Thoughts about the “Study: Frequent password changes are useless” article on Yahoo News

17 04 2010

I recently read the article Frequent password changes are useless

After giving this some thought, a couple of things struck me as being very important but easily overlooked. Both are related to this paragraph,

“Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher’s very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes’ averted losses, but few would estimate it’s anywhere approaching $16 billion a year.”

The article says “frequent password changes are simply a waste of time,” but it never defines frequent. Does frequent mean daily, weekly, or monthly? I would not think that changing passwords once a quarter qualifies as frequent.

Note that the $16 billion figure is not per company; it is the national aggregate. If your company loses only $1 million, that is a small slice of the aggregate pie, but for many companies it could mean bankruptcy or, potentially, years of expensive personal-data-breach litigation. If memory serves correctly, the defense in this type of litigation depends heavily on having taken every ‘reasonable’ precaution. If one of those reasonable precautions is deemed to be frequent password changes, then never changing passwords, or changing them only once a year, could mean additional losses of millions in court battles. One must also remember the fines and penalties for violating data protection laws, and the loss of credibility in the marketplace when it is your company that gets compromised.

Something to think about.


Why Tax Day and MFT Depend on You

14 04 2010

Tomorrow (4/15)  is tax day in the United States.  Thus, there will be plenty of checks running through the mail, all destined to reach their respective IRS offices.  This entire process is a parallel to the managed file transfer process.  Sure, I don’t want to have to send out a bunch of money either, but if I have to, then I should hope that it gets into the proper hands.

It all starts with the end in mind.  Destination address scrawled across the front of your envelope, you’re ready to “click the send button” and drop it into the mailbox.  Here is where the important part starts.  If your bank is keeping you secure, then your check should be safe; encrypted in a sense.  Sure, someone could manage to get to your check (it’s not a steel envelope after all), but that check then must be “hacked.”  With proper encryption, attempts will be futile.

Assuming that your check reaches its final destination, the IRS then has the “password” to open it: permission.  The same concept is used in ad-hoc managed file transfer solutions, which ensure that only those who need access to a file have it, through password protection and user verification.

As you drop your check into the mailbox on tomorrow’s tax deadline (you daredevil, you!), remember this analogy and notice that your role never changes.  As users, we are still responsible for ensuring that files are being sent to the proper destinations and through the proper methods.  Without you, security is merely something we wish we had.  Tax day and managed file transfer: both depend on you!  Who knew you were such a hero?

Best of Breed B2B: One Size Does Not Fit All Anymore

11 03 2010

The IT industry has a long history that provides valuable perspectives for technology buyers.  As George Santayana noted in 1905, “Those who cannot remember the past are condemned to repeat it.”  The IT applications industry has moved alternatively since the mid-1970s between preferring best-of-breed solutions to preferring integrated suites.  In 2010, there has been a distinct shift to preferring best-of-breed B2B solutions that purchasers should consider when selecting a new application.

In the 1970s, best-of-breed players like Cullinet, McCormack & Dodge and Management Sciences of America dominated the enterprise software market.  It was not uncommon for a company to own a general ledger system from one vendor and an accounts receivable system from another.  Professional services firms or contractors were often used to supplement a company’s IT staff to handle the integration between multiple vendors’ solutions.  Companies preferred the best-of-breed approach since a specific vendor’s package features and functions would closely reflect its existing business processes and work flows.

With the advent of personal computers and client/server computing in the 1980s, the pendulum began to shift towards integrated suite solutions provided by large vendors like Oracle, PeopleSoft and SAP.  The cost of upgrading multiple point solutions as well as maintaining the customized integrations began to become a major cost and resource issue for Global 2000 organizations.  This trend continued into the 1990s.  Even as Internet applications began to show explosive growth in the late 1990s and early 2000s, Global 2000 organizations stuck with their strong preference for integrated suites.  Y2K represented the peak of adoption of integrated suite solutions.  To meet Y2K compliance requirements, large-scale enterprises flocked to ‘one size fits all’ integrated suites.  In 2010, this pattern has changed.  The rise of low cost, subscription pricing-based Software as a Service solutions has begun to significantly erode the prominence of classic integrated suite offerings. and Google Apps are two excellent examples of this trend.


FTP and SFTP vs. MFT for OS/400 and IBM i platforms

8 03 2010

Over the past few weeks, I have seen a lot of newsgroup chatter regarding FTP, FTPS and SFTP on the IBM System i, i/OS. Although FTP(S) and SFTP are workable options when only limited file transfers are needed, they lack the functionality and usability of a mature Managed File Transfer (MFT) solution. Let’s look at some of the advantages a good MFT product provides over FTP.

For the purpose of this post, the term OS/400 also refers to i5/OS, i/OS and IBM i.

Under OS/400, SFTP is provided via the PASE and its use is described in this IBM Systems magazine article.

FTP(S)/SFTP vs. MFT functionality

  • Transferring nested directories is time consuming without a good GUI. MFT solutions provide simple, easy-to-use methods for transferring nested directories.
  • FTP(S)/SFTP only provide two-party transfers; MFT allows three-party transfers. In a two-party transfer, files move between the server and the client. In a three-party transfer, the client sets up a transfer directly between two servers, so no intermediate copy through the client is necessary.
  • With FTP(S)/SFTP, controlling end-of-line is tricky at best. MFT provides a straightforward means of specifying the character or character sequence wanted for end-of-line.
  • With OS/400 FTP(S)/SFTP, you may have to create the target files before the transfer to get the correct file settings. An advanced MFT product lets the user set the appropriate file attributes before the transfer, or detects those attributes in an OS/400-to-OS/400 transfer. A good product also provides one or more methods for automatically creating save files and database files that require DDS.
  • FTP only provides basic scripting. Advanced MFT products provide a full-fledged scripting language that allows automation of even the most sophisticated transfer processes.
  • FTP on OS/400 allows execution of simple commands. Modern, full-function MFT products provide the ability, possibly via add-on technology, to execute not only OS/400 commands but also commands on other systems. A really advanced product also provides logging and control options for the remote system.
  • OS/400 FTP allows a CCSID to be set when the FTP session is opened. MFT products go beyond an initial CCSID setting by detecting and automatically setting the CCSID for each file in a multiple-file transfer, whether from the QSYS or the IFS file system. A really great MFT product will also adjust end-of-line settings based on ASCII vs. EBCDIC file type.
  • SFTP only provides binary transfers. FTP supports Single Byte Character Set (SBCS) code pages, and some FTP products support UTF-8. Cutting-edge MFT products may support all of the Unicode variants as well as Double Byte Character Set code pages. Although the author knows of none, MFT products that fully support Mixed Byte Character Sets may exist.
  • FTP(S) and SFTP provide limited, if any, fault tolerance. MFT products provide network fault tolerance, allowing a transfer to complete after a network connection fails and recovers. They may also provide manager fault tolerance for remote command execution, whereby remote commands can complete during a network outage; after the network recovers, the output of the reconnected processes is transferred back to the initiating system.

The above information primarily addresses MFT functionality; however, not all of the functionality an MFT product may include is covered. Look, for example, for the ability to move files rather than only copy them, and the ability to list files. Security options are mentioned but not discussed in detail, since they are limited in FTP. Data integrity was not discussed and should be carefully considered before purchasing an MFT product.
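The CCSID and end-of-line items above, together with the closing remark on data integrity, describe work an MFT product does on your behalf. As an added illustration that is not code from the original post or from any MFT product, the Python sketch below detects whether a byte stream is EBCDIC (CCSID 37, Python's built-in cp037 codec) or ASCII/UTF-8, converts it with a chosen end-of-line sequence, and produces a size-plus-SHA-256 manifest that the receiving side can check so that a truncated or altered file is noticed. The detection heuristic, the function names and the sample records are assumptions constructed for this example.

```python
"""Added example (not from the original post or any MFT product):
detect EBCDIC vs. ASCII input, convert it with a chosen end-of-line
sequence, and produce/verify a size + SHA-256 integrity manifest."""
import hashlib

EBCDIC_CODEC = "cp037"   # CCSID 37 (EBCDIC US/Canada); an assumption for this example
EBCDIC_NL = "\x85"       # cp037 decodes the EBCDIC NL byte 0x15 to U+0085 (NEL)


def looks_like_ebcdic(data: bytes) -> bool:
    """Heuristic code-page sniff (an assumption, not an MFT product's logic).

    ASCII text lives almost entirely in 0x20-0x7E plus TAB/LF/CR.
    EBCDIC text uses 0x40 for space, letters in 0x81-0xE9, digits in
    0xF0-0xF9 and NL/LF at 0x15/0x25. Whichever population is larger wins.
    """
    if not data:
        return False
    ascii_score = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    ebcdic_score = sum(
        1 for b in data
        if b == 0x40 or 0x81 <= b <= 0xE9 or 0xF0 <= b <= 0xF9 or b in (0x15, 0x25)
    )
    return ebcdic_score > ascii_score


def normalize_eol(text: str, eol: str) -> str:
    """Collapse CRLF, EBCDIC NL, lone CR and lone LF to the requested sequence."""
    text = text.replace("\r\n", "\n").replace(EBCDIC_NL, "\n").replace("\r", "\n")
    return eol.join(text.split("\n"))


def convert_for_transfer(data: bytes, eol: bytes = b"\n", target_codec: str = "utf-8"):
    """Return (converted_bytes, detected_codec) for a text file about to be sent.

    Non-EBCDIC input is treated as UTF-8, of which plain ASCII is a subset.
    """
    source_codec = EBCDIC_CODEC if looks_like_ebcdic(data) else "utf-8"
    text = data.decode(source_codec)
    return normalize_eol(text, eol.decode("ascii")).encode(target_codec), source_codec


def make_manifest(data: bytes) -> dict:
    """Sender side: record what the receiver must see after the transfer."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def verify_transfer(received: bytes, manifest: dict) -> bool:
    """Receiver side: a truncated or altered file fails one of the two checks."""
    return (len(received) == manifest["size"]
            and hashlib.sha256(received).hexdigest() == manifest["sha256"])


def constructed_ebcdic_sample() -> bytes:
    """Two fixed-format records with EBCDIC NL separators (constructed sample data)."""
    return ("ACCT001 100.00" + EBCDIC_NL + "ACCT002 250.50" + EBCDIC_NL).encode(EBCDIC_CODEC)


if __name__ == "__main__":
    raw = constructed_ebcdic_sample()
    converted, codec = convert_for_transfer(raw, eol=b"\r\n")
    manifest = make_manifest(converted)
    print(f"detected {codec}; sending {manifest['size']} bytes, sha256={manifest['sha256'][:16]}...")
    print("intact copy verifies:", verify_transfer(converted, manifest))
    print("truncated copy verifies:", verify_transfer(converted[:-1], manifest))
```

The sniffing step stands in for the per-file CCSID detection the post attributes to good MFT products; in practice an OS/400 product reads the file's CCSID attribute rather than guessing from bytes, so treat the heuristic purely as a demonstration. The manifest check is the minimum a receiving system should do after any resumed or reconnected transfer: verify both the expected length and the digest before the file is handed to downstream processing.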

The Business Case for Managed File Transfer

1 03 2010

In a recent study conducted by the Ponemon Institute, “Business Case for Data Protection: Study of CEOs and other C-level Executives,” the institute found that C-level executives believe good data protection practices can support important organizational goals such as compliance, reputation management and customer trust. Conversely, the study found that the majority of respondents are not confident in their ability to safeguard sensitive and confidential information. The statistics continue to be staggering:

  • 82 percent of C-level executives surveyed report that their organization has experienced a data breach and many are not confident that they can prevent future breaches.
  • 94 percent of respondents report that they have had their data attacked in the last six months.
  • 79 percent of respondents report that ONE person is considered to be in charge of data protection and is most likely the CIO.

Your Company's and Clients' Information

When asked whether a coherent or comprehensive enterprise data protection program increases the organization’s value, 83 percent of CEOs and 64 percent of other C-level executives say it reduces or mitigates risk of data loss or theft. However, the study goes on to illustrate that more than 90 percent of respondents only spend 5 percent of their data protection budget for “enabling technology.” So where is the disconnect? While there are many data protection tools out there, how can these breaches still be occurring at an increasing rate?

Without the proper data protection tools, companies will continue to face internal or external data breaches. Whether you are a small firm or large, global organization, can your reputation take that kind of hit?

Healthcare and Managed File Transfer

23 02 2010

With sensitive and confidential data being sent internally and externally to outsourced providers, insurance companies, laboratories or other physicians – email, FTP and standard mail are no longer viable solutions. Managed File Transfer (MFT) solutions are ideal for large healthcare organizations that need to secure file transfer throughout their entire IT infrastructure due to the large amount of transfers that are processed on a daily basis.

How Do You Secure Your Healthcare Information?

Most large healthcare organizations are riddled with file transfer products, tools and utilities that cannot interoperate. This makes securing data enterprise-wide difficult and cost prohibitive. With the amount of data transferred by healthcare organizations increasing everyday, it is imperative you implement a modern, cost-effective solution that adheres to current security requirements in the industry.

From an IT standpoint, a Managed File Transfer solution provides the enterprise-wide level of data security needed for the efficient flow of secure data transfer within the organization and for B2B transfers. You are able to streamline the audit process and access audit information from a central point, saving your organization time and money. A Managed File Transfer solution integrates with platforms enterprise-wide to increase automation and reduce the need for specialized staff. This allows your staff to follow every step of a file transfer and determine the impact of potential problems before they become a business-critical issue.

Is the IBM i secure or irrelevant? Intrusion detection and prevention

18 02 2010

Platform insecurity renders Managed File Transfer security meaningless. No matter how good your internal architecture is, your administrator requires protection policies and tools to detect, identify, isolate and mitigate or stop attacks.

Rather than cover what IBM Systems Magazine has well documented, I refer to the following two articles. The first is titled “Intrusion Detection on System i” with the introduction: “Hackers, crackers, intruders, oh my! And each with their pride at stake, But rest assured with a System i, You’ll have a host that they can’t break.” This August 2007 article by Jim Coon and Yessong Johng points out potential methods of intrusion and what to do about them.

The second article, “Intrusion Detection and Prevention on IBM i,” written in March 2009 by Jim Coon and Lindsay Avers, addresses how to set up detection and deal with intrusions, even on a real-time basis.

As attackers become more inventive and pervasive, IBM i provides the ability to push back and defend your valuable resources.