Secure FTP: Challenges and SolutionsBanking/Security Leaders Discuss Common Barriers, Strategies
"Let's face it: Banking relies on a trust relationship," says Matt Speare of M&T Bank. "Any loss of trust on the part of the consumer or our business customers has significant impact on our bottom line."
And so to satisfy customers and meet regulatory mandates, institutions need an FTP solution that maintains the integrity of the data and provides an audit trail.
In an exclusive interview about secure FTP challenges and solutions, Matthew Speare and Philip Alexander of Wells Fargo Bank discuss:
- How their institutions historically have approached FTP;
- Key regulatory and security challenges;
- What they need in a secure solution that scales.
Then, Sam Morris and Tony Luque of Attachmate step in to discuss:
- Common FTP challenges in the marketplace;
- Examples of common drivers & solutions institutions have employed;
- Advice for an organization looking to overcome its FTP challenges.
Matthew Speare is responsible for Information Technology Operations, Telecommunications and Networking, Platform Design and Support, Information Security and IT Risk Management, and Business Continuity Planning and Disaster Recovery.
Phil Alexander began his career back in the late 1980s while serving in the U.S. military. Since then he has worked in both the public and private sectors in positions including; engineer, project manager, security architect, and IT director. He currently works for a major financial institution as an Information Security Officer.
Tony Luque, Manager of Security Consulting, Attachmate Corporation, has worked in the information technology industry for more than 13 years. Currently, his primary focus is on working with companies to enhance the strategic use of fraud management and managed file transfer in their enterprises.
See Also: Data Protection: Common Mistakes
Sam Morris is a product marketing manager for Attachmate Corporation, with a primary focus on the company's managed file transfer and SSH solutions. Morris has 15 years of experience in the host access and host connectivity industry having served in roles that include technical support, sales systems engineering, and product management.TOM FIELD: Phil, you are with Wells Fargo. How has your institution historically approached this whole topic of FTP?
PHIL ALEXANDER: Generally, with sensitive information, or information that's covered by various government regulations, and FTP being a clear text protocol, we just don't use it. It's not deemed to be appropriate. And what I mean by clear text is the data is not protected by encryption as it traverses. It could be an internal network or even over the Internet for that matter.
FIELD: Matt, you are with M&T Bank. How has your institution historically approached this whole topic of FTP?
MATT SPEARE: Well just like Wells Fargo, we certainly look at FTP as an insecure protocol. But just as important was that even with a secure FTP mechanism, what is the work flow and audit trail around that? Because as you grow in size just having a mechanism to provide a secure file transfer protocol and put files on it securely on a server to be retrieved by someone, who actually retrieves those? What do they do with it? What is the notification process if there are files there to be picked up and utilized? We think that's just as important in the process overall.
FIELD: Matt, I've got a question I would love to send your way, and Phil if you can just pick up after Matt that would be great. The question is, what are some of the key challenges when you look at regulatory issues and security issues? What do you find to be top challenges?
SPEARE: The number one issue from my perspective is that since banks are regulated under this group of regulators known as the Federal Financial Institutions Examination Council, what is kind of unknown to the general public out there is that we really have the only national requirement to do customer notification in the case of a potential breach. The bar is pretty high for us in that we have to be able to definitively prove that we did not lose a customer's piece of non-public personal information to avoid notifying them and the regulatory agencies, and it becomes incredibly costly. Having to go in a high-level of security with an audit trail, we can definitively prove that we did not lose control of specific customers' records in the case of a breach. That saves us a lot of time and hassle. And let's face it - banking is a trust relationship. Any loss of trust on the part of the consumer or our business customers has significant impact on our bottom line. There is a pretty high level of security that we have to have in place to be able to satisfy and avoid some of the regulatory requirements that are out there. I see those as the big issues for us.
ALEXANDER: I agree 100 percent with what Matt was saying, it was absolutely correct. And we don't just look for the solution that will encrypt data in transit, which we are required to do. But it does need to provide the audit trail, and the term used for certain things is non-repudiation. Can I prove at an electronic level that the data did go where I wanted it to go and was received by the person that was the intended recipient? It needs to protect the data. I need to have an audit trail. I need to log it, and those are things that I maintain the confidentiality, the integrity and basically the ownership of that data until it's securely and successfully passed from point A to its intended point B.
FIELD: Phil, maybe you can tackle this question first and Matt I would love you to jump in. You talked about the challenges here. What do you need in a secure FTP solution that is going to work across your entire scale?
ALEXANDER: I will go ahead and start on that one. Besides from everything that Matt and I have been talking about, within a company the size of Wells Fargo and the different entities that we communicate with, one of the important things is that the solutions work on a variety of platforms. I mean we're not just one platform enterprise-wide, so we need a solution that can not only do everything that we need to do, but can do it for various forms of Windows or various forms of Unix, mid-range and even main frame. The more, as I call it, operating system agnostic that solution can be and meet the different technical requirements and technical challenges, those solutions are deemed very valuable.
SPEARE: From my perspective, and certainly Phil is exactly right, you look at Wells Fargo and ourselves at M&T, we are in the top 20 banks in the U.S. in terms of asset size, but there are 8,000 banks that are smaller than us out there and when you think about it, we are relatively sophisticated from a technology standpoint. Those other banks, the CEO can be the head teller and the chief bottle washer, as well as the technical guy. It needs to have a simplified user interface with a high level of encryption on the back-end so that you can use work flow and be able to get that work flow programmed in a simplified manner where you don't have to have deep technical skills to be able to do it, but still have that high level of assurance that when a secure file comes in that the appropriate user is on with the bank or notified, and that when we go and retrieve it that it is secure in that transmission. Then I can go back and prove that we are handling these files in an appropriate manner so as to not put our organization at risk. Certainly, all those elements that Phil talked about need to be there and it also needs to have a very simple user interface that can provide a high level of functionality for a bank's scale and size.
FIELD: Matt, how do you quantify the business benefits of such a solution, especially in a larger organization? Or perhaps some of the business leaders aren't as close to something like this as you find in a smaller organization.
SPEARE: I think that the number one thing that you can prove definitively is labor arbitrage, by having work flow processes and not having to have people go in and check on a regular basis that you're able to do your settlements and process your work in a more timely manner, and be able to do it with less people. From a financial standpoint that is pretty easy to prove out and it's a compelling enough case. What is more difficult to be able to communicate is the risk mitigation, both from a potential loss and loss avoidance of one. There is nothing worse than having one employee, who was assigned to go in and take care of files and start processing them on behalf of a business customer, and they're out on vacation and no one else is picking up that work. Or they just simply call out on a sick day and nobody realizes it and then you have the after-the-fact settlement. This is going to cost you dollars to do, to make that customer whole, because we all want to provide the best experience at all possible for our customers. When we make a mistake we're liable for it, and so that is harder to prove out. But there are models out there that will allow you to be able to demonstrate that risk mitigation and the cost avoidance having this type of system in place.
FIELD: And Phil, your thoughts on that? What is it that you really need to quantify the business benefits of a secure FTP solution?
ALEXANDER: I agree with everything that Matt said on this. And to build on some things, the particular needs from the various financial institutions may vary somewhat. An end-user dashboard that can be customized to meet the needs, and even in terms of Wells Fargo, not every division of the bank is going to be looking for that same type of dashboard. It can be customized to meet their specific needs. Another very important point was the ease of use. Bankers are generally not technology and computer experts. They are savvy in their field so something that is intuitive to the end user, it has to work. There's a term sometimes used in the computer language ... 5 9's Uptime, which is 99.99 percent. If the solution keeps crashing or is unavailable, or we are consistently reaching out to the vendor for technical support, that of course is an issue that's going to impact business. We are looking for ease of use and for it just to work and work consistently on a day-to-day basis.
FIELD: That is excellent insight. Phil and Matt, I want to thank you both for your insight here.
ALEXANDER: You're welcome.
FIELD: Now Sam and Tony, I want to bring you into this conversation. Perhaps, you could take just a minute to introduce yourselves.
SAM MORRIS: Yeah I'm Sam Morris and I work for Attachmate. I am the Product Marketing Manager for Attachmate's Manage File Transfer solution family, which we call File Express.
TONY LUQUE: I'm Tony Luque, Manager of the Security Consulting Group here at Attachmate across both the Manage File Transfer, as well as Enterprise Fraud Management, solutions.
FIELD: Sam, how do Matt's and Phil's experiences jive with what you currently see in the market place?
MORRIS: I found myself nodding my head quite frequently as I listened to Matt and Phil speak about how they visualize and assess file transfer relative to such things as security and protection of sensitive information, but also from the point-of-view of work flow, auditing, platform support and ease of use. We certainly get the opportunity to speak with a number of financial institutions and discuss how files move within an organization, not just as a transfer from point A to point B, but as part of a broader work flow. I don't think that anybody transfers a file because it's fun to do. It's part of a broader work flow that's just as important as getting the file through itself.
It's also true that ease of use is important, not just from the point-of-view of the end-user - certainly that is important. It needs to be easy for an end-user to consume and that might be from their experience in a web browser transferring files to maybe a file transfer client that they are comfortable and familiar with. But also, it's how IT organizations bridge between their particular data security standards and framework, for instance, SFTP within their data center and bridge out to how their business partners and customers want to exchange files perhaps over different protocols.
I would also validate it's important how organizations are measuring the costs of file transfer from the time spent dealing with file transfer outages, to the time spent provisioning file transfers and users to the harder to measure cost around the risk of security breaches.
FIELD: Tony, based upon what we've been talking about here, what do you find to be some of the common FTP challenges for organizations?
LUQUE: There are really three things that I wanted to highlight that Phil and Matt also touched on. First and foremost is around security, and that is on really multiple fronts. It's not only from the side of confidentiality and integrity, which Phil mentioned the clear text protocol both from the pay load, the actual file, as well as the authentication, the user name and password, but also from the presence of the data residing in the DMZ and it being in a risk-based area. More importantly, from an audit perspective, one of the things that has been mentioned here is that file transfer is a part of a larger process, a business process, and having the ability to know where that file existed, where it went and who has access to that file, can we determine whether or not it had been modified, changed in anyway, and protected all the way through that process. Having the audit capability is obviously one of the key challenges to file transfers.
Another one that I wanted to mention is around scalability and reliability. Businesses are requiring larger and larger files to be moved from internal systems from one to another as well as to external third parties or just from users. With the volume of these files, getting these in batch, reliability is becoming such a critical requirement and challenge around the traditional file transfer. We're quite a ways away from those small 2k files that FTP started transferring. As you get up to several megs, or hundreds of megs and gigabytes of data, the reliability and being assured that the delivery is happening and you can audit that obviously is an area of great challenge for FTP.
Really that leads to the cost that has also been touched on, operational cost predominately. There are always going to be challenges in the process of file transfer. Errors will occur, transfers will fail. How do you begin to deal with that and the operational cost of the resources, internally having to determine where the problem existed? How do we resolve that? How do we manage provisioning? Adding new users, taking away privileges, all of those things and just doing the care and feeding is another challenge. In fact, one of the financial institutions that we are working with was requiring two full-time staff to handle that care and feeding, both provisioning handling the fire drills of managing file transfers within their organization. Obviously, this got the attention of the CIO which initiated a project to implement a manger file transfer solution.
FIELD: Tony this only makes imminent sense. What do you see to be some of the common barriers to organizations adopting these new enterprise solutions?
LUQUE: That's a great question. Really I think one of the main barriers is that there is not a single owner of file transfer within an organization. File transfer is pervasive across business units both from application development to IT operations, to the user to user file transfers. It's really a different way of thinking to suggest that a central framework or a centrally managed file transfer service can drive the reliability and scalability as well as security and overall cost reduction. That is really one of the key barriers.
Another one is that because there is not a single owner, it's often difficult to aggregate the pain across the business units to really drive that change. While there may be specific pains, say for example a user who has to transfer a very large file to a business partner and wants to do that in e-mail or would traditionally do that in e-mail, because of limits within their e-mail system they find another way, whether that is sending it through some personal e-mail or using some standard or non-standard unapproved method to share that file. Or within the application development team, which is rolling out a new project and needs to do some automated transfers between one application and another. Those are all within different silos, which there is pain there. But because there is not a single owner, it's often difficult to get the visibility across each of those different areas in order to recognize that it's time to roll this up into a change agent that we can address and move forward as a project. Those are the two things that I've seen as really the common barriers.
FIELD: Sam, to bring you back into the conversation, maybe you can give us some examples of some of the common drivers and solutions you've seen institutions employ.
MORRIS: Certainly and I would say we've heard some of the initial core concerns around security and regulatory compliance. I know that we were working with one regional bank that obviously made the decision that unencrypted FTP had no role whatsoever to play in operating in compliance with PCI/DSS in their organization. As a result, they replaced their legacy file transfer approach with a managed filed transfer approach that was delivering that protection of files in transit and in centralized auditing. Another context was a couple of a different regional banks who needed to integrate secure file transfer into their multi-stage DMZ arrangement that allowed files to be transmitted in a clear through part of that so they could go about content inspection as those files routed. What was important to them was having the ability to translate in transit between secure protocols and non-secure protocols and encapsulated in very tight and secure firewall zones. Another common driver is really around consolidation. Over the years, a number of institutions find themselves on a project-by-project, by department, basis, growing either internally or through acquisitions of third-party software a variety of file transfer solutions. Consolidation is around bringing cost down and bringing better management by folding those into a single solution. We worked with one financial institution that had an asset management group that was using one solution for exchanging files with other financial institution. Their financial market divisions were doing the same thing with another solution, and the security service division was using their own solution for exchanging documents with various stock exchanges. What we were able to help them do was develop a single solution capable of accommodating the needs of each of those transfer partners through multiple secure protocols, scalability, centralized auditing, so that they could then also improve the security by having records of all of those transfers, and also making those file transfers a single step as they move through the DMZ.
The third, most common driver that we hear about is the need to do more automation. We worked with one regional bank that had a complex process and a manual process that required an individual on a calendar schedule to go out and check a partner's file transfer server that was hosted on the Internet. Their work flow was get a task in the calendar, open up a file transfer client, see if a file had shown up in their directory, transfer the file and then kick off a remote process for processing that file once they brought it local. What manage file transfer solutions are able to do is actually automate that entire process without involving the user, having that automated scan of that remote system, the movement of files internally and the automatic execution of the post-processing once a file gets to where it needs to go. This all rolls up into savings through things like consolidation, improved reliability, getting increased automation, meaning that you are investing less individual time and letting them work on other, and perhaps more revenue-driving activities.
FIELD: Final question, and I'll toss this to you Sam and perhaps Tony you can pick up on it. If you could boil it down, what advice would you give to an organization that is looking to overcome its FTP challenges? Where should it really begin?
MORRIS: I think that's a good question. I think that's a question that organizations are trying to get a handle on as they do react to specific file transfer challenges that bubble up to the level of awareness to them. I would say there are probably three things to focus on and the first would be to actually look across the organization. Many file transfer projects are departmentally driven, so look beyond that department and access where other departments are transferring files and whether there is an opportunity to recognize cost savings and improve efficiency by consolidating. You can recognize also that there are a lot of file transfers that occur via e-mail between users or file transfer that is embedded in applications that are written in-house. This is an organization's opportunity to improve the security and supportability of those file transfers as well. First of all, look across the organization.
LUQUE: Actually that is a great point. When we were looking at one of our customers in the financial area, they actually had, as we started to drill into it, a number of different areas ... and they were rolling out a new banking platform and really needed the reliability of moving data from their mainframe older banking platform to a new modern banking platform. But then, also from their customers, they would share perspectives and other brochures which they needed to send and allow their customers to access through a web browser. Also, they were getting data from third parties. For example, they recognized that another portion of their business was getting data from specific bureaus containing black lists of organizations that may have been engaging in money laundering or other fraudulent activity, and being able to securely get that data to a reliable clip was very important to them. As you can see, they were able to recognize across the organization multiple use cases.
MORRIS: The first piece of advice is to look across the organization. I would say that the second piece of advice is look beyond point A to point B. ... File transfer really does exist as a step or part of a larger process. It helps to understand for the various transfers that you see across the organization what that broader process is and recognize the manage file transfer solutions are designed to improve the efficiency of that broader process by doing such things as reducing the steps and the transfer, automating more of the file transfer and automating the post-transfer action, the things that happen to those files after they get to where they need to go.
And I would say that the third piece of advice is look to governance in order to maximize value. Governance in the context of file transfer includes such things as enforcing security policies, establishing the use of secure file transfer protocols. It encompasses centralized audit records of all file transfers that can be searched and reported on. Governance, in the context of file transfer, also drives toward operational visibility to problems that arise with file transfers. MFT solutions deliver on governance for file transfers and they drive value by reducing security-related risks, awareness of key data movement within the organization and certainly improved responsiveness to file transfer outages. In utilizing this governance across the broadest set of use cases, as we talked about in step one, it certainly allows an organization to get the most value out of a file transfer.
LUQUE: Just to add on to that, one of the things that we have seen is in order to really get the funding or to get that visibility, using the governance committees, the audit group or the compliance group, often there are requirements around manage file transfer or secure data transfer that really can help drive the project forward and use that as a catalyst to get the buy-in and the funding to drive it forward, which we've seen in other use cases.