Wednesday, September 27, 2006

FTP (Failure To Protect) and an early Halloween ghost story

Summary: According to Microsoft TechNet, FTP fails to protect the data and files it transfers. And, find out whether your FTP/SFTP servers are haunted too.


-----

When I talk with prospective customers about their current file transfer solutions, FTP (file transfer protocol) is a common one, but the insecurity of the service scares them.

As it should.

You don’t need to be an information technology guru to understand the business implications of the shortcomings of FTP as the following passage from Microsoft TechNet describes:

FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid user name and password combination prior to granting access. Be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All credentials are sent across the network in plain text. In other words, all FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server. The risk of plain text credentials is that someone other than the intended users could log on to FTP and download the files you have placed there.

In other words, don’t put anything on your FTP server that you wouldn’t feel comfortable publishing in a press release – that’s how wide open your data can be. This is especially true today, when everything imaginable and unimaginable is being indexed by search engines, as I noted in FTP (In) Security in the Google Age.

Of course, there are ways to add security to FTP. It generally involves some kind of additional wrapper around the FTP server. It can be an encrypted channel such as a VPN (Virtual Private Network) using IPsec (Internet Protocol Security). Alternatively, you can use some flavor of encryption such as SSL (Secure Sockets Layer) to scramble the traffic.

The problem is that now you’re talking about adding significant complexity and cost, just to be able to transfer files. This level of overhead may have made sense in the old days, when the majority of file transfers were done via scripts and schedulers with minimal human input required. But, given the increasing importance of secure file transfer in day-to-day business processes run by non-IT users, for things like multimedia presentations and legal electronic discovery, FTP and SFTP bring unpleasant memories to IT and end-users alike.

***


I recently heard this FTP ghost story about a haunted server.

A contract employee was given access to an FTP server where files pertaining to his project were stored. (As a standard IT procedure, the FTP administrator would provision access for any user who showed a valid need, and this contractor proved his need.)

But then the contractor finished the project and left. (Naturally) the FTP administrator didn’t know this and thus didn't de-provision the user. In other words, the contractor still had the ability to view everything on the FTP server. Unbeknownst to everyone within the organization, this contractor paid a few more visits to the FTP server to download files - after all, no one canceled his access to the FTP server.

And, since this is a process issue, even if the server had been running secure FTP (SFTP) instead, the same haunted scenario could still have played out. So, have you ever wondered what kind of unauthorized FTP/SFTP access is happening in your organization? It is more common than you think! A major vendor is selling a tool that claims to detect exactly this type of access, as noted in my posting Much Ado About Tumbleweed and FTP Security.
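A defender-side check for the ghost story above, as an added example that is not Accellion's code or any vendor's product: it cross-references FTP server log lines against an access roster and flags activity by accounts whose engagement has ended or that appear in no roster at all. The vsftpd-like log layout, the roster, and the log lines are constructed assumptions.

```python
# Flag FTP/SFTP activity by accounts whose access should already have ended.
# Added example, not Accellion's or any vendor's code. Log lines and roster are
# constructed samples; the vsftpd-like log layout is an assumption of this example.
import re
from datetime import datetime

# Constructed roster: username -> end of access (None = open-ended); this is the record the ghost story's admin never received.
ACCESS_END = {
    "contractor1": datetime(2006, 8, 31),
    "alice": None,
}

# Constructed log lines (assumed vsftpd-like layout).
SAMPLE_LOG = """\
Thu Aug 24 10:02:11 2006 [pid 1234] [contractor1] OK LOGIN: Client "10.0.0.5"
Thu Aug 24 10:03:40 2006 [pid 1234] [contractor1] OK DOWNLOAD: Client "10.0.0.5", "/project/spec.doc"
Tue Sep 12 22:17:03 2006 [pid 2201] [contractor1] OK LOGIN: Client "203.0.113.9"
Tue Sep 12 22:18:30 2006 [pid 2201] [contractor1] OK DOWNLOAD: Client "203.0.113.9", "/project/budget.xls"
Wed Sep 13 09:00:00 2006 [pid 2300] [alice] OK LOGIN: Client "10.0.0.7"
Wed Sep 13 09:05:12 2006 [pid 2301] [ghost] OK LOGIN: Client "198.51.100.4"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK (?P<action>\w+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Collapse padded day numbers ("Sep  3") so strptime accepts them.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return rec

def find_orphan_access(log_text, roster):
    """Return records for logins and transfers by expired or unknown accounts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        end = roster.get(rec["user"])
        if rec["user"] not in roster:
            rec["reason"] = "unknown account"
        elif end is not None and rec["ts"] > end:
            rec["reason"] = "access expired " + end.strftime("%Y-%m-%d")
        else:
            continue  # current staff, or a contractor still within the engagement
        findings.append(rec)
    return findings
```

Run against the sample, it reports the two September visits by the departed contractor plus one login from an account nobody provisioned; the same logic applies unchanged to SFTP authentication logs once the regex is adjusted to that layout.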

So, this could be a fun thing to do to your security officer.

First, tell him about the importance of securing file transfer processes as part of SOX/HIPAA/GLBA compliance - feel free to use my posting Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply? as a cheat sheet.

Then, tell him this FTP/SFTP ghost story.

Booooooo!

And, before the security officer faints, tell him to pay Accellion a visit because Secure File Transfer Appliance SFTA can solve all of these problems and headaches.

ACA Guy

Wednesday, September 20, 2006

Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?

Summary: How to secure file transfer processes in the face of government regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA)? Proactive IT shops are looking for these key capabilities offered by Accellion SFTA.


-----

At Accellion, we say "Accellion Courier Secure File Transfer Appliance (SFTA) offers a key component in implementing secure and auditable file transfer processes required for meeting IP security needs and compliance mandates..." Just what does that mean? How will this product help you with your compliance mandates?

Most large enterprises operate under at least one of the legislative mandates for the protection and validation of private information. For instance, under HIPAA (Health Insurance Portability and Accountability Act), healthcare providers must safeguard the privacy of their patients' medical records. Under GLBA (Gramm-Leach-Bliley Act), financial institutions are required to hold consumers' financial information in strict confidence. Under SOX (Sarbanes-Oxley), public companies must prove that they have adequate internal controls over business procedures and financial information.

Though the legislation can get complicated when examined closely, it really boils down to common sense. Borrowing from the good ole' "do unto others" Golden Rule we all learned as children, think of the (secure) file transfer portion of these compliance mandates at their core as the "Golden Rule for Data Handling." In other words, treat other people's private data as you would want to have your own private data treated.

Common sense aside, since nefarious means such as spyware, IP spoofing, and interception of non-secure wireless traffic abound, there are several key capabilities that growing numbers of proactive IT teams are looking for in order to secure email attachments and other file transfer processes while meeting the regulatory compliance requirements for their respective industries. Many of our customers have come to Accellion to fulfill these dual objectives with SFTA because of the considerations below.

(Hint: The words in italics relate directly to specifications of the legislative mandates we have been talking about.)

  • Automated download receipt - When a recipient downloads the file, a return receipt is generated to the sender. The recipient cannot turn the return receipt off. Users can review and track files sent and their download status.

  • End to end file security - Files are encrypted, uploaded, stored, and downloaded through secure links, and recipients are authenticated, ensuring only the intended recipients can access the file.

  • File management - File life cycle management is automated: when the prescribed time comes, the file is deleted, so the life cycle of files is managed centrally per corporate retention policies. This means neither users nor administrators have to worry about unattended, errant sensitive information.

  • Directory services authentication - LDAP and Microsoft Active Directory are used for authentication and to minimize setup effort. Allowing users to send large files securely using the same email ID and password significantly improves the process flow.

  • File transfer auditing and tracking - Auditable records from a third party of when recipients download attachments, which can be summarized by individual recipient, file name, time, and date.

The good news is that government mandates have clearly articulated the needs for securing business processes -- processes which often include the transfer of data from one hand to another. The better news is that encryption, audit trails, recipient authentication, and secure links, to name a few, are the common sense way to handle files securely. And, the best news is that all these are standard features in the field proven Accellion SFTA.

You can read more about how Accellion Courier Secure File Transfer Appliance works for security and compliance here.

ACA Guy

Wednesday, September 13, 2006

Secure File Transfer for Teaching Hospitals and Research Institutions

Summary: Teaching and research hospitals are finding the Accellion secure file transfer solution helps them conduct critical work more efficiently.


-----

Secure transfer of very large files is a universal issue for most organizations. So, in addition to supporting law firms (read Secure File Transfer for Law Firm Attorneys, Counsels, and Clients), Accellion also has a sizable number of installations in teaching/research hospitals throughout the country.

Beyond providing a first class solution to meet users' needs, we do take special pride in supporting these institutions because their Accellion secure file transfer appliances, as part of their everyday workflow, contribute in their own way to improving healthcare and medical research for cancer patients in Boston and children's care in Memphis.

It is a karma thing.

Feel good sentiment aside, what these organizations need to address is very similar to most professional organizations that trade in knowledge -- how to exchange very large amounts of information securely and easily with internal and external users.

Researchers at most of these institutions work on projects that draw on resources and knowledge across a number of organizational boundaries to solve life-and-death questions. A study of avian flu may be conducted in Memphis, but the field experts on H5N1 outbreaks with the most current data are in Asia. Or, a less dramatic, but equally pressing, issue for researchers is the ability to share grant data with collaborators on a timely basis, because financial support from these grants is what makes most of this work possible.

In these scenarios, the problems are myriad:

  • There may be attachment size limits (within email) so that the sender cannot send the data to the research facility.

  • A recipient may have an incoming attachment size limit so that the email attachment is rejected.

  • An external sender may have an attachment size limit preventing the data from coming back.

The traditional answer is to use a flavor of FTP/SFTP for file transfer. But, end users -- typically brilliant Ph.D.'s and medical doctors -- often find the FTP/SFTP interface confusing and cumbersome to use. (Read When it Absolutely, Positively Has To Get There and Back, Right Now.) So, time can be wasted on IT issues instead of the research at hand.

Worse yet, with FTP/SFTP and its common directory structure, there is a real chance of picking up the wrong data files. Imagine spending a whole week conducting analysis on file "09072006-114B" instead of "09072006-114C". Oh, and as we’ve pointed out in Virus, via Email File Attachment, FTP/SFTP, or Website Download, is still a Virus, FTP is insecure and the research dataset may even get infected with a computer virus, rendering it useless.

So, the real solution is a secure file transfer appliance designed to handle very large files that not only complies with various regulations like HIPAA but also allows users from different organizations to easily share the dataset and grant proposals.

Equally important, with Accellion SFTA's self-provisioning capability for external users, researchers are no longer at the mercy of IT administrators as part of their work flow. And, frankly, from what all the IT people that I have talked with have told me, they too love to get out of the business of setting up FTP/SFTP access for users.

Like my fellow bow-tie collector and Senior Director and Chief Security Officer of Cornell University's Weill Medical College, Dr. Steve Erde, said, "The [Accellion Courier Secure File Transfer] appliance alleviates the concerns associated with file transfers that have troubled our users for many years, and does so in a very cost-effective manner."

Read the announcement on the Cornell WMC deployment.

Find out more about how Cornell University Weill Medical College uses Accellion SFTA by clicking here.

Yes, folks, we’re all about getting the files from "here" to "there" and "back" quickly, securely, and cost-effectively. And if Accellion happens to help in the race to make your life better, it is all in a day's work.

ACA Guy

Wednesday, September 06, 2006

Secure File Transfer for Law Firm Attorneys, Counsels, and Clients

Summary: Lawyers cannot afford to wait for FTP/SFTP access setup to send large files securely to clients. Accellion meets law firms' secure file transfer needs while keeping both attorneys and IT happy.

-----

There are many reasons that people come to Accellion for their secure file transfer needs. Because each industry has its own quirks and specific requirements that may not be obvious to the less nimble vendors, Accellion has built up experience and insight for a wide spectrum of industry verticals.

The legal space is one of those verticals where Accellion is seeing quite a bit of adoption of our solution.

How does secure file transfer fit into law firms?

It is somewhat of a no-brainer to say that law firms deal in sensitive documents. Traditionally, these documents are in physical forms. With the digitization of the legal practice and proliferation of email as a common communication tool, the focus has shifted to how to best transmit the same information electronically.

So far so good.

What has changed with the digital age, however, is expectation. In the old days, the physical transfer of documents could take days, and that was not just accepted but expected. Today, however, when it takes more than 10 seconds for an email attachment to get over to the client, somebody (like those in IT) will have to pay. With billable hours and productivity a major measurement for most attorneys, any delay is no longer acceptable.

Email attachments, with their size limits (see my posting on No Pain is Gain - What email focused VAR partners are doing for email size limits), can cause issues on two fronts. One is the internal limit, where an attorney would complain that he cannot attach a critical document to send over to a client outside because IT is blocking it. Conversely, some IT departments may have intentionally set no size limit to avoid internal complaints, but the recipient's email infrastructure can have its own incoming email and attachment size limits. So, the same attorney may very well complain about the inability to get that critical document to the client because it is being rejected by the client's email system.

So, it's no surprise that law firms look for an alternative means to transfer digital files, and FTP is a typical technology these firms try. The IT team at a law firm regularly has to fulfill requests to provide "FTP" access. FTP (file transfer protocol) is the conventional technical solution for sharing large files. While it does the job well enough, it is a major no-no for law practices because FTP is highly insecure (FTP's security holes are well documented; see my posting FTP (In) Security in the Google Age for the latest twist on FTP security issues). So, instead, the IT department has to set up Secure FTP (SFTP) access. And the problem with SFTP is that its setup and administration are much more cumbersome and time consuming as a result of its additional security components.

And, let's not forget that, in the meantime, the less experienced and anxious legal types are breathing down IT's neck and wondering aloud why it takes so long since sending a file via email takes no more than one click!

Oh, right. Have I mentioned the fact that attorneys, depending on what transaction they are working on, may request "FTP" access any time of the day and any day of the week? Pity be the lone IT support dude on that 1am-9am New Year's Eve watch.

What we are seeing more and more of are proactive IT departments in law firms coming to the realization that bulking up the support infrastructure for these types of ad hoc file transfers is a game that IT can never win. Instead, the strategic insight points to giving users like attorneys and paralegals the ability to control their own secure file transfer process. This not only gets the "SFTP setup" monkey off IT's back, it also makes attorneys happier because their billable hours and client transaction destiny are no longer controlled by IT.

Talk about a win-win solution.

Foley & Mansfield, a national law firm, found this to be typical. As Adam Pugh, Foley & Mansfield's Director of Information Services & Technology, said, "We were looking for a self contained and easy to use secure electronic file transfer solution... our users, other counsel, and clients are busy people... Now, we can send and receive very large files within minutes."

And, the result? Pugh added, "Since the [Accellion] SFTA deployment, we have been receiving compliments from users inside and outside the firm about our enhanced secure file transfer capability for its ease of use and the time it saves."

Read more about Foley & Mansfield's perspective here.

So, the question for law firms is not whether to move away from SFTP/FTP, but whether Accellion Courier SFTA is the right choice for you. On this point, just like picking an attorney with the right kind of experience and knowledge for your legal counsel, you should retain Accellion as your secure file transfer counsel because we have been there and done that many times over.

ACA Guy