Wednesday, June 10, 2009
New blog location
I've moved this blog to our web site -- http://blog.biscomds.com -- please check out our musings and opinions on things like SharePoint, cloud computing, laws, compliance, and all things related to secure file transfer!
Monday, March 2, 2009
President's helicopter Marine One details leaked!
I could probably keep this blog filled with all the data breaches happening these days, but that would be an exercise in futility -- there are just way too many to report, and for every one reported, there are probably hundreds that aren't.
One data breach, however seems particularly scary -- President Barack Obama's ride (when he's not flying in Air Force One) had its blueprints and details of its avionics package leaked. Tiversa, a company that monitors P2P networks, discovered the information on an IP address in Tehran, Iran, and traced the leak back to a defense contractor's computer in Bethesda, MD.
First, the person who installed this P2P sharing software should have known better. Second, the company should have these network sharing applications locked down, especially for anyone who has access to sensitive information. But we all know that where there's a will, there's a way. I'm sure this isn't the only sensitive military secret that's escaped from a computer on a P2P network.
Who knows what the P2P software on this computer was installed for -- most likely sharing music, but what if the person used it to share legitimate business information because it was the easiest way to get his or her job done? It just goes to show you that it's so important to have the tools in place, like a secure file transfer solution, so that employees don't resort to non-secure methods to share information.
One data breach, however seems particularly scary -- President Barack Obama's ride (when he's not flying in Air Force One) had its blueprints and details of its avionics package leaked. Tiversa, a company that monitors P2P networks, discovered the information on an IP address in Tehran, Iran, and traced the leak back to a defense contractor's computer in Bethesda, MD.
First, the person who installed this P2P sharing software should have known better. Second, the company should have these network sharing applications locked down, especially for anyone who has access to sensitive information. But we all know that where there's a will, there's a way. I'm sure this isn't the only sensitive military secret that's escaped from a computer on a P2P network.
Who knows what the P2P software on this computer was installed for -- most likely sharing music, but what if the person used it to share legitimate business information because it was the easiest way to get his or her job done? It just goes to show you that it's so important to have the tools in place, like a secure file transfer solution, so that employees don't resort to non-secure methods to share information.
Thursday, February 26, 2009
Gartner's Key Issues for Managed File Transfer, 2009
Just got a copy of Frank Kenney's latest note on Managed File Transfer called "Key Issues for Managed File Transfer, 2009" published this month. In our last meeting, Frank told me about MFT evolving from a siloed point solution into a broader, more integrated solution that has multiple touch points within an organization's data delivery and management services. In addition to the obvious security requirements, Frank ties in aspects such as monitoring, reporting and auditing, provisioning, and workflow. He also flags a key issue -- companies need visibility into the processes and systems that transport content, and a way to lock that content down during delivery. Frank also discusses adaptability, which he defines as the ability to leverage and connect to existing systems and infrastructure.
Biscom Delivery Server will definitely benefit from this new viewpoint -- we've always believed that tying into existing investments such as LDAP and Active Directory, SAN and NAS storage systems, and common clients like email and Web applications, are critical features of any MFT/SFT solution. And it's about time people looked at secure file transfer as not just a single, discrete function, but as an integrated enabling tool for sharing all sensitive information in this increasingly paranoid world. The demand is not just internal -- companies are feeling greater pressure from their own customers and partners who are wary of how they are sending their personal and confidential data in.
There's a lot more to Frank's piece, so I recommend you request this paper if you're a Gartner client. I'm just scratching the surface of Frank's vision in this blog posting but Frank's paper offers some interesting predictions at what's coming down the MFT road.
Biscom Delivery Server will definitely benefit from this new viewpoint -- we've always believed that tying into existing investments such as LDAP and Active Directory, SAN and NAS storage systems, and common clients like email and Web applications, are critical features of any MFT/SFT solution. And it's about time people looked at secure file transfer as not just a single, discrete function, but as an integrated enabling tool for sharing all sensitive information in this increasingly paranoid world. The demand is not just internal -- companies are feeling greater pressure from their own customers and partners who are wary of how they are sending their personal and confidential data in.
There's a lot more to Frank's piece, so I recommend you request this paper if you're a Gartner client. I'm just scratching the surface of Frank's vision in this blog posting but Frank's paper offers some interesting predictions at what's coming down the MFT road.
Internal Threats -- The Hidden Side of Data Breaches
We're hosting a webinar with Derek Brink, VP and Resarch Director of IT Security at Aberdeen Group. Before joining Aberdeen, Derek was VP of Strategy at RSA, and has deep knowledge of security, encryption, and file transfer technologies. Derek will be discussing the growing threat of internal data breaches and what best in class companies are doing to prevent these problems.
So, mark you calendars for March 11th, 2009 from 1-2pm ET and register for this webinar. You'll have the opportunity to talk to Derek and also have access to one of Aberdeen's whitepapers on Secure File Transfer at the end of the webinar.
So, mark you calendars for March 11th, 2009 from 1-2pm ET and register for this webinar. You'll have the opportunity to talk to Derek and also have access to one of Aberdeen's whitepapers on Secure File Transfer at the end of the webinar.
Wednesday, February 11, 2009
$200 discount on AIIM 2009
I'll be speaking with Dave Brown from Rockland Trust (see previous blog entry) at the AIIM show in Philadelphia (March 30-April 2, 2009) and AIIM has been kind enough to provide a $200 discount for any new attendees. You can get the discount code here.
It's going to be a fun session -- Dave has a great story to tell, and I hope it helps others see the potential for a secure file transfer solution in their organization.
It's going to be a fun session -- Dave has a great story to tell, and I hope it helps others see the potential for a secure file transfer solution in their organization.
Tuesday, February 10, 2009
How to acquire a bank in the 21st century
Biscom Delivery Server is being used in a lot of different ways -- sending medical records and clinical data securely, sharing large multimedia files with design studios and PR agencies, distributing software to customers, and working with local, state and federal government agencies.
But one of our more interesting customers is Rockland Trust, a regional bank here in Massachusetts that is one of the few banks that is actually doing well and growing. Dave Brown, their AVP Information Risk/Security Architect, is what I'd call someone with vision. Or at least he saw the potential for BDS in his company. Dave and I are going to be co-presenting at the AIIM 2009 show in Philadelphia on April 1, 2009 on how Rockland Trust is using BDS to address multiple secure delivery projects internally as well as externally.
One of Dave's many hats involves handling the data transfers when Rockland Trust acquires another bank. These bank conversions involve moving all customer information, deposits, historicals, and balances so that the customers of the acquired bank can, for example, go to an ATM for either of the banks, and get cash out. It's also nice when the account balances are correct.
Dave's been doing bank conversions for 20 years, has executed hundreds of acquisitions, and I don't think I'm going out on a limb when I say he's pretty much an expert on this. So, I take his word when he says that before BDS, there was a lot more to worry about, including whether the magnetic tape backups would be delayed because an airport's snowed in (yes, this really happened!), or if the the tapes would arrive corrupted, or even if the reel to reel systems of the two banks would be compatible. There are a number of potential issues.
Dave used BDS in an acquisition recently and it apparently went so well, he's "rewritten the book" on bank conversions, and BDS is now part of Rockland's SOP. He now includes BDS in the project plans of all his acquisitions, and by doing so, the cut over is seamless for the bank's customers. Instead of closing on Friday, and re-opening Monday, the acquired bank can be open for business on Saturday morning. The ROI for that is something we're still trying to figure out, but think about this: no opportunity costs of a branch being closed for one or more days, customers don't have to wait several days before being able to access their accounts via ATM or online, and the increased confidence and trust customers will have with a bank where everything is handled quickly, efficiently, and smoothly.
So, if you're going to AIIM this April, you can hear Dave talk about how Rockland Trust is using BDS, not just for bank conversions, but also in all other parts of the organization.
But one of our more interesting customers is Rockland Trust, a regional bank here in Massachusetts that is one of the few banks that is actually doing well and growing. Dave Brown, their AVP Information Risk/Security Architect, is what I'd call someone with vision. Or at least he saw the potential for BDS in his company. Dave and I are going to be co-presenting at the AIIM 2009 show in Philadelphia on April 1, 2009 on how Rockland Trust is using BDS to address multiple secure delivery projects internally as well as externally.
One of Dave's many hats involves handling the data transfers when Rockland Trust acquires another bank. These bank conversions involve moving all customer information, deposits, historicals, and balances so that the customers of the acquired bank can, for example, go to an ATM for either of the banks, and get cash out. It's also nice when the account balances are correct.
Dave's been doing bank conversions for 20 years, has executed hundreds of acquisitions, and I don't think I'm going out on a limb when I say he's pretty much an expert on this. So, I take his word when he says that before BDS, there was a lot more to worry about, including whether the magnetic tape backups would be delayed because an airport's snowed in (yes, this really happened!), or if the the tapes would arrive corrupted, or even if the reel to reel systems of the two banks would be compatible. There are a number of potential issues.
Dave used BDS in an acquisition recently and it apparently went so well, he's "rewritten the book" on bank conversions, and BDS is now part of Rockland's SOP. He now includes BDS in the project plans of all his acquisitions, and by doing so, the cut over is seamless for the bank's customers. Instead of closing on Friday, and re-opening Monday, the acquired bank can be open for business on Saturday morning. The ROI for that is something we're still trying to figure out, but think about this: no opportunity costs of a branch being closed for one or more days, customers don't have to wait several days before being able to access their accounts via ATM or online, and the increased confidence and trust customers will have with a bank where everything is handled quickly, efficiently, and smoothly.
So, if you're going to AIIM this April, you can hear Dave talk about how Rockland Trust is using BDS, not just for bank conversions, but also in all other parts of the organization.
Tuesday, January 20, 2009
Web services really works
I got a nice surprise the other day from one of our support engineers. He's really getting into Ruby as a scripting language and has used it to automated several of his processes, like managing backups, upgrading multiple BDS instances at once, and other tedious system administration tasks.
But then he thought about using Ruby to script BDS. In the matter of a few hours, he was able to take the BDS web services API and generate the ruby methods using wsdl2ruby, and created a script to authenticate and start sending files securely through our production delivery server.
One of the big hopes of Web services when it was first developed, was to create a truly interoperable middleware technology for applications to share data. Because it's simply passing XML-based SOAP messages around, it's language neutral -- if you can read and write SOAP messages, you can leverage applications that support SOA with Web services interfaces, like Biscom Delivery Server. Luckily, more and more development environments are including built-in support for Web services, or at the very least, have pre-built libraries, tools, and other third-party add-ons to connect to Web services out in the cloud.
So, for all you programmers and scripting aficionados, see how you can extend your existing and legacy applications to support secure file transfer using our Web services API. If you have an idea or a question about integrating BDS capabilities into your organization, let us know -- we'll help you any way we can.
But then he thought about using Ruby to script BDS. In the matter of a few hours, he was able to take the BDS web services API and generate the ruby methods using wsdl2ruby, and created a script to authenticate and start sending files securely through our production delivery server.
One of the big hopes of Web services when it was first developed, was to create a truly interoperable middleware technology for applications to share data. Because it's simply passing XML-based SOAP messages around, it's language neutral -- if you can read and write SOAP messages, you can leverage applications that support SOA with Web services interfaces, like Biscom Delivery Server. Luckily, more and more development environments are including built-in support for Web services, or at the very least, have pre-built libraries, tools, and other third-party add-ons to connect to Web services out in the cloud.
So, for all you programmers and scripting aficionados, see how you can extend your existing and legacy applications to support secure file transfer using our Web services API. If you have an idea or a question about integrating BDS capabilities into your organization, let us know -- we'll help you any way we can.
Friday, January 16, 2009
Another information privacy law in Connecticut
During my research into the new MA law on data privacy, I also found this law (Public Act No. 08-167) which became effective on October 1, 2008. The act is aimed at protecting social security numbers. The interesting thing about this act is that it's not just businesses that are required to adhere -- individuals will be held responsible as well. Here's a quote from the actual act:
It's a $500 civil penalty per violation, and maxes out at $500,000 per event. By the way, personal information doesn't just include social security numbers, but also driver license numbers, passport numbers, credit or debit card numbers, and health insurance identification. I love that they added this extremely important item too: "account number" -- is it just me or is that just a wee bit vague?
Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.
It's a $500 civil penalty per violation, and maxes out at $500,000 per event. By the way, personal information doesn't just include social security numbers, but also driver license numbers, passport numbers, credit or debit card numbers, and health insurance identification. I love that they added this extremely important item too: "account number" -- is it just me or is that just a wee bit vague?
Wednesday, January 14, 2009
201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth
Catchy title? Well, maybe not, but it's a new privacy and security law in Massachusetts that takes effect May 1, 2009 (postponed from January 1, 2009).
The purpose and scope, as described on the Mass.gov site:
(a) Purpose
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.(b) Scope
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.
While this sounds quite onerous for many companies, and has pretty far reaching implications on IT data management processes and procedures, it's a step in protecting against the increasing incidence of identity theft and other data leaks. Was this law spurred by the TJX breach of 45.7 million credit cards or when 4.2 million credit card numbers were nicked from Hannaford Foods in 2007? The cleanup efforts far outweigh the investment in security that might have prevented these data breaches (some estimates put TJX at $4.5 billion in accumulated costs in fines, legal fees, notification expenses, and brand damage).
I see stories like these, and dozens of other high profile breaches, as the tip of the iceberg. I doubt there's going to be any law or compliance legislation that will protect 100% of individual and company data from being lost or stolen, but it does make sense for companies to reassess their data storage and transmission policies to harden their defenses against this.
Companies must look holistically, however, and can't overlook the fact that data must be protected from many angles. In the introduction to the book Practical Cryptography, the authors, Niels Ferguson and Bruce Schneier, mention scores of companies obsessed with building robust and highly protected network security to foil hackers, but ignored internal concerns, both malicious and unintentional, akin to installing a huge steel front door in your house, but having an unlocked screen door in the back.
With this law, the pendulum has swung quite a bit in requiring companies to have implementations in place to protect personal data, but I hope solutions built for this have both the technical aggressiveness to maintain security, but provide it in a way that is not so complex and hard to use that individuals dismiss it and look for alternative methods that may compromise security.
Thursday, January 8, 2009
My first blog
My first blog and my first blog posting. Actually, Frank Kenney, Research Director at Gartner, paid us an onsite visit today, and suggested that it might be worthwhile for me to start a blog on managed file transfer (aka secure file transfer/intelligent file transfer) and to start evangelizing the concept. As someone who's been quietly evangelizing this for the last 8 years, I guess this is as good as any forum to share news, industry events, and other thoughts on the state of the SFT/MFT market (like the military, tech is full of acronyms).
Biscom Delivery Server (BDS for short, to remain true to the acronym-phillic technology community), is an enterprise Web-based secure file transfer application. (EWBSFTA?) BDS enables people (or machines/automated processes) to send files and messages to each other securely, while tracking every transaction that can later be used for reporting and auditing purposes (think regulatory or compliance requirements). Basically, if you have a file that contains sensitive or confidential information that you can't send over email because it's either too large or you're concerned about other people being able to view it, and FTP, PGP, and other security technologies are too complex for your end users, then you need our product. BDS, above all else, is easy to use!
In a nutshell, here's how it works.
Questions? Comments? I guess I'm opening myself up to the world now, so fire away!
Biscom Delivery Server (BDS for short, to remain true to the acronym-phillic technology community), is an enterprise Web-based secure file transfer application. (EWBSFTA?) BDS enables people (or machines/automated processes) to send files and messages to each other securely, while tracking every transaction that can later be used for reporting and auditing purposes (think regulatory or compliance requirements). Basically, if you have a file that contains sensitive or confidential information that you can't send over email because it's either too large or you're concerned about other people being able to view it, and FTP, PGP, and other security technologies are too complex for your end users, then you need our product. BDS, above all else, is easy to use!
In a nutshell, here's how it works.
Questions? Comments? I guess I'm opening myself up to the world now, so fire away!
Subscribe to:
Posts (Atom)
Posts
