Author Archive

Data Breach Remains a Hot Topic for Media

Posted on Monday, 19 March, 2012

During the past few years, the media has highlighted a variety of examples of the loss of private information by large companies either by theft or misuse.

One of the reasons for the increased media attention is the renewed focus on establishing and enforcing data breach notification laws which apply to companies that own, lease or store private, personally identifiable information. If that data is exposed to unauthorized use either by accident, cyber attack, employee misconduct, or other causes, most states require companies responsible for protecting that data to announce the data breach and individually notify everyone affected. Some states require that credit agencies are also notified.

For clarification, private data means any information that can be used to identify an individual, including sensitive information such as a credit card number, social security number, or health related data.

There are a few exceptions to having to report the data breach. If the compromised files were encrypted while in transit across the Internet or while stored on stolen backup tapes, for example, it is unlikely that the files could be decrypted, so the individuals’ privacy isn’t as likely to be compromised.

A company that finds itself dealing with a data breach learns quickly that the process is not just embarrassing and costly (sending notifications, providing free credit reports, etc.); it can also damage the company’s hard-earned reputation, resulting in the loss of customers. The point is that companies are responsible, and legally liable, for the information that is in their hands.

Securing File Transfers

Most companies use FTP (file transfer protocol) to send data files back and forth to their trading partners, vendors, remote employees, etc. Most often, FTP is used to send files that are too large to email.

However, file transfers like these are captured and compromised by data thieves on the Internet every day — unless security procedures have been put into place to safeguard the files’ data.

Companies need to implement procedures that secure both an in-motion process (files in transit over the Internet) and an at-rest process (files stored on servers or backup tapes). SFTP and FTPS protocols both secure the file while in motion by encrypting the communication link between two systems during the file transfer. PGP encrypts the file itself, protecting it while at rest on the server or backup tapes.

When addressing the challenge of sending ad-hoc files that are too big to email, finding a managed file transfer solution that includes a secure mail feature can mean the difference between an accidental data breach and a successfully delivered file.

Implementing these security procedures is a significant step organizations can take to greatly reduce their risk of data breach, and therefore their exposure to the financial liability and the loss of confidence of their customers and trading partners.

 

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.


Silence the Nagging By Securing Your Data

Posted on Monday, 6 February, 2012

Compliance issues and the ever-growing list of compliance regulation acronyms (HIPAA, PCI, SOX, etc.) are persistently nagging IT folks who must meet tough mandates and overly complicated rules.

Of course, the real reason we must now pay so much attention to compliance is others’ irresponsible abuse. Somewhere along the data-strewn path, a few malicious malcontents had to succumb to the voice of greed and abuse their technological skill sets. All IT professionals’ jobs are tougher thanks to those who, through hacking, sniffing, or lifting data sources, chose to steal and sell inadequately secured information.

The truth is, though, that “data” really is sensitive information and we live in a paranoid modern world where dastardly damage is done with just a little twist of the facts. So in response to the cries of outrage among our citizens, politicians have wrung their bureaucratic hands and offered plenty of passing legislation designed to protect our data.

Because IT is responsible for the company’s data, we need to stay abreast of the laws that apply to it. We also need to fully understand and implement the three types of data protection: physical, transitional, and procedural.

Physical

Physical protection is probably the easiest. We secure the data on our servers, backup tapes and offsite facilities with technologies such as passwords, drive encryption, backup encryption, data center surveillance, physical locks, etc. We spare no expense in securing the physical because we can see it and believe it is secured. Or so we think.

Transitional

Transitional protection is a little more difficult.  Any data files that leave our networks should be secured with managed FTP solutions that encrypt the files with SFTP, FTPS, HTTPS, PGP, and other protocols.  Firewalls are set up to control what can leave or enter our data domain. DMZ gateways are set up to increase the virtual protection of the data and still allow designated users access to it.

Procedural

Procedural security is the type of data protection that is least understood and implemented. A clear and understandable security policy needs to be communicated to the end users so they become familiar with how sensitive data is secured, and what consequences may loom if procedures aren’t followed.

The majority of us in IT are protective about who has access to our own sensitive data, so we can understand the reason for protecting everyone else, too.  Yes, it’s a lot of work, but it’s part of the new normal.


How Important is Auditing Your File Transfers?

Posted on Monday, 30 January, 2012

When you send someone a file via FTP, how do you know — and later prove — that it was successfully sent?

It might be possible to save a screen shot as long as the process was simple and you can see all the commands on a single screen. But what if your commands start getting complex? And if you start sending quite a few files every day, how do you organize all these screen shots so that you can easily retrieve proof 2 1/2 weeks from now? What about 2 1/2 years from now? Believe me, I’ve been there and it’s no picnic.

Why should you care what files you sent two-and-a-half years ago anyway? To begin with, it’s the law… for most of us anyway. Most businesses are required by law to maintain an audit trail of any files that hold personally identifiable information in the data. Still, we shouldn’t do it just because it is the law; we should do it because it is a good business practice to protect and track the movement of all business information.

How to Audit

The screen capture option is probably the worst-case scenario in maintaining an audit trail of all your FTP transactions.  It makes sense to look into better tools to manage your FTP processing that make it easier and safer to prove the files have been sent or received from the correct locations.

In most Windows-based FTP tools, whether free or purchased, there are options to maintain a log of all your transactions. Here’s an example of GoAnywhere Director’s job log that shows the status of your file transfers, and allows you to drill down further into each job to find out even more.

[Image: GoAnywhere Director job log showing file transfer status]

Other FTP software solutions have similar settings.  Logging your transactions provides the audit trail you need to prove that you have done your part in sending or retrieving the files.  Managed file transfer solutions, in addition to providing necessary file transfer security, provide an even better audit trail by logging exactly who sent or received the files.

Bottom line: Your FTP audit logs should be easy to find and understand just in case you are audited 2 1/2  years from now.
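
A sketch of what such an audit trail can record, added here as an illustration and not taken from GoAnywhere Director or any other product: each transfer record names who sent what to whom, stores a SHA-256 digest of the file, and is chained to the previous record so that later edits are detectable. The chaining goes beyond what the post describes, and all function names, field names, and sample values are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first record in a log

def entry_digest(body):
    """SHA-256 over the record's canonical JSON (sorted keys, no spaces)."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def record_transfer(log, when, user, direction, partner, name, content, status):
    """Append one transfer record, chained to the previous record's hash."""
    entry = {
        "time": when, "user": user, "direction": direction,
        "partner": partner, "file": name, "bytes": len(content),
        "sha256": hashlib.sha256(content).hexdigest(),
        "status": status,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return the index of the first altered/reordered record, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry_digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def proof_of_transfer(log, name, content):
    """Successful records whose file name and digest match the file in question."""
    want = hashlib.sha256(content).hexdigest()
    return [e for e in log if e["file"] == name and e["sha256"] == want
            and e["status"] == "success"]

def build_sample_log():
    """Constructed sample transfers; users, partners and files are made up."""
    log = []
    record_transfer(log, "2012-01-30T09:15:00Z", "jsmith", "send",
                    "partner-a.example", "claims_0130.csv", b"id,amount\n1,40\n", "success")
    record_transfer(log, "2012-01-30T09:20:00Z", "mlee", "send",
                    "partner-b.example", "payroll.csv", b"id,pay\n7,900\n", "failed")
    return log

if __name__ == "__main__":
    print(json.dumps(build_sample_log(), indent=2))
```

Storing the digest lets you show, years later, that the file you still hold is the one that was sent; the chain only detects tampering if the latest hash is also kept somewhere the log's editors cannot reach.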


MFT Helps Strengthen Business Relationships

Posted on Monday, 9 January, 2012

Our business environment today is really all about relationships.  Not just relationships with people but also our relationship with information: private, sensitive, timely, accurate, priceless data that is literally the lifeblood of the business that we obtain daily from our trusting customers and vendors and exchange with our trusted business partners.

Of concern is how information is being exchanged. Too often, business owners/managers are stuck in the mindset of sending business information by email and, if it is too big, perhaps by FTP. Neither of these methods is, by any means, safe and secure. As a business grows and its information relationships become more complex, how do we know who within the office is sending what data to which partners? And who is actually receiving it? As the demand for data exchange increases, so do the complexity and risk of managing all of these processes.

This increased complexity exponentially increases the chance of some information getting sent to the wrong place at the wrong time or accessed by the wrong people. If this happens, we are required by state laws to disclose this data breach to our customers, which undermines the trust and the relationships that we have so carefully worked to build with clients and partners.

As business processes continue to become more regulated and complex, it is critical that these data exchanges are improved. Controlling and automating data exchanges can be greatly simplified and secured by implementing a managed file transfer (MFT) system. The good news is that it isn’t too difficult with the right tools.  MFT solutions are available to provide powerful, yet simple ways to address these challenges.

Those companies that can earn and maintain the trust of their customers and trading partners not only through their business interactions, but also by the way they respect and protect their data exchanges, will be the leaders in today’s global business environment.
