Secure File Transfer Protects Data In Motion
According to industry research firm IDC, between 2006 and 2010 the information added annually to the digital universe will increase more than sixfold. The impact of digital data is felt everywhere as file sizes grow larger, richer media is used and the quantity of files explodes. Data leakage and non-compliance liability are major and growing concerns. The issue of how to securely transfer large files is key to solving these problems, reaffirming the need for companies to implement an enterprise secure file transfer solution.
Virtually all businesses today have work processes that dictate the need to share critical business information with people outside as well as inside the organization. The information may be highly confidential intellectual property, patient health records, sensitive customer data or financial information. This presents a challenge:
How do you transfer data from one person or company to another in a secure, auditable, reliable, compliant and easy to use manner?
I find it troublesome that though the problem is pervasive across all industries, very few companies are doing anything about it. This means that the average corporation keeps risking the privacy and security of its own as well as its customers’ digital assets through unsecure large file transfer.
Unsecure file transfer methods put data at risk
Email attachments are currently the preferred method for workers to send and receive digital data. Email is ubiquitous, easy to use, and relatively fast. However, email attachments have become so common as a file transfer method that IT administrators have had to tighten email policies to avoid bandwidth bottlenecks and reduce storage costs. In fact, Microsoft Exchange best practices recommend that individual users have a file size limitation of a meager 10 or 20 megabytes.
The policies put in place to conserve email resources often do more harm than good as they push employees to look for alternative ways of sending large files; typically they turn to non-compliant and unsecure workarounds. For example, many users forward their email to a Web-based mail service such as AOL, Google, MSN, or Yahoo to avoid small attachment size limits or overfull mailboxes. The problem with this approach is that the email messages as well as the attachments are sent unencrypted through public servers which could potentially be accessed by unauthorized parties. FTP is another common workaround. Not only is it unsecure, it is complicated and difficult for the average person to use and the setup often requires IT intervention. (SFTP is more secure but even more difficult to set up as decryption software needs to be installed on the recipient’s computer.) A final time-consuming and expensive file transfer workaround frequently used is putting unencrypted information on CD-ROMs or “thumb drives” and sending them via courier or FedEx.
These common file transfer processes are risky, normally non-auditable and non-compliant with legislative mandates, including SOX, that dictate appropriate information handling procedures. Yet they keep being used. Why is this? Because they are usually the only readily available options people have to send large files and get their work done. If companies want to decrease their data leakage and reduce the risk of regulatory breaches, now is the time to implement secure file transfer solutions that end users will embrace!
IT has a responsibility to act
A recent Osterman Research survey revealed that a majority of businesses are concerned that they are not doing enough to a) secure their private data when it is “in motion” and b) meet the compliance requirements of government or industry regulations. This is especially true for businesses that are under government mandate to manage the control of all data.
Protecting data is usually accomplished by observing how and when the data is at risk, and finding appropriate methods to mitigate those risks. Mandates such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others provide guidelines on what companies can or must do with the information they handle. Given that we are talking about digital data, the responsibility to secure it falls on IT. It is incumbent on the IT department to take the above guidelines and implement appropriate business and technology measures to ensure compliance with legislative mandates as well as corporate policies.
In the case of a secure file transfer solution, the IT department needs to provide workers with the file transfer technology that addresses security and compliance needs without putting an unreasonable burden on normal work processes and the ways people prefer to work.
To help companies avoid many of the pitfalls related to the transfer of large files, I felt compelled to draw upon my company’s experience in solving these types of issues and share the following tips with organizations concerned about preventing data leakage at the file transfer source:
1. Pick a business level solution. There is a difference between corporate and consumer file transfer offerings, just as there is a difference between a confidential business plan and a photo you want to send to Grandma. In a moment, I’ll outline the features to look for in an enterprise secure file transfer solution.
2. Avoid IT overload. Select a solution that easily integrates into your existing IT environment and requires minimal IT administration. Knowing today’s IT workload, I recommend an “install and forget it” application solution – one that employees as well as outside guests can use with little or no training and support from IT. Installation, account creation and ongoing maintenance should require little time from the IT department.
3. Make it easy. Look for a solution that employees will readily embrace because it is easy for them to use. It is best if large file transfer is integrated directly into email applications or standard Web interfaces, but without suffering from email size limitations. If a solution is not easy to use, workers will find alternative means – often with glaring security loopholes – for sending their files.
4. Be compliant. Choose a solution that allows for complete auditing and tracking of information entering or leaving the organization.
5. Secure your data. Accept no less than business-level security. Automatic encryption of files and authentication checkpoints that validate recipients provide added levels of security to show that confidential information has not been shared and exposed.
Solutions built for the enterprise
In the absence of an IT-provided enterprise file transfer solution, savvy end users sometimes turn to consumer-oriented file transfer utilities such as Pando or SendThisFile. After all, these tools work well at home when sending a collection of photographs or a homemade video to friends, and the cost is minimal, if not free. Peek under the covers, though, and you’ll learn the frightening reasons why consumer-grade file transfer is completely unsuitable for the enterprise.
Consumer file transfer products based on peer-to-peer technology parse a large file and send it through a network of unknown home computers. The data will not be encrypted as it makes its way across the Internet, leaving it exposed. There’s no way to authenticate who receives the file, and there’s no audit trail to know where it has been. Those are the issues with consumer-grade file transfer utilities. They simply must not be used for business and enterprise-level files.
Fortunately, there are several very good enterprise solutions that simultaneously address the need for ease of use for end users, ease of administration for IT, as well as security and compliance for the whole company. As you evaluate and select your secure file transfer solution, look for the following features and capabilities:
End-to-end file security. Files are encrypted, uploaded, stored, and downloaded through secure links. Recipients are authenticated, ensuring only the intended recipients can access the file. Files can be scanned for viruses on upload/download.
File lifecycle management. Workers and/or administrators can manage the lifecycle of a file. That is, they can control how long it is available for download or retrieval by the intended recipient. Files that exceed that threshold are automatically deleted, saving storage costs and administration time.
Directory services authentication. The file transfer solution uses enterprise directory systems such as Microsoft Active Directory and LDAP for user authentication and to minimize setup efforts.
File transfer auditing and tracking. The system provides auditable records and reports detailing when recipients download the files sent to them. The reports can provide details according to individual sender, recipient(s), file name, time and date.
Automated download receipt. When a recipient downloads the file, a return receipt can be generated to the sender as well as to a log file. The file recipient is not in control of the return receipt and cannot turn it off.
Integration with the enterprise email system. A superior enterprise file transfer solution operates in parallel with the enterprise email system as a plug-in, so that users can transfer files easily from within the email client. The files themselves are not sent via the email system, so they do not overload it.
Integration with enterprise storage policies and infrastructure. Administrators can centrally manage the lifecycle of files per corporate retention policies. Multiple copies are identified and removed based on set demand levels or after a period of time and can be archived to long-term storage over time.
Easy access for guest users. Outside “guest” users can be given credentials that allow them to use the same system to send files to registered “inside” domains. Files generated by guest users are secured in the same fashion as files sent from inside the organization.
Checkpoint/restart capabilities. Complete and secure delivery of the information is automatically ensured, even in the event of a disruption during transmission.
File integrity. Data integrity is automatically maintained, including confirmation that precisely what was sent is precisely what was received.
Business process automation. For file transfers that are an integral part of a business process, the activity can be automated so that no human intervention is required, including scheduling file transfers on a regular basis from server to server or from an individual email address to another individual email address.
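The checkpoint/restart and file integrity items in the list above can be illustrated with a small resumable transfer in Python. This is an added example, not code from the article or from any vendor's product; the names `build_manifest`, `Receiver` and `send` are hypothetical, and it assumes the digest manifest reaches the recipient over an authenticated channel.

```python
import hashlib
import hmac

def build_manifest(data: bytes, chunk_size: int) -> dict:
    """Sender: record a SHA-256 digest per chunk and for the whole file."""
    parts = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return {"chunk_size": chunk_size,
            "chunks": [hashlib.sha256(p).hexdigest() for p in parts],
            "sha256": hashlib.sha256(data).hexdigest()}

class Receiver:
    """Receiver: keeps verified chunks; `received` is the checkpoint."""
    def __init__(self, manifest: dict):
        # Hypothetical design; assumes the manifest came over an authenticated channel.
        self.manifest = manifest
        self.received = {}

    def resume_point(self):
        """Index of the first chunk still missing, or None when complete."""
        for i in range(len(self.manifest["chunks"])):
            if i not in self.received:
                return i
        return None

    def accept(self, index: int, chunk: bytes) -> bool:
        """Keep a chunk only if its digest matches the manifest entry."""
        digest = hashlib.sha256(chunk).hexdigest()
        if not hmac.compare_digest(digest, self.manifest["chunks"][index]):
            return False  # damaged in transit; the sender must resend it
        self.received[index] = chunk
        return True

    def finalize(self) -> bytes:
        """Reassemble and confirm the file is exactly what was sent."""
        if self.resume_point() is not None:
            raise ValueError("transfer incomplete")
        data = b"".join(self.received[i] for i in sorted(self.received))
        whole = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(whole, self.manifest["sha256"]):
            raise ValueError("integrity check failed")
        return data

def send(data: bytes, rx: Receiver, drop_after=None) -> int:
    """Send from the receiver's checkpoint; drop_after simulates a disruption."""
    size, sent = rx.manifest["chunk_size"], 0
    while (i := rx.resume_point()) is not None:
        if sent == drop_after or not rx.accept(i, data[i * size:(i + 1) * size]):
            break  # simulated disruption, or a chunk was rejected
        sent += 1
    return sent
```

After an interrupted attempt, calling `send` again continues from the first missing chunk, and `finalize` refuses to release a file that is incomplete or whose overall digest differs from the sender's.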
Secure file transfer is increasingly becoming a requirement for enterprises and knowledge workers. The IT department has a responsibility to provide a solution that simply and easily meets workers’ needs while providing maximum security for corporate and customers’ assets. By implementing an optimal enterprise secure file transfer solution, compliance with government and industry regulations can be achieved with ease of use and minimal IT support.
Yorgen Edholm is President and CEO of Accellion, a pioneer and leading provider of secure file transfer and collaboration solutions. A Silicon Valley veteran, Yorgen has more than 25 years of Enterprise Software expertise. Yorgen co-founded Brio Technology and during 12 years as CEO, took the company public and grew it to $150 million in revenues with over 700 employees and a customer base of over 5,000 organizations. He can be reached at firstname.lastname@example.org