A Proginet White Paper Version 3.0

Transcription

1 Managed File Transfer: Control & Security for the Enterprise Today's advanced file transfer technologies offer critical functionality and significant advantages over older technologies like FTP Version 3.0

2 Introduction...4 Times Have Changed...4 FTP File Transfer...4 Volumes Increase...4 Performance Issues...5 Service Level Guarantees...5 Application Integration Scenarios...6 B2B Data Movement: Security Needs...6 FTP: High Cost of Ownership...7 Alternatives to FTP...8 Advanced Managed File Transfer...8 CFI Command Center...10 CFI Platform Server...11 Optimised Network Performance...11 Extensive Application Integration...11 Secure B2B Data Movement...12 CFI Internet Server...14 Conclusion...15 About Proginet Proginet Corporation. All Rights Reserved Page 2 of 17

3 Abstract FTP, or File Transfer Protocol, is the Internet Engineering Task Force, or IETF, standard for file transfer. FTP can be found on most desktops today since it is supplied with most computer operating systems and through an Internet Browser such as Internet Explorer. Many organizations opt for more secure file transfer technologies that do not incorporate FTP, despite its free availability. This is due, in part, to the two major FTP security flaws as identified by the Computer Science Department of UC Berkeley. Specifically, both user credential information (IDs and Passwords) and data are sent in clear text. But there are many other issues. This paper discusses limitations concerning the deployment of large-scale FTP-based solutions, and how advanced managed file transfer (MFT) successfully address these limitations to deliver automated and secure data movement for today s business needs Proginet Corporation. All Rights Reserved Page 3 of 17

4 Introduction Times Have Changed Ever since it became practical to connect computers together with some sort of communication facilities, file transfer has been one of the most commonly used software technologies across the world. Organizations of all types and sizes have come to rely on this technology for the exchange of file-based information between different IT systems. But basic file transfer technology is inherently limiting. Its capabilities are fundamentally inadequate. Globalization and evolving corporate requirements only serve to intensify security, control, and regulatory issues placing demands that the technology cannot satisfy. All of these issues are forcing change in the way organizations conduct business changes that cannot be addressed by FTP. The following pages will look at FTP its advantages and disadvantages and provide information to help organizations implement enterprise file transfer strategically in order to meet current and evolving business challenges. FTP File Transfer Volumes Increase As the number of systems installed in the enterprise grows, the quantity and frequency of data exchanged between systems increases and complex challenges are created for management and operations staff. Data transfer scenarios have become so complex that they must be automated to be manageable. FTP usually supplies only a manual interface and requires a language-based wrapper, which is often an unreliable interface. IT staff requires the flexibility to manage by exception with the ability to resolve problems when they occur. In unattended situations, the staff must be automatically notified via pager, cell phone, or mobile device if and when failures occur. FTP does not provide notification. IT staff must be able to remotely monitor and manage data movement operations. FTP does not allow remote management. IT staff require the ability to track data transfer activities, and must be able to confirm if files were delivered should users should have difficulties finding their data. FTP cannot meet this challenge. Data may need to be archived to provide restart/recovery. FTP does not archive data Proginet Corporation. All Rights Reserved Page 4 of 17

5 Performance Issues Despite advances in bandwidth availability and cost reductions, networks may still not be powerful enough to keep up with the growth of data movement requirements. Additionally, system or server throughput may be seriously impacted by extra security demands. Some major issues that affect performance are: Compression: Compressing data can reduce the size of the data file and improve performance. In situations where bandwidth is in short supply, compression can increase performance by up to 900%. It should be noted that some data types, such as graphics, can actually increase in size when compressed. FTP packages typically do not provide compression. Restart: When a connection fails or a server crashes, many file transfer technologies must restart the transfer from the beginning, even if 90% of the data had already been received. This wastes time and network capacity. FTP packages typically do not provide any type of restart when data transfer stops there is no way of knowing if it had successfully completed or stopped due to a system or network failure. Encryption: Most data security includes encryption as a cornerstone of the information protection scheme. Regardless of encryption used, symmetrical or asymmetrical, a specific algorithm, such as DES or Triple DES, can introduce a significant additional processing load. There is a wide range of processing requirements for different encryption algorithms. Generally, newer algorithms, like Blowfish and AES, are designed to consider both security and performance needs. Older algorithms, like DES and 3DES, provide security but also carry a price in terms of degraded performance. Since FTP packages do not provide encryption, security is most definitely at risk. Server Non-Repudiation: In today s world of IP spoofing and hacker attacks, it is important when you allow a business partner to connect to your system via the Internet, and to ensure that the connecting party is who you think it is. Server Non-Repudiation is a method of certifying that the other system is positively identified and can absolutely be identified. FTP does not provide any identification or authentication method for systems. This is a large potential security risk. Since FTP transmits User IDs and Passwords in clear text, a person who intercepted this credentialing information could pose as your business partner. Verifying the identity of their system is another safeguard that you cannot afford to be without. Service Level Guarantees As businesses grow more dependent on sharing and transferring information, business partners rely on the timely and accurate delivery of data. It is becoming increasingly Proginet Corporation. All Rights Reserved Page 5 of 17

6 common for contracts to specify a guaranteed service level with mandated penalty fees if deadlines are not met. The difference between meeting and missing deadlines for some enterprises can be millions of dollars annually. Application Integration Scenarios Data is owned by application systems. Telling these systems when and where to move their data requires Application Programming Interfaces, such as: - C/C++ - COBOL - PL/1 - Visual Basic or VBScript using a Browser such as Internet Explorer - JAVA - XML After data arrives at its destination, the system application needs confirmation of the successful transfer. Simply testing the system to see if a file exists is unacceptable because the file may be: The last data movement that was received but not removed. An incomplete data movement due to network failure. A data movement in progress. A popular concept used in many applications to simplify the network interface is a mailbox. Files are placed in an Outbox and transferred by the Infrastructure Applications to a receiving Inbox. Enterprises that use FTP must have programmers create a script to integrate data transfer with other business applications. Since FTP does not guarantee delivery of transmitted data nor provide notification of successful completion of transfer, the scripting must be complex or risk becoming an incomplete integration. B2B Data Movement: Security Needs Organizations have exchanged data for a variety of business reasons for many years. Traditionally, data movement used a standard Electronic Data Interchange (EDI) protocol X.25, over a Value-Added Network (VAN) or a dedicated private network using expensive leased lines. These were and still are costly methods. They required many dedicated communications lines, transaction charges, and have to be manually programmed and monitored. The emergence of the Internet presented a natural way to exchange data between organizations. However, the Internet is inherently insecure. This means users must take precautions to secure both their connection to the Internet and their data flowing over it. When you access the Internet using your ISP, regardless of the specific line type you use, dial-up, broadband (cable or DSL), full or fractional T-1, etc., your connection must be secure and your information protected. While there are many Proginet Corporation. All Rights Reserved Page 6 of 17

7 methods of accomplishing this, FTP does not include any of them beyond the simplest authentication scheme User ID and Password. However, FTP transmits this sensitive information in clear text, leaving it vulnerable to malicious parties who can intercept it and use it to access your data. Data is one of the most critical resources in an organization and must be protected from unauthorized disclosure or access. Data movement needs a modern encryption algorithm to ensure its security during Internet transfer without placing undue burden on your processing requirements or production windows. Data access requires modern authentication methods that protect User IDs and Passwords, incorporate Digital Certificates to further authenticate parties, provide Digital Signatures to document a method of providing non-repudiation, and use hashing to provide assurance that the data was not changed during transmission. FTP: High Cost of Ownership In spite of being supplied for free, FTP imposes significant operational costs. Some of these extra costs are: FTP sends user credentials in clear text leaving the entire transmission (and any subsequent ones) open to hackers and adversaries. FTP lacks automation features and provides only a manual interface. FTP does not compress data and requires a significant amount of network bandwidth and transmission time. FTP is not easily integrated with applications, because there is only a manual interface that requires programming in a scripting language. FTP does not allow operations to be tracked; the only log is the console output. FTP cannot restart failed data transfer operations nor provide notification that a transfer that ended was unsuccessful. Because of these and other factors, an IT staff must manually operate FTP, or users must write their own scheduling, management and application interfaces. These extra requirements add to the true total cost of ownership for FTP Proginet Corporation. All Rights Reserved Page 7 of 17

8 Alternatives to FTP Although the inherent limitations of FTP are both severe and well documented, there are, thankfully, alternatives. Managed file transfer (MFT) technologies exist that enable the secure, interrupted transmission of sensitive corporate data. The basic components of any secure file transfer solution are: Authentication and Authorization to assure that the parties connecting are valid and are allowed to access specific data. Encryption and Keys to assure that data and the keys used to decrypt the data are secure and protected as it travels across the Internet. Transfer Protocols the transaction, data and formatting standards used so that both ends of the data transfer can communicate effectively. Basic Controls to ensure that the data transfer was successful, that the transfer can be restarted if initial attempts fail, that the file name and space allocated at the destination are correct. Platform Coverage the range of platforms (i.e. mainframe, UNIX, Windows) for which file transfer servers exist. There are many solutions that cover some or all basics for secure file transfer. Some are secure shells that wrap around the basic FTP servers. Many of the solutions achieve security through a number of sequential independent steps that encrypt, transfer, proxy thru firewalls, and decrypt separately. While these Secure FTP solutions may be adequate for a basic data exchange performed under manual controls, many businesses need a more automated, secure, and comprehensive way to programmatically handle large numbers of daily data exchanges. Advanced features like checkpoint restart, guaranteed delivery, pre and post processing, automatic proxies through firewalls, notifications, are necessary to achieve the industrial strength capabilities required for true business to business (B2B) communications. These features are delivered in a true managed file transfer solution. Advanced Managed File Transfer Today's advanced managed file transfer (MFT) suites overcome the failings of FTP, and allow organizations to ensure complete compliance with evolving regulatory mandates. MFT deployment has been extensive and far reaching in industries like banking, insurance, and healthcare, but it is fast coming to include all industries. Proginet has been in the managed file transfer business since the mid-1980 s. Our primary focus is on security, management and control, key drivers that help organizations achieve global process integration, lights-out automation, and improved Proginet Corporation. All Rights Reserved Page 8 of 17

9 efficiencies. Over the last decade or so, our focus has extended into the advancement of secure Internet file transfer and giving organizations the ability to harness the World Wide Web to drive business processes. Secure Internet file transfer is a key tool for today's global organization; the Intranet is fast, free, and reliable, and offers a versatile network that connects parties in virtually any remote corner of the globe. Proginet's flagship solution is CyberFusion Integration Suite (CFI), a totally integrated, advanced MFT solution that enables organizations to securely manage and control all enterprise file-transfer activity, both inside and outside the enterprise. CFI's open architecture supports enterprise integration strategies, promotes automation and efficiency, and ensures that all file-transfer activity can be tracked, logged, and audited at any time. This is increasingly critical in today's challenging regulatory environment. CFI is comprised of three principal components: CFI Command Center A centralized module, the Command Center provides a single point of control to manage all enterprise file transfer, inside and outside the enterprise, and across platforms. The Command Center's Web-based interface provides a single view of all file transfer activity, bringing together features and functions including server management, user profiles, alerts, status reports, and audit logs exactly what you need to keep your pulse on the incoming and outbound file transfers of your company and business partners. CFI Platform Server The Platform Server's core strength is handling multi-platform transfers. The Platform Server provides total security and control for every file entering or leaving the enterprise, regardless of platform. The Platform Server's peer to peer architecture and enterprise-level automation capabilities enable integration with other enterprise applications to deliver true end-to-end processing. CFI Internet Server The Internet Server enables organizations to exchange information securely over the Internet with complete control. The Internet Server is ideal for integrating with your key trading partners: all your partners need is a standard Web browser (no software is required on the client side) Proginet Corporation. All Rights Reserved Page 9 of 17

10 Figure: CFI Architecture CFI Command Center The Command Center is the 'virtual dashboard' of CFI and enables companies to achieve total control and monitoring of every file leaving, arriving, or moving within the entire enterprise. With this easy to use, browser-based application, managers and executives can continuously monitor the real-time status of every transfer, use powerful inquiry tools to track and overcome problems, and access full and detailed historical information for as far back as desired. But the Command Center is much more that an inquiry tool. It is a central point of control for setting up and executing any file transfer within and across an enterprise, and externally with business partners. The Command Center is an invaluable tool in the hands of any management team looking to impose 100% control over enterprise file transfer activity, and it is a central point for all administrative functions enterprise wide Proginet Corporation. All Rights Reserved Page 10 of 17

11 CFI Platform Server The CFI Platform Server is a comprehensive managed file transfer solution that delivers secure, reliable file transfer across both corporate networks and the Internet. Platform Server combines automation, remote execution, administration, audit control with industry standard encryption and compression to provide guaranteed, secure file delivery. Platform Server incorporates industry standard encryption with every file transfer to eliminate risks and guarantee security when sending sensitive information between internal business units / departments and external partners. The solution also provides extensive auditing, reporting and monitoring of all activity over the Internet and throughout the enterprise, ensuring that organizations can meet current and emerging regulatory mandates including Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley. Platform Server also delivers seamless integration with other applications in support of mission-critical, business processes. Additionally, the solution: Transfers data automatically without requiring user intervention Notifies IT staff of problems via , pager, or mobile device Logs all transfer activities for tracking purposes Ensures that data is easy to identify by generating unique file names using Date and Time values, and other values Can be set to archive data after transmission Provides both the Command Center and server-based access to allow authorized IT staff to monitor and control the activities of Platform Servers throughout the enterprise Optimised Network Performance Platform Server makes the most of the network by: Compressing data using Limpel-Ziv compression techniques to reduce the amount of data being sent. This algorithm is similar to that used by ZIP utilities. Compressing data in-stream on a packet-by-packet basis rather than compressing the entire file at once. Providing smart compression by comparing the compressed packet to the original, and transmitting the smaller of the two. Restarting failed transfers at the point of failure, saving time and bandwidth. After a failure, the software negotiates the position between servers to determine the restart point automatically. Extensive Application Integration Platform Server provides interfaces to popular programming environments: Proginet Corporation. All Rights Reserved Page 11 of 17

12 - C/C++ - ActiveX provides easy access from Visual Basic, Delphi and Internet Explorer (IE). By using ActiveX with IE, deployment can be performed using a Web Server. Users customize the operation of the Platform Server control using VBScript or JavaScript to create the desired visual interface presentation. - COBOL - PL/I - JAVA - XML Platform Server s File-to-Job and File-to-Print functionality provide the ability to start commands on remote systems and send reports to remote systems printers, allowing remote applications to produce reports. Platform Server s Post Processing functionality allows users to use logical rules to describe how the systems should handle received files based on the specified criteria. In this manner, Platform Server can easily be integrated into an overall business process without requiring highly specialized programming expertise. Platform Server s Autopilot feature provides the ability to nominate directories as an Outbox, and when files are stored there, data movement is triggered. This allows programmers to use the most basic techniques, such as writing a file, to schedule data movement. Files can be moved/copied/deleted or left after transfer. Secure B2B Data Movement Using Platform Server, organizations can be certain that their data transfers are secure. Platform Server ensures secure data movement by encrypting data using your choice from a number of industry standard algorithms including: AES (Rijndael) Blowfish (56 Bit) Blowfish Long (448 Bit) DES (56 Bit) Triple DES (256 Bit) In addition to making sure that your data is safe during Internet transmission, you must also protect access to your systems from malicious parties. Platform Server allows you Proginet Corporation. All Rights Reserved Page 12 of 17

13 to assign authorization credentials (User IDS and Passwords) to your business partners without disclosing your internal logon credentials. By using Platform Server s account alias feature, you can establish logon credentials for your business partners that will allow them to authenticate to the Platform Server without exposing the true internal syntax of your network User IDs or Passwords. Another important aspect of data transfers to support B2B is the validation of a Server s identity. CFI supports SSL technology to allow you to use Digital Certificates to confirm the identity of any server that attempts to connect to your Platform Server server. This allows you to be sure that sensitive information is not being sent to or received from an unauthorized system, even if valid user credentials are presented. Platform Server provides three levels of security to allow you to rest assured that your sensitive and critical B2B transactions are safe: The server is authenticated. The individual is authenticated. The individual s authorization to access the specific information is approved. Proginet s CFI Platform Server meets your needs for Secure B2B Data Movement by providing: Multilevel Security protects access to your data. Modern Encryption like AES protects your data while in transit. Security Features like Digital Certificates and SSL Capabilities protects access and prevents data tampering. Guaranteed Delivery lets you rest assured that the information absolutely will get where it is needed. Detailed Audit Logs lets you know what happened. Notifications Via , Pager, Or Mobile Device keeps you abreast of successful and/or unsuccessful transfers. Superior Performance reduces production windows and meets performance requirements of your and your business partners Proginet Corporation. All Rights Reserved Page 13 of 17

14 CFI Internet Server The CFI Internet Server enables organizations to securely, effectively, and efficiently exchange information with business partners in a cost effective manner. Internet Server fits into a wide variety of operating environments and platforms and adheres to open standards. Whether a Fortune 100 corporation, a Global 2000 enterprise, a division or department of a company, or a small or medium sized business, Internet Server meets your data sharing requirements without imposing onerous requirements on your business partners. Your business partners need not purchase client software. Your business partners simply connect to the Internet Server using a Web browser and, once authenticated using either standard authentication (User ID and Password) or Digital Certificates, Internet Server client software is downloaded and installed if needed onto any client system with a JAVA Virtual Machine. Internet Server adheres to open standards. Internet Server runs on a JAVA 2 Platform, Enterprise Edition (J2EE) Server and complies with XML, SOAP, UDDI, WSDL, and STRUTS and uses HTTPS as the transport protocol. Internet Server has a flexible configuration. Internet Server can be configured to call another Web service for one of its imbedded functions if you have selected one as a standard, e.g. RSA Security s authentication service. Internet Server is easily adapted to your organization s look and feel. Internet Server has been designed for flexibility to easily allow you to adapt it to the same look and feel as your organization s branding or identity using tools available. Internet Server provides both a GUI interface and a command line interface that can be used with a batch stream for unattended automation. The Internet Server runs on the remote system and is automatically downloaded and installed or updated when required after the client connects to the Internet Server using a Web browser and is authenticated. Internet Server is the heart of the system and may be thought of as the server portion of the software. It may be further broken down into five functions Authentication and Authorization Services, Administrative Web Services, File Transfer Services, File Control Services, and the File Transfer JSP or Applet. The Internet Server can be configured to call a different Web service for some of these functions for organizations that are using web services and have already standardized on specific services for named functions. The Internet Server DMZ Gateway is used to move the data received within the DMZ through the firewall to the corporate network. It performs a proxy service and changes Proginet Corporation. All Rights Reserved Page 14 of 17

15 both the transport protocol as well as the firewall port to isolate the corporate network from the outside. In environments where security policies prohibit the DMZ from sending data behind the firewall, the Internet Server DMZ Gateway can be set up behind the firewall and will pull the data. Figure: A typical CFI network will comprise the Internet Server, any number of Platform Servers, and the Command Center from where all activity can be controlled and managed. Conclusion Today s business environment demands fast access and wide dissemination of mission critical data to a wide range of internal and external stakeholders, including employees, contractors, business partners, and customers. As banks and financial institutions reveal loss after loss of confidential client data data on 400,000 users in one recent instance [June 2005] the risk of exposure comes into total focus. Then there's the requirement to satisfy current and emerging regulatory mandates including Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley Proginet Corporation. All Rights Reserved Page 15 of 17

16 The security of your data is critical and paramount to the future of your business. Proginet's CyberFusion Integration Suite (CFI) offers a comprehensive range of features and functions to meet virtually every conceivable business need. Secure and manage your key corporate assets by contacting Proginet today. * * * * * To request additional copies of this white paper, or to find out more about managed file transfer, please contact Proginet at (516) or info@proginet.com Proginet Corporation. All Rights Reserved Page 16 of 17

17 About Proginet Proginet develops software to enable the controlled integration of data across enterprises of all sizes. Throughout its 20-year history, the company has earned a solid reputation for its multi-platform expertise and dedication to customer service. Its products, including CyberFusion Integration Suite (CFI), CyberFusion, SecurForce, SecurAccess, and SecurPass, support all major computing platforms, from PCs to mainframes. Proginet s global customer base spans more than 23 countries and includes many Fortune 500 companies. The company is headquartered in Garden City, NY, and is publicly traded under the symbol [OTCBB: PRGF]. Visit us online at Proginet Corporation 200 Garden City Plaza Garden City, NY T: (516) F: (516) info@proginet.com Copyright 2006 Proginet Corporation. All rights reserved. This document may be reproduced or distributed so long as doing so is done in its entirety with all content and copyright notices intact and unchanged (the preferred format for reproduction or distribution is hardcopy format). The document may NOT be stored electronically on a retrieval system or Web site, or otherwise transmitted electronically without the express prior written permission of Proginet Corporation Proginet Corporation. All Rights Reserved Page 17 of 17