Secure file sharing: Don’t risk a breach from sharing personal data


When businesses think about cyber security, their thoughts usually jump to phishing scams, malware or other deliberate theft or sabotage. Yet every day businesses are breaching their own security policies and risking compliance. The cause is employees sharing personal data via email or consumer-grade file sharing apps. These aren’t the right tools for the job, so it’s essential to equip staff with secure file sharing technology and knowledge to protect your organisation’s data.

 

Email

Email is one of the biggest problems. Businesses rely on it so much to communicate back and forth that employees often send things without thinking. Attaching a customer file or patient record is an easy mistake to make. But in a typical email setup the servers don’t encrypt the email attachment, so it is not secure. That may constitute a breach of the General Data Protection Regulation (GDPR), bringing the risk of a fine and damage to your reputation.

Email doesn’t provide any guarantee of delivery either, or visibility of the transfer, which is another must for compliance.

 

File sharing apps

If a member of staff needs to send a large file and it’s too big to attach to an email, they often jump onto a file sharing application like WeTransfer or Dropbox. But consumer-grade applications lack in-built security. Again, there’s no audit trail of the transfer and you end up with multiple versions of files sitting in various locations, which no one else can access to wipe if that member of staff leaves. Not all of these solutions will confirm where a file is held either so you may have data stored outside of the EU.

 

Secure file sharing

Anything including sensitive, personal or valuable data – like company IP – needs to be handled very carefully. Our advice is to add a secure file sharing solution to your IT infrastructure, to encrypt and securely transfer files. These are sometimes called secure email, ad hoc, or Electronic File Sync and Share (EFSS) solutions.

Most will provide a plug-in to your email client, which makes it easy to use and accessible. Some can be configured to automatically secure emails under certain conditions based on your IT security policy, so employees don’t even need to know it’s there. There are no file size limits either, and IT maintain a full audit trail. These solutions often support file collaboration between your employees and external partners too, which is an added bonus.

Full features of a secure file sharing solution include:

  • Access control / permissions
  • Secure data wiping
  • Secure protocols (HTTPS and sometimes SFTP & FTPS)
  • User authentication
  • Auditing and reporting
  • Encryption of files (PGP or AES)
  • Administrator overview
  • Data residency within the EU

Recommendations

If you think you need a secure file sharing solution, our free bespoke software comparison service will save you weeks of research time and identify the right solution for you. It is informed by over 15 years’ experience delivering secure file transfer solutions, a deep understanding of user needs and continuous review of the multiple vendors on the market.

You complete a series of questions about your current and future business requirements, and receive a bespoke report from our technical consultants recommending the best solution for your needs and budget. You can complete either the ad hoc or the Managed File Transfer (MFT) service, depending on what you need the solution to deliver.

 

Use this service if you are looking to address person-to-person file sharing only, as outlined in this blog.

 

Use this service if you also need to automate transfers and integrate between applications.


Three big things wrong with the Software Reviews Info-Tech MFT Data Quadrant


There’s been a lot of talk in the Managed File Transfer (MFT) space about the recent Software Reviews Info-Tech MFT Data Quadrant. The report claims to ‘provide a comprehensive evaluation of popular products in the Managed File Transfer market’.

As independent MFT experts with over 15 years’ experience reviewing products, we wanted to provide our take on this report. Our advice is very clear. This is not an accurate representation of the market, and here’s why.

 

Pictured: Info-Tech MFT Data Quadrant, from HelpSystems website.
 

1. Definition of MFT

Info-Tech’s understanding of what constitutes MFT is fundamentally flawed. Of the ten products on the Data Quadrant, four aren’t actually MFT, so it’s not comparing like-for-like.

MFT solutions allow data to be transferred in a controlled, secure fashion, both inside and outside an organisation, between systems and / or users. This includes:

  • System-to-system transfers, such as automated batch transfers or workflows with a series of actions;
  • Transfers between people and systems, such as data capture forms with ongoing automated workflows;
  • Person-to-person or ‘ad hoc’ transfers.

The following four products are not MFT:

Accellion: This is a secure file sharing and collaboration solution only.

Adobe Send & Track: For ad hoc large files.

Citrix ShareFile: Electronic sync and share, for document collaboration.

LeapFile: For ad hoc person-to-person only.

2. Products missing from the Info-Tech MFT Data Quadrant

Only vendors who have paid for the report are able to market what it says about them. This is not independent and it is not a review of the complete market place.

While we firmly agree with the placement of HelpSystems GoAnywhere MFT and Ipswitch MOVEit (Ipswitch was acquired by Progress earlier this year), there are several other market leaders not included on the Data Quadrant:

Globalscape EFT Server would score highly on both the ‘Feature’ and ‘Vendor’ matrix.

Coviant Diplomat MFT is benefiting from a lot of development at the moment, making it a likely player in the ‘Product Innovator’ quadrant.

We would also recommend Cornerstone MFT from South River Technologies (SRT) as a very good budget solution.

Other credible vendors missing from the quadrant include Axway, Seeburger, Jscape, Cleo and more…

3. Niche or incompatible products

There are several products on the Data Quadrant that just aren’t viable products for the majority of businesses. That’s either because they lack the development, are not enterprise-ready, or are niche to specific industries:

Oracle MFT: Our most recent market research identified there were only around one hundred Oracle MFT customers worldwide. Most of these sales came about to prevent customers discontinuing with their middleware product. There has been little development recently and their roadmap is limited.

SolarWinds Serv-U: This is a budget solution and not something we would recommend for enterprises. Since its acquisition by SolarWinds, the technology hasn’t kept pace with technical innovation and is now a long way behind other vendors. Because it relies on a Java web browser plugin, the adoption and usability of the product – especially in risk-averse enterprise environments – will be compromised. This feature is well behind the curve.

FileCatalyst: This is primarily for use within the media industries, with an emphasis on fast file transfer. It doesn’t have the necessary breadth of file transfer protocols or automation options to make it a mainstream MFT player.

IBM Managed File Transfer: This is ensconced in the banking/finance industry, built around their own delivery protocol (NDM). It’s an expensive solution, without the breadth of delivery protocols to make it a mainstream MFT player.

NEXT STEPS

If you are looking for an MFT solution, we strongly advise against using the Info-Tech MFT Data Quadrant for guidance.

Most MFT solutions have the same features but differ in the level of detail and complexity, and how they are delivered. The only way you will be able to identify the right one for your business is to fully scope your requirements. Make sure you look at the vendor closely too and see what their previous development release schedule is like from published release notes. These are the factors that will determine whether your implementation is a success and will ensure you back a vendor that should meet your future needs too.

If you need help, use our free comparison tool, which asks the right questions. You enter your requirements, giving as much detail as you can, and our experts will recommend the right solution for your current and future needs and budget. It’s completely free and there’s no obligation to buy through us.


Open Source Managed File Transfer Software: Current & Past Options

[Updated January 2019]

 

If you are looking for an open source Managed File Transfer solution, this blog is for you. It’s written by Pro2col Managing Director James Lewis, who is a self-confessed file transfer geek with over two decades’ experience working with file transfer technologies and vendors. He’s been following open source projects for many years and regularly updates this blog as new options become available.

 

I originally wrote this post back in July 2012, after a number of requests for open source Managed File Transfer from potential customers. They’d found us via our website, which clearly promoted a wide variety of commercial products, with no reference to open source; however, they were only interested in open source options.

Free clearly doesn’t pay the bills, but being a bit of an industry geek, I decided to do the research and find out what was available. I identified a couple of SourceForge projects, which I’ve been following over the years.

For the record, I’m a fan of open source. Our previous Technical Director was a thrifty Northerner, who converted me. We ran various elements of the business very successfully on open source projects. Our support ticketing system was based on OTRS and our monitoring system used Nagios. Both were mature applications, widely used in the open source community and provided considerable functionality at a price that suited!

 


When it comes to open source Managed File Transfer though, the landscape is patchy at best. Open source FTP servers exist in abundance and can provide the landing point for incoming and outgoing files, but open source Managed File Transfer projects appear to be scarce. I suspect that this is because Managed File Transfer hasn’t been one of those technologies that every company deploys.

Recent changes in EU regulation, in the form of GDPR, also impact this space. GDPR legislation requires increased levels of security, audit trails and reporting on any transfers involving personal data. (See our blog posts Encryption at rest for GDPR and Where is your data going and why?)

Open source Managed File Transfer trends

My research over the past 6-7 years has highlighted a few trends that don’t bode well for open source Managed File Transfer projects, and may be a reflection of the wider open source landscape. In general, they have slotted into the following categories:

  • The company is acquired and the free option is removed. Some or all of the functionality is incorporated into a commercial offering.
  • The part-time developer gets a contract or new job and the project gets shelved.
  • The project is labeled as Managed File Transfer, but doesn’t contain the key functions of all commercial offerings in the market.
  • Commercial vendors offer a pseudo open source product with limited functionality and encourage migration to their commercial solution.

Genuine open source projects

There are just two genuine projects that I’ve found so far. I couldn’t recommend either, as I’ve not invested any time personally or asked our technical consultants to review them; however, they have ongoing development and support packages.

Yade – an open source project, previously going under the name of SOSFTP. This project has been around since at least 2012. SOS Berlin lists a number of customers on their website and provides support and consulting packages. Currently my favourite option, based upon the length of time they’ve been around.

WAARP – a relative newcomer to the market but it looks to have all the basics covered. It also provides commercial support options and their website provides visibility of who is involved in the project. This is certainly one to watch.

If you’re a user of either Yade or WAARP, I’d be interested in hearing from you. I’m keen to understand how complete the project is, how responsive the development team are and what your experience of their support offering has been like.

Free products from commercial vendors

As I’ve already mentioned, these tend to be products with limited functionality, which will ultimately encourage migration to a commercial solution.

Coviant Diplomat OpenPGP Community Edition – This is a free OpenPGP tool to automate PGP encryption and decryption.

Coviant Diplomat Cloud Storage Community Edition – A free tool to PGP-encrypt files being transferred to cloud storage sites.

HelpSystems Free FTP Server – this is a free edition of GoAnywhere MFT, with administrator dashboard, extensive security, audit reports and more.

FTP Voyager – A free GUI FTP client, FTPS client and SFTP client software for Windows. The main interface is similar to dozens of other FTP clients, but it also includes powerful scheduling utilities and synchronisation utilities for free.

Some open source MFT that is no more

These are some of the open source projects that I have been following, which are no longer available:

Policy Patrol by OPSWAT – has now become Metadefender Email Security. The Managed File Transfer element of the open source project appears to have been shut down.

ShieldShare by BlockMaster – now appears to be part of the DataLocker stable but their focus is on encrypted storage. It’s unclear whether the product was acquired for the encryption capabilities. Project shut down.

Appterra – their open source supply chain integration platform with Managed File Transfer capabilities was acquired by Descartes. The open source project has been shut down.

DivConq MFT – a SourceForge project that looked promising but the developers seem to have ended the project and the associated website has closed down.

Karonte – positioned as an open source Managed File Transfer solution but it doesn’t have the basic functionality we consider critical for MFT.

In conclusion

Whilst the open source marketplace can be a fantastic resource for some business applications, Managed File Transfer isn’t currently one of them. If your business is in the tech space or you’ve got an extensive development and technical team, then open source Managed File Transfer may be a viable option for you.

However, Managed File Transfer is mission critical for almost all of our customers. Many come to us looking to mitigate the security and compliance risks associated with supporting a bespoke or homegrown solution. Unmanaged in-house scripts in particular are one of the biggest risks to an organisation’s GDPR compliance. Additionally, as developers and contractors move on, companies get stuck with a solution without documentation, no training and no one to make changes or fix faults.

If you’d like to discuss your Managed File Transfer requirements and the impact of GDPR, I’d be pleased to talk them through with you. You may be surprised at how much bang you get for your buck these days in commercially available products. You can contact us via the web form, or call 0333 123 1240.


Choosing the right Managed File Transfer protocol

This blog post answers your questions about Managed File Transfer protocols. Which are the most widely used file transfer delivery protocols? Which should you be using and how do you identify which solution uses which protocols?

A protocol is the set of rules that determines how files are transferred from one computer to another, through a network. That might be an internal network (from one computer to another within the same network) or more commonly a Wide Area Network such as the internet.

The nature of your data and its destination will determine the right protocol for the transfer. For example, personally identifiable data and credit card information will need a secure protocol.

BASIC PROTOCOLS

FTP
(File Transfer Protocol)

How can it be used?

✓ Upload/download files
✓ Rename and delete files
✓ Create/delete folders
✓ Execute custom commands on server
✓ Check integrity of files

When can it not be used?

X Secure data at rest
X Secure data in transit (FTPS can)
X Work over just one firewall port
X Provide strong authentication

FTPS
(“FTP Secured” using SSL)

✓ Secure data in transit
✓ Upload/download files
✓ Rename and delete files
✓ Create/delete folders
✓ Execute custom commands on server
✓ Check integrity of files
✓ Provide strong authentication

X Secure data at rest
X Work over just one firewall port

SFTP
(“Secure FTP” using SSH)

✓ Secure data in transit
✓ Upload/download files
✓ Rename and delete files
✓ Create/delete folders
✓ Provide strong authentication
✓ Work over just one firewall port (22)

X Secure data at rest
X Check integrity of files
X Execute custom commands on server

SCP
(“Secure CoPy”)

✓ Secure data in transit
✓ Upload/download files
✓ Work over just one firewall port (22)
✓ Provide strong authentication

X Rename and delete files
X Create/delete folders
X Check integrity of files
X Execute custom commands on server

ADVANCED PROTOCOLS

HTTP
(HyperText Transfer Protocol)

HTTP CAN ALWAYS
✓ Download files
✓ Work over one firewall port (80)

HTTP CAN SOMETIMES
– Upload files
– Rename and delete files
– Create/delete folders
– Execute custom commands on server
– Check integrity of files

X Secure data at rest
X Secure data in transit (HTTPS can)
X Provide strong authentication

HTTPS
(HTTP Secured with SSL)

HTTPS CAN ALWAYS
✓ Download files
✓ Work over one firewall port (443)
✓ Secure data in transit

HTTPS CAN SOMETIMES
– Upload files
– Rename and delete files
– Create/delete folders
– Execute custom commands on server
– Check integrity of files
– Provide strong authentication

X Secure data at rest

WebDAV

WEBDAV CAN ALWAYS
✓ Download/upload files
✓ Rename and delete files
✓ Create/delete folders
✓ Work over one firewall port (443)
✓ Secure data in transit

WEBDAV CAN SOMETIMES
– Provide strong authentication

X Secure data at rest
X Execute custom commands on server
X Check integrity of files

EMAIL PROTOCOLS

SMTP
To send mail

✓ Push files as attachments
✓ Be secured with SSL/TLS
✓ Often uses ports 25, 465 or 587

X Pull files from other servers

POP3
To get mail

✓ Pull files from servers as attachments
✓ Delete original email from servers
✓ Be secured with SSL/TLS
✓ Often uses port 995

X Push files as attachments
X Synchronize email folder contents
X Not supported in all email environments

POP3 is becoming obsolete

IMAP
To get mail and sync mail folders

✓ Pull files from servers as attachments
✓ Delete original email from servers
✓ Synchronize email folder contents
✓ Be secured with SSL/TLS
✓ Often uses port 993

X Push files as attachments
X Be trusted if its key mailbox is also accessed interactively

Which Managed File Transfer protocol?

Guidance on what constitutes a secure protocol will change, adapting to stay one step ahead of cybercrime. That’s why it’s important to choose a vendor that releases regular product updates. With Pro2col’s free Managed File Transfer comparison service, you submit your requirements via a questionnaire. Our experts compare them against the different solutions and recommend the right product for you. Our experts consistently review the marketplace and only select credible solutions from credible vendors, who provide excellent support and regular software updates.


Managed File Transfer software comparison


[Updated – September 2018]

Are you doing a Managed File Transfer software comparison? With over forty products on the market, where do you start?

Globalscape EFT, HelpSystems GoAnywhere, Cornerstone from SRT, Ipswitch MOVEit and Cleo Harmony are all excellent Managed File Transfer products that we recommend to customers. But even from this shortlist, which is the right one for your organisation?

Every business has a unique set of requirements and each solution delivers its feature-set differently. There are so many factors that will determine if your implementation is a success. Sourcing the wrong product will cost you more in the long run.

Pro2col’s free comparison service identifies the right solution for your needs and budget. You complete a series of questions about your current and future business requirements, and receive a bespoke report from our technical consultants, recommending the best solution for you.


WHY REQUEST A MANAGED FILE TRANSFER SOFTWARE COMPARISON?

SAVE TIME

You will save weeks of research time by completing this questionnaire, making use of our technical consultants’ knowledge and expertise.

EXPERTISE

Pro2col experts have been delivering secure file transfer solutions since 2004 across 30 countries. Each technical consultant has a minimum of seven years’ experience working with this niche technology. We are also providers and developers of the only file transfer certification, CFTP.

INDEPENDENT

Software vendors will want to sell you their product, but our technical experts independently analyse the best solution for your unique requirements. They consistently review the marketplace and only select credible solutions from credible vendors, who provide excellent support and regular software updates.

FULLY SCOPE YOUR REQUIREMENTS

Your internal processes and current / future business requirements will determine which solution is the best fit. That is because different software differs in how it delivers the same set of features – the level of detail makes all the difference. Our free Managed File Transfer comparison service asks you the right questions to recommend an exact fit for your organisation, making sure your implementation is a success.

The questionnaire prompts you to consider the following criteria:

  • Key infrastructure questions you need to think about when comparing MFT software;
  • How your solution will be impacted by other policies within the business;
  • Requirements for automated transfers;
  • Transfer protocols, which will depend on the security requirements for the data (eg: personally identifiable data, credit card information);
  • Which cloud services you need to connect to;
  • Which standards you need to comply with (eg: GDPR, PCI DSS).

How can I find out if a file transfer failed?


Data transfers underpin many operations within an organisation, so it’s important to know if a file is not delivered. Your customer SLAs may depend on it. Read on to find out how an MFT solution can alert you when a transfer fails and identify the reasons why.

Organisations transfer data all the time. That might be financial information in the form of invoices, orders and BACS files, or other operational transfers received through a website or shared between internal offices.

If an automated transfer fails it can disrupt business operations and risk breaching the service level agreements (SLAs) you have in place for that activity. Unfortunately, for many organisations, the first indication that a transfer has not happened is a call from a user missing the file. By then, it’s usually too late.

That’s why you need good visibility of all your transfers and alerts set up to notify you if they fail.

Visibility

Managed File Transfer solutions – or MFT – provide excellent visibility of transfers. At a basic level, that might include email message alerts when a file has been delivered. BUT, this relies on you noticing you haven’t received the email.

These systems record events between the server and client, so – with the right module or add-ons – you can usually get a detailed level of reporting. This real-time transfer monitoring allows you to keep an eye on the most important transfers as they happen.

A good MFT system will provide the following:

  • Real time status of your servers and sites
  • Views of transfers in and out of your system
  • A dashboard giving key system statistics
  • The run history of event rules configured on your system

With many systems you can design customisable reports showing transfers, which you can then export to save or share. And – because prevention is better than cure – the IT department can uncover factors which may lead to future errors, such as connection failures, firewall misconfigurations, and data corruption.

How you achieve this will depend on your MFT solution and other monitoring systems in your environment. Ideally they will interact, but if this isn’t possible, you could use SNMP traps, or write to a Syslog server. Many monitoring systems read Windows event logs to detect errors, and happily most MFT systems allow this directly. Alternatively you could use a database as an intermediary location for storing monitoring events. Our technical consultants provide professional services to help you if you need it.

Never miss an SLA again

With a good MFT system, you can build a rule to check if a particular file has been transferred by a certain time. The system will generate an email, alerting the administrator or another specified user, if the transfer has failed.

Setting the rule to check before the file is needed gives you advance warning. So if – for example – an order isn’t sent or payment not made, you have time to contact the sender and address any difficulties before the SLA is breached.

These rules can be set for file names, file sizes or specific senders. You can also track the number of files sent. For example – you can check that at least three files of 100KB or more were uploaded from a specific group of users, with a file name starting ‘finance’.
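The rule described above (at least three files of 100KB or more, from a specific group of users, with a file name starting ‘finance’, checked ahead of the deadline) can be sketched as follows. This is an added example, not code from any MFT product: the CSV log layout, user names, dates and function names are all hypothetical, and the near-miss list shows why a rule was not met.

```python
from dataclasses import dataclass
from datetime import datetime

KB = 1024  # assumption: the text's "100KB" is read as 100 * 1024 bytes

# Constructed sample audit log: time, user, file name, size in bytes, status.
# The CSV layout is hypothetical; every MFT product has its own log format.
SAMPLE_LOG = """\
2019-01-14T05:58:10,alice,finance_orders_0114.csv,204800,success
2019-01-14T06:03:41,bob,finance_invoices_0114.csv,153600,success
2019-01-14T06:05:02,bob,finance_bacs_0114.txt,51200,success
2019-01-14T06:07:30,carol,finance_payroll_0114.csv,307200,failed
2019-01-14T06:09:00,mallory,finance_extra.csv,409600,success
2019-01-14T06:10:00,alice,hr_report.csv,409600,success
2019-01-14T07:30:00,carol,finance_payroll_0114.csv,307200,success
"""


@dataclass(frozen=True)
class Transfer:
    when: datetime
    user: str
    filename: str
    size: int
    status: str


@dataclass(frozen=True)
class Rule:
    users: frozenset       # the "specific group of users"
    prefix: str            # required file name prefix
    min_size: int          # minimum size in bytes
    min_count: int         # how many qualifying files must have arrived
    window_start: datetime
    check_at: datetime     # evaluation time, set ahead of the SLA deadline


# Constructed rule mirroring the text: 3+ 'finance' files of 100 KB or more.
FINANCE_RULE = Rule(frozenset({"alice", "bob", "carol"}), "finance", 100 * KB, 3,
                    datetime(2019, 1, 14, 0, 0), datetime(2019, 1, 14, 7, 0))


def parse_log(text):
    """Parse the constructed CSV log into Transfer records, skipping blank lines."""
    transfers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, filename, size, status = (f.strip() for f in line.split(","))
        transfers.append(Transfer(datetime.fromisoformat(when), user, filename,
                                  int(size), status))
    return transfers


def evaluate(rule, transfers):
    """Return (met, qualifying, near_misses) for the rule as of rule.check_at."""
    qualifying, near_misses = [], []
    for t in transfers:
        in_scope = (t.user in rule.users
                    and t.filename.startswith(rule.prefix)
                    and rule.window_start <= t.when <= rule.check_at)
        if not in_scope:
            continue
        if t.status != "success":
            near_misses.append((t.filename, "transfer failed"))
        elif t.size < rule.min_size:
            near_misses.append((t.filename, f"only {t.size} bytes"))
        else:
            qualifying.append(t.filename)
    return len(qualifying) >= rule.min_count, qualifying, near_misses


def alert_text(rule, transfers):
    """Build the administrator alert, or return None when the rule is satisfied."""
    met, qualifying, near_misses = evaluate(rule, transfers)
    if met:
        return None
    reasons = "; ".join(f"{n}: {why}" for n, why in near_misses) or "no matching uploads seen"
    return (f"ALERT {rule.check_at.isoformat()}: expected {rule.min_count} "
            f"'{rule.prefix}*' files >= {rule.min_size} bytes, "
            f"got {len(qualifying)} ({reasons})")
```

Evaluated at 07:00 the sample log yields only two qualifying files, so an alert is raised while there is still time to chase the sender; the same log evaluated at 08:00 passes.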

Why did the transfer fail?

The more sophisticated MFT solutions on the market will allow you to pinpoint which of several steps in an event rule has failed. This means you can quickly identify the problem, without the cumbersome process of analysing logs. Some solutions will display high-level information in a dashboard view, which can be customised to highlight errors, such as failed logins or PCI compliance. You may be able to display other KPIs as well.

Next steps for your organisation

  • You already use an MFT solution
    Our technical consultants can advise on how to achieve this level of visibility.
  • You don’t have an MFT solution
    Our free download, Do I need MFT?, will identify if this is the right choice of technology for your organisation.
  • You are ready to compare solutions on the market
    If you know MFT is right for your organisation, our free comparison service will identify the best solution for your needs and budget.
