
Blog

Top 10 Managed File Transfer Considerations

Before looking for a managed file transfer solution, it is important to determine how data is currently being transferred from your organization. You should find out which users and applications perform the data transfers, where the source data resides, how sensitive the data is, how the data is formatted for your partners and what protocols are used to transmit the information. If the files are encrypted or compressed before transmission, find out what tools and standards are being used.

After you've done your in-house analysis, then start a search for a secure file transfer solution that best fits your needs. Listed below are the Top 10 managed file transfer considerations.

  1. Platform Openness - To reduce the points of connection to sensitive data, and the risk of exposure to those without a need-to-know, the MFT solution should be installed on the server operating system where the sensitive data and applications reside. If your corporate data mostly resides on the IBM i, then it would make sense to get an MFT solution that runs on the IBM i.
  2. Authorization Controls - To meet many compliance regulations, the MFT solution must provide role based access to limit user access to certain servers or MFT functions based on user credentials.
  3. Secure FTP - Plain FTP is not secure. The MFT solution must support both SFTP (file transfer over SSH) and FTPS (FTP over SSL/TLS) for secure FTP transfers.
  4. Encryption Standards - At minimum, the solution should support the industry standard encryption standards: AES, Open PGP, AS2, SSH, SSL, TLS and S/MIME.
  5. Database Integration - The MFT should readily connect to DB2, SQL Server, Oracle, MySQL and other popular database servers for extracting and inserting data.
  6. Data Transformation - The ability to translate data between popular formats including XML, CSV, Excel and fixed-width text.
  7. Data Compression - Compresses and packages data using popular standards such as ZIP, GZIP and TAR to reduce transmission times.
  8. Application Integration - The MFT should provide commands and APIs for interfacing with your applications.
  9. Scheduling - Allows transfers and other MFT functions to be scheduled for future dates and times.
  10. Key Management - Does the MFT include management tools for creating, importing and exporting keys and certificates?

Related Blog Post: What Qualifies a Product as a Managed File Transfer Solution?


FTP Server Security Flaw Discovered

We know that FTP has security issues that are based upon its aging design. But a new flaw, discovered by Maksymilian Arciemowicz, is creating new concerns. This new flaw is calling into question the underlying code-base implemented by literally thousands of FTP server applications.

The flaw resides in several C code libraries that implement the glob() function. "Globbing" is a pervasive function that permits the use of wildcard patterns to identify file names. It's one of the most commonly used processes in transferring large numbers of files with FTP: instead of individually selecting files, a user may select a folder or a group of files based upon a common string. Common examples are *.doc and *.*.

The flaw discovered by Arciemowicz relates to a feature added to C libraries in 2001. That feature - called GLOB_LIMIT - was designed to limit the amount of memory used during transfer. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns, and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Of course, crashing an FTP server can then permit other security violations to take place - not only on the server side. For instance, a hung FTP server that is in the midst of a conversation with a client can leave the client's data in the open. This represents a serious potential security hole for the client software itself.

In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled. Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU libc (glibc) are affected. FTP and SFTP servers all tend to support globbing, so it's important to either disable globbing in the server's configuration, and/or to contact the software vendor about its use of this underlying function and discuss how to mitigate the exposure.
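As an added illustration (this is example code written for this post, not GoAnywhere's code and not the libc routines discussed above), here is the kind of defensive wrapper a server can put in front of glob(): it rejects client-supplied patterns that exceed a length or wildcard budget before the library ever sees them, asks for GLOB_LIMIT where the libc provides that flag, and caps the returned set afterwards where it does not. The policy limits, the function names and the scratch-directory demonstration are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Policy limits: assumed values chosen for this example, not taken from the
 * article or from any particular FTP server's configuration. */
#define MAX_PATTERN_LEN 256   /* longest client-supplied pattern accepted   */
#define MAX_METACHARS   8     /* '*', '?', '[' and '{' characters allowed    */
#define MAX_MATCHES     1000  /* cap on expanded paths                       */

/* Return 1 if a client pattern is within policy, 0 otherwise.
 * The check runs before glob(), so an over-budget pattern never reaches libc. */
int pattern_is_acceptable(const char *pat) {
    size_t len = strlen(pat);
    if (len == 0 || len > MAX_PATTERN_LEN) return 0;
    int meta = 0;
    for (const char *p = pat; *p; p++) {
        if (*p == '*' || *p == '?' || *p == '[' || *p == '{') meta++;
        if (p[0] == '.' && p[1] == '.') return 0;  /* no escaping the listing root */
    }
    return meta <= MAX_METACHARS;
}

/* Expand a pattern under policy. Returns 0 on success (caller must globfree()),
 * -1 if the pattern was rejected, -2 if the result set was over the cap,
 * or the glob() error code. */
int safe_glob(const char *pat, glob_t *out) {
    if (!pattern_is_acceptable(pat)) return -1;
    memset(out, 0, sizeof *out);
    int flags = GLOB_ERR | GLOB_NOSORT;    /* GLOB_BRACE deliberately not set */
#ifdef GLOB_LIMIT                          /* BSD-style libcs: cap inside the library */
    flags |= GLOB_LIMIT;
    out->gl_matchc = MAX_MATCHES;
#endif
    int rc = glob(pat, flags, NULL, out);
    if (rc != 0) {
        globfree(out);                     /* releases any partial allocation */
        return rc;
    }
    if (out->gl_pathc > MAX_MATCHES) {     /* post-hoc cap where GLOB_LIMIT is absent */
        globfree(out);
        return -2;
    }
    return 0;
}

/* Self-contained demonstration: builds a scratch directory with constructed
 * file names, lists "*.doc" through safe_glob() and returns the match count. */
int demo_in_tempdir(void) {
    char dir[] = "/tmp/globdemoXXXXXX";
    if (!mkdtemp(dir)) return -1;
    const char *names[] = {"report.doc", "memo.doc", "notes.txt"};
    char path[PATH_MAX];
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    snprintf(path, sizeof path, "%s/*.doc", dir);
    glob_t g;
    int rc = safe_glob(path, &g);
    int count = (rc == 0) ? (int)g.gl_pathc : -1;
    if (rc == 0) globfree(&g);
    for (size_t i = 0; i < 3; i++) {       /* clean up the scratch files */
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return count;
}

int main(void) {
    printf("policy accepts \"*.doc\": %d\n", pattern_is_acceptable("*.doc"));
    printf("matches in scratch dir: %d\n", demo_in_tempdir());
    return 0;
}
```

The pre-check is the part that matters on a libc where GLOB_LIMIT is missing or, as the article notes, not effective: rejecting the pattern up front is the only step that happens before any memory is committed to the expansion.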

GoAnywhere does not have this issue as it does not use C or the GLOB_LIMIT. GoAnywhere Services is a secure file server that allows trading partners (both internal and external) to securely connect to your system and exchange files within a fully managed and audited solution. Popular file transfer and encryption standards are supported without the need for proprietary client software.


What is Managed File Transfer (MFT)?

As more and more companies seek an MFT solution to meet their data transfer needs, the question still arises: what exactly is a Managed File Transfer (MFT)? At a minimum, a Managed File Transfer solution is a product that encompasses all aspects of inbound and outbound file transfers, uses industry-proven standards, and provides a central, single point of administration. With a wide variety of products claiming to be a Managed File Transfer solution, there are some things you may want to ask yourself (and your vendor).

  • Does the solution use industry-standard protocols for secure data transfers?
  • Is the solution centrally administered, or are there PC components required for administration?
  • Can I be notified in real time of certain events (e.g. errors) if they occur?
  • How will this solution affect my customers, vendors and trading partners?
  • Can audit reports be generated?
  • What type of security controls does the product have in place to allow separation of duties?
  • Are there additional modules or add-ons that might need to be purchased?
  • If our needs grow beyond our current platform, how does this solution grow with us?

As you research a vendor to handle your Managed File Transfer needs, make sure you choose a vendor that is able to not only meet your current needs, but the needs of the future. Feel free to contact us to discuss your current and future needs as well as answers to the above questions and more.


PCI DSS 2.0

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a "need-to-know basis" (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve. QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customers' requirements, the credit card data must still be available to the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI DSS Issues

So what's the best way to both satisfy the requirements of PCI DSS and still make secured data transparent to applications? The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/decryption utilities that slow processing and often leave decrypted data in the open. In addition, without an integrated encryption key management process, there is really no security at all. Unsecured encryption keys, just like data, can be lost, stolen and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSAs' three recommendations go beyond the basic requirements of the PCI DSS standard to actually secure the credit card data at the host - and to ensure that the data isn't misused when it is at rest or while it is being transferred.

Linoma Software's data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI DSS V2

Industry security analysts will still complain that PCI DSS needs to be a real security standard aimed at protecting cardholder data, and that Version 2.0 doesn't provide that value. Consequently, we need to analyze what the QSAs are recommending, and then build on PCI DSS Version 2.0 to implement the best possible data security for our customers' credit card data.


Virtually in the Cloud

The buzz around cloud computing and virtualization is exciting. Virtualization is not a new concept as this is a progression from distributed computing. What creates the excitement is that virtualization has gained momentum with a few key players making it easy to manage virtual servers via a console or hypervisor.

Why virtualize secure file transfers? The file management realm grew up with the notion that nothing is secure unless it can be physically segregated in a locked room. This is not reality anymore. "Bare Metal" or "Domain 0" virtual servers are just as secure as physical boxes, but they need to be hardened at the operating system level in the same way as a physical server.

"Virtualization doesn't fit the traditional mold of dedicated servers to handle a corporation's encryption of sensitive data, secure data transfers or data translation functions," says Bob Luebbe, Chief Architect at Linoma Software. "There were many variables to consider, but we were pleasantly surprised at how easy it was to implement a full VMware environment. The virtual servers were easy to manage and move among hosts."

The GoAnywhere suite of managed file transfer solutions is tested and certified for virtualized and cloud environments. GoAnywhere Director and GoAnywhere Services are the only VMware Ready software-based secure managed file transfer solutions available. GoAnywhere Gateway is the VMware Ready reverse proxy gateway for the DMZ that integrates with GoAnywhere Services.


Cyber Threats: Beyond Entertainment Value

On June 8th, 2010 the National Public Radio (NPR) broadcast a debate by the public charity Intelligence Squared U.S. (IQ2US) entitled "The Cyber War Threat Has Been Grossly Exaggerated." The show's format is based on the traditional Oxford-style debate, with one side proposing and the other side opposing a sharply-framed motion.

The broadcast pitted Marc Rotenberg (executive director of the Electronic Privacy Information Center) and Bruce Schneier (a security technologist) against Jonathan Zittrain (a Harvard Law School professor) and the former U.S. Director of National Intelligence, Mike McConnell. Zittrain and McConnell rolled out the heavy security artillery, describing the threats and touting facts and figures, while Rotenberg and Schneier pooh-poohed the seriousness of the threat and tried to cast suspicion onto the U.S. government's C.I.A., claiming that it just wants to spy on us.

The debate was both entertaining and informative, but it also shed light on an unusual dichotomy in our public subconscious regarding cyber security: We - as denizens of computer technology - are as wary as Jason Bourne about where, exactly, our cyber security threats are coming from. Are they coming from real terrorists and enemy spies? Is there really some vast criminal conspiracy afloat? Or are these threats perhaps coming from within the very ranks of government itself? Who do you really trust and why?

Even the term "cyber" is a subconscious mnemonic to the old Marvel Comics super-villain of the same name, and enemy of Wolverine. Cyber, (alias Silas Burr) in the comic book, was once an agent of the Pinkerton Detective Service before he turned into a criminal mastermind. Why wouldn't we be suspicious of government representatives telling us that we're engaged in a kind of comic book war?

But data security is obviously not an issue about comic book super-villains, or government conspiracies. For example, in this same month that IQ2US was airing their debate many of us were receiving notices about a class action settlement. Countrywide Financial - the behemoth that sold mortgages during the real estate bubble and which is now owned by BofA - has begun the process of contacting customers whose identities may have been stolen when their records were pilfered by an employee.

No, it was not Jason Bourne nor Silas Burr, but a former Countrywide senior financial advisor who wanted to sell the names, SS#s, credit information, employment history, and other personal information of mortgage applicants.

The U.S. District Court's remedy in the settlement will be to require Countrywide to provide free credit monitoring to all those involved in the class action suit for a period of 2 years, along with a potential liability against Countrywide of up to $50,000 for each incident of identity theft.

Isn't it time we, in our organizations, got serious about data encryption? Shouldn't we be stepping into this battlefield to fight back with a secure, managed file transfer system between our workstations and servers?

The cyber wars of comic books may populate our imagination, but our company's challenges are much more real. And if we're not mindful to use the right tools in our IT departments, we may all be faced with a customer base of angry Jason Bournes who have lost their identities through our security lapses.



Linoma Software Achieves Microsoft Gold Certified Partner Status

Linoma Software, a leading provider of data automation and encryption technologies, today announced that Linoma has achieved Gold Certified Microsoft Partner status with competencies as an ISV (independent software vendor).

As a Microsoft Gold Certified Partner, Linoma Software has demonstrated expertise with Microsoft technologies and has proven its ability to meet customers' needs. "The certification assures customers that we have the technical knowledge to run and support applications on the Windows operating system," said Bob Luebbe, Chief Architect for Linoma Software. "The benefits provided through our Gold Certified Partner status will allow us to continue to enhance our solutions and exceed our customers' growing needs."

Microsoft Gold Certified Partners represent the highest level of competence and expertise with Microsoft technologies, and work in the closest relationships with Microsoft. Only partners which demonstrate exceptional performance levels when delivering solutions that integrate with Microsoft technologies, and have a proven ability to meet customers' needs, are granted Microsoft Gold Certified Partner status. By achieving this status, Linoma Software now has access to specialized training and support from Microsoft, offering a competitive advantage to our clients.


Managed File Transfer Solution is Certified VMware Ready

Linoma Software, a provider of innovative solutions for securing and transferring sensitive data, today announced GoAnywhere Director and GoAnywhere Services have completed testing and validation to receive VMware Ready certification. GoAnywhere Director and GoAnywhere Services are currently the only secure managed file transfer solutions that are VMware Ready certified for virtualized environments.

The VMware certification process requires ISV Partners to implement a full VMware environment and create test logs using VMware's testing application. After VMware's careful review, they authorize the application as VMware Ready.

VMware virtualization is trusted by over 190,000 customers for its proven system management and reliability. The goal of server virtualization is to consolidate physical servers - saving power and other infrastructure related costs. "We initiated the certification process for GoAnywhere Director and GoAnywhere Services with VMware to ensure all file transfers and data translation will remain secure within an Enterprise's private cloud or virtualized environment," says Dirk Zwart, Director of Technology Alliances at Linoma Software.

"Virtualization doesn't fit the traditional mold of dedicated servers to handle a corporation's encryption of sensitive data, secure data transfer or data translation functions," says Bob Luebbe, Chief Architect at Linoma Software. "There were many variables to consider, but we were pleasantly surprised at how easy it was to implement a full VMware environment. The hosts and virtual servers were easy to manage and move around."

"GoAnywhere is an ideal secure managed file transfer solution for companies using virtualized servers," says Bob Luebbe. "It works with most platforms and provides businesses a secure environment to connect with customers and trading partners."

Linoma Software tests its software for interoperability with Enterprise-level operating systems - SUSE Linux, Red Hat, Solaris, AIX, HP-UX, i5/OS, Windows, Mac OS X; popular browsers, and compliance with commercial and federal regulations like PCI DSS, HIPAA, and SOX. "Partnering with VMware provides our customers with confidence that they are supported regardless of their configuration," concludes Dirk Zwart.


Who Insures the Insurer?

Do insurance companies maintain Data Security Breach Insurance?

On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company's website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. It's one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.

And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised? As absurd as it may seem at first glance, it's really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record. This would mean that Anthem Blue Cross's breach last month created a liability as great as $40M.

Moreover, there's a ripple effect to organizations that do business with insurance companies that suffer such an information security breach. Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.

We all know that the private information transferred between companies should use a secure and confidential method of transmission. Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers. And by the time these organizations realize their vulnerability, it's often too late. These companies are often performing these FTP transfers below the radar of their IT departments. How does it happen?

Often personnel data is off-loaded to PCs from the main information systems where it is left "in the open" on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it's subject to theft or secondary security flaws. Insurance agents - whose jobs are to facilitate the processing of the data with their insurance providers - can also suffer from such breaches. The loss of an agent's laptop - through theft, accident, or routine use of USB thumb-drives - poses additional liability.

There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database. Linoma's CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company's information assets.

The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual's personal computer. By removing FTP access to the data by any employee's PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring. Linoma's GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.

The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution. But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.

So who insures the insurer when a data security breach occurs? The real answer is IT itself. And helping IT achieve a better result will be the subject of this blog over the next few months.