comforte s solutions for secure file transfer

Transcription

1 comforte s solutions for secure file transfer Thomas Burg comforte GmbH ITUG San Jose, October 2005 This presentation presents comforte s solution for secure file transfer on the NonStop platform. It was presented during ITUG

2 secure file transfer - Agenda Motivation Standards Solutions The presentation has three main areas: in the Motivation part we talk about why securing of file transfer is important in the Standards part we look at various standards which improve security in the Solutions part we take a look at comforte s offerings 2

3 Motivation: Why secure file transfer? Regulations Audits Best Practises If there is no reason for secure file transfer, we ll all stay with FTP because it s available on every platform and interoperates nicely. We will look at some driving factors next. 3

4 Regulations In a nutshell Enforces HIPAA (1998) Protect medical data Technical recommendations SOX (2002) Protect financial results of publicly traded companies from altering Best Practises, Regular Audits VISA CISP (1999) Protect credit card data Specific set of Best Practises California SB 1386 (2003) Forces disclosure if personal data is lost nothing In the past years, there has been a flurry of regulations effecting IT departments. The table above lists the most prominent ones, some more detail follows here: The Health Insurance Portability and Accountability Act ( HIPAA ) from 1998 lists the protection of the health information of individuals against unauthorized access as one of its objectives. This objective is then enforced by requiring health care providers which are defined in a rather generic context to follow technical recommendations set forth in the standard. In 2002, the United States Congress passed the Sarbanes-Oxley Act ( SOX ). Intended to ensure proper accounting procedures and financial reporting, the legislation applies both to U.S. and multinational publicly traded companies. Among other things, SOX enforces IT controls to prevent and detect any attempted financial manipulation. On a quartarly basis, these IT controls have to be certified by external auditors. The Visa Cardholder Information Security Program ( CISP ) is a set of Security Standards which Visa sets for merchants and service providers who are involved in processing Visa credit card transactional data. Entities which do not comply can be either fined or being restricted for future business by Visa. Various US states require companies who have suffered security breaches involving personal data to make these breeches public. While these laws do not enforce any implementation of security standards, the negative publicity after having to admit security breaches has made many companies take a second look at Best Practices. 4

5 Audits do you have an internal audit department? are your NonStop systems audited? do Auditors like unencrypted FTP traffic? (If no, why not?) Internal auditors are increasingly critical of unencrypted FTP traffic, reasons will be given on the next slide. 5

6 Best Practises Maybe the regulations and auditors have a point? Pick any book on computer security in general Network Security Bible, Cole et al., Wiley 2005 The use of encryption is a security control multiplier; it enhances any security posture FTP is a widely available method of transferring files. It has some vulnerabilities (...) and it sends passwords in the clear (unencrypted). For these reasons, more secure methods of file transfer, such as scp or sftp should be used instead The encryption of network traffic is becoming a standard Best Practise in computer security. Not encrypting FTP traffic puts user names and passwords at risk as they can easily be sniffed off the network. 6

7 Agenda Motivation Standards Solutions Having talked about the motivation for secure file transfers, we now look at industry standars implement secure file transfers. 7

8 Standards for (secure) file transfer Punch Cards (1920ies) Tape Drive (1951, Univac) X25 (60ies) Floppy Disks ( ) ZModem (lates 70ies) TCP/IP FTP (1985) SSH/SFTP (1995) FTP/SSL (2001) This slide looks at some old and new standards for secure (and non-secure) file transfer. Most pictures have been found via Wikipedia, ie 8

9 A look at FTP/SSL SSL established in 1995, well-used in Internet SSL is base of several comforte encryption products (ie Telnet) 2001: first draft of combining SSL with FTP Uses PKI *and* usernames/passwords for authentication 2003: in widespread use in Windows-world: WS-FTP-Pro, : launch of product SecurFTP/SSL by comforte a.k.a. FTPS, FTP-over-SSL, FTP-SSL SSL a.k.a. TLS FTP-over-TLS, FTP-TLS FTP/SSL is the first of two well-established standards for secure file transfer. The next slide will look at the other standard. 9

10 A look at SFTP SSH standard created by a Finnish student in 1995 Initially developped for shell access only ( secure shell ), other functionality added later Governed by multiple RFC s today File transfer implemented using scp and sftp sub-protocols (scp outdated) Widely popular in Unix world early on ( openssh ) Uses Key Pairs *or* username/password for Authentication As of 2005, supported by many popular Windows-clients (ie WS-FTP-Pro) Launch of SecurFTP/SSH product by comforte in 2005 Yet another standard is called SFTP together with FTP/SSL which is described on the prior slide these two standards are the most prominent ones which are in widespread use today. 10

11 FTP/SSL vs. SFTP - Summary Protocol History Authentication Other FTP-SSL SSL was created by Netscape in 1995 to secure Internet traffic FTP-SSL was first drafted as standard in 2001 Uses PKI to authenticate the SSL session Logon to FTP session with username and password Sits on top of FTP standard Popular in Windows world early on SFTP SSH was created by a Finnish student to secure Unix shell access in 1995 Support for file transfer was added a little later Either through Public/Private Key pairs or through username and passwords Not related to FTP standard at all Popular in Unix world early on Openssh in wide use in Unix world Unfortunately, the two most popular standards are named in a somewhat confusing fashion, the above table summarizes the differences. Note that the two standards do the same thing, however they are *not* interoperable. 11

12 Agenda Motivation Standards Solutions Having talked about the why and how of secure file transfer in general, we now take a brief look at comforte s offerings. 12

13 SecurFTP/SSL implements the FTP/SSL standard product launch in sites in production world-wide advanced auditing (including OSS support) firewall functionality fine-grained access control using its own user database RemoteProxy component turns it into any-to-any solution transparent to existing FTP environments small footprint, installs in 5 minutes 13

14 SecurFTP/SSL scenario 1 14

15 SecurFTP/SSL scenario 2 15

16 SecurFTP/SSH implements the SFTP over SSH2 standard product launch in 2005 specifically built for the NonStop platform already in production on two sites advanced auditing (including OSS support) fine-grained access control using its own user database OSS not required, yet fully supported allows transfer of structured files existing batch environments for FTP will have to be modified comforte solution available for NonStop platform only small footprint 16

17 SecurFTP/SSH scenario 1 17

18 SecurFTP/SSL scenario 2 18

19 Bottom line SecurFTP Proven solution in production at various customer sites Implements the two dominant standards for secure file transfer FTP/SSL and SFTP Fully standard-compliant making it operate with other systems running the same standard (Unix, IBM mainframe,...) Two flavours available: SecurFTP/SSL SecurFTP/SSH If you need both, get them bothj Used by various OEM partners as part of their solution (Emergis, DMB Group, Crystalpoint, TIC) also available as plugin for WebViewpoint 19

20 More information comforte web site product sheets articles trial More information about comforte s offerings can be obtained by the sources listed above. Within the next couple of slides, we will take a look at comforte s web site and how it helps to drill down on a given solution. 20

21 comforte s new Web site comforte s Web site was redesigned in late 2004 to enable the quick retrieval of information. The products area shown above allows you to find a product by name fast. So if you know which product you are interested in this is the fastest way to find information for a product. 21

22 comforte s new Web site (contd.) The Solutions area of the web site allows to drill down to a product by asking what does it do? rather than by how is it named?. In the above screenshot, we are looking for encrypted file transfer on the solutions overview page. 22

23 comforte s new Web site (contd.) Clicking there brings us to a page where SecurFTP the product this presentation was about now shows up as a product. 23

24 comforte s new Web site (contd.) The SecurFTP page has a lot of information regarding the product: the main part of the page summarizes the features and benefits publications (ie product sheets and white papers) provide further details a trial can be obtained by clicking on the Downloads area related topics are pages which further expand the topic 24

25 Even more information Two articles for The Connection on their way: Secure File Transfers in Heterogeneous Environments Implementing Enterprise Encryption Mandates on the NonStop platform More information about secure file transfer can be obtained from the two articles mentioned above. The first one is available from comforte upon request; the second is still being edited and will become available early

26 (End of presentation) 26