Securing your enterprise file transfers
Business critical data should be protected even when in transit
By André Bakken | Network World US | Published: 16:30, 30 August 2011
The typical enterprise transfers thousands of files per day, making it one of the essential business productivity tools.
There are, however, a number of file transfer security misconceptions floating around that give the technology a black eye. Here are the top five:
All that matters in file transfer is getting data from point A to point B
This is the most common misconception. File transfer tools are seen as a productivity necessity, and employees will often toss security to the wind to get the job done.
The truth is there's much more to take into consideration, for compliance, operations and overall security. For example:
Visibility: You can't secure what you can't see, and you can't be compliant if you have no idea who is sending which files where. Full visibility into files moving inside and outside of your network is a necessity for file transfer security and compliance, and it is just as important as (if not more important than) the file simply reaching its destination.
Setting and enforcing file controls and permissions: Some files are just too sensitive to sit in the intended recipient's inbox for weeks. Who knows who has access to that inbox?
Password-protected files are a step in the right direction, but they're not a silver bullet. It's important to be able to implement and enforce file security controls that extend beyond your network. For example, you can create a rule that makes a sensitive file automatically delete itself if it has not been opened within three days of being sent.
Moving large files: Files are getting bigger and, as a result, our bandwidth needs are increasing, but moving big files isn't as easy as you might think. Sure, there are free services out there that will do this, but do you really want to trust them with your corporate data?
For security and operations, it's important to have in-house solutions for moving big, sensitive files efficiently by automating recurring transfers and timing large transfers to take place during off-peak network hours. Don't forget that some of the biggest files moving on your network are likely moving between integrated enterprise applications.
Homegrown FTP and/or encrypted email is 'good enough'
You're probably telling yourself, "My homegrown FTP works just fine" or "We use encrypted email, so my business is secure." Think again.
First, homegrown FTP solutions are littered with inefficiencies, risks and limitations, and they can cost up to 10 times more than other technology solutions on the market. Scripts and disparate homegrown FTP solutions eventually become impossible to manage, and having numerous point applications and tools from several vendors poking holes in your firewall isn't an ideal scenario for file transfer security.
Second, encrypted email is great. It's a step in the right direction, but all it does is make it difficult for data in transit to be stolen. It doesn't give you the file transfer visibility, control or enforcement needed for compliance. And according to recent research, more than 75% of IT executives surveyed use email accounts to send classified files and information, including payroll, customer data and financial information, as attachments, and nearly 60% do so weekly. Encrypted email also carries all the limitations of traditional email (for example, no sending of files larger than 10MB).
For enterprises today, consolidation is key. We all want to be secure, work with fewer vendors and own less responsibility for the performance of technology that operates within our business. Homegrown technology solutions and half-baked security fixes may temporarily meet your needs, but as your business expands and your network becomes more diverse it makes sense to tap a single, managed solution for file transfer that ensures security and also gives you the benefit of one throat to choke.
My business doesn't transfer any sensitive 'big data'
Big data is anything that's too big to fit in a standalone email. Now, you personally might not transfer sensitive big data, but your company does, especially if it is using large integrated enterprise applications.
On average, 60-70% of files transferred within the enterprise today are large files transferred between enterprise applications through some form of middleware. And those transfers (typically large batch, flat or video files) are usually ungoverned and often contain sensitive information about your company, your employees and your customers. And interestingly enough, the middleware used today for large enterprise software systems was not designed to handle big data and constrains network resources.
When thinking about your network architecture, assume that sensitive big data is only going to get bigger, and evaluate effective, flexible file transfer solutions that can manage large, sensitive files more efficiently and more securely than legacy middleware solutions.
Employees only use work email to transfer work files
Employees will always take the path of least resistance. If that means circumventing security policies by using personal email to send a large payroll file, so be it. For most employees, security just isn't their top concern, and for a few there is a more malicious intent. A recent study showed that 40% of business professionals are sending sensitive or confidential information through personal email accounts to mask file transfer activity from management, a major security and compliance violation for companies.
Everyone feels that they have the right to check and use their personal email account throughout the business day. The truth is that personal email makes it easy for employees to walk out the door with your IP or sensitive client data, or inadvertently leak it to an untrusted third party. If you're looking to stop your employees from using personal email to send work-related documents, an important first step is providing a simple and secure alternative.
We have a file transfer policy and our employees follow it
As a security professional, you need to follow the age-old mantra of "trust but verify." Policies without enforcement are worthless, and it's dangerous to assume employees know and follow your file transfer policies, let alone partners and other outsiders who log into your network. Yet, according to a study at RSA, the majority of businesses are not enforcing file transfer policies. According to the study, nearly 55% of IT executives say their companies provide, but do not enforce, policies and tools around sharing sensitive information.
Enforcement is critical to information security. The first step is identifying what files you want to protect and implementing a framework that provides real-time, 24/7 visibility and active network monitoring, enforcement and alerting on suspicious file transfer activity.
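The article describes three controls without showing what they look like in practice: visibility into who sends which files where, a rule that flags a sensitive file nobody has opened within three days, and alerting on transfers that bypass policy (personal email, plain FTP, attachments over the email size limit). The following is an added example, not code from the article or from any vendor's product: a small policy evaluator run over a constructed transfer audit log. The corporate domain, the list of personal webmail domains, the filename patterns used to mark a file as sensitive and the log format itself are all assumptions made for the example; a real deployment would classify by content rather than filename and would read its events from the transfer platform's own audit trail.

```python
"""Policy checks over a constructed file-transfer audit log (example only)."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed corporate domain(s); anything else counts as external.
INTERNAL_DOMAINS = {"example-corp.com"}
# Assumed consumer webmail domains that policy forbids for work files.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Assumed filename patterns that mark a file as sensitive (payroll,
# customer and financial data, the categories the article names).
SENSITIVE_PATTERNS = [re.compile(p, re.I) for p in ("payroll", "customer", "financ", "salary")]
EMAIL_ATTACHMENT_LIMIT = 10 * 1024 * 1024  # the 10MB email limit mentioned in the article
UNOPENED_EXPIRY = timedelta(days=3)        # the three-day "delete if unopened" rule

@dataclass
class Transfer:
    transfer_id: str
    sender: str
    recipient: str
    channel: str            # "mft" (managed transfer), "email" or "ftp"
    filename: str
    size_bytes: int
    sent_at: datetime
    opened_at: Optional[datetime] = None

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def is_sensitive(filename: str) -> bool:
    return any(p.search(filename) for p in SENSITIVE_PATTERNS)

def evaluate(t: Transfer, now: datetime) -> List[str]:
    """Return the policy findings for one transfer; an empty list means compliant."""
    findings = []
    sender_dom, rcpt_dom = domain_of(t.sender), domain_of(t.recipient)
    sensitive = is_sensitive(t.filename)

    # Work files moving through a consumer webmail account, in either direction.
    if sender_dom in PERSONAL_MAIL_DOMAINS or rcpt_dom in PERSONAL_MAIL_DOMAINS:
        findings.append("personal-email")
    # Sensitive data leaving the company over anything but the managed channel.
    if sensitive and rcpt_dom not in INTERNAL_DOMAINS and t.channel != "mft":
        findings.append("sensitive-external-unmanaged")
    # Plain FTP carries credentials and content unencrypted.
    if sensitive and t.channel == "ftp":
        findings.append("sensitive-over-ftp")
    # Attachments above the email limit fail and push users toward workarounds.
    if t.channel == "email" and t.size_bytes > EMAIL_ATTACHMENT_LIMIT:
        findings.append("oversize-email")
    # Sensitive file sent but still unopened after the expiry window: revoke it.
    if sensitive and t.opened_at is None and now - t.sent_at > UNOPENED_EXPIRY:
        findings.append("expired-unopened")
    return findings

def audit(transfers: List[Transfer], now: datetime) -> dict:
    """Map transfer_id -> findings, omitting transfers with no findings."""
    report = {}
    for t in transfers:
        findings = evaluate(t, now)
        if findings:
            report[t.transfer_id] = findings
    return report

def _parse_ts(value: str) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def parse_log(text: str) -> List[Transfer]:
    """Parse the constructed CSV audit log into Transfer records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Transfer(r["transfer_id"], r["sender"], r["recipient"], r["channel"],
                 r["filename"], int(r["size_bytes"]),
                 _parse_ts(r["sent_at"]), _parse_ts(r["opened_at"]))
        for r in rows
    ]

# Constructed sample log: five transfers, dates chosen around the article's publication.
SAMPLE_LOG = """\
transfer_id,sender,recipient,channel,filename,size_bytes,sent_at,opened_at
T1,alice@example-corp.com,bob@example-corp.com,mft,q3_payroll.xlsx,2400000,2011-08-26T09:00:00Z,2011-08-26T10:12:00Z
T2,alice@example-corp.com,alice.home@gmail.com,email,customer_list.csv,800000,2011-08-29T17:45:00Z,
T3,ops@example-corp.com,partner@vendor.example,ftp,financials_fy11.pdf,5000000,2011-08-25T08:00:00Z,
T4,carol@example-corp.com,dan@example-corp.com,email,product_video.mp4,52000000,2011-08-30T11:00:00Z,
T5,erp@example-corp.com,bank@partner-bank.example,mft,payroll_batch.dat,120000000,2011-08-30T02:00:00Z,2011-08-30T02:05:00Z
"""
NOW = datetime(2011, 8, 30, 12, 0, tzinfo=timezone.utc)  # evaluation time for the sample

if __name__ == "__main__":
    for transfer_id, findings in audit(parse_log(SAMPLE_LOG), NOW).items():
        print(transfer_id, ", ".join(findings))
```

Run as written, the evaluator reports T2 (sensitive customer list sent to a personal Gmail address by email), T3 (financial file sent to a partner over plain FTP and still unopened five days later, so the expiry rule fires) and T4 (a 52MB attachment that email cannot carry), while the two managed transfers T1 and T5, including the payroll batch to the bank, pass. The point of the design is that each finding names a specific control the article argues for, so an alert maps directly to a remediation: route through the managed channel, revoke the expired file, or retire the personal-email path by offering a sanctioned alternative.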
This vendor-written tech primer has been edited to eliminate product promotion, but readers should note it will likely favour the submitter's approach.