In today’s digital economy, the ability to easily access and share critical enterprise data has never been more important. This functionality enables companies and their teams to make strategic, effective, and timely decisions, thus helping to improve performance and growth. The increasing volume of files that are being accessed and transferred across enterprises on a daily basis, however, has made traditional file sharing methods (such as email attachments and File Transfer Protocol, or FTP) rather impractical.
To solve this challenge, many companies choose free or inexpensive file transfer solutions for their short-term needs. While these options are highly accessible and affordable, they do not always meet the efficiency and security requirements that today’s business requires. Thus, a challenge arises: how can businesses address their file-sharing needs without relying on impractical methods and putting their company and the integrity of their data at risk?
Kevin Conklin, the Vice President of Product Marketing at Ipswitch, a trusted provider of secure and managed file transfer software, offers some insights on how businesses can master the chaos of moving files across the enterprises. Conklin also shares how MOVEit, the company’s award-winning managed file transfer solution, helps companies enjoy a seamless and secure exchange of data with their key stakeholders.
Why FTP No Longer Works
Kevin Conklin, VP of Product and Content Marketing at Ipswitch
For years, companies relied on FTP solutions to transfer files within and outside of their organization. From sharing product lists to sending payroll information in an internal HR system, FTP has been the method of choice for file transfer with companies. But as businesses increasingly face security, scalability, visibility, and compliance concerns, the 40-year-old FTP process now falls short in satisfying a modern business’ demands.
“When Ipswitch first started offering downloadable file transfer software the world was a different, much simpler place,” shared Conklin. “File transfers were done over an FTP protocol in ‘clear text’ meaning there was no encryption. Most FTP servers ran in an ‘Anonymous’ mode that didn’t require a user ID or password. Security was a minor concern.” But that was before. Today, it’s impossible to separate ease and efficiency from protection. In fact, many cybercriminals now target FTP servers to carry out attacks.
According to Conklin, file transfer systems are a favorite target for cybercriminals. “Having penetrated a network via phishing emails, they target FTP servers to use as ‘command and control platforms’ from which they carry out the multi-stage attacks that eventually end up in data thefts of large amounts of information,” Conklin revealed. But newer cloud-based systems aren’t exempt from such attacks, either. According to Conklin, the rise of cloud-based file share systems has exacerbated problems for security teams. “Their low-cost of entry and drag-and-drop user experience make them popular end-user driven ‘shadow IT’ operations,” he said. “Unfortunately, the fact that they are outside of the control of IT and compliance groups makes them a major risk for loss of sensitive data protected by regulations such as PCI, HIPAA, and GDPR.”
Because of this, Conklin asserts that File Transfer systems today have to provide advanced security features that mitigate the risk of vulnerability exploits. These include multi-factor authentication for login, 256-bit encryption that would take decades to crack, and non-repudiation that guarantees that information arrives to the right user un-altered.
Common Threats to Enterprise Data
“If there’s one thing that recent history has proven, it’s that no organization is safe from data attacks,” stated Conklin. From the 2013 major data breach at Yahoo to the most recent Equifax breach affecting 143 million subscribers, cybersecurity threats have been on the rise over the last few years. Thales’ new Data Threat Report supports this statement, as the report revealed that one in four companies were breached in the last year, up from 21.7% the previous year. One possible explanation for this is a company’s inability to deal with common security holes in the enterprise.
According to Conklin, in order for companies to keep their enterprise data protected, there are three common attack categories that they should be aware of and prepared for:
- Ransomware – this is a type of malicious software that most often targets an employee desktop with the intention of ‘locking’ the files through encryption until a sum of money is paid. These attacks are usually initiated with a ‘spear phishing’ campaign where an unwitting user clicks a link on a compelling email that then downloads malware to their desktop. “Right now, ‘spear phishing’ emails and social networking messages are the weapon of choice for delivering all sorts of malware to a user’s desktop,” said Conklin. He advised that everyone should educate themselves on how to avoid becoming a victim of one of these attacks.
- Sabotage and theft attacks – According to Conklin, sabotage and theft attacks are ‘multi-stage’, meaning that the employee desktop is only an entry point. These attacks are designed to deliver malware to a user’s device, going unnoticed so that they are free to carry out their true intent – identifying the location of valuable data inside the corporate network.
- Locating and establishing a command and control center – Usually, this is set up on a server within the network. This allows the attacker to upload new malware for the third stage of the attack where the target data is located and either encrypted, erased, or copied and then stolen. File Transfer servers make ideal command and control platforms for these attacks because they frequently communicate with other internal resources and receive and send traffic from and to external sources over the internet.
What Enterprises Should Seek Out in a File Transfer System
Because data is the currency of the dark part of the web, companies need to seriously consider the security surrounding their file transfer systems. Conklin believes enterprises can get good guidance from their security teams and/or external compliance auditors. But there are four specific things they should be looking for:
- Encryption of data files that are at rest or in transit. Any data that enters a workflow for eventual external transmission should be encrypted. FTP servers typically do not encrypt files at rest.
- Strong user authentication. Since file transfer systems are targeted by cybercriminals as ideal command and control platforms, access must be strictly controlled. At a minimum, user authentication should be integrated with systems such as Active Directory. Ideally, all administrative access should require multi-factor authentication.
- The system should reside on hardened servers. Whether on-premises or in the cloud, the file transfer servers should be hardened systems. Cyber attacks often leverage recently uncovered system vulnerabilities. The hardening process removes many of the systems normally installed on a server but unnecessary to file transfer function, thus mitigating the risk of exploitation.
- Tamper-evident, centralized logging. All file transfer activities and access should ideally be logged in a central location. Attackers often overwrite (or tamper with) system logs to help cover their tracks. Tamper evident logs assure an accurate record of system access and file transfer activity.
How MOVEit by Ipswitch Enables Seamless, Secure File Transfer
Managed File Transfer (MFT) solutions have been gaining popularity thanks to their ability to enable secure file sharing. MFT tools help organizations (especially those who seek better protection for the exchange of data between their remote data centers, customers, service providers, and cloud applications) track and audit their file sharing, thus increasing accountability among users. One of the more popular MFT solutions available today is MOVEit, offered by Ipswitch.
“Ipswitch offers flexible deployment options for our MOVEit Managed File Transfer system ranging from on-premises, SaaS or public cloud from the Microsoft Azure marketplace,” said Conklin. “In the on-premises and Azure deployment models, while Ipswitch provides the tools to assure secure and compliant file transfers, the user is ultimately responsible for their implementation. Our MOVEit Cloud offering is a PCI and HIPAA certified compliant SaaS offering in which Ipswitch assures the physical security, system hardening and encryption in transit and at rest. MOVEit Cloud is the only certified PCI and HIPAA compliant Managed File Transfer SaaS offering on the market.”
With MOVEit, file transfers can happen between any number of users, whether they are within the same network, working as an outside client, or even located elsewhere in the world. Ipswitch encourages users to integrate their MOVEit implementations with their existing user authentication systems. “We also provide the option of requiring multi-factor authentication for access,” said Conklin. “When MOVEit is used to transfer a file, the data is encrypted and uploaded to a secure server. A notification is then sent to the recipient. The recipient needs to authenticate with the MOVEit system in order to download the file. Users can put time limits on how long the file remains uploaded before it is deleted. The system logs the download and validates the contents of the package have not been altered in transit.”
Practical Applications for MOVEit
MOVEit is applicable to all types of businesses in all industries, especially those that possess large secure file transfer volumes and also partake in sharing sensitive data externally.
Conklin cites healthcare providers and insurers as good examples of businesses who could benefit from MOVEit. “Whenever someone receives services from a hospital, a complex process of exchanges between the provider and potential payers (insurance companies, private entities, government agencies, etc.) ensues,” he mentioned. “Eligibility for coverage must be established and then a back and forth process of payment requests and remittances occurs. With the number of patients a typical provider sees on any given day, you can imagine the volume of ensuing transactions. The data transmitted is among the most valuable data on the black market. Healthcare data is worth considerably more than credit card data.”
“Healthcare data is also regulated in every industrialized nation,” Conklin continued. “Furthermore, the flow of payments from payers to providers is the lifeblood of the industry. And Revenue Cycle Optimization (assuring speedy medical billing and payment) is a mission-critical process for both parties. All of these processes flow through file transfer systems. Further, MOVEit stands out in the industry for ease of use and speed of new process creations. This helps IT teams minimize the cost of operation and gives them the ability to ‘on-board’ new payer or provider partners quickly.”
In the banking industry, meanwhile, Conklin said MOVEit plays a key role in an organization’s ability to upload their daily business records to online banking applications and accelerate the back-end processes that enable online banking portals and loan processing.
What Lies Ahead for File Transfer and Security
As the information economy grows, Conklin believes the need for better ways to safeguard data will also rise. “More organizations will engage in the transfer of data with other organizations as a course of business,” said Conklin. “This puts secure file transfer systems right at the heart of the solution for many industries.”
Conklin believes that data protection regulations will also continue to strengthen on a global basis. “While the political climate in the US has swung toward deregulation, this is not the case in the rest of the world.” According to Conklin, the European Union has enacted legislation that protects the data of any EU resident, no matter where the data is collected or processed anywhere in the world. This General Data Protection Regulation (GDPR) states that means if any company outside of the EU purposefully collects data from EU residents, they must comply with the provisions of the law.
“The provisions are ground-breaking and are based on the concept that your personal data belongs to you,” said Conklin. “This is an alien concept in the US where companies like Equifax may not face any financial penalty for having lost the data of over 145 million people.”
Organizations that routinely share data with external entities in the course of business should carefully consider the systems architectures they rely on for these processes. Secure Managed File Transfer systems offer a great solution for the future.
To learn more about how Ipswitch is helping IT teams manage an increasingly complex landscape, visit Ipswitch’s website.
About Ipswitch
Ipswitch provides downloadable IT management software designed specifically for the user – IT professionals. For over 25 years, Ipswitch has been delivering an outstanding value to today’s IT teams by providing powerful, easy-to-use tools for secure Managed File Transfer and unified IT monitoring for networks, servers, applications, virtual environments, cloud, and storage. Tens of thousands of IT teams around the world depend on Ipswitch products to assure successful, secure and reliable business processes and on-premises, cloud and hybrid IT infrastructures.