|
Business communications over the Internet—including the need to transfer files containing business-critical data—are central to an organization’s productivity in today’s competitive environment. But there are surprisingly few options for conducting this aspect of day-to-day operations easily, securely, and with the ability to centrally manage and track such transfers.
Consider the following scenarios: A mid-level sales manager transferring large amounts of sensitive sales data to partners, customers and colleagues on a regular basis; an HR rep receiving confidential personnel information related to background checks; a company accountant delivering detailed quarterly earnings reports to an outside auditor; or a research assistant for a pharmaceuticals firm sending out clinical trial results to a biotech partner. The fastest, easiest option in all of these cases would be to fire off an email with the data attached. Yet IT departments for many organizations impose strict size limits for attachments, whether sent or received. And attachments may not be secured, even if email messages themselves are protected. Plan B? Upload the document to an FTP server for pick-up – it’s free, relatively simple, and the protocol has been around since the mid-eighties. Or you could backup the data to a disk or tape and send it by courier.
Three solutions, from easiest to most time-intensive. Which should you choose? Based on headlines recently in the news as of this writing, the answer may very well be “none of the above”. Let’s take a look:
“Antipiracy Group Suffers Email Leak”: MediaDefender, a company that has made a name for itself battling intellectual-property pirates on behalf of the media and entertainment industry, was itself the target of hackers, who penetrated employee email and posted confidential communications on the Internet.
“Fox News Security Hole Exposes 1.5 Million Users' Personal Information”: A configuration error on the Fox News website allowed outsiders to log in to an FTP server run by Ziff-Davis, resulting in the theft of names, phone numbers and email addresses of at least 1.5 million people.
“Connecticut State Agency Bank Account Info on Lost Ohio Tape”: A backup computer tape storing potentially billions of dollars worth of state agency bank information, including checking, money market, time deposit, savings, and other account data, was stolen from a college intern's car in Ohio.
Performance Anxiety
Transferring large, sophisticated files efficiently, securely and rapidly to internal and external partners is essential if a business is to remain competitive. But given the security risks illustrated above, what’s the average knowledge worker with substantial file transfer needs to do, and still remain productive? Even more importantly, how can a CIO provide knowledge workers with solutions that are secure, disrupt routine workflow as little as possible, and protect the company from data-loss nightmares?
Where these issues converge is in the need for secure and simple options for transferring files over the Internet. And it’s a concern that a majority of IT professionals admit they share. A recent survey of more than 1,000 IT and compliance practitioners indicates that many of them are pessimistic about their organization’s ability to field privacy and data protection challenges. The study – conducted by privacy and information management research firm Ponemon Institute – reports that 42% of IT professionals think their organization is vulnerable to such exploits right now, and could be doing more to prevent security breaches and theft of confidential information. And only half of them believe they would be able to adequately notify customers should such a security breach occur.
Adapting FTP to Meet Business Challenges
Developed as the standard for file transfer in the mid 80s, FTP remains the cheapest, simplest, most versatile—and therefore the most common—tool for sharing larger files and updating Web sites. Yet the simplicity of the solution itself has led to security challenges of a scale largely unimaginable to early pioneers of the Internet. FTP—both established and homegrown (hgtp)—is the most widely used data-movement vehicle today, yet its supposedly “free” operation comes at a price to security that astute businesses may not want to pay, and can lead to the kind of headlines no company wants splashed across the newswires.
The good news is that new managed file transfer technologies—based on established FTP protocols but architected with robust security, control and reporting features—are now being adopted by the most security-conscious companies.
These new technologies take into account a myriad of issues that current FTP solutions do not, including security, centralized management, notifications, data recovery, and automation. For example, newer technologies do not represent user names and passwords in unencrypted clear text, as does FTP. In addition, these new solutions are capable of guaranteeing file receipt, and providing automatic checkpoint/restart for transmissions that fail during the transfer process.
Encryption—considered a best practice when exchanging files but seldom available for basic FTP—is also a central feature of more sophisticated managed file transfer technologies. Many older file transfer solutions store sensitive and unencrypted information as it moves between organizations, a practice which constitutes an enormous threat to data privacy. New technologies address this challenge with granular data-access restrictions and two-factor authentication, to effectively eliminate all FTP security threats.
And finally, a powerful feature offered by some leading managed file transfer solutions is a dashboard-style management console, which provides a visual audit system for tracking data exchanges, and enables administrators to view when, where and how data has been transferred. These capabilities are essential to regulatory and legal compliance requirements.
Maturing Email for Secure File Transfer
File transfer is the oil that keeps the machinery of business running smoothly. Given that email is by far the most central communication tool for nearly every business these days, it should come as no surprise that email is also the most popular vehicle for file transfer. In fact, ease-of-use makes email file transfer the de facto collaboration tool for most organizations, whether or not the process is secure, or even adequate to the task.
The challenge of using email for file transfer is two-fold. First, most email clients do not allow attachments of more than 10MB at the outside. This roadblock to productivity drives workers to find “out-of-band“ options, such as freeware FTP, FedEx, or Sneakernet, just to name a few commonly adopted alternatives. These methods are not secure, and offer no management or auditing capabilities. Secondly, even when files larger than 10MB can be attached, these files typically are not secured against threats to data privacy—not to mention their annoying propensity for devouring mailbox quota and driving up server storage needs.
So, how can companies empower employees to use email responsibly for file transfer, in a manner than guarantees security and generates clear audit trails? What’s needed is an ad-hoc email solution that integrates seamlessly with an employee’s established workflow, without turning its backs on security and management imperatives. And such email solutions are now beginning to emerge.
These new technologies demonstrate a clear understanding of the keys to secure file transfer via email:
- Ease-of-use: Users must be able to send files transparently from within the most common email clients (such as Microsoft Outlook) with no need to disrupt workflow or go out-of-band.
- Universal delivery: Files must be deliverable to all recipients without client software.
- State-of-the-market security: Data security model should include antivirus and content filtering capabilities.
|
Leading-edge solutions will go beyond plug-in functionality to offer robust data leak protection and policy management features, such as the ability to centrally track and confirm file message delivery (often required for regulatory compliance); the ability to scan large outbound files for intellectual property and other sensitive data; FIPS-certified encryption with repository encryption and authentication; and tools to reduce the size of email stores, pressure on the email server, and overall network traffic.
About the Author:
Dr. Taher Elgamal is the Chief Technology Officer of Tumbleweed Communications. He is a leading expert in computer, network and information security. Recognized in the industry as the "inventor of SSL," Dr. Elgamal led the SSL efforts at Netscape and throughout the industry. He currently oversees the development of Tumbleweed’s innovative and comprehensive security suite – which includes award-winning and industry-leading products for managed file transfer, encryption, data leak prevention and identity validation.
Go Back
|
