First, let me make this clear: Hacking is totally offensive, immoral and illegal and I don’t completely blame any company that has been hacked. But the consequences of being hacked are so dastardly that we all — service providers and users — should do more to protect ourselves from these invasions. Having said that, there are two points in this article that I will discuss:
1. The strategy and solutions you chose for securing and managing file transfers should not be left to chance.
2. You should do something deliberate now, since the file transfer craze is a big issue that needs to, and can, be solved by the enterprise to address security, cost management and compliance across applications and with trading partners.
Exploding MFT ‘Market’
First, let’s look at the second issue. Sharing — for both companies and consumers — is exploding.Consumers may use their company devices to search, access, and log in (during their lunch hour, of course) to share the moments from Mom’s birthday party, for example; or manage their lives — shopping, paying, learning. You don’t necessarily want to stop them, since they don’t leave the office while doing this. And they may also be using the internet for online education, searching data for products, or doing research for the company’s benefit.
But most of the enterprise traffic is still for official interactions. The typical enterprise has experienced an explosion in document and message sharing due to the nature of work today: outsourcing; working with channel partners; web sales; and self-service services to support administrative functions such as HR, insurance, and purchasing. (Some exchanges are shown in Figure 1.)
And with the cloud craze, the enterprise, consultants, service providers and technology companies that provide cloud apps, hosting, etc. need a managed file transfer mechanism that is automatic, auditable, scalable and secure. From on premise to cloud and back, and from cloud to cloud, MFT is the gateway that lets service providers and customers/users monitor these activities.
Supply chain applications also do a lot of sharing — that is the de facto premise of supply chain.These interactions are critical to meet time, data accuracy, and security standards, whether it is an optimization server; an application that exchanges large files with your ERP; a collaborative architecture such as that which is used in transportation, demand planning, or exchanging messages such as EDI, XML; uploading and downloading big files; or sharing a variety of documents with trading partners.
An overwhelming number of documents and messages are flowing between trading partners. Many of the messages are/should be compliant with PCI DSS, HIPAA, agreed-to industry standards and protocols, or are just plain proprietary to the company. However, a variety of gateways and sign-ons from individual apps access the internet and may allow downloading or uploading of documents. There are also email exchanges between trading partners. These and many other exchanges are uncontrolled and unknown to the CIO. So security is a big issue. Couple that with the fact that enterprise workflow and sharing today is outside your typical transaction or ERP system. So fundamentally you have a ‘two-sets-of-books’ issue going on. You don’t really know what is being shared, secure or not.
Now let’s take Dropbox. Sorry, Dropbox, to use you as an example, but it does point to the methods used by heavyweight enterprise solutions.
Here, in his own words is a statement from Dropbox’s CTO.1 In essence, there was a breach of password security and lack of encryption. I asked a few MFT providers to comment on this situation and tell me what they do:
1. Message encryption — There are various and concurrent methods used to encrypt messaging and files going through an enterprise-weight MFT. SSL (Secure Socket Layer) and SSH (Secure Shell) encrypt the file while it travels from point to point. And then another encrypting method, PKI — Public Key Infrastructure (there are various levels) protects the file while it’s stored (on a server on the cloud, for example). You can’t open it without the right ‘key’ or certificate. Read about PKI at Wikipedia.
2. Access/Account Control — Most secure MFT companies use LDAP (Lightweight Directory Access Protocol) integration which is an ANSI standard/method for managing distributed account passwords. This happens behind the firewall. If I understand this correctly, the user requests sign-on and the server decides whether to grant it based on multi-level corporate account and user access permissions. You can read more about it at Wikipedia, or in (tons of) Google mentions.
Conclusion — Consumer vs. Enterprise Applications
Enterprise services are different than consumer services — managing a few thousand customers vs. millions. No one wants to get hacked. But enterprise-weight application providers have security and compliance staff to create and manage software securely. Cloud providers are already monitoring their servers and customer accounts for malicious activities with both the customers’ accounts or their own services and account. During MFT implementation they help build the proper environment behind your firewall and ensure encryption as messages and files are streaming through the web.
The difference between being consumer-oriented and enterprise-oriented in this MFT space really did not become clear to me until this hack occurred. My analogy is the difference between reading a health magazine (cheaper) vs. having your own primary care physician. Millions of people can use consumer-oriented Dropbox, but Dropbox’s cost to serve each one has to be really low to accommodate the free people, and also the low rate for paying customers. The enterprise MFT is your primary care — you are paying a bigger fee, but you get personalized services specific to your needs.
I am sure Dropbox has the backing to address their consumer security issues when they are the source of the breach. But it is probably too big a job to address all those users directly, beyond making recommendations on the website for consumers to better manage their own security.
My recommendation: consumers — manage your passwords better! Enterprise — get an enterprise MFT.
Read more about security and risk: Risk Management Technology for the Supply Chain
1 Note — the forum for this discussion on DropBox was taken down while we were writing this article, so here is some of the quoted material. “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again. Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen … ” — Return to article text above
Editor’s note — paying accounts do have higher levels of security available to customers, which emphasizes the point that heavyweight and scalable options cost money to develop and come at a price to users. The old adages, “If it is too good to be true, it probably is,” and “You get what you pay for,” carry a measure of truth. Free is not an enterprise solution.
To view other articles from this issue of the brief, click here.