Making a secure file transfer, while maintaining transfer speed and functionality, can be tricky. Dan Sullivan, an IT expert in the fields of enterprise security, systems structure and application design, spoke with SearchEnterpriseWAN.com about how file transfer methods must improve, in part one of the interview. In part two of this continued Q&A, he explains how a wide area network (WAN) manager can manage compliance and secure file transfers across a WAN, while adhering to regulations and business requirements.
In your new book, The Shortcut Guide to Eliminating Insecure and Unreliable File Transfer Methods, you state that there are many laws that restrict the flow of information and therefore conflict with the maintenance of the secure file transfers. What are some ways you can maintain the file transfer process while abiding by laws like HIPPA, Sarbanes Oxley, etc.?
Dan Sullivan: That is a really important question. First of all I have to say, I am not a lawyer so … I see compliance from the lens of a systems architect. With that caveat aside—from the layperson’s perspective, I have found over the years that a lot of compliance … is very similar. [Compliance] tends to focus on protecting the confidentiality, sensitivity and the integrity of data. Some [laws] like SOX, are very important to [the process of] protecting the integrity of the data. [For example,] you don’t want anyone tampering with your financial information. In other cases, like HIPPA [for healthcare services] and GLBA for financial services, there is a lot of emphasis on privacy protection. Usually, it’s important that both confidentiality and integrity come in to play in all of them. So, in terms of the secure file transfers, I think some industries may be more concerned with one of those or the other. For example, a public company under SOX would be concerned with protecting the integrity of any file transfer related to how they file their financial reports. Anyone in healthcare or financial services is going to be concerned with confidentiality. So, I think in both cases, being able to encrypt the files before you transfer is important. Obviously, the encryption will help protect confidentiality, but … [you can detect whether] the file is tampered with during the transmission process as well. You certainly want to make sure you have that option of doing an encryption. It is critical for the compliance.
Also—again, this is just a layperson's view—I understand [that under] many of these regulations, not only do you have to do these certain things, but you have to be able to demonstrate that you’re doing them. This is a case where reporting is important. For example, if you have a workflow, where you have to transfer a number of different files to complete your financial report, you want to be able to have an audit trail. Your file transfer mechanism shows that you transferred these files on a certain date, you applied a certain encryption algorithm with a certain key length and the file digest was calculated the same on both ends so you were sure it wasn’t tampered with.
So do the laws help?
Sullivan: It’s certainly a motivation. I think it helps make the business case. It's just one more factor that executives … are concerned about. I would think something they would be primarily concerned with is ensuring the integrity of the workflow that produces the financial reports, but that’s not the only one. I think there are certainly performance issues and being able to deliver business services. If you have a number of business partners and you are exchanging files back-and-forth, having a reliable, scalable and secure file transfer solution is essential to some of your basic business workflows.
Out of the five key drivers for improving file transfer that you mention in your book—compliance; increasing need for file transfer services; support for multiple uses; ease of management; cost control; support for workflows—which is the most important? More specifically, which of these are WAN managers of large enterprises typically responsible for?
Sullivan: Performance and scalability are going to be an issue that gets into workflow efficiency. Flexibility and scalability are probably the key issues. The WAN manager is going to be up to their eyeballs in security issues, so compliance is going to be an issue.
When you have segments with high latency or high volumes of traffic, the scalability is going to be an issue. I think work flow efficiency seems to be more of an issue from an application owner's perspective, or a developer's perspective. The management issues for the WAN manager are not so much [about] the tactical alerts, but particular file transfer fails.… [WAN managers] would probably be more interested in the long term management reporting and being able to understand the trends.
In Chapter 2 of your book, Analyzing 5 Key Drivers for Improving File Transfer, you say that a file transfer needs to have a balance between security and functionality. What is the most important first step in order to make this happens?
Sullivan: Say we’re working with a business where security is highly important. At that point, secure file transfer issues are so important that it's probably worth having security infrastructure, like digital certificate authentication for users in both servers and clients. If you have that infrastructure in place, then the file transfers can use the digital certificates for authentication, which are more secure than using passwords. When … security is more important, you probably have more security infrastructure to work with and probably want to leverage whatever you have there, like a public key infrastructure. On the other hand, if security is less of an issue—for example, if you are a scientific researcher for a public organization and most of your research is public anyway—then scalability and functionality are probably more important. But I don’t want to say this in such a way that anyone would construe it as 'security doesn’t matter.' It always matters! So it’s a trade off. At that point, if what you’re dealing with is a lot of public data, you probably don’t have as much security infrastructure as some of the other organizations would have. So I wouldn’t necessarily think that you would want to run out and establish a public key infrastructure just so that you could do secure file transfers. You may be satisfied under the circumstance with balancing and deciding that you are willing to risk using just username and password authentication.
You list seven essential requirements for reliable file transfer, in Chapter 3 of your book:
- Support for both internal and external information flows
- Support for multiple protocols
- File transfer security
- File transfer optimization
- Reliability and transaction control
- Alerts and process reporting
- Event processing and automation
If a user was in a hurry to transfer important information and did not have time to go through all seven requirements of a secure file transfer, what would you suggest?
Sullivan: I would say, certainly file transfer security. That is always at the top of my list. I would say file transfer optimization is probably second, especially if you’re dealing with large files. Then again, if [a WAN manager is] dealing with just a few files or several small files that need to be saved every hour, file transfer optimization may not be as important as support for multiple protocols since they have to send to different trading partners. In general, I would say file transfer optimization and support for multiple protocols [would be the ones to focus on first]. Reporting is also important. [Companies] may have different requirements. Being able to support event logging may be more important in some cases than others in process reporting. I would say those points in general would help me transfer a file securely in a hurry.
To learn more about compliance, visit SearchCompliance.com.