As pointed out before, in this blog and when covering this space at Gartner, most consumer file sharing solutions (several well-known vendors) allow files to be uploaded to their platform without antivirus (AV) and malware scans!  You might think that this is not an issue, because your company scans for malware at the gateway and at the desktop, so what is the risk here?

The problem is not when employees are working in your corporate environment, it is when they sync corporate data to other devices (bring your own device to work) when outside the network.  Employees work from platforms which are not supported by corporate IT policies or protected by corporate security defenses; however they are commonly used to  share and send files to customers, partners and other business associates.

Companies are simply not able to force employees to have antivirus at home, however home computers and other personal devices are increasingly being used for work related activity.  This problem typically flies under the radar because corporate IT does not have the resources and funding to deal with it, as they are forced to focus on more visible projects and issues that are obvious to their managers. What is seen as an efficient tool by employees, is a headache from a compliance perspective. Even if there is a policy in place, workers will ignore it simply because they need these unsanctioned tools to get their job done. And that is probably why you are reading this post in the first place.

So ask yourself, how many of your employees use a Mac to work at home and use consumer file sharing services that sync to Macs? Because that might expose you directly to this problem http://www.bgr.com/2012/04/24/though-risks-are-minimal-one-in-five-mac-computers-found-to-contain-windows-malware/

At first glance, consumer Dropbox tools are convenient and easy-to-use, allowing users to share video, music, and private content with family and friends within minutes. It’s no wonder individuals bring these seemingly harmless tools into the workplace. However, consequences arise when these tools are inadvertently used to circumvent corporate security and policies.

Security and Compliance

Companies are exposing themselves to unnecessary financial and legal threats by unknowingly allowing consumer Dropbox type tools onto the corporate network. The risks that are posed to corporate entities are evident in the omission the following requirements for compliance and security:

• HIPAA
• FERPA
• SAS 70
• ISO 9001
• ISO 27001
• PCI certifications
• SOX

Stringent policies have been mandated for protecting sensitive information regarding as evident with a Bank of America online statement in their FAQ:

“If you do not comply with PCI [Data Security Standard], your business may face significant financial and reputational risks.”  “If your cardholder data is compromised, you could be required to reimburse us for card brand fines ranging up to $500,000 per incident, as well as subsequent fraud losses incurred by card issuers resulting from the compromised card data, which may exceed fine amounts.”

Antivirus

When uploading a file to a consumer Dropbox, surprisingly there is an absence of virus and malware protection. Skeptical of such statements posted by the user community, we attempted to dispute these claims but discovered that they were indeed correct. Although not official by any means, we were able to upload various viruses to some of the leading consumer file sharing services. (Feel free to test using the same test file, found here). Thus potentially creating a perfect forum in which a Worm/Trojan could be specifically written to take advantage of these tools, quickly spreading malware to and from millions of computers and consequently onto enterprise networks.

Data Segregation

One of the more obvious difficulties with a consumer Dropbox is the separation between sensitive corporate information and private data. From its inception, the focus has been on the consumer market, making it widely installed on private devices (computers, laptops, mobile phones). Private devices are often inherently less secure, as do not focus on security, but ease of use. This was really never an issue before “bring your own device to work” emerged, users had few ways to share large quantities of data between home and work. Dropbox is now used to share both sensitive corporate information and private data. However users often do not realize accessing data on unsecure devices can put sensitive information at risk. Dropbox solutions needs to offer robust monitoring, policies and plugin to the existing governance framework, not just focus on the individual user, to mitigate data leakage.

Taking about data leakage, there is also a risk users choose a poor Dropbox password, which may enable unauthorized access to their consumer Dropbox and steal confidential data. My personal favourite though, is when data is stored on personal devices over which an organization no longer has control. Furthermore bypassing any automated document retention mechanisms in place, increasing administration for any document retention policies in place.

Join Our Webinar

These are just a few concerns that companies are facing today because of the onslaught of consumer Dropbox solutions that have crept into the enterprise. Join us on April 19th for a live Webinar, The Hidden Cost behind Dropbox Software in the Enterprise. Michael Osterman, President of Osterman Research, will discuss the concerns behind “consumer” file transfer solutions in the enterprise, and provide insight on how to give employees dropbox-type functionality with enterprise level security.
Also, if you are interested in protecting your organization from dropbox threats, check out Thru Dropbox Enterprise File Transfer solution.

In previous blogs we have focused on the increasing adoption of Cloud services by businesses to reduce capital and operating costs.  However, for governments with budgets and funding under intense public scrutiny, the strains on capital and resources are magnified. Furthermore procurement practices have historically resulted in lengthy, expensive inflexible contracts and the procurement process itself had the potential to filter out smaller yet capable vendors.

Governments worldwide are now leveraging the benefits of Cloud computing to offer improved public services (e-government) to citizens and business while reducing their costs.  As an example, in an overview of their strategy for cloud computing, the UK Government says of their G-Cloud Programme;

“Cloud computing has brought about a step change in the economics and sustainability of Information and Communication Technology (ICT). Government is committed to the adoption of cloud computing and delivering computing resources. The G-Cloud is an iterative programme of work to achieve this which will deliver fundamental changes in the way the public sector procures and operates ICT.”

According to the Cabinet Office, “the G-Cloud Programme’s core benefits are cost reduction, improved services, faster delivery and developing the sustainability agenda.” The G-Cloud approach is to create procurement frameworks of suppliers who can provide Cloud services, so that public sector organisations can get access to the services without having to do full and expensive OJEU procurements. So the cost savings and improvements in operational efficiency actually begin with the procurement process itself. Suppliers that successfully responded to an ITT (invitation to tender) for G-Cloud (including Thru) have already been invited to join the first framework. Services on offer will include infrastructure as a service, platform as a service, and software as a service which includes email, customer relationship management, and office productivity solutions.

Thru is proud to have been selected to participate in the innovative G-Cloud programme and is ready to deliver our full range of cloud-based services and solutions to the public sector in the United Kingdom and across the globe.

There has been an increased buzz around what Managed File Transfer is and how it improves security, speed, and manageability of moving large files. This talk is drawing the attention of an increasing number of business executives and managers, often unfamiliar with this term. If this is applies to you, continue to read.

As defined by Gartner:

“Managed file transfer software and services enable users to manage and monitor file transfers within and between organizations.”

In its most simple form, MFT provides performance enhancements at a bare minimum to these four areas listed below:

Large Files and volumes of files can be sent effortlessly using MFT solutions, and often with little or no downtime, a far improved alternative to traditional file transfer solutions, such as FTP. Some MFT solutions, like Thru, allow users to send files or folders of any size, removing the hassle of using complicated and time consuming FTP solutions or email servers that are unable to handle large files.

Security comes in the form of encrypting data in transit and at rest, which is just one aspect often necessary to achieve compliance both for internal and external stakeholders. Auditability is another feature; MFT ensures all actions that have taken place on all files are securely stored for reporting purposes. Furthermore, MFT comes with authorization policies which grant users different levels of clearance to files which can be accessed or transferred. For Cloud MFT solutions, features like datacenter and network security including firewall and intrusion protection devices may be provided. Backup, redundancy, and disaster recovery may be ensured by the use of multiple servers across geographical locations. There are a plethora of other security features available and features continue to accumulate rapidly.

Management is provided in the form of functionality such as monitoring, visibility, scheduling, and reporting. Monitoring allows the tracking of messages, files and transactions, enabling operations such as notifications whenever files are downloaded. Visibility gives insight into existing file transfers, processes, systems, and people who interact with messages and files. MFT solutions can also allow for schedule transfers to be done automatically in the future, as well as detailed or summarized reporting, all from one centralized location.

Integration with third party applications enables MFT solutions to be implemented with little or no change in workflow. Examples of such applications are email clients like Microsoft Outlook, Lotus Notes or CRMs like Salesforce.com, as well as many other applications through Web Services API.

“Elliott Greenleaf & Siedzikowski has sued a former partner and his new firm, Stevens & Lee, for allegedly installing software on Elliott Greenleaf’s computers that allows the partner to have continued access to the firm’s files in the “cloud.”

The article describes how users took advantage of DropBox’s ability to be installed on any computer and consequently under the radar of IT, whereby a link was created to steal data from a former employer. This was achieved by using DropBox to synchronize files from the internal network and making these accessible outside the firewall. In this particular case it meant, “secured” files were made accessible to employees after leaving the firm. According to the article, this was not done by mistake, but with intent. The problem described here is not whether DropBox is secure or not, it’s how “consumer” file transfer solutions can potentially be misused or mismanaged within corporate walls. Unauthorized file transfer solutions are counter-productive to any compliance and governance efforts. How does IT counteract this trend, whether installed with or without intent?

To prevent cases like the one mentioned above, organizations concerned with data security and compliance need to monitor all file transfers in and out of the organization, have a full audit trail of all files communicated, and incorporate governance of file transfers as an ongoing program.

Unfortunately, “consumer” file transfers solutions are everywhere. When working for Gartner, clients told me they typically had as many as three to four “consumer” file transfer solutions installed across the business. The explanation was often the same, file transfer had flown under the radar and more often than not IT had not been proactive with business user’s demands for alternatives to existing FTP and Scripts.

IT is now playing catch-up to get a grip with the consumer based file transfer solutions, which is why IT increasingly sees file transfer as an essential part of center of excellence (COE) for integration, Integration Competency Center (ICC), Service-oriented architecture (SOA) or Business process management (BPM) initiatives. This is done to bring governance back to file sharing and under the control of IT.

Why is Thru different from other file transfer solutions? Thru only sells to enterprises and does not offer any consumer services, free or paid. We don’t fly under the radar of IT; we work with IT and have done so for over 10 years, integrating into existing monitoring tools and policies. Thru’s Managed File Transfer solution enables enterprises with the security and governance needed, furthermore providing business users with an easy to use, alternative solution, with no changes in workflow.

Today many organizations still rely on traditional File Transfer Protocol (FTP) servers to circumvent email size limitations. These legacy systems do not offer any central visibility or provide a unified, integrated solution for all internal and external file transfers, placing a continuous burden on IT personnel. Additionally, business users do not have visibility into the file sharing process such as attempts to add external recipient(s) and tracking of non-repudiation.

Typically multiple FTP servers are utilized for dedicated internal and external communication due to security concerns or firewall limitations. In these cases business users need IT assistance to facilitate transfers from internal FTP servers to external users. Due to these additional implementations, IT organizations also have to spend more time on troubleshooting and testing systems, often investigating multiple FTP and scripts. The burden on IT is particularly heavy when file transfers are part of workflows which traverse multiple operating environments, transfer partners, or are embedded in the implementation of a Service Oriented Architecture (SOA) service. This overhead in combination with an increased focus on compliance and regulations prompts organizations to look at new ways and technologies to govern file transfers, often due to a combination of the above use cases.

For more on this topic, and the limitations of other methods currently used to transfer files, register to download our free white paper, “Extend Your Corporate Email Investment – Effortlessly Send/Receive Large Files”

Feds Shutter Megaupload, Arrest Executives

Megaupload was based on a consumerization model, aka freemium service. This is where a vendor supports “free” users, working to convert the “free” users into paying customers.  By offering a freemium model, the task of governing millions of users and what they upload & download is simply impossible, not to mention costly.

What we have seen is that the easy accessibility of these types of services becomes very attractive to a large percentage of the population and will often creep into the corporate environment.  According to The Application Usage and Risk Report by Palo Alto Networks, which monitored a week’s worth of traffic at 1,636 medium to large size businesses around the world, Megaupload traffic was found on 57% of corporate networks and Dropbox was being used at 76% of these organizations. These unsanctioned file sharing applications, which bypass security policies and use vast amounts of corporate bandwidth, are not going away until enterprises incorporate efficient and secure ways to allow their non-technical staff members and external partners to communicate.   Executives need to be concerned that once these types of unregulated systems, using a platform with millions of users, creep into the corporate environment, organizations are opening themselves up to huge security risks.

Megaupload, Dropbox, and Box.net all have their place in the “consumer” world, but were they built to accommodate the critical business and security requirements of the enterprise?  If you are one of the medium to large size businesses that have seen freemium services creep into your network, then it’s time to consider a service that was built solely to meet enterprise needs, a secure managed file transfer solution that can directly integrate with your email infrastructure or CRM system allowing non-technical staff members and external partners to communicate directly.  It’s time to consider Thru, Inc.

At Lotusphere 2012, we are excited to sponsor the Nerd Girls’ Great Geek Challenge.  This year’s event promises to be another fun and challenging evening as both nerd girls and boys come out and test their knowledge while enjoying food and drinks.  There is no need to register, just show up at the Fountain Restaurant in the Dolphin Hotel on Tuesday, January 17th before 8PM to enter your name into the drawing for the $200 Amazon Gift Certificate and secure your seat at a geek table.  Our own nerd boy, John Herr (who spent New Year’s Eve watching a marathon of the Big Bang Theory), will be at the event representing Thru, Inc.  We look forward to seeing if he has what it takes to win the trophy for Lotusphere’s Greatest Geek.

Thru, Inc. is the first cloud-based managed file transfer solution provider, with direct integration into the Lotus Notes environment so users can send and manage unlimited size files directly through their email client. We are now offering a free 30 day trial for folks attending Lotusphere–register today.

Earlier this year Bitcurrent–an analyst firm focusing on emerging technologies and how to put them to work–released a survey which provides some insight into why companies (of various sizes) are adopting the cloud.  The survey was not comprehensive, but provides some interesting points and coincides with what Thru, Inc. is seeing with regards to why organizations are moving their electronic file management and file transfers to the cloud.

In the managed file transfer market (closely aligned to the survey) Thru is seeing that most of the companies we engage with are moving to the cloud because of its elasticity, quick deployment time, and lower costs.   Furthermore, we are seeing that companies with globally dispersed teams and worldwide partners are adopting cloud solutions the fastest, closely followed by companies that want to send and receive documents with guaranteed instant distribution and legal-grade, tamper-proof evidence of delivery.

The year 2011 was the cloud’s boiling point, as IT departments and management teams began to clearly understand the advantageous of computing as a service.  In 2012 the masses will begin to integrate cloud computing into their corporate infrastructure.