• open panel
  • Home
  • Archive by category 'Data Security'
  • Page 3

Archive for ‘Data Security’

Moving On From FTP: Where To Begin

“My company still relies heavily on FTP.  I know we should be using something more secure, but I don’t know where to begin.”

Sound familiar?

The easy answer is that you should migrate away from antiquated FTP software because it could be putting your company’s data at risk – unsecured data is obviously an enormous liability.  Not only does FTP pose a real security threat, but it also lacks many of the management and enforcement capabilities that modern managed file transfer solutions offer.

No, it won’t be as daunting of a task as you think.  Here’s a few steps to help you get started:

FTP

  1. Identify the various tools that are being used to transfer information in, out, and around your organisation.  This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc.  Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.
  2. Map out existing processes for file and data interactions.  Include person-to-person, person-to-server, business-to-business and system-to-system scenarios.  Make sure you really understand the business processes that consume and rely on data.
  3. Take inventory of the places where files live.  Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc.  After all, it’s harder to protect information that you don’t even know exists.
  4. Think about how much your company depends on the secure and reliable transfer of files and data.  What would the effects be of a data breach?  How much does revenue or profitability depend on the underlying business process and the data that feeds them?
  5. Determine who has access to sensitive company information.  Then think about who really needs access (and who doesn’t) to the various types of information.  If you’re not already controlling access to company information, it should be part of your near-term plan.   Not everybody in your company should have access to everything.

Modern managed file transfer solutions deliver not only the security you know your business requires, but also the ability to better govern and control you data as well as provide you with visibility and auditing capabilities into all of your organisations data interactions, including files, events, people, policies and processes.

So what are you waiting for, give Pro2col a call on 0333 123 1240 and let us help you replace your legacy FTP solutions.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

How will the changes to PCI DSS affect you?

The PCI Security Standards Council have just released version 2.0 of PCI DSS, the Data Security Standard enforced upon all merchants that accept any form of card payments, designed to secure and protect cardholder details.  Although introducing only minor alterations, the main intention of the amendment is to provide greater clarity and flexibility for small merchants, facilitating a more comprehensive understanding of the requirements that must be satisfied under PCI DSS and making them easier to implement and abide by.

From a long term perspective, the amendments made are designed to help merchants manage evolving risks and data security threats whilst maintaining alignment with industry best practices.  Taking a higher level perspective, the main changes cover:

  • Reinforcement of the need to conduct thorough scoping exercises, so that merchants can identify exactly where their cardholder data resides in the business.
  • The need for more effective log management of credit card data within the business.
  • Allowance for organisations to adopt a more risk based approach when prioritising vulnerabilities, taking into account their specific circumstances.
  • The acceptance of unique business environments and accommodation of their specific needs.

More specifically Jonathan Lampe, VP of Product Management at Ipswitch File Transfer and representative of the PCI Security Council has identified the 5 key changes that will directly effect the transfer of sensitive credit card data:

  • Explicit recognition of SFTP  as a secure protocol.
  • Audit of virtual machine infrastructure and virtualisation hypervisors will be brought within the scope of PCI DSS.
  • Rotation requirements for the purposes of key management will be “based on industry best practices and guidelines” rather than an annual stipulation.
  • Identity and authentication requirements for users, “non-consumers” and administrators will be split further.
  • More specific requirements will be implemented around the auditability and security of timekeeping, especially as recorded in audit logs.  (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)

A further step taken by the PCI council to help small merchants achieve the latest 2.0 PCI DSS changes is the introduction of a small microsite.  The implementation life-cycle the of PCI Council’s standards will be extended from the current 2 years to 3 years to give merchants plenty of time to make the necessary changes.  The new 2.0 standard will be effective from 1st January 2011, however validation against the previous 1.2.1 standard will be allowed until 31st December 2011.

For more information regarding PCI DSS compliance and how this can be achieve in terms of secure file transfer, please don’t hesitate to contact the team at Pro2col on 0333 123 1240.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Data: Transferring the Burden Under PCI DSS

GT News have just published a great article written by Jonathan Lampe (Vice President of Product Management at Ipswitch) regarding data transfer requirements under PCI DSS.  If anyone is looking for a PCI DSS compliant solution for file transferring data, these are the points they really need to be taking into consideration:

Data: Transferring the Burden Under PCI DSS

Jonathan Lampe, Ipswitch – 08 Jun 2010

Despite widespread adoption of Simple Object Access Protocol (SOAP) and transaction sets in the financial industry, a surprising high percentage of the data flow is still represented by files or bulk data sets. In 2009, Gartner determined that bulk data transfers comprise around 80% of all traffic. This is probably a surprise if your company is among the many with millions invested in just managing individual transactions – but there are good management and security reasons for this continuing situation.

Why is File Transfer Still Common?

Financial institutions and item processors are still ‘FTP’ing’ (file transfer protocol), emailing, or sending and sharing files instead of transactions for a number of reasons. First, it helps hide the complexity of systems on both ends – there is no reliance and concern regarding libraries of transactions and responses related to one system and a different set related to another system. Second, it reduces the risk of transmission failure and makes it less risky for employees to send a small number of files or bulk data sets rather than a large number of transactions. Finally, it also increases the reliability of an overall operation.

The Managed File Transfer Industry

The managed file transfer (MFT) industry is comprised of providers whose solutions manage and protect these bulk data sets as they move between partners, business areas and locations. Collectively they address challenges presented by bulk data transfers and principles-based rules of the sort that have become common over the past few years – for example the Data Protection Principles or International Financial Reporting Standards (IFRS). Fundamentally, rules that tend to embody real-world outcomes as a standard. So, for example, the reported outcomes of penetration testing depend for certification as much upon the experience of the tester (who may be an employee) as upon the integrity of the network. This is all fine – until your network meets the real world. Principles-based rules tend to put the onus squarely on us to make and maintain systems.

For consumers, consultants and Payment Card Industry (PCI) assessors, this is undoubtedly ‘a good thing’. For those handling card data, the costs of validated and effective compliance represent a potentially significant burden that’s worth passing on to an industry that has quietly got on with the job well before buzzwords, such as ‘cloudsourcing’ or even ‘outsourcing’, entered the lexicon.

Vendors and Technologies Need Evaluation

It therefore makes a great deal of sense to place as much of that onus, and indeed risk and potential liability, on the shoulders of others – suppliers and consultants – as we can. Although PCI Data Security Standard (PCI DSS) can, and does, descend into tick-box detailed level rules in some places – which it makes very good sense to sign off to trusted third parties – nevertheless, significant ongoing parts of our obligations under PCI DSS are essentially management issues. Despite subjective components and PCI requirements to take ongoing account of best practices, the technologies themselves can still be evaluated on a relatively straightforward mechanistic basis, provided that they are submitted to sufficient scrutiny.

At the most basic level, subjective terms such as ‘adequate’ or ‘insecure’ are sometimes to be understood (explicitly or otherwise) as denoting specific technologies or other standards in line with industry best practice and are, therefore, a route to initially evaluating software on a tick-box basis.

Beyond Ticking Boxes – Four Initial Considerations

When evaluating for data security technology in the context of regulated activities, you should look at how four categories – confidentiality, integrity, availability, and auditing – contribute to security and compliance. These headline considerations are designed to assist in assessing whether a data technology or process is likely to provide one-time compliance for the purposes of PCI DSS.

Confidentiality ensures that information can be accessed only by authorised individuals and for approved purposes. For the purposes of PCI DSS this means that employees should have the minimum level of access necessary to do their job. Confidentiality begins with authentication of login credentials on every secure application and starts with putting a strong password policy in place, with robust account expiry procedures and password management.

Integrity, as repeatedly addressed in PCI DSS rules 10, 11 and 12, is relatively under-appreciated and understood solely as a security issue, but is a critical component to compliance. It means ensuring the uncompromised delivery of data, with full Secure Hash Algorithm (SHA)-512 support. In the case of file transfer operations, non-repudiation takes data security to the highest level currently available by adding digital certificate management to secure delivery and data encryption beyond the requirements of PCI DSS. The setting up of alerts is a relatively easy goal – a box ticked on the route to compliance.

Availability is not explicitly addressed in PCI standards but is a critical component of any overall security strategy. It can and should be addressed, if not guaranteed, through load balancing and clustering architectures that support automatic failover and centralised configuration data storage to minimise the chance of a data breach.

Auditing capabilities should be demonstrated by vendors in the form of comprehensive logging and log viewing with tamper evident measures to guarantee the integrity of log files. For technology, security, and other auditing purposes, all client/server interactions and administrative actions should be logged.

The Hitchhiker’s Guide to File Transfer in the PCI DSS Galaxy

The main body of the PCI DSS is divided into 12 requirements.PCI Logo

Section 1 establishes firewall and router configuration standards by requiring all managed file transfer (MFT) vendors to build a product architecture that puts a proxy, gateway or tiered application into a demilitarised zone (DMZ) network segment. This requirement also puts the actual storage of data and any workflows associated with it into internal networks.

The best architectural implementations ensure that no transfer connections are ever initiated from the DMZ network segment to the internal network. Typically this is accomplished using a pool of proprietary, internally established connections. In this way, clients can connect using FTP Secure (FTPS), Secure File Transfer Protocol (SFTP), etc to the DMZ-deployed device, but the transfers involving internal resources are handled between DMZ- and internally-deployed vendor devices by the proprietary protocol.

Section 2 demands that no default or backdoor passwords remain on the system and that systems are hardened. These best practices are generally enforceable with MFT technology, but the best implementations include a hardening utility that also extends protection to the operating system on which the MFT software runs.

Section 3, particularly subsection 3.4, covers encryption of data and storage of keys. To address these issues MFT vendors have an array of synchronous and asynchronous encryption technologies, such as OpenPGP, to ensure data is secured at rest. Cryptography is almost always performed using Federal Information Processing Standards (FIPS)-validated modules and secure overwrite of data is commonly used.

Section 4 covers encryption of data in motion. All MFT vendors currently support multiple open technologies such as Secure Socket Layer (SSL), Secure Shell (SSH) and Secure/Multipurpose Internet Mail Extensions (SMIME) in multiple open protocols, including SFTP, FTPS and Applicability Statement 2 (AS2), to provide this protection.

Section 5 ensures anti-virus (AV) protection is in place for systems and the data that passes through them. Most MFT vendors provide the ability to provide both types of protection with their software. The best allow integration with existing AV implementations and security event and incident management (SEIM) infrastructure.

Section 6 requires secure systems and applications. Most MFT vendors conform to the guidelines here, particularly subsection 6.5 on web application security. However, there are large variations on fidelity to subsection 6.6 in the industry. The best vendors use a battery of security assessment and penetration tools, such as HP WebInspect and protocol fuzzers, to ensure that their software exceeds PCI security requirements – and remains that way from release to release. The best vendors also have multiple security experts working with developers to ensure new features are secure by design. These attributes are not always easy to find on a vendor’s website, but they are critical to the long-term viability of an MFT application – be sure to ask.

Sections 7 and 8 cover the establishment of identity and authority. MFT solutions typically have built-in features that cover these issues from multifactor authentication to sharing of accounts. However, there are two common areas of difference between MFT vendors in these sections. The first is the ability to rapidly ‘de-provision’ users (i.e. disable or delete the account upon termination). The second is the proper storage of passwords: some vendors still use unkeyed hashes or weak Message-Digest algorithm 5 (MD5) hashes, both of which are susceptible to either rainbow table or collision attacks.

Section 9 is about physical access and is one that many software vendors erroneously ignore. However, subsection 9.5 is about off-site backups and is a function that MFT software often provides. One advantage of using an MFT solution for this purpose is that all the security benefits from the MFT solution flow into the backup process as well.

Section 10 is about auditing and visibility into data. MFT vendors also typically have a strong story around these attributes. Common features of MFT include visibility into the full ‘life cycle’ of files, aggregate reporting, detailed logging of every administrative action, and enforcement of specific service level agreements (SLAs). Some MFT solutions also ensure that audit logs and transfer integrity information are tamper-evident to ensure complete non-repudiation of data delivery.

Section 11 is about regular testing of systems and processes. As mentioned above, MFT vendors who perform these types of tests on their own solutions before releasing their software to the public should be sought out and preferred by companies that must adhere to PCI DSS.

Section 12 is about maintaining and enforcing a security policy down to the level of end user training. Like section 9, section 12 is another section many software providers erroneously ignore. However, the best MFT vendors know that providing fingertip reporting and good user experience to both administrators and end users can go a long way toward encouraging proper use of technology.

PCI DSS Appendices A (‘Additional PCI DSS Requirements for Shared Hosting Providers’) and E (‘Attestation of Compliance – Service Providers’) are also often used when managed file transfer services through virtual area network (VAN), software-as-a-service (SaaS), hosted or cloud providers are used. Key requirements here include ensuring that the service provider is not allowing shared users, that different organisations can only see their own logs and that the provider has policies that provide for a timely forensics investigation in the event of a compromise.

Summary

The substance of the PCI burden is an ongoing one. To look down the list of PCI requirements is to scan a list of enjoinders to ‘maintain’, ‘monitor’ and ‘ensure’, that echo the ‘manage, monitor and secure’ objectives of basic FTP technology. However, and, as the March 2008 Hannaford data breach shows, it is possible to be ostensibly compliant – to have ticked all the boxes – and yet not be fully secure.

PCI DSS compliance requires organisations to protect the security, privacy, and confidentiality of information – and to document who accesses the information and the security measures taken to prevent theft, loss, or accidental disclosure.

Click here for further information on the range of products by Ipswitch File Transfer or call Pro2col Sales on 0333 123 1240.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Half a million reasons to beware!

Today was the day that the ICO’s got the power to fine companies for data breaches with the amendments to the Data Protection Act finally coming into force.  With the UK somewhat behind some of the EC this brings us closer in line with the the European Commissions E-privacy directive that the UK signed up to some years ago to uphold the privacy of individuals and specifically personally identifiable data.  A lot has been written about this subject but what does it mean and how does it affect your business?

If your business stores/holds personally identifiable data about individuals, that data is now governed by the Data Protection Act.  If your company has personally identifiable data your company is legally obliged to register themselves with the ICO and appoint one or more a Data Controllers within your organisation.  It is then that persons responsibility to ensure that all personally identifiable data is stored and distributed in a secure manner.  This affects both the data stored within the organisation but the bit we get involved in is the ‘distribution’ or the data, to third parties, customers, suppliers, remote offices or remote workers.  This data now needs to be secure & managed file transfer so that you have a complete audit trail of who sent what, to whom and when – also providing information on when the information was downloaded and if possible where they were when it was downloaded.  Simply put you need to know what’s happening with your data at all times!

ICO Logo

Why should I go and implement new systems, who’s going to know it was me?  Well you could take this approach and to be fair a lot of companies will lose data and won’t get caught but would you seriously want to take the risk that the ICO could find out due to your data ending up somewhere its not supposed to be.  The consequences are up to 10% of turnover (up to a maximum of £500,000) and public humiliation when the ICO provide their statutory reports on which companies have had breaches.  Given that the ICO have been a little bit slow in getting to this stage according to the EC who threatened to fine the ICO at the end of last year you can expect that the ICO will want to take the opportunity to make a statement to the EC when they get the opportunity.  Personally I’d rather it wasn’t my company getting noticed for the wrong reasons – remember TK Maxx?

So what should I do?  Well, if you’d like to speak to someone who’s able to provide you an independent insight into the best way to move your data securely within any given business scenario then you should give Pro2col a call as we’d be pleased to help.  If you don’t want to do anything then good luck and keep your fingers crossed because the ICO are coming!

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Healthcare Industry Beware!

Recent reports have highlighted that hospitals and physicians in the US have been given a deadline of 2015, to convert all health records into digital form and then, to deploy the accompanying technology to handle these digital assets.  Considering only about a quarter of the US population’s health records are digitally stored – this is a bit of a tall order!

Makes you wonder whether, no lets rephrase that, WHEN the UK will follow in their footsteps.  For those organisations operating in the health sector, it may be

stethoscopewise to start reviewing the security and efficiency of you’re file transfer systems now, especially when you take into account the increased ICO powers of enforcement due to come into effect on 6th April 2010.  If a similar mandate were to come into force in the UK, in order to avoid possible fines of up to £500,000 organisations would need ensure that sensitive client files were secured when being transported between locations.

If your a healthcare organisation and you want to review or evaluate your large file transfer processes, please get in touch with the team at Pro2col on 0333 123 1240.  We offer a comprehensive range of secure file transfer solutions and we’re always happy to help.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Secure File Transfer Standards – Are you Compliant?

With the sheer abundance of security standards, laws and legislation in our society nowadays, it’s really easy to get overwhelmed.  Although a necessary measure to safeguard individual’s confidential information and protect your business against prosecution, it can be difficult to fathom which laws apply to your organisation when it comes to secure file transfer.

To complicate matters further, legislation varies between continents, in the US even between states!!  As a result, we have put together a succinct guide detailing some of the most high-profile legislation governing the US and UK in terms of secure file transfer, including some standards that are recognised internationally.  These include acts such as The Health Insurance Portability Act (HIPAA), Sarbanes Oxley (SOX), Gramm-Leach-Bliley and The Data Protection Act, as well as industry standards like FIPS and ISO 27001.

Data Protection Act

Unfortunately it doesn’t end there.  Once an organisation has established which legislation applies to their business, they then have to make sure that their systems and procedures are actually compliant!  Thankfully, accompanying the majority of legislation is compliance testing – a sure-fire way to guarantee investment in technology and solutions that meet the secure file transfer requirements stipulated by government.

If you would like to discuss security compliance in terms of secure file transfer solutions, don’t hesitate to get in touch – we are happy to provide advice and support.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

ICO gets new powers to address data protection negligence

Announced earlier this week by the Ministry of Justic, amends have been made to the Data Protection Act of 1988 that when passed in April 2010 will allow the ICO to impose fines of up to £500,000 on organisations found to be negligent regarding the privacy of personal data.

Justice Minister, Michael Wills, said: “We want to ensure that the Information Commissioner’s Office has the powers it needs and is able to impose robust penalties on those who commit serious breaches of data protection principles.”

To be subject to the fine there are certain criteria to be met, but the one that should make existing Data Controllers sit up and take notice is:

If the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

ICO Logo

If you’re a Data Controller responsible for your companies data security how does this announcement make you feel?  If you’d like a no-obligation discussion regarding your data security and secure file transfer requirements contact Pro2col today on 0333 123 1240.

Article continues here

 

Share on TwitterShare on FacebookShare on LinkedIn+1
 

UK businesses under increasing pressure to step up data privacy

The European Commission (EC) have publicly stated that the UK Government is not adequately enforcing European data privacy laws and is ready to clamp down on them in 2 months time.  Reported on the Infosecurity web site and backed up by our recent discussions with the ICO; next year is likely to be the year in which Enterprises feel the full force of European legislation regarding the data privacy.  Enterprises will be under increasing pressure to ensure that every step is taken to secure data both at rest (internally) and in transit (e.g. securing file transfers).Judge Hammer

The powers at the disposal of the ICO are also being addressed with individuals responsible for data security breaches potentially being liable for custodial sentences.

Read more: European Commission warns UK over privacy legislation.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

Saving money by ignoring data security – a false economy?

We hear it in the news week in week out.  So and so company has left a laptop on a train containing 4 million unencrypted customer records, a hacker has infiltrated an online payment system stealing thousands of unsuspecting UK consumer credit card details – even today I have walked through the door and the first news alert in my email begins, “ChoicePoint to pay $275,000 for second data breach.” I can’t help but wonder why data security is failing?

Recently, I’ve begun research into the current state of data security in the UK. As part of my research I contacted the ICO (Information Commissioner’s Office) and asked them to provide me with figures detailing reported breaches in the UK over the last few years.  According to ICO figures, 2008 saw the loss of sensitive data on 341 separate occasions, spanning all industry sectors.  So far this year, we as a nation have seen 348 instances of compromised data and we still have 2 1/2 months to go!!!  Before I progress any further I must emphasise the use of the word ‘reported’.  According to a study conducted by The Ponemon Institute using a sample of 615 UK based companies, 70% of the companies surveyed experienced a data breach in the last 12 months – a worrying discovery in itself.  Even more surprisingly, nearly 40% of those surveyed failed to publicly announce a breach in their security, as there’s no legal or regulatory requirement to do so because they are a private sector organisation.

data and lock

Taking into consideration the growing prevalence of digital business systems and processes over the past decade, we all must be aware of the importance of data security in our digitally dominated world.  Especially in light of the abundance of publicity surrounding data breaches – surely it must weigh on the minds of CIO and IT personnel?  So if we are all so acutely aware of the risk, why do some companies not take the precautionary measures required to secure the data they hold or transmit?  I can only make assumptions regarding the factors involved and I would speculate its the cumulative result of a number of factors.

Firstly, the big stumbling block – finance.  From experience, I know there are companies out there that struggle securing the necessary funds from their annual budget to address data security as its often deemed non-critical, especially in the current economic climate.  With the inhibitive cost of some of the security solutions out there, I can’t really blame them.  On the other hand, there are lots of providers emerging in the marketplace offering affordable, scalable solutions, that provide not only the data security they need but also the ability to streamline business processes and reduce operational costs.  Solutions such as this, can provide a significant return on investment and in the long term actually save money – a win-win situation!

The financial consequences of a data breach should also be taken into consideration.  According to a study coordinated by The Ponemon Institute back in 2008, the average cost of a UK data breach incident is £1.73 million – substantially more than the cost of securing the data in the first place!  Then you have to take into consideration the financial implications of a blow to a companies reputation – these intangible costs are likely to be well in excess of any fines.

Secondly, I feel the lack of legislation has a big part to play in the predicament organisations find themselves facing.  Apart from a select few e.g. PCI DSS, the only legal guidelines UK businesses are currently required to abide by, are those outlined in the Data Protection Act.  The problem is, up until very recently the majority of this act has been unenforceable (more to come on that later).  I can’t help but feel this lack of legislation and an authority body promotes a certain amount of apathy in organisations.  If all of these companies in the public eye are receiving minimal fines and a slap on the wrist for contravening Data Protection laws, what is the motivation to spend money on securing data?  Consequently, many organisations opt to sit on an unexploded time bomb and when it finally blows (which it inevitably will)  hold their breath and hope no one gets wind of the incident during the aftermath and leaks the news to valued customers.

The recently appointed UK Information Commissioner, Christopher Graham, has addressed this very issue during his first speech at the Annual Privacy and Data Conference in London on 8th October.  The crux of his speech is that change is afoot.  Mr Graham made it perfectly clear that data privacy and information security are now ‘top of the agenda’ and with the new powers of enforcement being granted to the ICO in the forthcoming Coroners and Justice Bill, he fully intends to use them to maximum effect.  He added: “we’re going to have the resources to go after the bad boys – there’s a well-funded regulator that will hit you hard if you get it wrong… if you don’t take this stuff seriously its going to bite you in the bum.”  He also stated, “If you breach the law you’re going to be in trouble.  It (compliance with data privacy law) isn’t a nice to have – it’s the law of the land.  You will destroy brand value and reputation (by ignoring it).”  Some strong words!

Finally, although aware of the viable threat of data breaches, from our experience as security specialists we have dealt with a number of companies who believe their data is completely secure when in reality – it isn’t.  Therefore a lack of insight and knowledge when addressing company wide data security systems can result in inadequate protection.  This is where the value of a security specialist comes into play.  We can’t be masters of all trades, sometimes its beneficial in the long run to let the experts work their magic as data security can be a minefield, its best left to the professionals.

Taking into consideration the consequences associated with the loss of sensitive data, such as the tangible cost to the company and more significantly a serious blow to reputation, is it really worth risking the security of your company’s data to save money in the short term?

See here to find out more about some of the secure file transfer solutions available in the marketplace.

Share on TwitterShare on FacebookShare on LinkedIn+1
 

The dangers of Cloud computing and online business applications

Right now there is a very clear shift towards Cloud Computing but are we all buying into the concept without considering the implications for our businesses?  Wikipedia describes Cloud Computing very simply as, “a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the “cloud” that supports them.”  It goes on to explain that it can also be described as, “technologies that rely on the Internet to satisfy the computing needs of users. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers.”

Laptops in the Cloud

The key points to pick up from the above description is that ‘business applications‘ are provided online and that the ‘software and data‘ are stored remotely.  With security of data uppermost in the minds of many an IT professional its worth pointing out that there has been a rise in the number of companies using online file transfer applications to send mission critical information to trading partners.  Whilst many of these systems encrypt the data in transit using a variety of options which invariably result in SSL or 3DES usage many don’t consider the implications of this data then residing on remote servers waiting for the secure collection by the intended recipient.

An interesting, yet worrying article by Eric M. Fiterman about called Cloud Danger: Drag and Drop Theft highlights the inadequacies in the audit tools for the virtual cloud space.  He points out that anyone with access to the servers providing your business with a service could very easily walk away with confidential information;

“If your service provider has physical access to your environment, any person with access to the virtual servers can perform activity on your server. Think that some malicious activity involving your virtual memory would be logged or monitored? It’s not likely; audit tools for much of the virtual-cloud space appear to be non-existent. This means I could easily perform some malicious activity on your server – such as copying a file containing personally identifiable information off your server – then rollback the state of the server to hide my activity. You’ll never even know it was taken.”

When chosing a file transfer solution its imperitive that you know not only that your data is going to be secure whilst traversing  the Internet, but also secure on the servers which host the data.  Whilst its almost impossible to guarantee the security of your data at any time doesn’t it make more sense to have an in-house securely managed file transfer solution?

Share on TwitterShare on FacebookShare on LinkedIn+1
 
© Pro2col Ltd 2012 | Terms of Sale | Privacy Policy | Sitemap
Part of the Pro2col Group