iPad/AT&T data theft shows need to lock down file transfers

June 23rd, 2010

Data has become like gold dust in the Internet economy. Companies collect it, exchange it, store it, and use it to leverage their business models. In this LastWatchdog guest blog post, Gary Shottes, President at Ipswitch File Transfer, outlines the emerging security and legal liability implications. Ipswitch supplies file transfer management tools.

By Gary Shottes

We are in the midst of an evolution of how companies manage and control their data. Recent high-profile data breaches — such as AT&T’s disclosure of the e-mail addresses of 100,000 high-profile iPad users, and the resulting consumer backlash, have made protecting company information less of a policy question and more of a mission-critical operational task for IT departments.

The iPad/AT&T incident vividly showed how disclosure can happen in unexpected ways if certain doors to the enterprise are left unguarded because they only serve a supporting or maintenance function, as file transfers between business partners often does.

Even at the most attentive companies, the contradictory mix of ever-increasing data volumes, increasingly strict corporate governance and rising availability expectations lead people to wonder how all those file transfers can be supported, let alone secured.

Facebook is an example of a company whose public struggles with volume, privacy/security and availability challenges have been well documented. In January one of its partners, a widget provider called RockYou, was hit with a class action lawsuit alleging that the company failed to protect its users’ Personally Identifiable Information.

Whether or not this lawsuit will directly affect Facebook may hinge on the technical care Facebook took of any data exchanged with RockYou.

Outside partners aren’t the only ones increasing legal risk. Internally, hard-working employees are doing it too. These are the highly-motivated workers willing to do whatever it takes to get the job done, with or without IT. Employees, whose job requires them to send information to colleagues, partners, vendors or customers around the globe, have literally thousands of file transfer options.

If IT fails to provide employees with a fast and easy way to share information, they will take matters into their own hands, even if that means using technology that’s not sanctioned by IT. They may use a personal webmail account, smartphones, USB drive, or even transfer data via Facebook and LinkedIn.

Fortunately, there are solutions out there that can help companies secure and manage files and data. Financial institutions and health care companies have been doing it at a high level; some have dedicated “transmission teams” whose entire job is to balance risk, availability and throughput.

One transmission team, based in Charlotte, NC, uses a technology deployment that spans multiple firewalls and data centers. Several hundred thousand daily transmissions pass through this system and are monitored 24/7 from a single point of control. Some transmission end points use their own server-based deployments of similar technology; others use branded agents created by a software vendor and distributed by the transmission team itself.

The technology supporting this process is called Managed File Transfer. MFT can scale from projects involving less than 25 people to enterprise-wide deployments. In all forms, Gartner believes that purchases of MFT technology and supporting services now accounts for about $500 million a year and is growing by about 25% annually. MFT technology can help companies:

  • Monitor and manage the entire spectrum of data interactions.
  • Create and enforce security policies.
  • Enable a simple, secure way to quickly transfer files

MFT systems can be deployed for a project or enterprise-wide; handle person-to-person or system-to-system transfers; be implemented on-premises or in the Internet cloud. Organizations should examine how effective they are at ensuring that  transfers of sensitive files, within and outside of the company, are secure, compliant and fully auditable. Those that don’t are simply opening doors for data thieves and putting their companies at risk.

About the author: Gary Shottes is President at Ipswitch, responsible for driving the worldwide strategy for product development, service offerings, sales and marketing. Gary brings a depth of knowledge in identifying new business opportunities globally and a proven ability to orchestrate a market leading vision for the organization. Ipswitch File Transfer, located in Lexington, Massachusetts, builds software to help individuals and businesses securely move their most valuable data.