Today, organizations are grappling with how to move huge files between business units, geographically dispersed locations and external business partners. What once was a 15MB file is now a full gigabyte thanks to technological advances such as high-definition and multidimensional modeling.
Whether it’s moving batch billing data between servers, sharing a three-dimensional (3-D) CAD file with an external product development consultant or e-mailing a video attachment to a colleague, moving massive files is an integral part of an organization’s process.
The security struggle
Beyond simply getting the files where they need to go, companies must ensure that information is distributed securely. While the security buzzword of the year is undoubtedly “encryption,” file transfer security requires more than just encryption. A holistic approach that takes authentication, authorization, confidentiality, availability, monitoring and securing “data at rest” into account is needed.
In fact, most organizations don’t have the proper processes or technology in place to manage mission-critical file transfers. They rely on homegrown legacy solutions that often can’t keep up with changing regulations and security standards, resulting in disparate and sometimes unsecure file exchanges. Organizations must control access and centrally manage all internal and external file transfers.
Considering the Options
Considering the options
Understanding that file transfer security is a critical component of a successful IT strategy is only the first step. It’s also important to understand the different types of file transfer methods.
Physical methods such as media devices (for example, laptops, thumb drives, PDAs) and printed documents pose the greatest risk, as they can be easily lost or stolen. The security threat is proliferating as thousands of files can easily be stored on a 500MB USB drive. As these devices become ubiquitous, organizations need to account for the changing threats of moving physical files. Electronic file transfer can provide an audit trail and eliminate the “Where’s my file?” confusion. While files moved virtually can be tracked easier than physical methods, this method can still be too problematic when trying to securely manage large amounts of data.
E-mail attachments are not a viable option because there are too many size, space, security and control issues. Generally, HTTP Secure (HTTPS) encryption is used when sending attachments via e-mail but it’s simple and easy to crack. In addition, the risks escalate if a user downloads files at a coffee shop using public Internet access; the minute it’s downloaded, the file is now wide open. Similarly, if e-mail is accessed via unprotected home WiFi networks, files are put at incredible risk. While a quick e-mail attachment might seem like the easiest way for employees and partners to exchange files, it can be detrimental to the organization if the proper restrictions and security measures aren’t in place.
FTP and Encrypted File Transfer
FTP can be an efficient way to move large files between servers or individuals. The protocol itself is proven and mature but often its implementation is the security issue. Many organizations built their FTP systems so long ago that they are horribly outdated and can’t keep up with current security standards. FTP uses clear text to transfer files, regardless of whether or not those files contain sensitive information. Nowadays, organizations understand the need to focus more on data encryption and certification of the people receiving that data. Outdated FTP systems don’t provide the on-the-fly adjustments, guaranteed delivery or error-handling needed to meet ever-changing needs.
Encrypted file transfer
Encrypted file transfer is a safer option. Although Secure File Transfer Protocol (SFTP) or FTP over Secure Sockets Layer (FTPS) adds encryption and helps mitigate risk, this is not enough. Encryption standards don’t make the files being transferred impenetrable to security threats. Organizations must ensure that attachments are fully encrypted while in transit and while at rest awaiting receipt.
The proliferation of software as a service (SAAS) and cloud computing also heightens the security threat. To have a successful SAAS or cloud offering, the underlying technology must be proven, secure and scalable. A solution that securely passes files through the cloud can make moving your business-critical data simpler and more accessible. However, files should never be stored in the cloud, as data at rest is the weakest link.
Putting File Transfer Security into Action
Putting file transfer security into action
So how should an organization ensure file transfer security? A comprehensive managed file transfer (MFT) solution can empower an organization and its external partners to securely share information and track what has been shared by whom and when. The key is simplifying information exchange without requiring technical or professional services or forcing users to modify behavior. Deploying a robust solution can easily automate an organization’s file transfer process, while providing the security and control needed to prevent security threats.
MFT initiatives should take a unified approach that accounts for all file transfer needs, regardless of how it is sent, the file type, protocol, format, etc. It’s also critical to track and manage files with detailed auditing and reporting tools to ensure compliance with mandated standards including the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB).
Five simple steps
Take these five simple steps to make sure your organization has a secure file transfer process in place:
1. Automate and consolidate your file transfer process
2. Account for all file transfer types, sizes, protocols and needs
3. Eliminate the burden on the user; don’t rely on them to modify their behavior
4. Retire the scores of legacy and consumer freeware
5. Keep track; monitor all inbound and outbound file sharing
Every organization should strive to secure files in transit and at rest, monitor files that are moved within and outside the organization, and ensure that those files are only accessible to authorized individuals.
Sandy Weil is President of the Proginet Group at TIBCO. Before this, he was a Director, President and CEO at Proginet Corporation (acquired by TIBCO). At Proginet, Sandy was responsible for providing strategic leadership, direction and management. Sandy joined Proginet in the spring of 2008. Before that, Sandy served as a partner and senior executive at Accenture, one of the world’s leading global management consulting and technology firms. During his 14-year tenure at Accenture, Sandy held senior management positions in the infrastructure outsourcing, business process outsourcing, and managed reference data service practices, with specific responsibility for sales, marketing, strategic alliances and general operations. He was made partner in the firm in 2003. Earlier in his career, Sandy gained experience in the technology industry at various enterprise software and hardware companies. He holds a Bachelor’s degree in Psychology from Hobart College. He can be reached at [email protected].