Dr. Larry Ponemon: Achieving Security in Workplace File Sharing

This is a transcript of The Axway Podcast of the same name.

PONEMON: We find that about 80 percent of our respondents, therefore almost all of our respondents, see the need to secure documents, especially documents containing intellectual property. The company secret sauces. Business information, for example, that in the wrong hands could be a big problem. Respondents in our study consider the loss of intellectual property to be by far the most negative consequence of insecure file-sharing tools. Even though it’s a big problem, and it’s viewed as a big problem, it seems to happen regularly. That’s another finding of this study.

ANNOUNCER: From Phoenix, Arizona, this is The Axway Podcast. Here’s your host, Mike Pallagi.

PALLAGI: In January 2014, The Ponemon Institute — an institute dedicated to advancing responsible information and privacy management practices in business and government — presented the findings of “Achieving Security in Workplace File Sharing,” a study that focused on the practice of public cloud file sharing in the workplace, threats to corporate information, and the features most desirable in achieving security in the sharing of files and documents. Next week on November 18th, Dr. Larry Ponemon, chairman and founder of the institute, will join Dave Butcher, Axway’s Senior Director of Managed File Transfer Solutions, for a candid webinar about the study. So to give our readers and listeners a little preview of the webinar, I caught up with Dr. Ponemon and asked him some questions. First, what did the study find?

PONEMON: What we find in our study is data breaches involving company data, stored in a public cloud environment, are likely to go undetected. This is a big problem for companies, as well as for regulators. Only 11 percent of our respondents say they would be very likely to know if sensitive or confidential information was even lost or stolen as a result of a data breach. So one way of looking at that is that 89 percent, if my math is correct, basically would be not necessarily likely, or maybe unlikely, to know whether or not data was lost or stolen as a result of a data breach. As it would happen, obviously, in a public cloud environment, I think that’s where the most risk is.

PALLAGI: What about employee use of file-sharing tools?

PONEMON: This is a very important issue, obviously. In an organization where you have hundreds, if not thousands, of employees running around doing their job, what we basically find is that employees’ decisions to use certain file-sharing tools — including cloud-based tools and, as I mentioned before, may be insecure — are made without guidance or oversight from the organization. Only 50 percent of our respondents say their organizations have a policy that informs them about approved file-sharing tools. In other words, about half even have a policy, an acceptable use policy.

PALLAGI: Of those who do have a policy, what do they say about the state of their policy enforcement?

PONEMON: So if you do the math, it’s like half don’t have a policy, but those that do, almost half, 48 percent, say that policy is not enforced. And if a policy is not enforced, it means the policy is not really a policy. We also find that 69 percent of our respondents are not likely to know whether employees are even using unapproved and risky file-sharing tools. Even if you have a policy, and even if the policy is not enforced or enforced, there’s a very high percentage of companies that acknowledge the fact that they don’t have the wherewithal to know whether an employee is doing something…not nefarious. Again, good people make mistakes. We say good people do stupid things in the workplace, and it seems to happen a lot in the file-sharing arena.

PALLAGI: Popular cloud sharing services have created problems for IT departments and their organizations for a while now. What were the survey’s findings on that issue?

PONEMON: About half of respondents, in our study, in fact exactly 48 percent, believe that popular cloud-sharing services are, quite frankly, not suitable for business use. But they would worry less about the security of confidential documents in these insecure environments if the data’s encrypted. Especially if it’s encrypted and the encryption keys are in their control rather than in the hands of the cloud provider, and storage was segregated, not shared with other tenants, unlike, for example, servers or at the rack level. If we were able to control the physical storage location and have encryption with key management in the hands of the company, that would go a long way in reducing the concern that people have. But still, it doesn’t solve the problem completely.

PALLAGI: Here’s what Dr. Ponemon had to say about corporate culture as a security challenge.

PONEMON: Corporate culture, in almost all of our Ponemon studies, is a barrier to achieving security in the workplace. And it’s true in the security of workplace file-sharing applications. Fifty-eight percent of respondents say their organizations place more importance on employees’ productivity than they do on security of corporate data. Not to say that corporate data, or the security of corporate data, is not important. But it’s really about employee productivity and enabling them to do all of the cool things that they want to do in the workplace. With the tools that they like, usually. So, with that being said, many of our respondents believe that the use of file-sharing tools increases worker productivity and efficiency. So it’s the yin and yang: on the one hand, we want people to be mindful of security issues, but we want them to do it in ways that do not diminish their productivity and, quite frankly, that can be a problem.

PALLAGI: To minimize the risk, Dr. Ponemon suggests that one solution that would work for many companies would be to provide an approved file-sharing tool.

PONEMON: In fact, 62 percent of our respondents believe providing an approved file-sharing tool would reduce employee use of public cloud. If we have a tool that basically has the same functionality as our favorite file-sharing tools that operate in a public cloud environment, I think a lot of people would recognize the fact that these in-house tools should be used first and foremost. And it would probably reduce demand for basically going outside the organization’s perimeter and choosing tools that are, in fact, creating great security problems. So I think that is kind of a natural. And I think a lot of companies are waking up to the fact that they need to have something that is secure but doesn’t diminish the productivity of the employee.

PALLAGI: Any thoughts about the upcoming webinar?

PONEMON: We have lots of very interesting, and I’ll call them cool, findings. And I think it’s going to be enjoyable for the members of our audience. I would also encourage our audience members to ask good questions. A good webinar happens because you have a good speaker and you have really good questions, otherwise known as a good audience. So we really look forward to a great event. It should be fun.

To sign up for the webinar, please click here.

To read the report in its entirety, please click here.

The Imperative for Effective Data Flow Governance

This is a transcript of the Axway podcast of the same name.

ANDREWS: One of the things that really comes through is that status quo, while it being the easiest thing for IT organizations to deal with…it’s problematic. The reason why is we don’t see technology remaining status quo in any environment or any part of our life, so why should it be that way for IT departments?

ANNOUNCER: From Phoenix, Arizona, this is The Axway Podcast. Here’s your host, Mike Pallagi.

PALLAGI: Recently, Axway and Ovum — a leading global technology research and advisory firm — announced the results of a global study that examined data security, governance, and integration challenges facing organizations. The study highlighted how the growing complexity of governance and compliance initiatives challenges IT integration and C-level executives, and how isolation between IT integration and corporate governance forms economic and reputational risks. Of the 450 respondents from North America, Asia Pacific, and EMEA, 23 percent said their company failed a security audit in the last three years, while 17 percent either didn’t believe or didn’t know if they would pass a compliance audit today. The study also revealed that the average overall cost of a data breach was $3 million. So to learn more about the significance of these numbers, I caught up with John Andrews, Axway’s Director of Solution Marketing for Managed File Transfer. Here’s John again.

ANDREWS: Business environments are changing, external threats are changing. If you don’t look at your key technology and adapt it to these upcoming threats in business environments, it exposes problems that may have already been there or it can show new problems that the changing environments have occurred. So what we really want people to look at is, using things like FTP and other traditional file transfer approaches, staying status quo, will ultimately lead to problems in their overall environment.

PALLAGI: The Ovum report pointed out that a comprehensive MFT solution is essential for meeting increasingly complex data security governance requirements.

ANDREWS: It used to be enough to just secure transfers, and what organizations worried about was the delivery. Now, that’s not enough. You have to be able to deliver, track, and audit every transfer that you make. And it has to be done securely, not only for the transport, but securely for the data as well. The only way you really can do this is by implementing a comprehensive governance solution that (not only) manages policies and configurations, but is also easy to manage with updates and changes based on the way that business environments and external threats change. So this ties into that initial point of “staying status quo doesn’t really help organizations.”

PALLAGI: And what about community management and how MFT simplifies it?

ANDREWS: This is probably one of the biggest challenges I think companies experience. It used to be that interactions were dealt with…just external partners, but only a handful of partners. You had key people that you worked with, and you worked with them consistently all year around. Again, with the way the business environments have changed, you still have your core partners, but you have seasonal partners or transitory partners. This is because of the diversification of the way that people are doing business, cost competition in supplying parts, and supplying a product that companies use. And sometimes it’s just timing.

PALLAGI: So, for example, your core partner may not have something that you need at the right time so you’ll engage for a short period of time with a new partner. The problem is that the onboarding process has always been somewhat complex and cumbersome, so if there’s a way to simplify that through a governance process, then THAT can create significant business opportunities for organizations by giving them flexibility on how they interact with different partners.

ANDREWS: Then the Ovum report moves on to talk about a consolidation strategy for file transfer infrastructure, used to reduce footprints and maintenance and support costs. What we’ve seen in the past two to three years is that IT budgets have rebounded somewhat, and because of the security concerns that have been raised through data breaches, the events like Target and most recently JP Morgan Chase have really exposed that there are security concerns. The problem is that money isn’t being thrown at these problems, so IT departments need to come up with a cohesive and comprehensive strategy that allows them to address these security needs. And it’s key from when you dig into the facts that file transfer technology has to be part of this. Companies still using FTP are at greater risk of data breaches, and because of this, file transfer technology is probably even more crucial to businesses than it has been in the past.

PALLAGI: Also, the report indicated that there’s a transition going on from governance silos to a central governance layer.

ANDREWS: This is something that, at Axway, we’ve been talking about for a while in that companies need a comprehensive strategy for their file transfer technology. If you look at one of the aerospace companies that we work with, they have both military and civilian divisions. While a civilian division does not have the same kind of security requirements as the military divisions, they’re both within the same organization. And by one of the divisions having a more lax environment, it could cause trouble for the military division because they are interconnected.

PALLAGI: That organization took a centralized approach to the way that they do file transfers and made sure that each of the divisions actually adhered to the policies that they laid out.

ANDREWS: This centralized vision and control of information is then independent of the divisional silos, and it makes sure that the data that’s moving in and around the environment, and externally, is secured. Finally, the Ovum report identifies that there needs to be a more thought-out process to MFT, B2B integration, and API management solutions. The way I summarize this is, just like you don’t want corporate silos in your organization for IT, you don’t want technology silos within your IT organization. Meaning, you have a separate MFT group, a separate B2B group, and a separate API group. Those technologies, the technologies that span firewalls, need to be thought of more holistically in the way that they’re managed. This means that they need to have policies that can be applied across all the technologies with similar or the same level of security, and that you should be able to govern them centrally so that you can ensure that there’s consistency in the way that data is moved in and out of your environments.

To review the whitepaper titled “The Imperative for Effective Data Flow Governance in Response to Data Security, Risk Mitigation, and Compliance Requirements,” please click here.

To listen to the podcast on YouTube (audio only), please click here.