Secure File Transfers: Mind the Gap
The importance of securing file transfers is well documented. However, organizations today have so much on their plates it’s easy to see how secure file transfer could settle to the bottom of the priority list. “I think that people are looking for the most expedient way to provide security but I also think that they have 25 things on their desk and the thing that rises to the top on any given day is going to be the thing they attack,” says Paul French, VP product and solutions marketing for Axway.
While secure file transfer may not be at the top of the list, Paula Skokowski, chief marketing officer for Accellion, asks, “Who wants to be the person in charge when a security breach happens? This is not an unknown issue any longer. It’s one thing when something happens and you weren’t aware of it but if something happens and you should have known about it, then I think it’s a big issue.”
Moving Away from Email Attachments
No one really knows how many companies are struggling with insecure file transfers, as there haven’t been any definitive studies. However, one event that may be driving the continued use of non-sanctioned tools is a mass migration and update of email systems that occurred in 2007. Skokowski says that it was around this time people realized they could no longer send email attachments over 10MB in size. “While companies were investing in security technologies to monitor what you could and couldn’t email, they had left the back door open with the files strutting out insecurely, all the ones bigger than 10 megs.” Skokowski goes on to say, “I feel that FTP was a dirty little secret that everybody knew they had. They knew they had these systems for exchanging files that, first of all, were not secure, and secondly, people didn’t want to use. It resulted in insecure workarounds. For many reasons it just never really percolated to the top of the IT priority list but I think right now we have an economic climate where there isn’t much tolerance for screw-ups.”
French explains that people are under pressure to get their jobs done but may not know how to set up and initiate a file transfer. If they can’t send files through email (due to the size limitations), French believes people will do whatever it takes to get the files where they need to go.
Compared with consumer technology, many individuals find existing corporate solutions hard to understand, prohibitive, and counterproductive. “People use peer-to-peer (P2P) file sharing all the time in their personal lives to share music, photos and content,” observes Skokowski. “When they’re at work and they’re up against a deadline and they can’t secure a line out on FTP or send the files through email, they think ‘Oh I’ll use P2P file sharing!’ By using that software they then expose their corporate network to intrusion. Bringing that into their corporate world has very serious security considerations. There is no place for P2P in a corporate environment.”
The other big issue, according to Skokowski, is IM and the ability to attach large files to insecure email systems. “Now there are readily available tools that business users can resort to if they really want to send a file. These didn’t exist five years ago—P2P, IM, etc.—it wasn’t commonly used. Not implementing a secure system for your users is unacceptable. There are more options now.”
All of the vendors interviewed agreed that the solution is for organizations to employ some form of Managed File Transfer (MFT), wherein hardware and software work together to ensure the secure transfer of documents.
Choosing a Solution
“Right now is a very exciting time for a vendor of secure file transfer technology because I think that it’s become evident that non-secure file transfers are a gaping hole in an organization’s security,” observes Skokowski. “That’s good news for Accellion because our whole focus is on helping companies who have inadequate systems in place.”
Gert Adolphsen, co-founder of Stonebranch, believes companies can no longer afford not to have a strategy for file transfer, whether internally between applications, for external data exchange with business partners, or through Web-based applications for ad hoc transfers. Adolphsen believes that all reputable MFT vendors should be able to provide security, visibility, manageability, reliability, and compliance. Any solution that does not provide this functionality, he says, is not an MFT solution.
Kathryn Hughes, director of product solutions marketing for Axway, says they take a holistic approach to secure MFT. By encompassing not just physical files such as FTP, but the messaging infrastructure as well, Hughes says Axway can meet all of an organization’s MFT needs: B2B, system-to-system and human-to-human. “We have a deep history in security and we’ve got a devotion to modularity, which comes from our legacy in both file movement plus integration,” adds French. “We understand that people aren’t going to walk in the door and start fresh and buy a new copy of everything they ever did. You have to play nice with everybody from other file transfer guys to the FTPs of the world, to integration providers and we do that.”
According to Adolphsen, even if you have an MFT solution in place you may be facing issues such as a lack of functionality, which can cause you to spend too much time and manual effort trying to overcompensate for its weaknesses. “Alternately, you may have products with functionality but the solution is too complex and expensive to be deployed in every instance it’s needed. You may also have too many disparate solutions when what you really need is an intelligent, consolidated strategy.”
Skokowski agrees, saying, “Not all secure file transfer solutions are created equal.” By asking the following questions when choosing a solution, she says companies can avoid many of the issues related to the transfer of large data files:
- Does the solution offer the level of security the organization requires? One of the worst things an enterprise can do is implement a consumer offering which has limited, if any, security features.
- Does it offer tracking and auditing capabilities that meet required compliance standards?
- Can the solution integrate into the existing environment?
- Does it fit into a mixed environment, offering both on-premise and off-premise deployment options?
- Does it offer VMware integration?
- Is it available on a cloud platform?
- Does it offer a flexible pricing structure that scales as needed?
- Is it easy to use? If it is too technical, chances are end-users will not embrace it.
Adolphsen comments that choosing an enterprise-wide file transfer solution isn’t a decision that’s made in a vacuum. He offers his steps for choosing the right MFT solution:
- Name an executive sponsor.
- Analyze file transfer use and business context.
- Define security and compliance requirements.
- Evaluate MFT vendors.
- Set enterprise-wide standards.
- Define organizational and operational responsibility.
Yet even a great MFT solution doesn’t prevent employees from sending files from their handheld when on the road or if it’s deemed more convenient. “What I would say to that,” Skokowski responds, “is if you don’t provide employees with something then you don’t have a leg to stand on because that’s not giving them any solution. Once you have a solution in place that lets them securely send files whether they’re in the office, on the road or at home, then it is certainly reasonable to set policies in place forbidding the use of handhelds, thumb drives, or any other method. Can you circumvent rules? Yes, but if you haven’t provided employees with anything, you can’t say: ‘You can’t do this’ because you haven’t given them any other way to get it done.”