Organizations struggle with the process of sending and receiving large files. File size limits are often strictly enforced on email systems, and alternative secure, large file transfer options usually aren't made available, leaving workers to use personal email accounts, Dropbox and other insecure methods to move files around an organization.
Failing to address insecure file transfer activity is a big mistake and will cause sensitive data to leak out of a network at alarming rates.
In this tip, we'll summarize the security issues with large file transfers, and offer enterprises a few low-cost options (e.g., cloud services, SSH FTP and the like) to ensure file transfer activity isn't a data breach waiting to happen.
The risks of insecure file transfer
Sending files is a part of daily business, and many times an organization's IT systems either are not able to handle these transfers or are configured to send files in an insecure manner. It's common now to use popular personal storage sites to transfer files, but a weak password or lack of due diligence on the part of the service provider can easily result in data exposure.
This is an area that information security teams need to assist the business, allowing them to function properly and securely without limiting their productivity. It's the information security team's job to advise the business of security risks and ways to mitigate those risks using people, processes and technology, and ultimately allow the business to make the decision on how to manage that risk.
In the case of insecure file transfer, the risk can be huge: Files that include sensitive intellectual property, marketing strategy or sales projections, if lost, can negatively affect a company's bottom line; worse still, credit card data, health records and other customer information that isn't transferred securely and in accordance with compliance mandates like PCI DSS and HIPAA can lead to a fine, a loss of trust among customers and ultimately set an organization back years. In this light, the risk of insecure file transfer becomes much more harrowing than it may seem.
A business must limit the ability for users to access sites like Dropbox, YouSendIt, Google Drive and so on, and instead have users funneled to an approved secure file transfer system or service. Since many of these sites are using HTTPS for file transfer, it's becoming harder to look at what's actually being transferred, both into and out of the network. One of the best methods for blocking this inappropriate access is to use Web filtering tools to block this category of sites, and open it only to those that need to use it for business. Blocking this by the domain level is the easiest way to deny access to such sites.
Blocking these sites, both agents and Web-based upload ability cuts off a major avenue by which sensitive files can exit the enterprise unchecked. Also, this allows the security team to monitor who's still trying to use these sites and if there might have been an issue with a particular user or group. It may highlight a business need that requires a special solution. Lastly, there should be a policy and procedure in place on how to access these systems with a clear audit trail of who has access. Setting the guidelines of what's to be expected of users from the start will help set the stage for securing large file transfer.
Addressing the problem
A few vendors, such as Accellion, ProofPoint and LiquidFiles, offer a system on-premises that acts like an "internal" personal storage device. These systems have the files stored locally to an appliance within a network that allows an organization to share via groups or third parties. Many of these systems store the files on this internal storage that can be shared by sending email or links to the recipient to download the files from an organization's site. Many also have mobile apps that allow access to and sharing of an organization's files via a handheld device or tablet. Additionally, all files can be audited and scanned for malicious content while entering or exiting the system.
From the editors: More on secure file transfer
Secure FTP: Best practices for the enterprise
Secure managed file transfers and compliance requirements
There are also many cloud-based services with similar functionality, but they don't have data stored on-premises. These offerings allow for the potential of higher redundancy, backup, and increased storage and scalability. The one downfall here is that a company needs to determine where this data is being stored, who has access to it and what the vendors are doing with it. While cloud-based services have benefits and may be a viable solution for many businesses, it is imperative that companies using this type of service first verify that the data is being encrypted in storage and that extremely confidential data is not sent to the cloud.
Lastly, using systems like SSH File Transfer Protocol (SFTP) or File Transfer Protocol Secure (FTPS) that allow for secure file transfers with minimal cost could be the solution that works best for some businesses. I've seen small businesses that didn't have the budget to accomplish this use standard FTP (which by itself is extremely dangerous) while encrypting the files with PGP encryption software before sending to a third party or vendor. Keep in mind this isn't an ideal solution, but it's more secure than using a protocol like FTP alone or a free public service.
Ultimately there are many options to consider when securing the file transfer needs of a business, but failing to address insecure file transfer activity is a big mistake and will cause sensitive data to leak out of a network at alarming rates. Setting up an approved, secure file transfer method with auditing of accounts is the ideal way to prevent a damaging loss of data.
About the author
Matthew Pascucci is a senior information security engineer for a large retail company where he leads the threat and vulnerability management program. He's written for various information security publications, has spoken for many industry companies, and is heavily involved with his local InfraGard chapter. You can follow him on Twitter at @matthewpascucci or check out his blog at www.frontlinesentinel.com .
This was first published in March 2013