FTP Best Practices

In my previous posts I've tried to identify why FTP - as used by many organizations today - is such a security issue.  The protocol is old, and the implementations of security normally used don't stand up in B2B transactions.

In this post I'm going to talk about the ideal FTP implementation for a small to medium-sized organization where FTP is used to communicate information between business partners.


Deploy a System-wide, Comprehensive, and Configurable Methodology for File Transfers

In the past, IT had no system-wide approach to file exchange: FTP alone was considered enough to get the job done.

But today, as business-to-business transfers proliferate, it’s time for IT to deploy a strategy that meets the overall requirements of security, flexibility, and ease-of-use.

Here are some basic guidelines that can help IT devise this strategy.

Read more...


How to Begin a Search for Secure File Transfers

The manner by which businesses are using FTP needs to be reexamined and strengthened. But how should IT begin?

The first step is to examine how FTP is being used in your organization.

  • What kinds of sensitive data are being sent or retrieved over FTP?
  • Where do the FTP client applications currently reside?
  • What are the reasons for distributing FTP functions (if any) to personal computers or departmental servers?
  • Where are FTP scripts being used on personal computers and departmental servers?
  • Which business applications have embedded FTP functions or scripts?
These are the basic questions that must be answered, and they will require a thorough investigation by IT.  It's almost impossible to develop a comprehensive security policy for the use of FTP without this investigation.  And, since every personal computer in the organization has FTP capability -- and indeed many generic PC applications have embedded FTP functionality (including browser applications, some spreadsheet applications, etc.) -- the examination of how FTP is actually used is bound to create some heat for IT.

Nonetheless, the answers to these and other investigative questions will help you understand the breadth of the security and management problems facing your organization with FTP.

So what are the next steps?

Read more...


What Users Don't Understand About FTP Security

In a previous post I noted that the original FTP specification devised over 40 years ago is inherently insecure.  Why?  Because the transmission stream itself is exposed (in the clear).

This means that the conversation between the FTP client and the FTP server has no protection at all. The User IDs, passwords and the data itself can be easily intercepted (or modified) by anyone listening on a router or other device in the path of the transmission.  It's akin to doing all your banking in the street: any sleuth can see your transactions with just a little bit of effort.

Obviously, the solution is to upgrade your FTP transmissions to use some form of "Secure FTP" encryption technology.  But which one?

Read more...


FTP Security Exposures: Where We Are Today

FTP was designed 40 years ago as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. In the 1970s, if you wanted to secure a server from unwanted access, you simply locked the computer room door. User access to data was controlled by the basic User ID and password scenario. The Internet did not yet exist and the personal computer revolution was still a decade away.

Today, the security of business file transfers is of paramount importance. The exchange of business records between computing systems, between enterprises, and even across international borders has become critical to the global economy.

Yet the original native FTP facility of TCP/IP wasn't designed for the requirements of the modern, globally connected enterprise. FTP's basic security mechanism -- the User ID and password -- was long ago rendered obsolete by advances in network sleuthing technologies, hackers, malware, and the proliferation of millions of network-attached users.

So what are the security issues facing us in the use of FTP today?

Read more...


Compliance White Paper Focuses on IT Resiliency

An important new white paper on IT compliance issues has been released by Business Continuity Today.

Entitled "Compliance and the New Reality of IT Resiliency", the white paper -- presented as a chapter in BCT's continuing series on the topic of business continuity -- discusses the requirements for developing an organization-wide strategy for dealing with issues of compliance.

A preview of the table of contents is available here

Says author Thomas M. Stockwell: "Satisfying the requirements of so many compliance regulations and standards isn't a single problem.  You can't buy a piece of software or hardware to satisfy Sarbanes-Oxley or any other regulation.  And IT can't wrestle this problem to the ground alone.  It takes awareness by management officials, study and recommendations by disinterested and knowledgeable parties, and coordination with auditors and managers to bring the organization into compliance."

Read more...
