With global organizations depending on the sharing of sensitive information to support everything from financial transactions to patient care records, many believe they are relying on secure methods to exchange data with trusted partners. However, there is often a significant and alarming gap between perceived security and real vulnerability.
To handle transmission of valuable company data, typical methods that are considered secure include FTP technology, “secure email,” regular email, courier services and the postal service.
However, contrary to popular belief, the aforementioned most common methods used for file transfer are often not secure enough, and lack manageability and governance. Let’s take FTP technology, for instance. A shortcoming with traditional FTP and even encrypted FTP sessions is that after the data stops moving (aka “data at rest”), it sits on the FTP or SFTP server in plain text. If that FTP or SFTP server is directly connected to the Internet — as it most likely will be to allow business partners to connect to it — the data is at risk of being accessed and shared. This is in violation of PCI and HIPAA standards.
FTP technology can also slow down business processes, as an organization’s IT team often needs to modify FTP scripts in order to support a new business initiative or bring on a new business partner that needs to exchange sensitive information with the system. Furthermore, having the ability to know if the files were transferred correctly and on time (i.e., monitoring) is very difficult to do with transfer methods such as FTP, email and couriers.
Central Management
To address these challenges, organizations must strive for greater security, manageability and governance over data transfers among business partners, service providers and customers. Central management of all data exchange and sharing processes allows information to be kept unavailable unless an authorized user or application has permission to access it.
Centralizing all file transfers into a single secure, scalable governed file transfer platform enables organizations to comply with regulations such as PCI, SOX, HIPAA and Basel II by ensuring strong authentication and tamper-proof audit logs. To reiterate, traditional FTP technology does not protect data at rest, which is a violation of PCI compliance.
Beyond guarding against breaches, automation enables companies — particularly those in highly regulated sectors such as financial services and healthcare — to mitigate the business risk of sensitive data loss or exposure. It lowers operational costs, minimizes IT overhead, enables easy integration with existing enterprise infrastructure and legacy systems, and increases the productivity of business users.
With automated file transfer technology, financial companies, for example, can save time and money by avoiding manual operations, costly courier services and shipping data on CDs — while ensuring the security of their overall file transfer processes. In one case, an insurance group was able to lower its operational costs while quickly automating manual processes for exchanging highly sensitive data, including Social Security numbers from its benefits provider and lockbox transfer of its bank account information.
Security, Productivity, Integrity
The healthcare industry is another good example of a highly regulated sector where secure, auditable file transfer processes are essential. Drug development data, clinical trial data, health records, billing information, Xrays, MRIs and Social Security numbers are some of the types of highly sensitive data that are at risk of exposure simply because they are being exchanged frequently among multiple third parties.
Under the 2009 HITECH Act, which extends the Health Insurance Portability & Accountability Act rules for security and privacy safeguards for protected health information (PHI), healthcare organizations are now held responsible for a third party’s handling of their data and can be fined heavily for breaches.
This means these organizations must be willing to invest in more reliable technology and processes to protect their patients and their reputation. By centrally managing and automating all data exchange processes, healthcare providers can ensure that sensitive data is protected both in transit and at rest. In addition, they can enforce audit controls and enhance compliance over all business processes involved with data transfers.
Combining the benefits of automated governed and managed file transfer in one centralized, highly secure platform allows organizations the flexibility to implement more modern, efficient file transfer processes, easily add new partners, and speed up the delivery of new business services to customers. Organizations can upgrade their file transfer technology platform to automate and streamline business processes, while maintaining the ability to exchange documents with their business partners that are using legacy systems.
Overall, organizations that rely on the safe transfer of data can’t make assumptions about the security or manageability of traditional vehicles, especially those that can’t be easily tracked and audited. Furthermore, it’s not just about security — it’s about the ability to ensure productivity and guarantee the integrity of business operations. Investing in the right technology and processes now will go a long way toward getting ahead of the growing volume of data transfers while meeting the demand for better, faster service at lower costs, and providing a larger set of services to increase business volume and profits.
Roy Adar is vice president of product management at Cyber-Ark Software.