FTP Security Exposures: Where We Are Today

FTP was designed 40 years ago as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. In the 1970s, if you wanted to secure a server from unwanted access, you simply locked the computer room door. User access to data was controlled by the basic User ID and password scenario. The Internet did not yet exist and the personal computer revolution was still a decade away.

Today, the security of business file transfers is of paramount importance. The exchange of business records between computing systems, between enterprises, and even across international borders has become critical to the global economy.

Yet the original native FTP facility of TCP/IP wasn't designed for the requirements of the modern, globally connected enterprise. FTP's basic security mechanisms - the User ID and password - were long ago rendered outdated by advances in network sleuthing technologies, hackers, malware, and the proliferation of millions of network-attached users.

So what are the security issues facing us in the use of FTP today?

Regulatory Compliance - Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), State Privacy Laws, the Food and Drug Administration (FDA) 21 CFR Part 11, and Sarbanes-Oxley (SOX) place significant requirements on companies regarding the exchange of data.

For instance:

  • PCI requires that any credit card numbers are encrypted while "at rest" or "in motion".  Failure to do so can result in severe fines and potential loss of your merchant account.
  • HIPAA requires that companies demonstrate that only the intended information is shared or exchanged.
  • The FDA requires that administrative controls are in place when electronic systems and records are used in place of paper or manual systems.
  • Sarbanes-Oxley requires that business processes - which include automated file transfers - are auditable.
  • State Privacy Laws require that customers are notified if their personal information may have been lost or stolen.  Some states can assess large fines against organizations if this data is not protected properly.

Typical implementations of FTP don't meet the requirements of compliance regulations such as these. Business processes that use plain FTP as a means of transferring data are suspect and should be revisited, reexamined, and re-engineered.

 

Auditing - Conventional FTP does not natively maintain a record of file transfers. Business processes that rely on FTP to exchange information are simply not auditable using this basic facility.  For instance, how do you know what files are being transmitted?  Who are the files being transferred to?

PC FTP Applications - Too many organizations have moved the functionality of business-to-business file exchanges to personal computers. But moving data to PCs for FTP functions can leave sensitive files vulnerable on those machines.

Building safeguards to ensure that no data is left in the open on a PC is a costly and error-prone process. Yet unless IT implements specific security steps, it's difficult to ensure that data sent through a personal computer has been adequately scrubbed from its hard disk after the transfer.

IT needs to know how and when vital company information is leaving the main system, and how it is being used or transferred to other systems.

Script File Exposure - The use of FTP scripts or batch files leaves User IDs and passwords in the open, where they can easily be hacked.

Script files can not only expose your data to misuse, but also expose your business partner's system to attacks.

IT should avoid the use of embedded scripts except for the most generic of file transfers where User IDs and passwords are not required.
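To find where this exposure already exists, an audit can search script and batch files for embedded FTP logins. The sketch below is an added example, not part of the original article; the rule names, function names and sample script are constructed for illustration, and the patterns are heuristics rather than a complete list.

```python
import re

# Heuristic rules for secrets commonly embedded in FTP automation (not exhaustive).
# Each regex captures the secret in group 1 so it can be masked in the report.
RULES = [
    ("url-credentials", re.compile(r"\bftps?://[^\s:/@]+:([^\s@]+)@", re.I)),
    ("netrc-password", re.compile(r"\bpassword\s+(\S+)", re.I)),
    ("user-command", re.compile(r"^\s*(?:quote\s+)?user\s+\S+\s+(\S+)\s*$", re.I)),
    ("pass-command", re.compile(r"^\s*quote\s+pass\s+(\S+)", re.I)),
]
OPEN_CMD = re.compile(r"^\s*open\s+\S+", re.I)

def one_token(line):
    return len(line.split()) == 1

def find_ftp_credentials(text):
    """Return (line_no, rule, masked_line) for each suspected embedded secret."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                masked = line[:m.start(1)] + "****" + line[m.end(1):]
                findings.append((i + 1, rule, masked))
                break
        else:
            # Scripts fed to a command-line client often answer the login prompts
            # positionally: "open host", then a bare User ID, then a bare password.
            if (i >= 2 and OPEN_CMD.match(lines[i - 2])
                    and one_token(lines[i - 1]) and one_token(line)):
                findings.append((i + 1, "positional-password", "****"))
    return findings

# Constructed sample: several script styles concatenated, all values invented.
SAMPLE = """\
open ftp.partner.example
alice
Summer2024!
put invoices.csv
bye
machine ftp.partner.example login bob password hunter2
ftp -n <<EOF
open ftp.partner.example
user carol Tr0ub4dor
binary
EOF
curl -T out.csv ftp://dave:pw123@ftp.partner.example/in/
"""

if __name__ == "__main__":
    for line_no, rule, masked in find_ftp_credentials(SAMPLE):
        print(f"line {line_no}: {rule}: {masked}")
```

The report masks each captured value so that the audit output does not become another place where the passwords sit in the open.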

File Encryption Processes - Native FTP does not encrypt data. Consequently, files are often transferred as "clear text", leaving them open to hacking.

Where file-level encryption is used, too often it requires a two-step process: first encrypt the data, then send it. Furthermore, the keys or passwords used to encrypt and decrypt these files are often not secured and managed properly.

IT has a responsibility to bring FTP use under control within the organization.  But getting there isn't an easy task.

Over the next few articles, I will be identifying the best means and IT strategies for achieving control of FTP transfers.