A preview of Axway Connections 2014 in Scottsdale, Arizona, October 22 – 24, 2014

This is a transcript of the Axway podcast of the same name.

ANNOUNCER: From Phoenix, Arizona, this is The Axway Podcast. Here’s your host, Mike Pallagi.

PALLAGI: Axway’s Connections 2014 event — a summit where Axway customers can network with their peers and Axway experts, hear customer user stories, and get the latest product news firsthand — kicks off on October 22nd and runs through October 24th, 2014 at the Omni Montelucia Resort & Spa in Scottsdale, Arizona. I recently caught up with some of the key folks behind the event and asked them to give us some insight into what attendees can look forward to.

BERRYMAN: The venue is the Omni Montelucia Resort.

PALLAGI: That’s Ajda Berryman, Axway’s Director of Demand Generation in North America.

BERRYMAN: It’s located in Scottsdale, and it’s an ideal location. It’s really beautiful. It’s right up against the Camelback Mountains, surrounding… In the Sonoran Desert, so it’s really beautiful. It’s got a lot of Spanish influence. Great reviews and so forth. It’s surrounded by a lot of activities — hiking, dining, and so forth. We really thought it was a very special resort. We have not been to this resort in the past, and we wanted something new and exciting for our customers. So it’s a lot of cultural feel and taste and unique experience.

SKOOG: The Omni Montelucia is a very intimate, high-end, boutique hotel…

PALLAGI: That’s Mark Skoog, Axway’s Vice President of Corporate Marketing and Communications.

SKOOG: …I’m sure that the people who will be attending the event will find it to be a very memorable experience in a very nice part of the metro area, and just overall a great venue for this type of event.

PALLAGI: And it’s just a twenty-minute car ride from Phoenix Sky Harbor Airport, too.

SKOOG: A wonderful opportunity for customers to network with each other, to network with other industry experts such as Forrester analyst Randy Heffner. And then, also, Axway senior management who will be in attendance throughout the event. We start on Wednesday with a series of workshops specifically geared towards managed file transfer, B2B, and API management for more detailed, hands-on technical experience, and a detailed understanding of the products and what is new, specifically over the past year. We then move to Thursday and Friday to a series of general sessions in the morning featuring Axway CEO Christophe Fabre, covering the topic of governing the flow of data, followed by Paul French and Mark O’Neill discussing the Axway 5 Suite overview and recent enhancements. Then we break into a networking break and demo for about an hour, followed by track sessions that will be broken into four categories covering product, implementation best practices, and two different versions of either customer or industry sessions that will last into the afternoon throughout Thursday.

PALLAGI: There will be demos running concurrently, too, featuring Axway subject matter experts who know everything there is to know about the entire solutions portfolio. So be sure to bring your toughest questions.

SKOOG: Then, in addition, there are a series of networking and other dinners where attendees can learn best practices and talk specifically with other customers to learn exactly how they have used Axway products within their businesses. On Friday we’ll begin the morning session with Forrester research analyst, Randy Heffner, who will be covering APIs and the critical foundation for your digital business ecosystem, followed by a very interesting presentation by Fidelity. Followed up with some new information for this year’s attendees, discussing operational intelligence and driving business value through real-time visibility into transactional data flows featuring the Decision Insight product line which came over to Axway through the Systar acquisition recently completed this year. All in all, a very exciting lineup, and there are multiple customers speaking, as well, discussing their experiences and best practices.

PALLAGI: I asked Ajda to tell us a little more about Forrester’s Randy Heffner, the keynote speaker.

BERRYMAN: A vice president and principal analyst there. He’s been working in this space in application integration, and also working with API management space, for over 30 years. I think he comes with a lot of experience in the industry, of following market trends, of providing professional advice to other companies that are evolving in their integration strategies and looking to the future. Especially, I think, his presentation will be really relevant to all, and I think that the customers will really value being able to even meet with him in person afterwards and have one-on-one meetings with him. I think that’s going to be a huge plus for them.

PALLAGI: And how about the customer presentations? Previous years’ attendees always rave about those. Here’s Marianne Lontoc, a Sr. Marketing Manager for North America Demand Generation at Axway.

LONTOC: We provide some customer speakers who will be talking about their experiences in Axway products and the entire Axway 5 Suite. In API we have a couple customers from Toyota Financial, BMW, and iC Consult, as well as Fidelity for our MFT customers. ING will be speaking, as well as Experian. And for B2B, UTI will be our customer case study as well, just to name a few.

BERRYMAN: You know, last year we had acquired Vordel and so a lot of our customers got to be introduced to our API management offerings and what that brought to the table in A5 Suite. I think this year, with the Systar acquisition, they’ll see a lot more around operational intelligence and the new Axway Decision Insight. I think that will be something exciting and new that customers will look forward to hearing about and seeing the extended offerings in the A5 Suite.


The Home Depot data breach and why hackers love FTP

This is a transcript of the Axway podcast of the same name.

ANDREWS: Security can always be breached. It’s that visibility piece that’s more about detection that really would help people at Home Depot understand that something unusual is happening in their environment. That is, if they were able to get past the security portions of the APIs anyways.

ANNOUNCER: From Phoenix, Arizona, this is The Axway Podcast. Here’s your host, Mike Pallagi.

PALLAGI: In early September, The Home Depot’s banking partners and law enforcement notified them of unusual activity connected to their payment systems. The Home Depot’s IT security team immediately began working with leading IT security firms, their banking partners, and the Secret Service to investigate. That investigation confirmed that a breach of The Home Depot’s payment card systems occurred. Since then, they’ve fixed it, but I had a question: What could they have done to prevent it? Here’s what John Andrews, Axway’s Director of Solution Marketing for Managed File Transfer, had to say.

ANDREWS: FTP is a very old technology. The original specification for it was published in April of 1971. The specification actually pre-dated TCP as a major way for technical communication between computers. And so it was done more as an academic research, being able to share… How do academics share information electronically rather than putting their research into an envelope and then mailing it and hoping it gets there? Got used very quickly in computer science circles because it was a way to share information.

PALLAGI: Andrews said that FTP was never designed with security in mind and because of that, it’s become one of the favorite venues for hackers looking to get into a corporate network.

ANDREWS: They have built security on top of it. However, the secure variants, while they provide protection around being able to log in or protect the data in motion, they don’t provide any audit or log capability. So thinking back to the API example, if you can’t track or have visibility into what’s being done, it becomes harder to detect unusual patterns. And so that kind of lack of traceability, visibility, auditability makes FTP a very insecure piece of software. If you think along a CSI type of metaphor, there isn’t a lot of evidence left by FTP to trace back or identify who actually committed the crime. And that’s why hackers love it.

PALLAGI: So when it comes to logging into an FTP, you just need to use your name and password and there’s nothing to authenticate that that username and password belong to the person who’s trying to log in. Also, when a person logs in, it’s not actually recorded, so there’s no audit trail.

ANDREWS: If a file is moved, there’s no audit of it being logged. There’s plenty of examples of hackers using FTP to gain user credentials. If you Google on some of these, you’ll find them. And I have a bunch of examples. Like, in 2001, Yale University had 43,000 people — user IDs — exposed because the database information with all that user information was stored on an FTP server. In the same year, in 2001, 40,000 Acer customers had their details stolen — again, because the information was stored on the company FTP server. More recently, 7,000 FTP sites had their credentials circulated in underground forums. And that was found from a company called Hold Security. That was probably just about a year ago when that happened. If you look at all the other events that have happened in the last little while, while it hasn’t been clearly stated, FTP could be a primary suspect in allowing hackers to get into systems.

PALLAGI: Is there anything a business can do to track that activity? Some set of improvised actions? A best practice?

ANDREWS: Once somebody gets access to an FTP server, there’s no log of that activity. Now, you can write manual scripts to try and track that, but it’s far from foolproof, and often requires a lot of maintenance, so you’re never quite sure if you’re getting all the information. In fact, if you Google for a Python script, you can find a script written in Python that will scroll through a range of IP addresses to tell you if there’s an FTP server on that machine, whether it’s working or not, and whether the anonymous login is available on that server.

PALLAGI: What else is it about FTP that makes it so attractive to hackers?

ANDREWS: There are a number of things around FTP that make it highly suspect to hacking. For example, it can be used in a brute force attack, so just checking every single port that is on an IP address to see if it has an FTP server exposed on it. You can do bounce attacks checking to see whether or not your attempt to log into the system is available. Use a port command and try to just access … use the FTP server as a way to connect to another system. You also have packet capture. So the idea is that if you know which port the FTP server is listening on, you can listen on that port and just analyze the packets as they’re going to that server. And while the secure versions of FTP can address this, you still don’t have traceability. Ultimately, an FTP server sits on top of a file system that is usually connected to your internal network. So once you get access to the FTP server, you then have access to the internal file system. Once you have access to the internal file system, you can access databases, you can access LDAP stores. If you know what you’re doing and know where to look, the FTP is that proverbial back door to get into a network environment, then find almost anything you’re looking for.

PALLAGI: What can organizations do to reduce their reliance on FTP and secure information in motion?

ANDREWS: First and foremost, there are two things that really come to mind. And that is there is a higher level of security, meaning that username and password aren’t always going to be enough to connect to an MFT solution. While we can mimic FTP functionality, the ability to access it may not only require username and password, but authentication, so we can up the level of security needed for people trying to access. We also abstract away the actual physical … the physical file system away from the attackers so they don’t have easy access to the back-end network. Most importantly, we track and audit all of the interactions. So if you log in as Mike Pallagi, we will see that login, exactly what protocol you were using, and what you tried to access. That audit log is hugely beneficial, especially in diagnostic and troubleshooting situations. And that is provided through a level of visibility that FTP doesn’t have. With an MFT solution, not only are you going to log that activity, you’re going to be able to see how frequently, how often, and who’s trying to gain access. That preventative… or that visibility, allows for preventative measures rather than reactive measures.
