Q&A: Making File Transfers and Sharing More Secure
Recent breaches have highlighted vulnerabilities with file sharing and file transfer. We examine the risks, look at file-sharing and FTP vulnerabilities, and explore how to secure file transfers with Adam Bosnian, EVP Americas and corporate development for Cyber-Ark.
Enterprise Strategies: In light of the recent breach at Dropbox that was mitigated by adding two-factor authentication, many IT administrators are looking at how files are shared. Is FTP still the predominant method, or are services such as Dropbox and Box more popular?
Adam Bosnian: FTP was created in 1971 as a simple way to move files from one device to another, and it has remained the most popular choice for organizations when sending information. It's still the predominant method because it's already in place and easy to use. Dropbox entered the scene as a consumer play but has progressively been adopted for business exchanges due to its ease of use. The truth is that both of these methods -- one outdated and one that was frankly not created with the enterprise in mind -- are not equipped to transfer sensitive corporate data.
Today, we're seeing a sharp uptick in customer demand for more holistic and secure managed file solutions as a replacement for legacy FTP systems.
What security risks are posed by this approach?
According to the Trustwave® 2012 Global Security Report, FTP was the second most likely protocol to be used for data exfiltration by malware in 2011, behind HTTP. The engineers who created FTP 40 years ago did not have access to the computer power and software needed for solid encryption and, as such, this continues to be a serious weakness for the security of connected machines using this protocol. Within the last year, organizations such as Yale University and Acer have suffered data breaches by failing to secure their FTP servers.
Another shortcoming with traditional FTP, and even encrypted FTP sessions, is that after the data is done moving ("data at rest"), it sits on the FTP or SFTP server in plain text. If that server is directly connected to the Internet -- which it typically is to allow business partners to connect to it -- the data is at risk of being accessed and shared.
The Dropbox breach that occurred this past summer was caused by a Dropbox employee who stored an unencrypted document on the service that contained Dropbox users' e-mail addresses. An attacker used that employee's reused password (which had been taken from another compromised site) and logged into the Dropbox employee's account. The attacker then found a copy of the document and used the e-mail addresses to spam Dropbox users.
This breach highlights three critical security issues: the storing of unencrypted documents, the overuse of passwords across multiple sites, and how easy it is to obtain and use these passwords to steal data from sites like Dropbox. Although Dropbox has since implemented two-factor authentication to prevent this situation from happening again, the breach proves that the service, and similar file sharing solutions, can be high-risk methods for transferring files.
A secure file transfer solution must employ the concept of segregation of duties, not only for a single organization but also for departments within that organization -- even when in the cloud. Administrators should be able to access and manage the system for configuration purposes and process management but not have access to the files (content) themselves -- so a separation between content and operations is also preferable.
Is installing two-factor authentication sufficient to prevent future risks or are other technologies preferred to secure current methods?
With today's sophisticated cyber-attackers, two-factor authentication is not enough to prevent future risks.
The preferred approach is a solution that encrypts all files while in transit and at rest and is based on digital vaulting technology -- similar to a physical vault at a bank. A digital vault can provide secure storage for files using multiple layers of security and ensures that only authorized personnel can access, open, and transfer the files.
If FTP isn't recommended, what approaches are available for sharing enterprise IT that are cost effective and secure?
Organizations that want to protect their data in transit and meet compliance regulations should implement a solution that isolates sensitive data sent over the Internet and provides full and up-to-date monitoring on all file transfer activity to confirm that files are secure and that they reach their destinations. If you can implement a solution that provides full logging and auditing capabilities, this will help your organization meet increasing regulatory compliance requirements.
In addition, enterprise solutions that support secure file exchange environments enable a variety of business uses including the flexibility of sending secure, unlimited-size attachments over e-mail. These solutions also offer file exchange portals, file sharing, and collaboration with external parties, support for mobile device users, and file-transfer automation for business-to-business integration. Moreover, by deploying these solutions, organizations can extend access to their larger customers to enable automated payroll processing.
New features enable those organizations to securely monitor the information transfer process to provide greater visibility into whether the process is complete or stalled. The payroll services provider benefits from not having to make trade-offs involving the user experience, security, and efficient business operations.
What role does compliance play in securing file transfers?
Because of the high risks surrounding e-mail and FTP, auditors have placed an enhanced focus on securing files in transit. Also, with changes that went into effect last year, auditors concerned with PCI compliance are failing organizations that don't demonstrate adequate controls around their FTP. With superior, more comprehensive alternatives to common file exchange technologies such as e-mail and FTP, organizations can avoid the vulnerabilities that are increasingly scrutinized by these auditors and regulatory bodies. Compliance institutionalizes guidelines for better risk management, and as such we see PCI, NIST 800-53, HIPAA, and others requiring better controls around file access but also logging who is accessing and what is being done with the files for accountability and better forensic analysis.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).