
Evolution from FTP to Secure File Transfer

David Stelzl, CISSP
Sponsored by Ipswitch
Do you know where your organization's confidential and sensitive files were transferred today? Are you sure they even made it to the right people and not into the wrong hands? Are you concerned with the information and data sharing practices in your company? If so, you are not alone.

Lessons learned from recent high visibility data breaches illustrate how not following low cost, sensible file transfer best practices, coupled with improper controls over the file transfer environment, can be, and has been, a part of company ending events. As a result, more and more organizations are moving away from basic FTP solutions and quickly moving towards information exchange solutions that incorporate secure file transfer.

This paper will discuss how secure, reliable and manageable file transfer solutions can help your organization achieve its key business goals while reducing the amount of organizational distraction caused by not having a well understood and managed file transfer process that is aligned and integrated with your core business processes.
Contents

The Importance of Your File Transfer Solution ........ 1
The Problem With Basic FTP Solutions ........ 1
Basic FTP – Not Secure, Not Compliant ........ 2
SSL – A Secure Enhancement to Standard FTP ........ 3
SSH – The Premium Choice for Secure File Transfer ........ 3
SSH/SSL comparison chart ........ 4
Recommendations for Secure File Transfer ........ 4
What People Are Saying about Ipswitch WS_FTP Products ........ 5
About Ipswitch ........ 5
About the Author ........ 6

What is at stake:
Trust of your business partners • Loyalty of your customers • Efficiency of your business

The Importance of Your File Transfer Solution

Customers, remote employees, and business partners often have to exchange critical data over the Internet. To maintain competitiveness, organizations are challenged with finding more secure, efficient and reliable ways to manage file transfers. Electronically exchanging company information — data that is often core to your business, such as corporate financial data, client data, health records, employee data, and other intellectual property — carries with it the risk of sensitive data falling into the wrong hands or not even making it into the right hands. The long-term trust of your business partners, the loyalty of your customers, and the efficiency of your business operations are dependent on the strategic and tactical implementation of your file transfer process.

Are you concerned with file transfer practices in your company? If so, you're certainly not alone. According to a recent research report from Ziff Davis, the overwhelming majority of survey respondents who are familiar with the file transfer solutions used within their organizations feel the same way!

What are your four greatest file transfer concerns?

Compromise of Security: 83%
Loss of Personal Data: 73%
Compromise of Proprietary Data: 73%
Failure to Meet Security Audit Requirements: 62%

The Problem With Basic FTP Solutions

File Transfer Protocol (FTP) is often deployed as a simple solution to enable the electronic exchange of business information and data. The adoption of transferring files across the open Internet has been so universally widespread that businesses now consider this ability to be critical to everyday business operations. In fact, it's now estimated that 83% of businesses are using FTP to move and share files and data. [1]

Basic FTP can be a practical and viable method to transfer files if the data being transported is not critical, has no requirement for security and is not considered high risk. However, basic FTP itself is a weak link in the process of transferring confidential data due to its inherent lack of security and data management.

[1] "The Why, What, and How of Managed File Transfer in Business", Ziff Davis Publishing, April 2007.

www.ipswitch.com 1
The business process of file transfer has a history of not being treated as a core part of IT infrastructure or critical to business operations. The management and security of data transfers has often been left to individual contributors and lower-level IT staff. As a result, decisions have often been made from a limited viewpoint to solve individual tasks rather than from a more holistic view of the larger and strategic company need. File transfer solutions have often been relegated to the darkest corner of the lowest wattage server room, and it's very common to find long-ago deployed home grown FTP solutions that are not well understood, documented or easily maintained by today's IT staff being used to manage company data.

The combination of businesses having undervalued high risk data and basic FTP itself being a weak link in the file transfer process presents a huge business liability. Today's evolving regulatory compliance and corporate governance requirements — not to mention the recent onslaught of highly visible data theft incidents — have highlighted the need for something better and more secure than basic FTP.

Improper control of the file transfer environment played a part in a company ending event:

"In September 2004, an unauthorized party placed a script … on the CardSystems platform … This script ran on our system and caused records to be extracted, zipped into a file, and exported to an FTP site …" [2]

"In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, extracted records, zipped them and exported them to an FTP site…. lesson learned too late for old CardSystems" [3]

– Statement of John M. Perry, (former) President and CEO, CardSystems Solutions, Inc. (now defunct), before the United States House of Representatives Subcommittee on Oversight and Investigations of the Committee on Financial Services, hearing on "Credit Card Data Processing: How Secure Is It?", Washington, D.C., July 21, 2005

Basic FTP – Not Secure, Not Compliant

The original specification of the FTP protocol included minimal, if any, security. As FTP protocol use has increased and the Internet has evolved and become more and more open, the security limitations of FTP have been exposed. For example, the standard FTP specification does not include the use of strong authentication, such as encrypted passwords or authentication tokens. Sending the login credentials in clear text allows cyber-thieves to sniff login information, which can then be used to gain unauthorized access to data. Even worse, standard FTP does not encrypt the connection that files and data are being transferred over, or even encrypt the files being transferred. Unencrypted file transfer, which can potentially allow a man-in-the-middle attack [4] and unauthorized viewing of data either during transmission or in storage on the server, has become a huge privacy concern today.
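The clear-text credential problem described above is visible on the control channel, which makes it detectable. The following is an added example, not code from the paper or from Ipswitch: it walks a constructed log of FTP control-channel messages and reports every session whose USER/PASS commands were sent before an accepted AUTH TLS (FTPS) protected the channel, discarding the password values themselves.

```python
"""Detect FTP sessions that authenticate in clear text.
Added example (not code from the paper or from Ipswitch): reports every session
whose USER/PASS commands crossed the wire before AUTH TLS (FTPS) protected the
channel. Log format and sessions are constructed; password values are dropped."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, one control-channel message per line: "<session> <C|S>: <text>"
SAMPLE_LOG = """\
s1 C: USER alice
s1 C: PASS hunter2
s2 C: AUTH TLS
s2 S: 234 Proceed with negotiation
s2 C: USER bob
s2 C: PASS s3cret
s3 C: AUTH TLS
s3 S: 502 Command not implemented
s3 C: USER carol
s3 C: PASS letmein
"""
LINE_RE = re.compile(r"^(?P<sid>\S+)\s+(?P<dir>[CS]):\s*(?P<msg>.*)$", re.MULTILINE)

@dataclass
class Session:
    tls_requested: bool = False
    tls_active: bool = False                 # server answered AUTH TLS with 234
    user: Optional[str] = None
    cleartext_cmds: List[str] = field(default_factory=list)

def analyse(log_text: str) -> Dict[str, Session]:
    """Record, per session, which credential commands were sent unprotected."""
    sessions: Dict[str, Session] = {}
    for m in LINE_RE.finditer(log_text):     # lines that do not match are ignored
        sess = sessions.setdefault(m["sid"], Session())
        verb, _, arg = m["msg"].partition(" ")
        verb = verb.upper()
        if m["dir"] == "C":
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                sess.tls_requested = True
            elif verb in ("USER", "PASS"):
                if verb == "USER":
                    sess.user = arg
                if not sess.tls_active:       # the PASS argument is never kept
                    sess.cleartext_cmds.append(verb)
        elif sess.tls_requested and m["msg"].startswith("234"):
            sess.tls_active = True            # any other reply leaves TLS off
    return sessions

def findings(log_text: str) -> List[str]:
    """One finding per session that exposed credentials, with the reason."""
    out = []
    for sid, s in analyse(log_text).items():
        if s.cleartext_cmds:
            why = "AUTH TLS rejected" if s.tls_requested else "no AUTH TLS attempted"
            out.append(f"{sid}: {'/'.join(s.cleartext_cmds)} sent in clear text "
                       f"for user {s.user!r} ({why})")
    return out
```

Session s3 shows the failure mode worth alerting on: the client asked for TLS, the server refused, and the client fell back to clear text anyway.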
Regulatory compliance is another challenge that many companies now face. To meet the legal requirements of compliance regulations, data must be managed throughout the file transfer business process. Businesses must sufficiently protect information from harm, whether health or financial records, customer accounts, or intellectual property. Audit trails that prove the safe management and secure movement of information are now something auditors require to be provided. In such environments, standard FTP is not enough, due to its lack of strong security, data management, monitoring, and process control.
Two common security protocols that help secure and increase the reliability of data transfer, Secure Sockets Layer (SSL) and Secure Shell (SSH), are specifically designed to encrypt file transfers and associated administration network traffic. Both SSL and SSH enhance the security and reliability of file transfer by using encryption to protect against unauthorized viewing and modification of high risk data during transmission across open networks such as the Internet.

Market drivers for electronic secure file transfer:
• Security
• Compliance Regulations
• Corporate Governance

[2] Mimoso, Michael, "Cleaning up after a data attack: CardSystems' Joe Christensen", Information Security News, April 2006. Available online: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1180411,00.html, last accessed: 18 February 2007.
[3] "Hearing on Credit Card Data Processing: How secure is it?", US Committee on Financial Services, Congressman Barney Frank, chairman, July 2005. Available online: http://financialservices.house.gov/media/pdf/072105jmp.pdf, last accessed: 18 February 2007.
[4] "IT Security Dictionary", IT Security. Available online: http://www.itsecurity.com/security.htm?s=515, last accessed: 18 February 2007.
SSL – A Secure Enhancement to Standard FTP
If you use a web browser, chances are you have already been using a flavor of SSL encryption, as it was originally developed and has since been widely deployed to protect connections to web servers. SSL, also known as FTPS or "Secure FTP over SSL", is also used in conjunction with FTP to provide secure encryption over standard FTP connections. It uses the same two ports as a standard FTP connection, with the enhancement of the data channel being encrypted. SSL connections encrypt and decrypt FTP sessions across networks to provide authentication of credentials and to secure private communications. There are different strengths of SSL available; the most recent, SSL v3 and TLS 1.0, are stronger than previous versions.
Not only does SSL encryption ensure that the wrong eyes do not gain access to your data, but it also protects against attempts
to modify data while in transit. If an attacker could modify your data during transmission, you could not rely on the accuracy
of the data when used in your application. SSL connections provide substantially increased reliability and decreased risk
when transporting files and data, due to the built-in protection from unauthorized viewing and modification of data during
transmission. When using SSL to protect data on your file transfer server, you must also ensure that all connecting file transfer
clients support the same SSL capability, as the security must be deployed at both ends of the data transport for it to be
utilized.
SSH – The Premium Choice for Secure File Transfer

SSH, also known as SFTP or "Secure Shell File Transfer Protocol", is a premium security protocol that delivers secure communications and is often considered the best option for secure file transfer. SSH is widely deployed on various operating systems. It uses Secure Shell 2 (SSH2), a secure tunneling protocol, to emulate an FTP connection and provides a firewall-friendly and encrypted channel for file transfers using the well-known TCP port 22. SSH offers enhanced security by having the entire file transfer session, including all session control commands, entirely encrypted at all times, while only requiring a single port to be opened on your firewall versus the two ports that need to be opened for FTP and SSL connections.

According to the previously mentioned Ziff Davis report, more and more organizations are moving away from basic FTP solutions and quickly moving towards Secure File Transfer using SFTP.

File Transfer Protocols Used Today:
FTP: 82%
SFTP/SSH: 67%

Planned Implementation During Next 12 Months:
FTP: 8%
SFTP/SSH: 48%

The authentication of both SSL and SSH connections can be based on passwords or certificates. If using passwords, they should be of sufficient strength so that they are hard for attackers to guess. Policy based enforcement of strong cryptographic algorithms (and passwords), and being able to control the length of encryption keys, will protect against unauthorized viewing of data. Such control should be enforced in compliance with your security policy.

SSH is particularly popular in IT environments because most operating systems (including UNIX/Linux) support SSH, so using SSH for file transfer (SFTP) allows for cross-platform IT standardization. Standardization using SFTP ensures consistent, strong security policy enforcement and simpler administration. SFTP is very firewall-friendly because it uses a single connection for uploading and downloading, and it improves on the security of standard FTP by encrypting all data transfer traffic, connection control data and passwords to eliminate eavesdropping, connection hijacking, and other attacks. As an added feature, it also compresses all data during the transmission, which can result in faster file transfers.
SSH/SSL comparison chart

Protocol Comparison

                                                      FTP        FTPS/SSL     SFTP/SSH
PRODUCTS
WS_FTP Professional -- File Transfer Client           Yes        Yes          Yes
WS_FTP Server with SSH -- File Transfer Server        Yes        Yes          Yes
SECURITY CHARACTERISTICS
Credential Encryption                                 Yes        Yes          Yes
Transport Encryption (i.e. "Data-in-Transit")         No         Yes          Yes
Method for security                                   --         Certificate  Keys
Supports PGP File Encryption (i.e. "Data-at-Rest")    Optional   Optional     Optional
Supports File Integrity Checking                      Yes        Yes          Yes
Built-in Compression                                  No         No           Yes
Number of Ports for Connection                        2          2            1

Recommendations for Secure File Transfer

Millions of files are electronically exchanged every day. Unmanaged, insecure file transfers present a significant risk to your organization. The best electronic file transfer solution should enable secure, reliable file transfer by providing the integrated, strong security of SSL and SSH encryption, along with the tools to effectively manage the end to end file transfer process. Worrying about security breaches of critical data during file transfers is a distraction from your core business. A reliable and secure file transfer process can ensure that your organization can concentrate on its core business.

• Treat file transfer as a core business process: Do a full inventory of your file transfer requirements and have a CxO sponsor. Then move to implement, document, standardize, optimize and fully manage the file transfer activities of your organization. While technology can help in meeting these criteria, businesses must ensure that their file transfer architecture maps to a well thought out and well managed business process.

• Require Secure Communications: Limit all file transfers of sensitive data to the SSL or SSH protocol. Do not allow confidential or critical information to be transported by the insecure FTP protocol. Best practices include requiring the use of strong authentication (mutual authentication preferred), granular access control, secure audit logging of all activity, and that file transfer clients connect over the strongest encryption strengths, such as 256-bit AES encryption over SSH and TLS 1.0 connections, all of which are included in the WS_FTP solution.

• Select and standardize on your Secure File Transfer solution: An end-to-end solution must incorporate all end users who transfer files with company servers. Both the servers and all connecting clients must support the required security features – remember, your solution is only as strong as the weakest point. Provide a license of your chosen file transfer client to all employees, vendors, contractors and customers who exchange information with your file transfer server. This best practice will ensure that everyone who accesses your file transfer server is equipped with the same level of security, and enable you to leverage economies of scale benefits for user licensing, training and support.
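The three recommendations above can be expressed as checks that run against a deployment inventory. The following is an added example, not Ipswitch code: it encodes the advice (no plain FTP for sensitive data, strong encryption, mutual authentication, audit logging) and then applies the "only as strong as the weakest point" rule by comparing each client's capabilities against what the server requires. The server and client configurations are constructed, and the thresholds are parameters so a current policy can raise them.

```python
"""Check file-transfer endpoints against the paper's recommendations.
Added example, not Ipswitch code: the rules encode the advice above (no plain FTP
for sensitive data, 256-bit encryption, strong/mutual authentication, audit
logging, and clients that match the server's security features). Thresholds
are parameters so a current policy can raise them; all configs are constructed."""
from typing import Dict, List

SECURE_PROTOCOLS = {"FTPS", "SFTP"}

# Constructed server configurations: the weak one and the corrected one.
WEAK_SERVER = {"protocol": "FTP", "cipher_bits": 0, "mutual_auth": False, "audit_log": False}
SERVER = {"protocol": "SFTP", "cipher_bits": 256, "mutual_auth": True, "audit_log": True}

# Constructed capabilities of the clients that exchange files with SERVER.
CLIENTS = [
    {"name": "hq-batch", "protocols": {"SFTP", "FTPS"}, "cipher_bits": 256, "client_cert": True},
    {"name": "vendor-x", "protocols": {"FTP"}, "cipher_bits": 0, "client_cert": False},
    {"name": "branch-7", "protocols": {"SFTP"}, "cipher_bits": 128, "client_cert": True},
]

def check_server(cfg: Dict, min_cipher_bits: int = 256) -> List[str]:
    """Return policy violations for a server configuration (empty list = compliant)."""
    issues = []
    if cfg["protocol"] not in SECURE_PROTOCOLS:
        issues.append(f"{cfg['protocol']} sends credentials and data unencrypted")
    if cfg["cipher_bits"] < min_cipher_bits:
        issues.append(f"cipher strength {cfg['cipher_bits']} < required {min_cipher_bits} bits")
    if not cfg["mutual_auth"]:
        issues.append("server-only authentication; mutual authentication preferred")
    if not cfg["audit_log"]:
        issues.append("no audit logging of transfer activity")
    return issues

def check_clients(server: Dict, clients: List[Dict], min_cipher_bits: int = 256) -> Dict[str, List[str]]:
    """The solution is only as strong as its weakest client: list each client
    that cannot meet the features the server requires, with the reasons."""
    report: Dict[str, List[str]] = {}
    for c in clients:
        problems = []
        if server["protocol"] not in c["protocols"]:
            problems.append(f"does not support {server['protocol']}")
        if c["cipher_bits"] < min_cipher_bits:
            problems.append(f"max cipher {c['cipher_bits']} bits")
        if server["mutual_auth"] and not c["client_cert"]:
            problems.append("no client certificate for mutual authentication")
        if problems:
            report[c["name"]] = problems
    return report

if __name__ == "__main__":
    print("weak server:", check_server(WEAK_SERVER))
    print("hardened server:", check_server(SERVER))
    print("clients needing upgrade:", check_clients(SERVER, CLIENTS))
```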
Ipswitch WS_FTP solutions enable businesses to meet and exceed regulatory compliance and implement sound security policies
by safely and reliably moving data across the Internet. Over 40 million customers in industries such as healthcare, financial
services, government, software development, retail, manufacturing, telecom and education use the award-winning and market
leading WS_FTP Server and WS_FTP Professional to manage the secure file transfer activities of their organizations.
Visit www.ipswitch.com to learn more about WS_FTP and download a free 30-day evaluation of WS_FTP Server and WS_FTP
Professional.
What People are Saying About Ipswitch WS_FTP Products

"WS_FTP Server is the perfect HIPAA compliant file-transfer solution for us. Its security features and exceptional support from Ipswitch make it a clear-cut choice." -- Margaret McDonald, Senior Network & Security Specialist, Pacific Medical Centers

"WS_FTP Professional is the vehicle we use to securely transfer our data. The encryption, security and reporting capabilities of WS_FTP ensure that our processing of personal client data is compliant with Sarbanes-Oxley." -- John Beede, Team Lead, Raymond James Financial

"WS_FTP products have always met my needs of ease of use, management, security, automation and value." -- Bill Buehler, President of Foresight Automation

"We chose Ipswitch WS_FTP Server for its security capabilities. It lets me control what folders each customer can access on our server, and the secure encryption ensures that files remain safe during transfer." -- Guy Conti, IT Manager at Pro Image

"I always recommend that my customers use WS_FTP software to securely upload their files and data to my server. As an owner of a Web hosting business, it is critical that I ensure that my client's data remain safe and secure. I am fully satisfied with WS_FTP." -- Ron Pineda, Owner, Bolibong Web Hosting
About Ipswitch
Ipswitch develops and markets software that works for businesses of all sizes worldwide. More than 100 million people use
Ipswitch software to collaborate via IMail, monitor their networks with Ipswitch WhatsUp®, and transfer files over the Internet
using the market leading Ipswitch WS_FTP® Professional client and Ipswitch WS_FTP Server. Please visit www.ipswitch.com
to learn more about WS_FTP and download a free 30-day evaluation of WS_FTP Server and WS_FTP Professional.

About the Author
David Stelzl, CISSP, a preeminent expert on digital asset protection strategies, is a dynamic speaker and information security professional who inspires audiences and readers by showing them how to look at security, digital assets, and the protection of mission critical data. David has a passion for helping organizations find lasting answers, which he shares through his writing, speaking, and consulting. David has spoken to audiences internationally, bringing life to the concepts of information security, systems, networks, and relevant IT/Business solutions. He provides simple analogies that allow asset owners to understand the complex concepts of hacking, identity theft, security policy and compliance. David aims, through his writings, to teach organizations how to create relevant security solutions that stop the daily attacks against corporate data.

Over the past twenty years David has worked for companies such as Bank of America (formerly NationsBank), McNeil Consumer Products, and a number of regional and global consulting firms. Most recently David developed and managed the Security Practice for Dimension Data, North America PLC. Serving as Director of Security he developed security assessment methodologies, solutions marketing programs, and served on the Global Security council as a strategist, keeping up with security trends, global threats, and regulatory compliance issues in the areas of GLBA, HIPAA, and SOX. David is CISSP certified and has presented topics on security to audiences in the US, Canada, Europe, and Africa.
