File Transfer Protocol (FTP) use in the enterprise has grown and continues to grow rapidly. The reason is simple: FTP is available everywhere in the enterprise, accessible to almost everyone, and solves data exchange problems with minimal effort and cost. That’s the good news. The bad news is that most FTP activity is unsecured, and the exposure to any organization, especially those coping with various new regulatory requirements, is too great to ignore. Lately, we’ve seen several companies endure the embarrassment and tarnishing of their “brand name” caused by a public admission that they lost or exposed sensitive client information.
The Privacy Rights Clearinghouse, a non-profit organization, maintains a list of the publicly announced data breaches that have occurred since February 2005 at www.privacyrights.org/ar/ChronDataBreaches.htm. At the time this was written, breaches of sensitive data for more than 53 million people were listed, all having occurred in a little more than a year. These breaches cost companies millions of dollars in fines, lost reputation, and lost customers. Although many of these breaches of sensitive data didn’t involve FTP, they illustrate the consequences of not properly ensuring that all exposures have been identified and dealt with. FTP can inherently create one such large exposure.
The use of FTP in many z/OS environments exposes companies to inadvertent disclosure of both logon information and other sensitive data. Unless a secured connection is used when initiating an FTP transmission (and in the z/OS world, secured connections to FTP are the exception, not the norm), all data transmitted between the FTP client and the FTP server is in clear text, including the logon information. Additionally, FTP makes it simple to transmit data from one location to another. All that’s required is read-level access to the data and an Internet connection for someone to be able to send the data virtually anywhere in the world. Used this way, FTP is typically not compliant with today’s regulations.
FTP is integral to the business processes of today’s large companies. In our work with z/OS users, it’s not uncommon to see tens of thousands of FTP transactions daily on a single z/OS host system. Couple that with the large volume of FTP activity occurring in the distributed systems environment and a large enterprise could easily be looking at 100,000 or more FTPs daily. Managing this volume of activity is a daunting task and, therefore, is often ignored. Converting this volume of activity to compliant processes is an even larger task; it requires proper upfront planning.
Auditors Are Looking at FTP
Auditors are beginning to target FTP usage as an area that needs to be studied and whose exposures need to be addressed. They look at:
- Who has the ability to transmit data
- Whether FTP usage is being logged and archived for long-term analysis
- Whether regularly scheduled audits of FTP usage are conducted
- What sensitive data is being transmitted
- Whether such transmissions are secured or encrypted.
In the event of a data breach involving FTP, data centers will be required to demonstrate due diligence in the management of FTP usage.
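The clear-text exposure described above and the auditor's checklist (who transmits, what sensitive data moves, whether the session was secured) can be checked mechanically from the FTP server's logs. The following Python is an added example, not code from the article or from any z/OS product; it parses a constructed FTP control-channel transcript (the "session> command" log format, session IDs and dataset names are assumptions) and reports sessions that logged on without first negotiating AUTH TLS and sessions that moved sensitive datasets without PROT P protecting the data channel.

```python
import re

# Constructed sample transcript ("session> command"), not real z/OS FTP server
# output: S1 negotiates TLS before logging on, S2 sends everything in clear text.
SAMPLE_LOG = """\
S1> AUTH TLS
S1> PROT P
S1> USER payroll01
S1> PASS ********
S1> RETR 'PROD.PAYROLL.MASTER'
S2> USER opsuser
S2> PASS hunter2
S2> STOR 'PROD.CUST.SSN.EXTRACT'
S2> RETR 'PUBLIC.README'
"""
# Dataset-name fragments the auditor treats as sensitive (constructed policy).
SENSITIVE = re.compile(r"PAYROLL|SSN")

def audit(log: str) -> dict:
    """Parse the transcript into per-session facts: who logged on, whether the
    logon and data channel were protected, and which datasets were moved."""
    sessions = {}
    for line in log.splitlines():
        sid, _, cmd = line.partition("> ")
        verb, _, arg = cmd.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        s = sessions.setdefault(sid, {"user": "", "tls_control": False,
                                      "tls_data": False, "cleartext_logon": False, "transfers": []})
        if verb == "AUTH" and arg.upper() == "TLS":
            s["tls_control"] = True      # control channel encrypted from here on
        elif verb == "PROT" and arg.upper() == "P":
            s["tls_data"] = True         # data channel (the file contents) encrypted too
        elif verb == "USER":
            s["user"] = arg
        elif verb == "PASS" and not s["tls_control"]:
            s["cleartext_logon"] = True  # the password crossed the wire in clear text
        elif verb in ("RETR", "STOR"):
            ds = arg.strip("'")
            s["transfers"].append((verb, ds, bool(SENSITIVE.search(ds))))
    return sessions

def findings(log: str) -> list:
    """List the exposures: clear-text logons and sensitive data on open channels."""
    out = []
    for sid, s in audit(log).items():
        if s["cleartext_logon"]:
            out.append(f"{sid}: user {s['user']!r} logged on in clear text")
        for verb, ds, sensitive in s["transfers"]:
            if sensitive and not s["tls_data"]:
                out.append(f"{sid}: {verb} of sensitive {ds!r} on an unprotected data channel")
    return out
```

The same walk over real server records (on z/OS, the FTP server's SMF records rather than a text transcript) gives the evidence of due diligence the paragraph above says a data center will be asked for.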
Compliance in today’s highly regulatory environment requires more than just ensuring sensitive data is secured during transmission. In addition, the regulations require you to ensure that only intended data is transmitted and then only to where it should be going, that all transmissions are auditable and that proper administrative controls are in place. More specifically, compliance requires: