In-Depth
Securing Business File Transfers
Despite the security weaknesses of FTP, there are several approaches IT can take to use the protocol safely.
by Kathryn Hughes
In its simplest form, managed file transfer is the exchange of data between one or more parties, but more often it enables the exchange of larger, more sophisticated data and files, particularly confidential, mission critical data subject to service level agreements and regulatory compliance. This data sophistication dictates the best practices for managing data exchange and implementing the most appropriate managed file-transfer technologies.
Many regulated industries, such as health care and financial services, must consider security, confidentiality, and regulatory concerns, forcing a rethinking about the way they handle and manage the transfer of their most sensitive files – patient records, transaction data, and personal information, taking into account aspects such as security, management and reporting/auditing measures.
More often than not, documents in business environments exist only in electronic format, placing the onus on a business to find a reliable and trustworthy solution to manage the electronic transfer of those documents and data. Transferring data efficiently, securely and rapidly to internal and external partners is essential to remaining both productive and competitive, making secure and reliable file transfer a critical function for IT organizations.
The types of data being exchanged with business partners, customers, constituents, and internal users varies by line of business. Often that data includes highly sensitive information, including account data, personal information, and intellectual property. Operations such as just-in-time ordering, supply chain management and speedy fund clearance make file transfers a critical part of modern business processes.
Complicating matters is the fact the file transfer process and the data contained in commonly transferred files, may need to comply with specific regulations and laws. Other types of data (such as intellectual property) may not have this restriction, yet this data is often an enterprise’s most sensitive and may be vital to corporate success.
Despite the above complexities for file transfer, the two most common means of exchanging information are e-mail and File Transfer Protocol (FTP). Both have inherent security challenges and risks with respect to security.
E-mail
Many businesses start using file transfer by attaching PDF or EDI documents to e-mail messages. This technique is straightforward for end-users and can work should the need be to only transfer a few small, insignificant files. However, without e-mail management tools, message delivery cannot be guaranteed. Files transferred via e-mail are treated like all other e-mails, both legitimate and spam, so the sender must trust that the files arrive safely. In many organizations, limits on the size of file attachments imposed on corporate e-mail servers can result in failed transmissions and threaten the reliable delivery of important corporate data.
Enterprises must comply with numerous regulations, laws, and mandates that address the transmission of personal, financial, or other sensitive data. Sending files by e-mail, though simple for end users, leaves data vulnerable to a variety of security breaches, both malicious and accidental and exposes the enterprise to significant damage to their brand and may result in fines. Few e-mail systems allow for managing or auditing files transferred via e-mail.
FTP
A common alternative to simple e-mail transfer is FTP, a standard Internet protocol used to exchange files between computers connected via the Internet. FTP is part of the TCP/IP family of protocols and defines how files move between server and client. Programs that conform to the FTP protocol, including browsers and file transfer utilities, provide many advantages over e-mail, as they typically include menus that make it easy to find the desired file-transfer destination, to initiate and monitor the transfer, and to report when a transfer is complete.
While FTP can accommodate larger messages and provide more robust monitoring, basic FTP provides limited management and security for transferred files. Where user names and passwords exist, they are likely represented in clear text. FTP doesn’t guarantee file receipt or provide automatic checkpoint/restart to complete transmissions that might have failed in the transfer process.
Another FTP characteristic to consider is the lack of auditing and reporting of security violations that should be compensated for in organizations that must track and report transactions. Encryption, often an effective security practice when exchanging files, is seldom available for basic FTP, and if it is, must be an offline process.
Those who must prioritize transactions based on criticality should note that FTP provides no means for controlling critical data-movement operations or for balancing the processing priority of critical and non-critical (low-risk) data transfers. By definition, FTP places all control with the client, and the first client to make a connection generally wins, meaning the most important transactions are not always given priority.
Finally, FTP cannot create a policy for enforcing workload executions based on priority levels or criticality across multiple clients; these limitations can negatively impact processing windows and service-level agreements. This limitation results in a “hidden” cost that isn’t revealed until a network failure results in missed processing windows or service levels.
Securing Transfers
As a result of IT’s inability to enforce security policies with FTP and the protocol’s limited management capabilities, many enterprises have chosen to ban it from production-level use completely, relying on e-mail or—more typically for larger files—secure, dedicated, managed file-transfer technologies.
There are several approaches to securing FTP activities. Many researchers and organizations have developed security enhancements and secure alternatives to FTP.
For businesses that choose to operate using FTP technology, one option is to add enhanced security or reliability patches to solidify the FTP solution. This can add costs – from increased overhead to decreased interoperability and flexibility. Furthermore, home-grown “kludge” solutions must still guarantee compliance with government-mandated requirements.
To satisfy business needs, an enterprise must consider a myriad of issues surrounding data movement operations. Centralized management, notifications, security, data recovery, and automation are all important. The best solution for an enterprise should provide capabilities that meet all these needs and be designed to offer dedicated servers and secure client software as part of an integrated package. Such specialized and dedicated servers offer secure transfers and they guarantee to reduce the risk of technical outages The dashboard-style management of such a system is easy to use and provides a visible audit system to track the data exchange to ensure transmission of critical files and understand when, where and how they have been transferred. Additionally, a secure, managed file-transfer solution must provide the flexibility and key interoperability required to work with existing software while maintaining controls that meet regulatory and legal compliance requirements.
---
Kathryn Hughes is director of product marketing at Tumbleweed Communications; you can reach the author at kathryn.hughes@tumbleweed.com.