FTP Advice: Managing Files Too Large for Email
by Melisa LaBancz-Bleasdale
In the early 1970's, long before the modern Internet, FTP (File Transfer Protocol) was used as the mainstay for system to system file transfers. Originally used from a text-only interface, FTP now enables the movement of data, documents, images, and web pages from one computer to another via networks leveraging TCP/IP (Transmission Control Protocol/Internet Protocol). Most of us equate FTP with sending or receiving files deemed too large for our email systems to handle. For example: PowerPoint files.
Today's FTP is used as a means to streamline time-consuming activities. Web designers use FTP to send and receive graphic-heavy page layouts. Engineers use it during development to send code between geographically dispersed working groups. Businesses employ FTP to transport confidential documents from one location to another- the latter exposing the organization to unique security risks.
Although file attachments can be sent via email, it has several key disadvantages as a file transfer medium:
- Internal and external email service providers impose restrictions on the individual file size of attachments, limiting what you are able to send in an unzipped format. While you may have the capability to send a large outbound file, your recipient may not have the same inbound capacity.
- Users generally have a limited mailbox capacity. Though this can be remedied by internal IT and/or the purging of excessive amounts of email, it's a disruptive and time-consuming process.
Most spam filters automatically block large file attachments. This can mean graphics, PowerPoint presentations, and those pictures of your vacation can easily be bounced. FTP allows users to circumvent these challenges, but introduces new ones of its own.
Efficiency vs. Security
Although ease of use and an unrestricted nature make FTP an attractive tool for business users, its lack of security has always been a problem. The original FTP specification is widely accepted as an inherently insecure method of transferring files, as it precludes provisions for strong authentication. Without adequate protection, user names, passwords, FTP commands and data are vulnerable to packet sniffers -a program and/or device that monitors data traveling over a network. This same vulnerability applies to many Internet protocol specifications written pre- (Secure Socket Layer) including: HTTP (Hyper Text Transfer Protocol), SMTP (Simple Mail Transport Protocol) and Telnet (TELetype NETwork). Sniffers aside, FTP sends data in plain-text, meaning that information in transit is sent "in the clear," viewable by anyone with an unhealthy interest and a spoonful of skill.
According to Cupertino, CAbased Software Assist Corporation, most companies do not have sufficient knowledge of how much FTP is taking place on their network. Nor what data is moving in and out of the enterprise. Nor who (or what) is initiating FTP activity. "The increased use of FTP throughout an organization creates an increase in data and security exposure. Knowing what FTP is being used for, when it is being accessed and what data is traveling in and out of the enterprise is a critical requirement," says Scott Myers, president of Software Assist.
FTP file transfers are also vulnerable to man-in-the-middle attacks-the process of intercepting and altering data prior to reaching the intended destination. A text book example: website defacement. Although there are numerous ways to hack into a website, many site updates are uploaded using insecure FTP transfers. It's a perfect scenario for opportunistic hackers to intercept administrator login and password information. They copy and manipulate web content and graphics, and then FTP the altered site back to its intended destination-using the originator's identity.
File Transfer Compliance
Issuing lengthy and often ambiguous mandates, the current regulatory regime calls for organizational accountability in nearly every business process. The transfer of files (secure or otherwise) falls squarely within the confines of several well known regulations that require organizations to comply with electronic data privacy and security obligations. HIPAA (Health Insurance Portability and Accountability Act) puts the burden of proof on organizations to show that only intended information is shared or exchanged and that sharing is done in a secure manner. The Food and Drug Administration 21 CFR Part 11 requires that administrative controls are in place when electronic systems and records are used in place of paper or manual systems. SOX (Sarbanes-Oxley), the nemesis of many, requires the adoption of end-to-end auditable business processes.
Most business processes reliant upon FTP are devoid of an audit trail-as traditional FTP itself has no record retention mechanism for tracking all file transfer transactions. According to Myers, FTP usage is largely noncompliant with SOX, HIPAA, Federal Information Security Management Act, Gramm-Leach-Bliley, and other Federal and State regulations. "Many of today's business processes include multi-platform functions that utilize FTP to transfer files between them," says Myers. "Companies need a centralized means of monitoring FTP activity within each process. Due to the typically high volume of FTP activity in most organizations, it is critical to be able to manage this process to enhance overall compliance."
The Next Generation FTP The breadth and scope of the secure FTP market provides a wide variety of solutions. Strong authentication and encryption are now considered de rigueur components of SFTP, yet they introduce a costly challenge. Encryption solutions require that both the sender and receiver use the same encryption software to facilitate a transfer. Case in point, when using a secure Virtual Private Network, the related VPN software, or a VPN appliance, must be present at each end point. Whether or not an organization needs to use and/or implement an SFTP solution depends on individual file transfers, as well as the overall organizational risk profile. Sending a confidential sales presentation through the Intranet poses much less risk than sending it via unprotected FTP. A first step in determining if and what type of FTP solution fits the needs of the business process is to understand what FTP activity is taking place, and assess the acceptable levels of risk. MB/TMP