How to Begin a Search for Secure File Transfers

The way businesses use FTP needs to be reexamined and strengthened. But how should IT begin?

The first step is to examine how FTP is being used in your organization.

  • What kinds of sensitive data are being sent or retrieved over FTP?
  • Where do the FTP client applications currently reside?
  • What are the reasons for distributing FTP functions (if any) to personal computers or departmental servers?
  • Where are FTP scripts being used on personal computers and departmental servers?
  • Which business applications have embedded FTP functions or scripts?

These are the basic questions that must be answered, and they will require that IT do a thorough investigation. It's almost impossible to develop a comprehensive security policy for the use of FTP without this investigation. And, since every personal computer in the organization has FTP capability -- and indeed many generic PC applications have embedded FTP functionality (including browser applications, some spreadsheet applications, etc.) -- the examination of how FTP is actually used is bound to create some heat for IT.

Nonetheless, the answers to these and other investigative questions will help you understand the breadth of the security and management problems facing your organization with FTP.

So what are the next steps?

The next step is to identify how the organization needs to manage file transfers.

  • What are the pertinent compliance regulations that must be met?
  • What are the requirements for encryption and authentication?
  • What are the management goals for business partner data interchange?
  • What are the realistic expectations from users who are responsible for the day-to-day transfers of data?

How can IT bring in a solution that delivers FTP in a more controlled and manageable manner? There are a number of common elements in the implementation of an ideal file transfer solution, and in my next post I'll discuss the ideal business-level FTP solution for IT.