out there with a requirement to transfer files securely that just don’t have the budget for a good percentage of the secure file transfer products available. Similarly, larger corporate organisations don’t want to be paying over the odds for potential solutions. Pro2col have spent a great deal of time scouring the marketplace to select products that not only cater for all file transfer requirements, but that do so at an affordable cost!

As we are continually looking for ways to improve the services we provide to both existing and potential customers, Infosec was a great learning experience for us in terms of the security marketplace and a productive exercise for the business in terms of relationship building with customers and resellers.

Half a million reasons to beware!

April 6th, 2010

Today was the day that the ICO got the power to fine companies for data breaches, with the amendments to the Data Protection Act finally coming into force. With the UK somewhat behind some of the EC, this brings us closer in line with the European Commission’s E-Privacy Directive that the UK signed up to some years ago to uphold the privacy of individuals and specifically personally identifiable data. A lot has been written about this subject, but what does it mean and how does it affect your business?

If your business stores/holds personally identifiable data about individuals, that data is now governed by the Data Protection Act. If your company has personally identifiable data, your company is legally obliged to register itself with the ICO and appoint one or more Data Controllers within your organisation. It is then that person’s responsibility to ensure that all personally identifiable data is stored and distributed in a secure manner. This affects the data stored within the organisation, but the bit we get involved in is the ‘distribution’ of the data to third parties, customers, suppliers, remote offices or remote workers. This data now needs secure, managed file transfer so that you have a complete audit trail of who sent what, to whom and when – also providing information on when the information was downloaded and, if possible, where they were when it was downloaded. Simply put, you need to know what’s happening with your data at all times!

Why should I go and implement new systems, who’s going to know it was me? Well, you could take this approach and, to be fair, a lot of companies will lose data and won’t get caught, but would you seriously want to take the risk that the ICO could find out due to your data ending up somewhere it’s not supposed to be? The consequences are up to 10% of turnover (up to a maximum of £500,000) and public humiliation when the ICO provide their statutory reports on which companies have had breaches. Given that the ICO have been a little bit slow in getting to this stage according to the EC, who threatened to fine the ICO at the end of last year, you can expect that the ICO will want to take the opportunity to make a statement to the EC when they get the opportunity. Personally I’d rather it wasn’t my company getting noticed for the wrong reasons – remember TK Maxx?

So what should I do?  Well, if you’d like to speak to someone who’s able to provide you an independent insight into the best way to move your data securely within any given business scenario then you should give Pro2col a call as we’d be pleased to help.  If you don’t want to do anything then good luck and keep your fingers crossed because the ICO are coming! :)

Health Care Industry Beware!

March 26th, 2010

Recent reports have highlighted that hospitals and physicians in the US have been given a deadline of 2015, to convert all health records into digital form and then, to deploy the accompanying technology to handle these digital assets.  Considering only about a quarter of the US population’s health records are digitally stored – this is a bit of a tall order!

Makes you wonder whether, no let’s rephrase that, WHEN the UK will follow in their footsteps. For those organisations operating in the health sector, it may be wise to start reviewing the security and efficiency of your file transfer systems now, especially when you take into account the increased ICO powers of enforcement due to come into effect on 6th April 2010. If a similar mandate were to come into force in the UK, in order to avoid possible fines of up to £500,000 organisations would need to ensure that sensitive client files were secured when being transported between locations.

If you’re a health care organisation and you want to review or evaluate your large file transfer processes, please get in touch with the team at Pro2col on 0333 123 1240. We offer a comprehensive range of secure file transfer solutions and we’re always happy to help.

Email Attachment Management – The Future of Ad Hoc File Transfer

February 19th, 2010

Email is probably the best known and most widely used internet service in the marketplace to date. With an estimated quarter of the world’s population on the internet and a total of 418,029,796 users in Europe (over 50%), figures indicate that 92% of these users either send or read email.

As technology progresses and file sizes increase, moving data between geographically isolated locations has become more challenging. Many businesses rely predominantly on email for their daily communications and operations but unfortunately, it is being used for purposes it was neither designed nor intended to cope with. Using email for ad hoc large file transfer can cause huge problems for businesses in terms of cost, efficiency and reliability.

So if we can’t email large attachments, what can we do?  Introducing our latest white paper; Email Attachment Management – The Future of Ad Hoc File Transfer which is available for download now.  It addresses the issues surrounding the ad hoc transmission of large files and details how email attachment management solutions enable businesses to email large attachments, minus the problems associated with standard email.

If you would like to discuss any of your file transfer requirements ad hoc or otherwise, please contact Pro2col on 0333 123 1240, we are always happy to help.

Law.com reviews Biscom Delivery Server for Law Firms

December 24th, 2009

Traditionally, when a law firm needs to send confidential documents to a client in a secure manner, they send it via courier or mail.  Organisations are accepting the fact that these methods are no longer adequate for a number of reasons, such as efficiency, security and expense.  Implementing a secure data transfer tool is key to effective communications.

See what Sean Doherty, Technology Editor from Law.com had to say following his evaluation of Biscom’s secure delivery server.

IT Departments Beware – employees may be compromising your data!!

December 17th, 2009

According to a survey published by Osterman Research Inc. in June-July 2009, using a sample of large organisations (over 500 employees and $5 million revenue), 82% of employees resort to using personal email accounts when sending large files. This tactic is employed by many to evade the email server attachment limits imposed by IT departments.

Considering 20% of the organisations surveyed send in excess of 500 files a week, this is a seriously disturbing statistic when you take into account the ramifications of using standard email for file transfer. The most frustrating aspect of this predicament is that many IT professionals are fully aware of the risks associated with this method of file transfer in particular, e.g.…

• Compromised security and non-compliance
• Lack of tracking, logging and auditing
• The absence of visibility and monitoring

…and consequently, have introduced strategies and procedures to combat the use of unsanctioned file transfer methods. The problem is employees will continue to violate security and procedural policies if they aren’t provided with a comparable, alternative solution that offers the same, simple functionality as their email client.

The results also revealed that 55% of the organisations surveyed had seen a 20% increase in ad hoc file transfer activity during June-July 2009 – the largest growth across all of the business file transfer ‘requirements’.  Evidently, employees have an increasing need to send large files on an ad hoc basis, largely due to the dramatic increase in file size over recent years.

So the moral of this story is, if you want your employees to adhere to company procedural policies when sending large files on an ad hoc basis, IT departments need to provide them with an adequate alternative to their email server!

Secure File Transfer Standards – Are you Compliant?

November 25th, 2009

With the sheer abundance of security standards, laws and legislation in our society nowadays, it’s really easy to get overwhelmed. Although a necessary measure to safeguard individuals’ confidential information and protect your business against prosecution, it can be difficult to fathom which laws apply to your organisation.

To complicate matters further, legislation varies between continents, and in the US even between states!! As a result, we have put together a succinct guide detailing some of the most high-profile legislation governing the US and UK in terms of secure file transfer, including some standards that are recognised internationally. These include acts such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley and the Data Protection Act, as well as industry standards like FIPS and ISO 27001.

Unfortunately it doesn’t end there.  Once an organisation has established which legislation applies to their business, they then have to make sure that their systems and procedures are actually compliant!  Thankfully, accompanying the majority of legislation is compliance testing – a sure-fire way to guarantee investment in technology and solutions that meet the secure file transfer requirements stipulated by government.

If you would like to discuss security compliance in terms of secure file transfer solutions, don’t hesitate to get in touch – we are happy to provide advice and support.