Beyond FTP White Paper
Beyond FTP White Paper
Beyond FTP White Paper
Few managers realize the security and management risks that have blossomed in their
This paper examines how FTP has become the organization with standard for business-to-business file transfers. It the prevalent identifies the key pitfalls that face management using this open protocol. Finally, it demonstrates use of FTP. how IT can begin the process of bringing the implementations of FTP into a more modern, secure framework. This new framework can increase user productivity and enhance IT manageability, while decreasing security exposures and adhering to growing compliance requirements.
www.GoAnywhereMFT.com
Some file
transfer scripts
are so
deeply embedded
in applications that IT is only vaguely aware of their detailed functions.
User Interaction
Many organizations allow their employees to perform file transfers directly from their desktops using PC-based tools. However, these tools require manual intervention and are error-prone (e.g. the user may accidently choose the wrong files to send). Some file transfers may rely on more detailed steps to interact with a distant server, requiring knowledge of the underlying protocols and formats to utilize. As these transfers become repetitive or mission-critical, IT is often called upon to help automate those processes within their business applications. As a tactic to simplify file transfers, FTP has a built-in ability to accept scripts (sometimes referred to as batch files) that essentially send keystrokes to the FTP client program. This scripting function mimics the commands that would be hand-typed into the terminal interface, allowing for automation of FTP transfers.
1
Typically the skills of a programmer are needed to help build any required FTP scripts. These scripts often will contain commands to login to the server, get files, put files, remove files, log out, etc. But FTP scripts have their own severe limitations: Scripts have no logic-branching capability, so they cant be programmed to make real-time decisions based upon a servers response. Scripts cant accept prompted user input to guide the process of sending files. Scripts have no inherent means of notifying the user or application when an error has aborted the transfer. So while FTP scripts circumvent the pitfalls of the manual FTP tools, their usefulness can be limited.
Configuration Changes
When the settings (e.g. host names, IP addresses, folder names) for FTP servers change, IT often has to devote resources to reconfigure FTP clients or maintain embedded scripts. The same problem exists when User ID credentials and passwords change, or when new business partners are added. If the underpinnings of FTP transactions are decentralized, IT personnel may have to go to mutliple locations to make these changes.
if FTP
Legacy Support
How many times has your programming team discovered a FTP script inside a custom program or procedure? The person who wrote the application is long gone, but now the code must be maintained because the transfer of data to or from the business partner is crucial. Specialized legacy implementations of FTP are ticking time bombs. They hamper the ability of IT to quickly respond to changes in the business model, and they leave important user credentials and passwords in an insecure state.
transactions are embedded or decentralized, IT personnel are often scrambling to make any
Migration to PC Issues
Any decision to distribute corporate FTP functions away from the central server and out to PCs should be carefully considered. Decentralizing FTP will often introduce serious inefficiencies and increased personnel costs. Lag times and errors will also likely increase as more steps and devices need to be utilized in the chain to get the files in the right format and places at the right times. However, when it comes to management problems, FTPs security exposure is the greatest danger facing the organization.
needed changes
do not meet
the requirements of todays compliance regulations.
Regulatory Compliance
Regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), State Privacy Laws, the Food and Drug Administration (FDA) 21 CFR Part 11, and Sarbanes-Oxley (SOX) place significant requirements on companies regarding the exchange of data. For instance: PCI requires that all credit card numbers be encrypted while at rest or in motion. Failure to do so can result in severe fines and potential loss of your merchant account. HIPAA requires that companies demonstrate that only the intended information is shared or exchanged. The FDA requires that administrative controls are in place when electronic systems and records are used in place of paper or manual systems. Sarbanes-Oxley requires that business processes which include automated file transfers are auditable. State Privacy Laws require that customers are notified if their personal information may have been lost or stolen. Some states can assess large fines against organizations if this data is not protected properly. Typical implementations of FTP dont meet the requirements of compliance regulations such as these.
Auditing
Conventional FTP does not natively maintain a record of file transfers. Business processes that rely on FTP to exchange information are simply not auditable using this basic facility. For instance, how do you know what files are being transmitted? Who are the files being transferred to?
PC FTP Applications
Too many organizations have moved the functionality of business-to-business file exchanges to personal computers. But moving data to PCs for these FTP functions can leave sensitive files vulnerable on those machines. Building safeguards to ensure that no data is left in the open on a PC is a costly and error-prone process. Yet, unless IT implements specific security steps its difficult to ensure that data sent through a personal computer has been adequately scrubbed from its hard-disk after the transfer. IT needs to know how and when vital company information is leaving the main system, and how it is being used or transferred to other systems.
Business processes that use plain FTP for transferring data should be closely examined.
Research
The first step is to examine how FTP is being used in your organization. What kinds of data is being sent or retrieved over FTP? Where do the FTP client applications currently reside? What are the reasons for distributing FTP functions (if any) to personal computers or departmental servers? Where are FTP scripts being used? The answers to these and other questions will help you understand the breadth of the security and management problems facing your organization with FTP.
The next step is to identify how the organization needs to manage and secure file transfers. What are the data exchange requirements of your organization and your trading partners (e.g. customers, vendors, banks)? What are the pertinent compliance regulations that must be met? What are the requirements for encryption and authentication? What are the realistic expectations from users who are responsible for the day-to-day transfers of data? How can IT implement a solution that performs file transfers in a manageable and secure manner? There are a number of common elements in a successful solution.
The best solution for securing and controlling file transfers is to manage those functions from a centralized system.
If IT has applications such as these, they should utilize a centralized approach to access encryption and FTP functions through a controlled framework. This strategy will enable the control of server and user credentials, organize configurations, and permit the implementation of other management capabilities such as compliance logging for auditing.
FTP functions
Deploy Encryption
One of the best solutions for protecting your FTP transmissions is to upgrade to Secure FTP encryption technology. The two popular Secure FTP protocols are named SFTP (meaning FTP over SSH) and FTPS (meaning FTP over SSL). Both SFTP and FTPS will create encrypted tunnels between your system and your trading partners. In essence, anything that flows over those tunnels will be protected, including any user ids, passwords, commands, as well as any data that is transmitted.
One of the main differences between SFTP and FTPS is the way authentication is performed. With SFTP, clients can be authenticated with just a password or a Private Key. With FTPS, clients and servers can be authenticated with certificates, which are either self-signed (by your organization) or signed by a Certificate Authority (e.g. Verisign). Choosing the right type of Secure FTP protocol to use will depend on your trading partners capabilities and authentication requirements. You should not leave it up to your users to decide which secure protocol or methodology works best. This can create a hodgepodge of approaches, none of which may meet your overall security and authentication policies. This is an area where ITs expertise is required to ensure that the right form of encryption is utilized, that authentication mechanisms are properly implemented and that regulatory requirements have been met.
IT must bring
But the past, ad hoc implementation of FTP tools throughout the enterprise, the past attempts to automate its functions, and the inherently weak security of its basic design has left IT with an infrastructure that does not meet the requirements of manageability or security. In most cases, the standard use of FTP by organizations is a security hazard waiting to become a corporate catastrophe. IT must bring FTP into compliance, must secure the file transfer processes, and must reengineer how the facility is used and controlled within the organization. The best solution brings FTP into a managed environment that controls and centralizes access, provides inherent encryption technology, and streamlines the entire process. With the right solution in hand designed with centralized control in mind IT can continue to automate the business-to-business exchange of crucial data, meet the requirements of compliance, and satisfy the need of its user base for flexibility and ease-of-use.