Wednesday, November 29, 2006

Ideals and Realities - Who is Responsible for Ensuring Security and Compliance for File Transfer?

Summary: How is enterprise file transfer conducted in the trenches? Simply put, not pretty. But, instead of pointing fingers at each other, IT and end users are really looking for the same thing. And, this makes selecting the best solution possible.


-----

In most business processes today, information and data in the form of files are handed off from one person to another for processing and review, either within the organization or to parties outside the organization. This begs the question: when a file is "in motion," who is responsible for its security and ensuring compliance with business policy and government regulations?

The simple and official answer is that both the business user and the IT department have a fiduciary responsibility to ensure that information is protected and handled properly when it is transferred from one person to another (no matter if it is internal or external).

But, if you look closer in the trenches, things do not always work that way.


***
An end user often thinks more in terms of ease of use than security and compliance when it comes to how to get his job done in a way that he can control. Applying this truism to file transfer, this usually means attaching a file to an email, or a distant second choice would be burning a CD/DVD – whatever is the most expedient to meet the needs of the work process. Unfortunately, neither process is very secure. Nor would these processes meet regulatory compliance guidelines.

This does not make the end user a bad person - this simply means that he does not have a tool that meets all his needs, which includes fulfilling the security and compliance requirements.

Because IT departments are responsible as well as accountable for providing the tools, guidelines, and training to ensure the security and compliance of the data, they are more aware of the issues surrounding security and compliance in business process systems and solutions. On the other hand, while the IT team works hard to manage risks via appropriate security controls and compliance procedures, what can get lost in the process is the "ease of use" requirement. In practice, this often means that the controls and procedures can become so cumbersome as to impede adoption of a system solution by the end users.

This does not make the IT guy a bad person - this simply means that he does not have a tool that meets all his needs while fulfilling the security and compliance requirements.

Wait! Did I just say that both end users and IT are looking for the same thing!?

Indeed, instead of IT blaming end users for non-compliance of security procedures and end users blaming IT for erecting cumbersome hurdles in getting the job done, what everyone needs is a solution that is easy for the end users and meets all the security and compliance needs as set out by IT.

***

While the specific security and compliance needs differ amongst organizations -- for example HIPAA is of overriding concern for a healthcare practice whereas SOX is what a public firm must follow -- most IT and security people can clearly articulate the key attributes for secure file transfer capabilities as:

• The file is accessible to the sender and the recipient, and no one else in between.
• The file should be encrypted while in motion.
• The file in motion should be checked to see if it has been corrupted by viruses or other malware.
• The file transfer process must document who accessed a file in motion and when, and provide an auditable record of the transaction.

Similarly, what most end users would clearly articulate in terms of the preferred file transfer procedure is to follow a process that is as close to sending email attachments as possible, without all the email attachment problems, of course. Because sending an email attachment is a well understood and accepted process for most end users, an email-like solution would ensure rapid adoption instead of resistance.

So, the conundrum has been solved! The best way to ensure security and compliance in the file transfer process for business needs is to adopt a solution that behaves like email for the end users while transparently running various encryption and auditing capabilities on the backend.

Oh, don't forget to ask for easy to administer and maintain features like automatic user account creation and global file life-cycle policy while you're at it!


***

BTW, did I mention that ease-of-use, security, control, and more, is exactly what an Accellion Courier Secure File Transfer Appliance (SFTA) can do for your IT department and users?

Or, as the IT director of an advertising customer told me recently, he could "feel the love from end users" when he announced the Accellion solution.

Shouldn't you feel that love too?

ACA Guy

Wednesday, November 22, 2006

What FTP access you can get with US$10,000 and other ACA Guy FTP hubris

Summary: "Moral outrage" was the sentiment the otherwise stoic ACA Guy felt when the reporting on an eBay auction for FTP access to a .gov domain surfaced. And, a few other incidents highlighting ACA Guy's FTP hubris quickly followed.

-----

I thought I had seen it all but my jaw dropped when I read the posting about selling FTP access to a .gov domain server.

To quickly recap, there was an auction on eBay for access to "parasitic host" files on a .gov domain with a winning bid of nearly US$10,000.

What is in it for the buyer? You see, in the wild world of SEO/SEM (search engine optimization/search engine marketing), having your information/files addressed in a .gov domain name is like putting your SEO/SEM effort on a super steroid that nobody else can get. And, as a US$10 Billion industry that did not exist just a couple of years ago, there are plenty of SEO/SEM players who will do anything to get that extra edge.

And, this, what I can only presume to be unauthorized, "service" is rendered by sending the seller your files and the seller FTP'ing your files to the destination .gov domain. In other words, a legitimate web server, owned and operated by a government agency, will soon be playing host to unauthorized and unknown files. All because someone left an FTP access that is (I can only hope) unintentionally open.

Like a really good scary story, this is extra spooky precisely because everything makes sense and it could as easily happen to you and me.

ACA Guy's FTP hubris #1: I thought my FTP ghost story was good. But, monetizing unauthorized FTP access is, what can I say, wow!

While we are talking about how human users can behave badly around FTP, here is another one as reported by Computer World. The gist of the story is that an employee uploaded a copy of Windows 2000 Professional OS onto a public-access FTP server that is frequently used to download software patches and the like. Needless to say it was not a legal distribution of the copyrighted software. Furthermore, this incident was only discovered after a product marketing person just happened to notice the "odd" software image on the server. Let's not even speculate on the potential legal liability for the company.

ACA Guy's FTP hubris #2: I am reminded of that saying about firearms and criminals, and I thought - FTP does not kill, users do.

Looking for more ways to scare yourself on FTP? In the world of viruses and other malware, Panda Labs reported that the top ranking malicious code most frequently detected in October 2006 (and in fact, throughout 2006) is Sdbot.ftp which is a script used by the Sdbot family of worms to download themselves via FTP.

ACA Guy's FTP hubris #3: I thought, erroneously, FTP is relatively secure vis-a-vis email as the most prevalent target of virus and malware.

To be fair, FTP has a long and illustrious history in the world of scripted and machine-to-machine file transfers.

But, given the prospect of having somebody making off with US$10,000 in pure profit to insert unauthorized info onto my domain, I would much rather invest $3,500 on an Accellion Secure File Transfer Appliance (SFTA) to have secure control over internal and external file transfer access or, better yet, spend the whole US$10,000 for a beefy SFTA appliance and let your security and compliance officer have a thanksgiving day.

On that note, Happy Thanksgiving to all the gentle readers of ACA Guy based in the U.S. And, a most pleasant rest of the week for everyone else.

ACA Guy

Wednesday, November 15, 2006

Secure File Transfer for Architecture, Engineering and Construction Users

Summary: Architecture, Engineering and Construction (AEC) firms are increasingly looking to Accellion SFTA as a solution that allows end users to easily and securely send large files and folders without requiring IT intervention.

-----

To state the obvious, enterprise users need to send and receive large files to and from people both inside and outside the organization. As transferring large files among work colleagues becomes de rigueur for many business processes, proactive IT teams have abandoned their FTP servers and added a secure file transfer appliance to make sure their users have the right tools to get those critical business files to the right person, at the right time, securely.

Since this is a Horizontal Business Process Improvement Opportunity, at Accellion, we have found that many industries have a clearly articulated need for solutions like SFTA. The legal industry, as well as healthcare, are two industries I have previously highlighted in this blog.

Architecture, Engineering and Construction, otherwise known as AEC, is another industry where we are seeing a surging demand for a solution that lets end users easily and securely transfer large files and folders. Given the nature of AEC, most of the work is collaborative across organizational and geographic boundaries, and the firms involved have some pretty hefty files to send around.

For instance, take a civil engineering firm that is designing a freeway overpass. This firm would produce a series of CAD (computer-aided design) drawings for the construction firm that is going to build the bridge. Because industrial CAD files can easily get to the range of hundreds of megabytes in size, this isn’t something you can simply email from one person to another. (Not without getting the evil eye from the email administrator and your fellow co-workers because you just completely choked the email system, anyway.) So, traditionally, this transfer is done either by an FTP server, which usually requires IT intervention, or by overnight delivery service of a CD/DVD, which is costly in transit time.

So, when AEC companies like Bigge Crane & Rigging Company find a solution like Accellion SFTA that allows end users to operate within the familiar email interface while sending large files and folders of any size without impacting the email server, it is a Eureka moment.

Or, as somebody has not so delicately put it, size matters. (When it comes to large files, that is.)

ACA Guy

Wednesday, November 08, 2006

3 Easy Steps to Secure File Transfer Nirvana - a.k.a. why IT and users love appliance solutions

Summary: Like the humble toaster, a dedicated appliance solution like Accellion Secure File Transfer Appliance can be installed and deployed in three simple steps that would allow IT and users to get on with their lives.
-----

I enjoy all aspects of culinary arts. I can regale you about the Atlantic spiny lobster in Spain as discussed on eGullet or the results of the Dim Sum Civil War in the San Francisco bay area instigated by ChowHounds and I have been known to take three months to prepare a dish (duck confit, in case you are wondering).

But, truth be told, the tool that I use most frequently in the kitchen is the humble toaster. Just press down on the handle and, by the time the table is set, crunchy and golden toast is ready.

I’m convinced that most people prefer simple appliances that do exactly what you need them to do, with practically no setup and intervention. Just press and watch it work.

It’s the same in the IT world. Technology buyers prefer solutions that do exactly what you expect them to do - requiring minimum setup and as little on-going IT intervention as possible.

End users, they want the technical equivalent of a toaster too, because they want to get a job done without getting a second degree in IT support.

In this light, it is only appropriate that the "A" in Accellion's SFTA stands for Appliance (as in Secure File Transfer Appliance). Unlike FTP/SFTP servers or email attachments that require extensive initial setup and vigilant on-going monitoring, you plug in an SFTA and it works.

Toaster for IT Administrators

To prove that I'm not overstating the easy plug-and-play nature of this appliance, I want to share the gist of the installation guide that I got from the Accellion Field Support team. Or, as I like to think, these instructions are the "three steps to secure file transfer nirvana for IT administrators":

Step 1: Pre-installation
- Configure your firewall to allow access to and from the appliance.

Step 2: Physical installation
- Rack mount the server and connect the cables (monitor, keyboard, Ethernet, and power)

Step 3: Configuration
- Specify network settings (host name, IP/subnet mask, DNS, and gateway)
- Choose a notification email address

All told, following these instructions, a prepared IT professional should need less than half an hour to have an SFTA up and running. When was the last time you had a complete IT solution available to all users in that short amount of time?

Toaster for End users

For an end user to send a large dataset:

a) Select the recipient’s email address
b) Select file/folder(s) to send
c) Add a personal note if desired
d) Press 'Send'

No complicated steps. No long URL strings to copy/paste. No extra settings to worry about. Like Dr John Halamka, CIO of Harvard Medical School, said, "[SFTA] is exceptional because the numerous emails about ad hoc large file transfer have vanished since its installation."

End users like SFTA for their secure file transfer needs. Sort of like making toast with a toaster.

ACA Guy

Wednesday, November 01, 2006

What Network World and Gartner are saying about Secure File Transfer

Summary: What a difference two years make. What leading publications and analyst firms, such as Network World and Gartner, are saying about secure file transfer and its expanding applications.
-----

Like most information technology vendors, I have my ambivalence about industry analysts. For example, how can anyone not clearly see that Accellion Secure File Transfer Appliance is the best thing since sliced bread? Honestly. On the other hand, it is gratifying to see analyst reports on market growth and feature diversification matching up with experiences on the ground.

In a 2005 Network World review, "Learn to love e-mail attachments again," Linda Musthaler, an IT industry analyst, outlined the concerns that "large e-mail attachments several megabytes in size often fail to make it to the intended recipients" and "[FTP], too, has its shortcomings, including lack of security, burdensome administration, lack of document versioning and tracking, and non-compliance with government regulations for certain documents."

Bingo.

When Accellion first rolled out the Courier Secure File Transfer Appliance (SFTA) solution in late 2004, it was an uphill battle to convince people that SFTA is not only a better technical solution but would also make both the end users and the IT support personnel happy.

The typical objection we would hear was that FTP/SFTP and email attachments, while not perfect, were serviceable solutions that both end users and IT departments are willing to put up with.

While we worked with early adopters to overcome these objections, we also began to hear murmurs on the increasing number of FTP/SFTP and email infrastructures that were buckling under the growing volume of information exchanged. Slowly but surely, across industries and business functions, both IT professionals and end users were coming to the realization that secure file transfer is a core business process that cannot be ignored.

Gartner’s 2006 report, "Replacing FTP With Managed File Transfer: Not All MFT Suites Are Equal," states that "Gartner previously defined the MFT suite market as a combination of internal and external technology that enables users to manage all aspects of file transfer. Increasingly, however, we've noticed that there are multiple, disparate deployment scenarios with regard to MFT suites."

Bingo. Bingo.

Instead of a monolithic and FTP-centric view where only machines need to exchange large files, the market place has embraced and demanded secure file transfer solutions that are user-centric. In other words, machine-to-machine file transfer has become a sub-segment to a much larger market where users need the ability to securely communicate and collaborate with external partners and organizations on an ad-hoc basis with files of any size.

As a result, the market place for MFT solutions is deepening and widening to include additional processes and usage behaviors, and we are seeing a surge of proactive IT departments inquiring about the Accellion SFTA solution. This is chiefly driven by the desire to treat secure file transfer as a horizontal business process improvement opportunity. Similarly, instead of us educating the buyers about FTP/SFTP and email attachment issues, we are hearing from them about how FTP means Failure To Protect and about the strange maneuvers around Microsoft Exchange/Outlook attachment size that they no longer wish to engage in.

Equally important, this need is not confined to a niche industry or function. Many knowledge workers in disparate fields -- ranging from hospitals, research institutions, law firms, to advertising agencies -- are now wondering aloud how they ever lived without Accellion SFTA at their fingertips.

Back at the ranch, Accellion has grown its SFTA customer base from single digit to triple digits in the space of six quarters! In many ways, this feels like we have just passed the early adopter stage and are now on the cusp of an emerging solution that is about to go mainstream for every user and IT professional.

But, more importantly, Accellion pledges to continue to make file transfer easy and secure for end users and IT alike. It’s our belief that the easier we make it, the more it will be used, and the more productive it will make people. And isn’t that the main reason why anyone installs new technology in the first place?

ACA Guy