By Oded Valin
January 5, 2012 10:15 AM EST
Over the past year we celebrated the 40th anniversary of File Transfer Protocol (FTP) and witnessed multiple vulnerabilities exploited at the aging technology's expense. For example, there was the incident at Yale University in which the names and Social Security numbers of approximately 43,000 faculty, staff, students and alumni stored on an FTP server were made publicly available via an Internet search engine for about 10 months. Then there were reports of an unnamed police department that fell victim to a hacker who used FTP and telnet commands to gain access to a cruiser's digital video recorder (DVR), which was used to record and stream audio and video captured from gear mounted on the vehicle's dashboard. The hacker was able to control the hard drive of the DVR, enabling him to upload, download and delete videos that are often used as court evidence.
How do universities, law enforcement agencies and other organizations such as health care and financial services providers that must share sensitive information with third parties protect themselves? First, they must understand the shortcomings of traditional technologies that may unknowingly be putting them at risk.

Let's focus on FTP, which was created in 1971 as a simple way to move files from one device to another. However, because the early engineers who created FTP did not have access to the computer power and software needed for solid encryption, the 40-year-old protocol continues to be a serious weakness for the security of connected machines. Because it's so outdated, organizations that utilize FTP are putting sensitive data in potential jeopardy. A shortcoming of traditional FTP and even encrypted FTP sessions is that once the data has finished moving (at which point it is referred to as "data at rest"), it sits on the FTP or SFTP server in plain text. As the FTP or SFTP server is commonly connected to the Internet to allow business partners access to it, the data is at risk of being retrieved and shared. FTP passwords can also be susceptible to attack when sent in clear text, as any network sniffer can capture them. Moreover, FTP technology can slow down business processes, as an organization's IT team often needs to modify FTP scripts in order to support a new business initiative or bring on a new business partner that needs to exchange sensitive information with the system. Furthermore, knowing whether files were transferred correctly and on time is very difficult with transfer methods such as FTP.
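To make the clear-text password risk described above concrete, the following added example (not part of the original article) audits a captured FTP control-channel transcript and reports which logins exposed a password to the network, including the case where a client asks for TLS, is refused, and falls back to a clear-text login. The transcript, the `C:`/`S:` line format, and the host and account names are constructed for this example.

```python
# Constructed capture of three FTP control connections (TCP port 21) as a
# passive sniffer would record them; "---" separates connections. The C:/S:
# prefixes, host and account names are assumptions made for this example.
CAPTURE = """\
S: 220 files.example.test FTP ready
C: USER partner01
S: 331 Password required
C: PASS constructed-secret-1
S: 230 Login successful
---
S: 220 files.example.test FTP ready
C: AUTH TLS
S: 234 Proceed with negotiation
---
S: 220 files.example.test FTP ready
C: AUTH TLS
S: 502 Command not implemented
C: USER partner02
S: 331 Password required
C: PASS constructed-secret-2
S: 230 Login successful
"""

def audit_session(lines):
    """Summarise one control connection without ever storing the password."""
    finding = {"user": None, "password_exposed": False,
               "tls_requested": False, "tls_accepted": False}
    awaiting_auth_reply = False
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                finding["tls_requested"] = awaiting_auth_reply = True
            elif verb == "USER":
                finding["user"] = arg
            elif verb == "PASS":
                # A readable PASS line means the secret crossed the wire in clear text.
                finding["password_exposed"] = True
        elif side == "S" and awaiting_auth_reply:
            # 234 = server accepted AUTH; everything after it is inside TLS.
            finding["tls_accepted"] = text.startswith("234")
            awaiting_auth_reply = False
    return finding

def audit_capture(capture):
    sessions = [part.strip().splitlines() for part in capture.split("---")]
    return [audit_session(s) for s in sessions if s]

if __name__ == "__main__":
    for f in audit_capture(CAPTURE):
        print(f)
```

The third connection is the one worth alerting on: the client tried to protect the login, the server refused, and the password was sent in the clear anyway.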
Today, there must be another, more secure and efficient means of transferring sensitive information. But is the cloud really an option, especially when maintaining security and compliance requirements, and remaining accountable to third parties are top priorities?
Ensuring a Safe and Secure Trip to the Cloud
Perhaps surprising to some, for organizations seeking a cost-effective solution for exchanging sensitive files that can be deployed quickly and with minimal training, it may indeed be time to consider cloud-based alternatives. For those interested in starting a successful cloud-based governed file transfer project, either starting from scratch or migrating from an existing enterprise program, here are important considerations.
First, when determining where to start, it's important to identify existing painful and costly processes that would recognize the biggest benefits from a more modern file transfer approach. On the other hand, starting a file transfer program from scratch requires significant IT and administrative investments ranging from setting up the firewall and VPN to engaging with a courier service to handle files that are too large to be transferred electronically. The elasticity of the cloud enables greater flexibility and scalability and significantly decreases the amount of time and resources required to establish a reliable program. Utilizing a cloud-based model, organizations can become fully operational within days or weeks versus months, while reducing the drag on IT resources. Once you've decided to take the journey to the cloud, it's important to take the following steps:
- Define Initial Community: Who are the users - internal? external? When exchanging files with third-party partners, particularly business users, it's important to provide a file transfer solution that works the way they work. With the popularity of the "Bring Your Own Device" trend, user communities are increasingly relying on tablets and other mobile, browser-based tools to conduct business. Therefore, the file transfer process and solution's user-interface must reflect the community's skill sets and computing preferences. The ease of deployment and the level of customization made possible in cloud-based environments encourage adoption and effective use of file transfer solutions.
- Determine File Transfer Type: Do you need something scalable or ad-hoc? How important is automation? Compared to a manual file transfer process, a cloud computing environment can support centralized administration for any file type while also providing the benefits of greater storage, accommodation for large file transfers and schedule-based processes, all without negatively impacting server or network performance.
- Integrate with Existing Systems: Many organizations believe that file transfer systems are standalone platforms that can't be integrated with existing systems, like finance and accounting, for example. Utilizing a flexible cloud-based solution with open APIs and out-of-the-box file transfer engines and plug-ins not only assists with secure integration with current databases and applications, but it can also be deployed very quickly with the flexibility to support the adoption of a hybrid cloud/on-premise model, should the organization decide that scenario works best for its business.
- Define Workflows: Examine how business, operations and security are interrelated. What regulations and transparency requirements need to be considered? How are they different in the cloud? Ensure segregation of duties between the operations and the content, and between the content owners themselves. Organizations seeking to adopt a cloud-based file transfer solution must make sure the service provider can support their user-defined workflows. It's also important to ensure your cloud vendor goes "beyond the basics." Specifically, many file sharing services allow organizations to share data and information simply from Point A to Point B. But if you need additional functionality, such as automatically converting a file to a .pdf and adding a watermark for additional security, managing audit permissions, scanning the file for viruses and other advanced features, an enterprise-class cloud solution is necessary.
Finally, organizations must take steps to ensure that file download activity is monitored, file exchanges are validated, transfers are smooth, and files are checked by anti-virus and Data Loss Prevention tools. Organizations must be able to verify when files arrived and know who opened them. These actions are absolutely supported in a cloud environment, and are overall secure file transfer best practices. In order to assess the overall effectiveness of moving to a cloud-based solution, it's important to ask questions about the impact on ongoing operations such as: Is it quick and easy to add new partners or set up new file transfer processes? How reliable is the service in terms of high availability, disaster recovery and automatic recovery of file transfer processes?
Cloud-Based Sensitive File Sharing in Action
To demonstrate the benefits of new cloud-based models, consider the case of the health care division of a global information company that turned to a cloud-based file transfer solution to address a critical business and compliance need: quickly deploy a solution to support ad-hoc external file sharing. This division routinely receives insurance plans and personal health information (PHI), including electronic health records (EHR), which it needs to review before sending back to the provider. While the division had a means for automated "bulk" transfers, secure ad-hoc transmission of sensitive information was a challenge.
By offering secure file transfer capabilities in a protected cloud-based environment and alleviating pressures on the IT department, the organization was able to meet a critical business deadline. The division retains complete control over its data for both security and audit purposes and further benefits from a branded web-based portal that makes it very easy to add and monitor users with minimal training.
To conclude, given the traditional reliance on antiquated technologies and unreliable processes, it's absolutely time for organizations to consider adopting cloud-based alternatives for sensitive file sharing activities. Moving beyond the well-established cost and resource benefits of the cloud, for those organizations with complex requirements or special file transfer needs, the flexibility and security that are possible in the cloud will ensure that high quality standards are continuously met.
Oded Valin is a Product Line Manager at Cyber-Ark Software (www.cyber-ark.com). Drawing on his 15 years of high-tech experience, Valin's responsibilities include leading definition and delivery of Cyber-Ark’s Sensitive Information Management product line, product positioning and overall product roadmap.
















