informa
/
Compliance
News

FTP Ubiquitous And Dangerously Noncompliant

Its ease of use and prevalence notwithstanding, old-fashioned FTP introduces compliance and security risks
FTP servers might be easy to provision and a convenient means for users to share information across corporate boundaries, but the way most organizations use the protocol introduces unnecessarily high levels of security and compliance risks to organizations.

Despite the risks, a new survey shows that more than half of enterprises still depend on insecure and noncompliant FTP connections to collaborate with business partners and customers.

"The FTP protocol is in the drinking water," says Greg Faubert, vice president of enterprise solutions for Ipswitch File Transfer. "But while it is a ubiquitous protocol, depending on it as a standard architecture for file exchange is a bad strategy."

And yet many enterprises do just that. According to a poll of 1,000 IT decision makers across the globe conducted by Harris Interactive on behalf of IntraLinks, 51 percent of organizations use FTP sites to send and exchange large files. As a file-exchange method, it may be convenient, but it poses problems on the governance, risk, and compliance (GRC) front.

Not only do insecure FTP deployments make organizations more prone to catch the wary eye of regulatory auditors, but as several high-profile incidents during the past year have shown, they're very likely to expose sensitive information stores to the world at large.

For example, last year Yale University exposed data of 43,000 people simply by failing to lock down a database server stored on an FTP server that was eventually crawled by Google’s search spiders. Similarly, 40,000 Acer customers had their details stolen in 2011 when a hacker broke into information stored on a company FTP. Last year also saw an attack against FTP servers at the European Space Agency (ESA) that exposed usernames, passwords, and email addresses for more than 200 users at the agency.

According to Faubert, FTP is an easy target for a number of reasons.

"The first and probably the one that is the biggest point of exposure in a typical FTP is you have the issue of files and credentials at rest in an unsecured area of your network," Faubert says. "[In] a typical FTP model, people connect to your server, they potentially log in, the credentials are validated, they drop a file, and then that file is picked up by another application behind your firewall. So for some period of time that stuff is sitting out in the DMZ, and those credentials are sitting out there."

While some encryption solutions like PGP can be bundled with FTP to encrypt the file, there's still the matter of protecting the login information, says Sam Morris, product marketing manager for Attachmate.

"That still does not provide for the encryption or protection of user credentials," says Morris, who adds that authentication methods, in general, pose problems for security and compliance staff seeking to monitor access to data.

"Good old-fashioned FTP is very constrained in that it's not uncommon to have scenarios where it's just a simple thing to do to just implement anonymous authenticating, which really means you have no way of tracking use," Morris says. "It certainly reduces administrative overhead, but there's some exposure there."

Even with anonymous authentication turned off and security teams pouring through traditional FTP server logs, the infrastructure does not support the level of monitoring required within a regulated environment to figure out who accessed what information and when they did it.

"While some of that information may be logged in traditional FTP server logging files, with the growth of FTP servers and the ease of implementation, it's very challenging to aggregate that data across those logs from those various [feeds]," Morris says.

According to the experts, auditors are increasingly keeping their eyes peeled for insecure FTP file exchange in their investigations of enterprise IT environments. Morris says it is not uncommon for his team to receive requests for a solution to lock down an FTP environment very quickly in response to failed audits. It happens not only in finance and healthcare environments, but also in retail, Faubert says.

"The PCI standards look specifically at your FTP environment and the security surrounding your FTP environment," Faubert says. "It is a significant area of focus for auditors, and they will fail companies in their PCI audits for a lack of adequate controls around their FTP."

According to Morris, FTP persists to be overlooked because it has been "pervasive and around forever" and it is so easy to set up. More critically, says Fahim Siddiqui, chief product officer for IntraLinks, is the fact that IT has not provided the means to safely share information across the corporate firewall. This does not support today’s reality of what he calls the "extended enterprise," which calls for much closure collaboration between business partners and third-party vendors.

"The value chains are more and more disaggregated now. Instead of just going and hiring another 20 people within the organization, they're looking at business partners who can be more agile, move flexibly, and be more responsive to their needs," he says. "In doing that, what happens is you're not just sending orders back and forth and receiving a widget, you actually end up sharing critical business information across the firewall, and it is not needed to produce products and co-invent and co-innovate.” This is where the managed file transfer industry is trying to fill the gaps. According to Forrester, the managed file transfer (MFT) industry measured up to $1.4 billion. As more organizations face the compliance realities of sticking with the old FTP model, that number looks to grow in the coming years, says Ken Vollmer, an analyst with Forrester.

"Our discussions with clients indicate that the primary push for MFT is coming from the business side and is related to the increasing number of compliance regulations that organizations must deal with," he wrote in November. "For example, information security provisions are extensively covered under HIPAA regulations in the US healthcare sector and Sarbanes-Oxley and Basel II laws covering financial reporting. Similar regulations have come up in other sectors as well."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5