Securing e-mail but not large file transfers? Not smart

Securing e-mail but not securing large file transfers is as safe as locking the front door and leaving the backdoor wide open


Do you know how frustrating it is to send an e-mail to someone and have it rejected because it is too large? My latest e-book, "Windows 7 Unveiled," comes in at 11MB. In my mind, that is nothing in terms of size, but it is constantly getting blocked by incoming and outgoing e-mail limitations. The limits imposed (typically 10MB) are not large enough to accommodate the needs of the modern user. I know that the reason for the limitation is to keep a lid on network bandwidth and storage concerns on the e-mail server. But there's a security breach risk created by the limitation.

Joe User wants to send an 11MB file but is blocked by the e-mail policy that prevents large file attachments. Joe User becomes creative and finds a P2P file-sharing alternative. Or maybe he puts it on a USB drive or a CD, or he uses an FTP product. Is Joe User concerned about the security of that file (which may be personal -- or may be sensitive company information)? Not at all. Joe User is concerned about getting his job done or meeting a deadline (or sending out his new e-book). Unfortunately, files sent via P2P, IM, CDs, or FTP are a data breach waiting to happen.


Corporations and government agencies alike have made headline news for exposing sensitive information using unsecure file transfer. President Obama's new helicopter plans were exposed because of P2P file-sharing software. For corporations, the financial consequences of a data breach can be significant. Recently, three HSBC firms were fined more than $4.9 million by the U.K.'s Financial Services Authority for failing to protect customers' confidential information. The blame for the failures is being placed on the lack of training in the firms because large amounts of unencrypted data were sent to third parties.

As an IT administrator or a decision maker for the security elements of your organization, you need to find ways to plug up the gaping hole that is created by a restrictive e-mail policy. That isn't to say you should alter the policy. You raise it to 15MB, and a user comes along with a 20MB file. Raise it to 20MB, someone will want to send a 50MB PowerPoint with lots of pictures. A line has to be drawn. But if you have an attachment-heavy company (where users typically need to send, for example, CAD drawings, MPEG files, or tech specifications, and so forth), you have to prevent the creative, sharing minds from forming a security hole. E-mail security needs to include consideration of file transfer security.

So what should you do? Prevent USB devices and CD burning on the systems using Windows Server's Group Policy? Perhaps. Or maybe block the ability to go to certain sites for media uploading. (I use MediaFire personally. It's free and gives me plenty of upload space for document transfer. That is what I had to do to send my book out to folks that wanted a copy. Attachmore is an alternative you might consider.)

If you aren't convinced just yet of the risks involved in file transfers, there are some free webcasts that Accellion (a managed file-transfer vendor) offers to help educate businesses. The series of security webcasts (some upcoming, some on-demand) focuses exclusively on the topic of how to avoid the perils of unsecure file transfer. (To learn more about Accellion's file-transfer security product, read InfoWorld's story "Hands-on preview: Accellion virtual appliance.")

Increasingly, organizations are implementing managed file-transfer products as an effective strategy to ensure that confidential information is not exposed. To choose the right security and compliance product, businesses must consider several goals:

  • Ensure ease-of-use. If a product is not simple to operate, employees will find alternative ways to share large files. Ideally the file-transfer product should be integrated directly with your e-mail application to provide the ease-of-use of e-mail without the size restrictions. For example, if you are using Microsoft Outlook or Lotus Notes, look for a file-transfer product that offers e-mail plug-ins for those applications. Users shouldn't have to learn much -- if anything -- new; file transfer should be as easy as clicking a link, and the file-transfer product should work behind the scenes to manage the secure transfer of the file.
  • Understand your requirements. Consumer offerings rarely provide the level of security that businesses require. Enterprise features to look for include secure transmission over SSL, file encryption, auditable logs and reports, file lifecycle management, and recipient authentication.
  • Be compliant. Don't wait until you fail a security audit to implement an enterprise file-transfer product. Pick a product that allows for complete auditing and tracking of information entering or leaving your organization. Your corporate file-transfer products should provide comprehensive auditable logs and reports that track every file entering and leaving the company.
  • Secure your data. Enterprise file-transfer products come with a wide range of security features, so use them. For example, automatic encryption and authentication checkpoints that validate recipients help ensure that confidential information is not shared with, or exposed to, the wrong parties.
  • Avoid IT overload. Pick a product that easily integrates into your existing environment and requires minimal IT administration. Automated account creation using LDAP/Active Directory integration eliminates IT overhead and time delays traditionally associated with getting employees and external recipients registered as users. File lifecycle management tools are essential to keep IT administration for file transfer to a minimum and to ensure that files do not sit around indefinitely waiting for a data breach to happen.
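To picture how these checklist items fit together (recipient authentication against a directory, enforced encryption, file lifecycle expiry, and an audit trail), here is an added toy example in Python; it is not code from the article or from any product named in it, and the directory, addresses and dates are constructed.

```python
# Added illustration, not the article's or any vendor's code: a toy managed-transfer
# ledger with the controls the checklist asks for: recipient authentication against a
# directory (standing in for LDAP/AD), encryption enforcement, lifecycle expiry, and an
# audit trail of every accepted, rejected and expired file.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Transfer:
    name: str
    recipient: str
    created: datetime
    encrypted: bool = True

@dataclass
class Ledger:
    directory: set                      # authenticated recipients (constructed sample)
    ttl: timedelta = timedelta(days=7)  # lifecycle: files are retired after 7 days
    transfers: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event, name, **extra):
        self.audit.append({"event": event, "file": name, **extra})

    def submit(self, t):
        # Accept only encrypted transfers to recipients the directory can authenticate.
        if t.recipient not in self.directory:
            self._log("rejected", t.name, reason="unknown recipient", to=t.recipient)
            return False
        if not t.encrypted:
            self._log("rejected", t.name, reason="unencrypted")
            return False
        self.transfers[t.name] = t
        self._log("accepted", t.name, to=t.recipient)
        return True

    def expire(self, now):
        # Lifecycle sweep: retire anything older than ttl so files never sit around.
        gone = [n for n, t in self.transfers.items() if now - t.created > self.ttl]
        for n in gone:
            del self.transfers[n]
            self._log("expired", n)
        return gone

def demo():
    # Constructed sample: the 11MB e-book to a known colleague, plus a CAD drawing
    # addressed to an account the directory cannot authenticate.
    day0 = datetime(2010, 1, 1)
    led = Ledger(directory={"alice@example.com"})
    ok = [led.submit(Transfer("Windows7Unveiled.pdf", "alice@example.com", day0)),
          led.submit(Transfer("specs.cad", "stranger@p2p.invalid", day0))]
    return led, ok, led.expire(day0 + timedelta(days=8))
```

Calling `demo()` returns the ledger, one accept/reject result per submission, and the list of files retired by the sweep; every decision is also recorded in `ledger.audit`, which is the "auditable log" the checklist asks for.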

I've been scouring the Internet looking for the best and brightest products available to address this issue of backdoor file-transfer security holes. What are you using to keep your company safe yet functional?
