In-Depth
Secure File Transfers: P2P Alternatives
P2P file sharing is on the rise, and so are its risks. We show you five tips that can help you select a secure enterprise file-transfer solution.
by Paula Skokowski
It usually starts as an innocent act by an unsuspecting employee; with a few minutes in-between meetings -- just enough time to trade some music with a friend through a P2P file sharing service. In using that P2P software, the employee inadvertently opened private files to other users of the same file-sharing service.
Unfortunately this scenario plays out in many companies today. P2P file sharing is on the rise, as are the news stories about data breaches associated with its use in corporate environments. Even the President recently fell victim to the hazards of P2P file sharing when sensitive information about Marine One, the President's helicopter, was leaked from a contractor's computer through file-sharing software.
The President is not alone; in 2008 we learned of several high-profile P2P-related data breaches: Supreme Court Justice Stephen Breyer and approximately 2,000 others became victims of a data breach caused by P2P file sharing after an investment firm employee used the online file-sharing network LimeWire from his company computer. The Canadian government also reported the same popular P2P file-sharing program exposed the private details of more than 150 people over the Internet.
Although these data breach incidents were accidental they clearly demonstrate the inherent risks and vulnerabilities associated with P2P. Most users don't realize that the same P2P software they use to freely exchange certain personal files may also be configured to access and share virtually all of the files that reside on their computer or network server. This presents an opportunity for those seeking to access and exploit sensitive information while also exposing a corporation to viruses, worms, Trojan horses, and spyware.
The use of P2P in the workplace often happens with the best of intentions. After using P2P to exchange files with friends, an employee up against a work-related deadline may resort to P2P after realizing the proposal is too large to share over the company e-mail network. Filling out a request form and waiting for the IT department to set up a new FTP account isn't an option at this point. The employee thinks, "Hey, I can use the P2P file sharing software; what's the harm?"
Sharing information digitally, often in the form of large documents, media files, or data files, has become a common business practice. The IT systems to make file sharing fast, secure, and easily accessible have not kept pace with demand. Although e-mail seems an obvious choice for sharing files with others, the increasing size and volume of information being shared has taken its toll on e-mail network bandwidth, driving up storage costs and slowing servers. As a result, many companies have instituted file size limits for attachments. Unfortunately, the limits imposed often aren't large enough to accommodate users' needs.
Eventually, IT policies put in place to protect an organization do more harm than good because they push employees to look for alternative ways of sending large files; typically non-compliant and non-secure workarounds such as P2P. If an easy-to-use, secure means to transfer files is not available, users will solve the problem themselves.
It is critical that users understand the security risks P2P file sharing poses in a corporate environment. It is equally important that IT departments take the appropriate steps to prevent P2P software from being installed on computer desktops and block P2P traffic at network gateways. Lastly, IT should implement an enterprise-level technology solution that gives employees an easy-to-use, secure means to transfer large files while meeting their compliance requirements. Let's face it, smart people will find a way to get the job done, and, unfortunately, security is often of secondary concern when evaluating IT workarounds.
To keep your employees away from the temptation of using P2P to share corporate files, provide an enterprise solution for managing file transfer. At Accellion, we work with corporations around the globe helping them implement systems to prevent data leakage at the file-transfer source. Here are some important tips we recommend companies consider when selecting an enterprise file-transfer solution.
1. Pick an enterprise-grade solution. There is a difference between the requirements for corporate and consumer file transfer. There is a big difference between sharing a music file with friends and sharing engineering designs for new products. If you are an enterprise customer, look for an enterprise file-transfer solution. An enterprise solution lets employees transfer files fast without jeopardizing the security of the corporate network, or bringing the e-mail system to its knees. Enterprise features include secure transmission over SSL, file encryption, auditable logs and reports, file lifecycle management, and recipient authentication.
2. Avoid solutions that create IT overload. Pick a file-transfer solution that easily integrates into your existing IT environment and requires minimal IT administration. Look for a file-transfer system that provides automated account creation utilizing LDAP/AD integration to eliminate the IT overhead and time delays previously associated with getting employees and external recipients registered as users. File lifecycle management tools are essential in keeping IT administration for file transfer to a minimum and to ensuring files do not sit around indefinitely waiting for a data breach to happen.
3. Make it easy. If a solution is not easy to use, users will find alternative means for sending large files that often expose glaring security loopholes. Ideally the file-transfer solution should be integrated directly with your e-mail application to provide users with the ease of use of e-mail without the limitations of e-mail size restrictions. For example, if you are using MS-Outlook or Lotus Notes, look for a file-transfer solution that offers e-mail plug-ins for those applications. Ideally users shouldn't have to learn anything new, file transfer should be as easy as clicking on a paperclip, and the file-transfer solution should work behind the scenes to manage the secure transfer of the file.
4. Be compliant. Don't wait until you fail a security audit to implement an enterprise file-transfer solution. Pick a solution that allows for complete auditing and tracking of information entering or leaving your organization. Your corporate file-transfer solutions should provide comprehensive auditable logs and reports that track every file entering and leaving the company.
5. Secure your data. With an enterprise solution for file transfer, a wide range of security features are included, so use them. Data-level security is table stakes for an enterprise file-transfer solution; you should also look for business-level security. Automatic encryption and authentication check points that validate recipients are security features that ensure that confidential information has not been shared and exposed.
Paula Skokowski is the chief marketing officer for Accellion, Inc., a secure managed file-transfer solution provider. Ms. Skokowski received a BA and MA Honors in Engineering Science from Oxford University and an MS in Robotics from UC Berkeley. She has served as advisor on Teradata's Ecommerce Board of Advisors, director for the ComputerWorld Smithsonian Awards Program, and executive director to the LonMark Interoperability Association. You can contact the author at paula.skokowski@accellion.com