By Stuart Lisk
File transfer has been around since the beginning of time. OK, well maybe that is an exaggeration, but the point is, file transfer was one of the earliest uses of “network” computing, dating back to the early 1970s when IBM introduced the floppy disk. While we have been sharing files with each other for ages, the security of the data shared is often questionable.
Despite File Transfer Protocol (FTP) being published in 1971, it took until the mid-80s for systems to catch up to the original vision of FTP, as LANs were beginning to find their way into the business environment. During this time period, transferring files internally became easier, and the ability to move files externally by leveraging the client-server topology eliminated the “here’s the disk” approach. If you think about it, these were pretty confined environments, with the client and server having a true relationship. Securing the file in this scenario had more to do with making sure that no one could access the data as opposed to worrying about protecting the transport itself. Centralized control and access was the way of the world back in these “good ole days.”
Fast forward to the proliferation of the internet and the World Wide Web, and securing files while in transit to their destination became top of mind. IT managers were ultimately concerned that anyone within a company could log on via the web and access a self-service, cloud-based file transfer application without IT’s knowledge, adding to the security risk for file transfer.
Performing file transfer over the internet, via the “cloud”, has provided major benefits over the traditional methods. In fact, we’ve seen that the ability to quickly deploy and provision file transfer activities actually drives more people to the cloud. However, along with the quick on-boarding of companies and individuals comes the challenge of ensuring secure connectivity, managed access, reporting, adaptability, and compliance.
Having a secure connection is not as easy as it should be. Many companies still utilize legacy file transfer protocols that don’t encrypt traffic, exposing the payload to anyone who can access the network. While FTP is a bit dated, the majority of companies still use it. According to a recent file transfer survey conducted in March 2011, over 70% of respondents currently utilize FTP as their primary transport protocol. Furthermore, over 56% of those responding stated that they use a mailbox or other email applications to transfer files.
In order for enterprises to move beyond FTP and ensure sensitive files are transferred securely, they must implement protection policies that include adherence to security compliance mandates, and do so with the same ease of use that exists with simple email. IT managers must be concerned with who is authorizing and initiating file transfers as well as controlling what gets shared. Any time files leave a company without going through proper “file transfer” policy checks, the business is put at risk. Typical email attachments and ad-hoc web-based file transfer applications make it easy for someone to share files they shouldn’t.
In today’s computing environment, securing file transfer in the cloud requires the use of protocols that integrate security during transit and at rest. Common secure protocols are Secure FTP (SFTP), FTPS (FTP over SSL), AS2, and HTTPS, to name a few. Companies need to be actively looking at one of these protocols, as it will encrypt data while minimizing risk.
When leveraging the cloud for file transfer, IT managers need to be sure that the application and/or vendor they are working with utilizes a proven encryption method. Encrypting the file when it is most vulnerable, in transit, is best. Additionally, IT managers would be wise to work with cloud vendors that have security already built into their platform. Built-in encryption, certification and validation of data are vital to ensure a safe delivery of files. While you may not have influence over what your partner implements as their transport, you can take steps to mitigate issues. In fact, today there are a number of file transfer applications that validate content prior to and after the file transfer occurs.
Another area of focus for IT managers when assessing file transfer security is access controls. Simply put, who has access, and to what data? Companies must have a plan to control access to each file and what data is stored there. Again in this scenario, encrypting the methods used to access the file is the best way to mitigate a breach. As mentioned earlier, FTP does not protect credentials from predators. More than 30% of the respondents from the March survey indicated that access controls are one of the most important criteria for cloud-based transfers.
Receipt notification is yet another way for senders to ensure their confidential files are being delivered and opened by the right people. Additionally, using file transfer applications that utilize an expiration time limiting how long the file remains available is a great way to mitigate unauthorized access.
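The two controls described above, validating content before and after the transfer and expiring a file after a set time, can be sketched in a few lines. This is an added example, not code from the article or from any product it mentions; the manifest layout, the function names and the shared key exchanged out of band are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _mac(body: dict, key: bytes) -> bytes:
    # Canonical JSON so sender and receiver authenticate identical bytes.
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest().encode()

def make_manifest(payload: bytes, key: bytes, ttl_seconds: int, now: float) -> dict:
    """Sender side: record digest, size and expiry before the file leaves."""
    body = {
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
        "expires": int(now) + ttl_seconds,
    }
    return {"body": body, "mac": _mac(body, key).decode()}

def verify_delivery(received: bytes, manifest: dict, key: bytes, now: float) -> str:
    """Receiver side: check the manifest, then the expiry, then the content."""
    body = manifest.get("body", {})
    claimed = str(manifest.get("mac", "")).encode()
    # Authenticate the manifest first; nothing in it is trusted before this.
    if not hmac.compare_digest(_mac(body, key), claimed):
        return "reject: manifest tampered"
    if now > body["expires"]:
        return "reject: expired"
    digest = hashlib.sha256(received).hexdigest().encode()
    if len(received) != body["size"] or not hmac.compare_digest(
        digest, body["sha256"].encode()
    ):
        return "reject: content mismatch"
    return "accept"

if __name__ == "__main__":
    key = b"k" * 32                      # constructed sample key
    data = b"quarterly-report contents"  # constructed sample payload
    m = make_manifest(data, key, ttl_seconds=3600, now=1000)
    print(verify_delivery(data, m, key, now=1500))         # within the window
    print(verify_delivery(data, m, key, now=5000))         # past the expiry
    print(verify_delivery(data + b"!", m, key, now=1500))  # altered in transit
```

The manifest covers integrity and availability window only; confidentiality still depends on the transport and on encrypting the file itself.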
As mentioned earlier, adhering to industry and corporate compliance policies is critical. Corporate governance regulations include, but are not limited to:
- Sarbanes-Oxley Section 404: Requires audit trails, authenticity, record retention
- HIPAA requirements: Record retention, privacy protection, service trails
- 21 CFR Part 11: Record retention, authenticity, confidentiality, audit trails
- Department of Defense (DOD) 5015.2: Record authenticity, protection, secure shredding
While there are many criteria to consider when deciding how to implement and leverage file transfer activities within your organization, there are really a few simple areas to focus on:
- Choose a secure protocol
- Implement data protection in-transit and at-rest
- Utilize effective encryption technology
- Maximize access controls
- Leverage auditing and reporting functionality
- Adhere to corporate and industry compliance policies
While that may seem like an endless number of steps, it can be easier than it sounds as long as you evaluate and execute file transfer activity that protects and secures your sensitive data.
Stuart Lisk is a senior product manager for Hubspan, working closely with customers, executives, engineering and marketing to establish and drive an aggressive product strategy and roadmap. Lisk has over 20 years of experience in product management, spanning enterprise network, system, storage and application products, including ten years managing cloud computing (SaaS) products. He brings extensive knowledge and experience in product positioning, messaging, product strategy development, and product life cycle development process management. Lisk holds a Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance, and a bachelor of science in business administration from Bowling Green State University.