

The dangers of FTP… exposed
 Posted by SecExtra on March 04th, 2008

FTP is one of the main data transfer systems that we use on a daily basis, though due to its familiar and frequent usage it suffers from a number of issues. We contacted Craig Whitney from Tumbleweed to get his views on the dangers of the File Transfer Protocol.

 

Several classified military and government documents were recently found and accessible to anyone with an Internet connection – in this case, by a journalist with a major news organisation. What happened? They were posted carelessly to outdated FTP servers used by government agencies and contractors who wanted to share the documents online.

 

As illustrated by this incident, more and more file transfer breaches underscore the need for better management and security in file exchange. Transferring large, sophisticated files efficiently, securely and rapidly to internal and external partners is essential to remaining both productive and competitive. Yet in the case of FTP, data is frequently accessible by unintended audiences.    

 

The rudimentary and ubiquitous FTP servers and clients that have been in use since 1971 fall short of the security needed – not just by governmental and military bodies, but in the private sector as well. From customer cardholder data and personnel files, to trade secrets and intellectual property, these files regularly contain highly sensitive information. Unlike the malicious and calculated data leaks by the rogue employee, these are caused by well intentioned employees in the normal course of business.  While IT groups invest significant amounts of time and resource into protecting assets, FTP is presenting a new Achilles heel in messaging security. 

 

But new managed file transfer technologies, based on established FTP protocols yet built with new levels of security, control and reporting, are being adopted by the most security-conscious companies. These new technologies take into account a myriad of issues that current FTP solutions do not – including security, centralised management, notifications, data recovery, and automation. For example, newer technologies do not represent user names and passwords in unencrypted clear text like FTP. Further, they are capable of guaranteeing file receipt or providing automatic checkpoint/restart to transmissions that might have failed in the transfer process.
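To make the clear-text point concrete, here is an added example (not part of the original article or of any vendor's product): Python that audits an FTP control-channel transcript, as recorded at a server or proxy, and reports logins whose PASS command was sent without the server having accepted AUTH TLS. The transcript layout, session ids and sample lines are constructed assumptions; the USER, PASS and AUTH commands and the 234 reply are standard FTP (RFC 959, RFC 4217).

```python
# Added example: audit an FTP control-channel transcript for cleartext logins.
# The line layout (session id, direction C/S, payload) is an assumption of this
# example; the sample lines are constructed, not captured traffic.
SAMPLE = """\
s1 C USER alice
s1 S 331 Password required
s1 C PASS hunter2
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s2 C USER bob
s2 S 331 Password required
s2 C PASS s3cret
s3 C AUTH TLS
s3 S 502 Command not implemented
s3 C USER carol
s3 S 331 Password required
s3 C PASS pa55
"""


def audit_ftp_control(transcript):
    """Return (session, user) for each login whose PASS was sent without TLS."""
    state = {}     # session -> {"tls": bool, "auth_pending": bool, "user": str}
    findings = []
    for raw in transcript.splitlines():
        parts = raw.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sid, direction, payload = parts
        s = state.setdefault(sid, {"tls": False, "auth_pending": False, "user": None})
        verb, _, arg = payload.partition(" ")
        verb = verb.upper()
        if direction == "C":
            if verb == "AUTH":
                s["auth_pending"] = True
            elif verb == "USER":
                s["user"] = arg.strip()
            elif verb == "PASS" and not s["tls"]:
                findings.append((sid, s["user"]))  # the password itself is never kept
        elif direction == "S" and s["auth_pending"]:
            s["tls"] = verb == "234"  # RFC 4217: 234 accepts AUTH; anything else refuses
            s["auth_pending"] = False
    return findings


if __name__ == "__main__":
    for sid, user in audit_ftp_control(SAMPLE):
        print(f"{sid}: cleartext login for user {user!r}")
```

Session s3 shows the case that is easy to miss: the client asked for TLS, the server refused, and the login went ahead in the clear anyway.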

 

Encryption, now considered a best practice when exchanging files, is seldom available for basic FTP, but is a feature that is integrated into the more sophisticated managed file transfer technologies. Many older file transfer solutions also store sensitive and un-encrypted information as it moves between organisations, an enormous threat. New technologies address this with granular data access restrictions and two factor authentication to eliminate all FTP security threats, like the one mentioned above.

 

To guarantee secure transfers and reduce the risk of technical outages, current best practices for deployment typically encourage having dedicated servers and secure client software as part of an integrated package.

 

Further, leading managed file transfer solutions also offer a dashboard-style management console, providing a visible audit system for tracking the data exchange of critical files and enabling administrators to understand when, where and how they have been transferred while maintaining controls that meet regulatory and legal compliance requirements. 

 

The next big security leak is just on the horizon – with so many rogue FTP servers in use today, it’s not a matter of if, but when.  And yet business communications on the Internet are central to productivity.  This dual reality is pushing managed file transfer to the fore as a critical function for IT organisations.

This entry was posted on Tuesday, March 4th, 2008 at 9:51 pm and is filed under IT security.