Townsend Security Data Privacy Blog

OpenSSH on the IBM i and Your Security

Posted by Patrick Townsend on Jan 3, 2017 7:45:48 AM

Lately I’ve seen some criticism of the OpenSSH implementation on the IBM i platform which seems to imply that using a third-party implementation of the Secure Shell (SSH) file transfer application is better without the IBM no-charge licensed OpenSSH implementation. I disagree with that opinion and think there are good security and implementation reasons to stick with the IBM OpenSSH implementation.

Here are some reasons why I like OpenSSH:

OpenSSH is supported by an global open source community

Tatu Ylönen founded SSH Communications in 1995 and produced the first versions of an open source SSH implementation. Since 1999 the OpenSSH application has been maintained by the OpenBSD Project which is funded by the OpenBSD foundation and managed by Theo de Raadt. OpenSSH is available on a wide variety of operating systems including the IBM i where it is deployed as a no-charge licensed product and maintained by IBM.  OpenSSH continues to be actively developed and new encryption algorithms have been added recently.

OpenSSH is a widely used by large and small organizations

By some estimates the OpenSSH implementation of the SSH protocol and applications commands a 97 percent market share for SSH implementations. This means that OpenSSH is in wide use by large and small organizations to securely manage their eCommerce needs. This also means that OpenSSH receives a lot of scrutiny by compliance and security experts. Widely deployed solutions tend to get more scrutiny from security experts, and this is true for OpenSSH.

OpenSSH is secure

No application is immune to security challenges. However, OpenBSD and the OpenSSH application in particular have a stellar record for security. With security products, deep expertise and commitment matter. OpenSSH started with security as a leading goal by its developers and it shows. Over the last few years there have been fewer than a dozen security issues, and most were unlikely to be exploited and all were patched rapidly through updates by IBM. The OpenBSD set of applications that include OpenSSH have a great record on security. If you think the IBM i platform has a good security record, take a look at OpenSSH.

IBM provides technical support for OpenSSH

We have all developed a deep appreciation for IBM’s commitment to security over the years. It is one of great values of the IBM i platform. As new vulnerabilities are discovered you need to have a reliable and timely source of patches and enhancements and IBM has stood behind this critical application. Security notifications are managed by IBM so that you know when you need to do an update. By making OpenSSH a no-charge licensed program IBM i customers get patches through the normal PTF update process. Do you know any third-party IBM i vendor with an equal commitment to notification, maintenance and patching? IBM has earned our trust through this process.

OpenSSH is PCI compliant

PCI Qualified Security Assessors (QSAs) like Coalfire, TrustWave and others recognize that a properly patched implementation of OpenSSH meets PCI Data Security Standards (PCI-DSS) compliance, and IBM also tracks OpenSSH for PCI compliance. This again reflects IBM’s and OpenBSD’s commitment to security. If you are using a third-party IBM i solution for SSH how well is it tracked by the PCI audit community?

SSH is a complex protocol

Bruce Schneier said “Complexity is the enemy of security.” SSH is a complex protocol and this means that extra care needs to be taken in its development, deployment and maintenance. No third-party SSH solution rises to the level of care taken by the OpenSSH community and by IBM. Almost every business depends on secure file transfer for daily business operations. Deploying the most secure SSH solution is a critical security step.

OpenSSH does not use OpenSSL or Java JSSE

We’ve read a lot over the last few months about security issues in OpenSSL and Java. Many IBM i customers are confused about the relationship between OpenSSH and OpenSSL. In fact, OpenSSH does not use the OpenSSL library for communications. This means that OpenSSH was not subject to the HeartBleed and other OpenSSL vulnerabilities. We are all also now painfully aware of the security issues in Java. Most browsers no longer allow Java plugins for this reason. Third-party SSH products may or may not use OpenSSL or Java for communications. If you are running a third-party IBM i SSH solution, do you know if it uses OpenSSL or Java?

Third-party SSH solutions provide no significant advantage over OpenSSH

OpenSSH is a secure, reliable, and resilient implementation of SSH for secure data transfer that is backed by IBM and a worldwide community of users and developers. Our Alliance FTP Manager solution fully integrates with the IBM i OpenSSH application for secure, automated and managed file transfer. Our solution automates the OpenSSH transfer of hundreds of thousands of file transfers every day without compromising security.

My opinion? You probably don’t need more IT risk in your life. Stick with OpenSSH for your security needs. You will be in good company.

Patrick

Webinar: Secure Managed File Transfer on IBM i

Topics: IBM i, Secure Managed File Transfer

Managed FTP Services on the IBM i – Look for These 8 Features

Posted by Patrick Townsend on Aug 8, 2016 1:03:03 PM

In a previous blog I talked about the security features that you should find in a Managed FTP solution. Of course, we look for the security components first as we want to be very sure that our data is protected in transit and at rest when it arrives at its destination. But with the high volume of FTP transfer activity in the modern organization; we also want to find a number of automation and management features in our Managed FTP solution. That’s the focus of today’s blog.

Secure Managed File Transfer for IBM i Here are the eight main elements of a Managed FTP solution for the IBM i (iSeries, AS/400) platform:

  1. Automation

  2. Scheduling

  3. Application integration

  4. Diagnostic logging

  5. Notification and Exception handling

  6. Resource management

  7. File system support (DB2, IFS, etc.)

  8. Commands and APIs

Let’s take these areas one at a time.

Automation: By its nature FTP is a manual process. This is one of the original protocols of the Internet and it was designed as a command line facility. But our modern IT systems need a solution that is hands-off and lights-out. A good Managed FTP solution should allow you to fully automate both inbound and outbound file transfers. And because our IBM i servers are often located inside the firewall, we need to be able to detect and pull files that are available on remote and external servers. We sometimes call this the automatic scan of remote servers and it is a critical automation component. Your Managed FTP solution should allow you to automate every aspect of sending and receiving files, including encryption of files you are sending and decryption of files that you receive.

Scheduling: Many file transfers have to happen at a certain time of day. This means that your Managed FTP solution should provide for intelligent scheduling of file transfers. Scheduled transfers might happen hourly, once a day, once a week, or once a month. But the scheduling facility should accommodate your transfer needs. Additionally, the ability to schedule a transfer through a third party scheduling application should be fully supported.

Application integration: When you receive a file via FTP it should be possible to automatically decrypt the file and automatically process it into your applications. This level of automation removes the need for human intervention and provides data in a timely fashion to your applications and ultimately to your users. Look for your Managed FTP solution to provide callable exit points, library and IFS directory scan facilities, and plenty of sample programs that you can use to start your automation projects.

Diagnostic logging: It is easy to underestimate the importance of built-in diagnostic logging in a Managed FTP solution. When you are processing many files every day, and when you are processing time critical files (think payroll files), you have to be able to identify the cause of a transfer problem very quickly. A diagnostic log should be available for every transfer and should clearly identify the causes of failures. FTP sessions can fail for a wide variety of reasons including network outages, password changes, remote configuration changes, expired certificates and keys, and many other issues. The presence of diagnostic logging means the difference between a long night hunched over a terminal or a leisurely trip to the pub!

Exception handling: A good Managed FTP solution will tell you when things go wrong. From my point of view this is both a good thing AND a bad thing. We have customers who run our solutions for years and forget that they are there! But this is what you want. A Managed FTP solution should tell you when a transfer failed and give you some clues on the resolution. In our Managed FTP solution notifications are done by email and you have a lot of choices – you can get notified on failure, notified on successful transfer, or notified on all activity. But it is the ability to get notified on failure that is so critical.  Exception handling should also include automatically retrying a failed transfer operation. Look for the ability of your Managed FTP solution to retry a transfer at least three times before reporting a problem!

Resource management: We don’t think of FTP as a CPU or disk intensive operation, and that is generally true. But imagine what it might be like to transfer several thousand files a day!  Those small individual file transfers start to add up in terms of resource utilization pretty fast.  Your IBM i Managed FTP solution should allow you to manage job priorities, schedule transfers during off hours of light usage, manage CPU time slice and pool allocations, and many other aspects of resource management.

File system support: As IBM i users we have a lot of data stored in DB2 files and tables. But we also may have a lot of information stored in the Integrated File System (IFS). A Managed FTP solution should support these file systems for both inbound and outbound transfers. Also consider those special file system requirements. Can you manage file transfers in a Windows network shared folder? Or a Linux/Unix NFS mounted volume? Or in a mounted drive for a remote IBM i server through the File400 folder? These can be important features for an IBM i solution.

Commands and APIs: Last but not least, there are always things we can’t do with the ready-to-use features of a Managed FTP solution. We will want to have access to IBM i commands and APIs to help us handle those special situations. In our Alliance FTP Manager solution we give you access to every single FTP operation directly from your RPG and CL applications. You can perform every aspect of an FTP session under program control, and know if it was success or failed, and why. And of course, command interfaces make it easy to put or get a single file. You might not initially miss the rich set of APIs, but the day will come when you need them!

In this blog I’ve tried to give you a feel for the basic set of features that you should find in a Managed FTP solution. You can learn more about our Alliance FTP Manager solution for the IBM i platform here.

Patrick

Secure Managed File Transfer for IBM i

Topics: Managed File Transfer, Secure Managed File Transfer, FTP Manager for IBM i

Secure and Managed FTP on the IBM i (AS400) Platform

Posted by Patrick Townsend on Jul 7, 2016 3:39:40 PM

The File Transfer Protocol (FTP) has been with us since the dawn of the Internet. Amazingly it is still a critical component of electronic commerce and all large organizations use FTP for integration with their customers and vendors. As a critical part of your electronic commerce infrastructure you want to make sure that your FTP solution is reliable, secure, automated, and manageable. That’s where Managed FTP solutions come into play. Our Alliance FTP Manager falls into this category and helps IBM i (AS/400, iSeries) customers meet this critical need.

Click to view Secure Managed File Transfer Webinar for IBM i users In this blog I want to look at just the security components of a Managed FTP solution. In a future blog we’ll look at the management components in more detail. But let’s start with security!

Secure Transfer Methods

Of course, we need to be sure that we are securing all of our FTP operations with strong encryption. Older FTP protocols did not encrypt FTP sessions and left organizations exposed to data loss both inside and outside of the corporate network. All of that is changed now. There are two types of secure, encrypted FTP methods in wide use:

  • Secure Sockets Layer FTP (SSL FTP, or sometimes FTPS)

  • Secure Shell FTP (SFTP)

SSL FTP is an extension of the original FTP protocol and is an Internet standard. As the need for secure eCommerce increased in the early 2000s the SSL FTP transfer method gained traction and large organizations transitioned to this secure and encrypted transfer method. Unfortunately, SSL FTP was difficult to implement in typical corporate networks and required modifications to firewall configurations. The complexity of the SSL FTP method made it difficult and expensive to implement and manage.

Secure Shell FTP, or SFTP, is a part of the Unix and Linux Secure Shell set of applications. While originally a Unix application, Secure Shell is now available on a wide set of operating systems and platforms. SFTP provides a secure implementation of file transfer and is much more friendly to the corporate network and network administrators. For this reason most organizations have transitioned to SFTP for their secure and encrypted file transfer needs.

While other open and proprietary solutions exist to transfer files, SSL FTP and SFTP remain the dominant methods of secure file transfer for ecommerce.

Additional Security Requirements

In addition to secure and encrypted transfer of files, a good managed FTP solution provides additional security controls. Let’s take a look at the ones you should find in a managed FTP solution:

File encryption: Many people are surprised to learn that encrypting a file transfer session is not an adequate level of security. When a file arrives at its destination it should also be protected at rest. This means encrypting the file before it is transferred with SFTP or SSL FTP. But doesn’t this mean the data is doubly encrypted? Yes it does. But protecting the file after it is transferred is crucial to a security strategy. Most organizations use Pretty Good Privacy (PGP) to encrypt a file before transfer, and to decrypt files that are received. Your Managed FTP solution should natively integrate PGP encryption into file transfers.

Configuration access control: Configuring managed FTP transfers involves setting local and remote configuration parameters, encryption parameters, and many other aspects of file transfer operation. Your managed FTP solution should implement configuration access controls and notify you of an attempted violation.

Two Factor Authentication (2FA): Control over the administrative functions of a Managed FTP solution should include Two Factor Authentication. This is now a requirement for administrative access to payment card systems by the PCI Data Security Standard (PCI-DSS), but is also a security best practice for any critical system. Be sure your Managed FTP solution provides for 2FA or that you implement 2FA on the IBM i system level.

Compliance audit: Sending and receiving files that contain sensitive data requires that you retain a clear file transfer history. This is a minimal level of audit reporting and you will want to be sure your Managed FTP solution provides clear and easy to read audit trails.

System logging: Actively monitoring your system is a critical security control. On the IBM i server it means monitoring security events and transferring them in real time to a log collection server, or better yet, to a SIEM solution. FTP is often the mechanism by which cyber criminals steal information from your system, so a Managed FTP solution should be logging file transfers to the IBM security audit journal QAUDJRN. The security audit journal provides an un-modifiable repository of security events, and your file transfer information should be recorded there. Look for this feature in your Managed FTP solution.

Software updates and patching: Secure FTP protocols are periodically subject to the need for security patching. A recent security flaw in the SFTP protocol required updates for all systems that implement this Secure Shell protocol. Fortunately, on the IBM i platform IBM provides the SSH implementation as a no-charge licensed product, and updates are available through normal system patching procedures. Be sure that your Managed FTP solution integrates with the IBM solution, or that the Managed FTP vendor has an adequate strategy to provide you with security updates.

Backup and Recovery: As the new EU General Data Protection Regulation (EU GDPR) correctly points out, backup and recovery is a part of your security strategy. If you can’t recover from a system failure in a reasonable period of time you risk losing data that is critical for your customers and employees. We hold that data in trust for them, and protecting it also means resiliency in the event of system failures. Be sure your Managed FTP solution fits into your backup and recovery strategy for the IBM i platform.

These are critical security components of a Managed FTP solution. Some organizations we work with transfer thousands of files every day. I believe we’ve addressed the core security requirements in our own Alliance FTP Manager solution and we continue to invest in R&D to make these features better going forward. I will address other aspects of Managed FTP in future blogs.

Patrick

Webinar: Secure Managed File Transfer on IBM i

Topics: Managed File Transfer, IBM i, Secure Managed File Transfer, FTP Manager for IBM i

Q&A: Secure Managed File Transfer and PGP Encryption

Posted by Michelle Larson on Nov 22, 2013 11:26:00 AM

Great Q&A session from the latest webinar from Townsend Security!

As we discussed in the blog on Secure Managed File Transfer and PGP Encryption, using the core components of a total encryption strategy can help you meet compliance requirements, and improve your data security posture! Click to view Secure Managed File Transfer Webinar for IBM i users

Hopefully you were able to watch the webinar resource provided (if not, you can request it HERE). After the webinar, we had a number of questions asked by attendees and answered by security expert Patrick Townsend.  Here is a recap of that Q&A session:

Q: Is there any reason why I can’t just transfer my file from my IBM i platform to Windows and then PGP encrypt it there.

Patrick: That is a great compliance question.  Transferring unencrypted data from your IBM i to a Windows platform and then encrypting it and moving it from there will put you out of compliance for PCI DSS.  You should not transfer unprotected data to any system or across any network that’s not fully protected.  If you move it from the IBM i platform to Windows platform, it’s going to land in an unencrypted format and that will put you out of compliance.  That kind of unprotected transfer will also put you out of best practices alignment in terms of just pure security.  The security principle here that comes into play is always encrypt at the source, decrypt at the target or the destination, and don’t let the data be unprotected in-between.  Remember, data should never be moved “in the clear”.

Q: Can manage file transfer software be used on just one side, or do all sides of the transfer have to have the same software?

Patrick:  Partners/customers would certainly want a managed file transfer solution to be based on open standards.  You would not want to install proprietary software to process file transfers and then expect your partners to have to install it as well.  We base all of our secure transfer encryption components on open standards like a SSL FTP and Secure Shell sFTP and PGP encryption.  This means is that right out-of-the-box you will interoperate with all the major financial institutions and insurance agencies.  

Q: Does the Alliance FTP Manager solution run on the IBM i or Windows server?

Patrick:  Alliance FTP Manager is a fully native IBM i application.  It runs strictly on the IBM i platform and uses industry standard protocols. So there is no proprietary component on Alliance FTP Manager where you would have to distribute special software to someone who is receiving the files in order to process them.  We use industry standard pipeline encryption SSL FTP and Secure Shell sFTP.  No matter who you’re transferring data to, whether its Windows, Linux, UNIX ,or IBM Mainframe, there are multiple readily available solutions that support those secure file transfer protocols.  The commercial PGP that we provide is fully compatible with industry standards, it interoperates seamlessly, and we test it against multiple other PGP solutions as well as open PGP solutions.  Your customers and vendors (the people you’re transferring the data to) will appreciate that they do not need special software to process PGP encrypted files or your Alliance FTP Manager transfers.

Q: We occasionally need to create encrypted zip files to transfer files to our customers, can FTP manager do this?

Patrick:  We certainly do provide a command based zip file encryption and zip file decryption (compression and decompression) that implements 256-bit AES encryption.  It will process with wildcards and so if you have multiple files in an IFS directory you can compress all those into one zip archive.  Our directory scan automation component will automatically process data right into your application. So yes, there is an implementation of secure encrypted zip in FTP Manager.  

Q: A public/private key pair is needed for SSH and sFTP transfers. Does FTP Manager exchange keys with the destination server?

Patrick:  Secure Shell sFTP supports a number of authentication and privacy mechanisms, the most common is using a public and private key pair.  You do have to execute a key exchange with your training partner/bank before exchanging encrypted data. We have developed utilities and interactive options to help you load your trading partners public key on the IBM i platform.  For example, a menu option will allow you to put in the DNS name for that particular server, then it will find, retrieve, and install that key in your system.  Normally these steps are time and labor intensive, but we have automated the exchange to simplify that particular administrative setup function.
Very important: Typically sFTP transfers use public and private keys, just be sure that the solution you choose can also handle password authentication. Alliance FTP Manager CAN do that!

To learn more, view the complete webinar - Secure Managed File Transfer on the IBM I -which examines the security principles, compliance requirements, and technical challenges for secure FTP transfers on the IBM i platform with the following objectives:

  • Automatically transfer files using Secure Shell sFTP or Secure SSL FTP
  • Protect data using strong PGP encryption
  • Review your total encryption strategy
Webinar: Secure Managed File Transfer on IBM i

 

If you have further questions, please list them here in the comment section and we will be sure to get you an answer!

Topics: Encryption, Alliance FTP Manager, Key Management, Secure Managed File Transfer, FTP Manager for IBM i, SFTP

Secure Managed File Transfer and PGP Encryption

Posted by Michelle Larson on Nov 19, 2013 3:15:00 PM

Core Components of a Total Encryption Strategy

One of the easiest things to do to improve your data security posture is make sure that all of the transfers moving in and out of your organization are encrypted. The core components of any secure managed file transfer solution are the ability to protect and secure transfers as they move off of your system or as transfers move into your system using strong encryption. Webinar: Secure Managed File Transfer on the IBM i

The two main transfer mechanisms are:

  • SSL FTP, File Transfer Protocol that has been updated to support encrypted sessions

Implemented based on industry standards and integrated with the IBM i Digital Certificate Manager (DCM), new IBM i platforms have DCM installed by default. Our own solution, Alliance FTP Manager adds things like intelligent firewall negotiation and proxy server support which make those connections easier to deploy, as well as integrated logging to make sure that the sessions are properly logged for compliance regulations and compliance audits.

  • Secure Shell sFTP, which is a Linux and UNIX facility also exists in the IBM i platform and secure FTP gives you the ability to implement encrypted transfers to and from your IBM i platform

Secure Shell sFTP, based on how it encrypts, establishes, and maintains sessions is easier to manage from a firewall point of view than SSL FTP. We fully support password-based Secure Shell sFTP in batch mode and are the only vendor who fully implements that according to the standard.

Pretty Good Privacy (PGP) file encryption is the third critical component of a total encryption strategy.  PGP encryption protects data at rest, so when you move data securely across the internal network or across the Internet, you need to be sure that it's properly encrypted at it’s destination.  SSL FTP and sFTP encrypted sessions are great at protecting data when in transit however, when that data lands on an FTP server, it may not be inside a firewall and could be exposed. PGP is the most commonly used and widely deployed encryption in retail, banking, medical, insurance, and other industries to protect data and a fundamental part of a managed file transfer solution.

The commercial version of PGP, created by the original developers and now supported by Symantec, is fully implemented in our Alliance FTP Manager solution. Commercial PGP also offers features important to enterprise clients:

  • Additional decryption keys support (ADK) - allows you to encrypt a file and send it to multiple people without using the same key. You can actually encrypt the file and add your own decryption key which would allow you to recover that data as part of a discovery process to prove what data was actually sent to a recipient.
  • PGP implements key server support in addition to local PGP encrypted key stores on the IBM i platform and for z/OS Mainframe.
  • Support for Self-Decrypting Archives (SDA) for multiple platforms.
  • Commercial PGP product has been through multiple rounds of FIPS 140-2 certification over the years. Both the source code and the application has been fully vetted by independent security professionals multiple times and that code has been open for public review.

Beyond those three core components, you also need some other things to confirm that the encryption being used is defensible and has been reviewed by security professionals:

  • Good audit trails
  • Real time system logging integrated with the IBM security audit journal (QAUDJRN)
  • Certifications through NIST and  FIPS 140-2

For an indepth look at a total encryption strategy, security expert Patrick Townsend presents a 30-minute webinar discussing how compliance regulations such as PCI, HIPAA, Sarbanes-Oxley, and new state/federal laws affect your company.  He also covers real-life examples of how others are meeting these challenges with Alliance FTP Manager and the new PGP solutions.

Webinar: Secure Managed File Transfer on IBM i

Topics: Alliance FTP Manager, PGP Encryption, Secure Managed File Transfer, SFTP, Webinar

Secure Managed File Transfer on the IBM i webinar - Part 2

Posted by Michelle Larson on Sep 13, 2013 10:21:00 AM

As we discussed in the blog Secure Managed File Transfer on the IBM I – Part 1 protecting sensitive data on the IBM i (AS/400) can help you meet compliance requirements, and it can help you stop a data breach before it happens! Click to view Secure Managed File Transfer Webinar for IBM i users  Hopefully you were able to watch the webinar resource provided (if not, you can request it HERE).  After the webinar, we had a number of questions asked by attendees and answered by security expert Patrick Townsend.  
Here is a recap of that Q&A session:

Q: Is there any reason why I shouldn’t use PGP on Windows? I can just transfer the file from my IBM i to Windows and then PGP encrypt it there.

Patrick: That is a great compliance question. Transferring unencrypted data to a Windows platform and then encrypting it and moving it from there will put you out of compliance for PCI DSS. You should not transfer unprotected data to any system or across any network that’s not fully protected. If you move it from the IBM i platform to Windows platform, it’s going to land in an unencrypted format and that will put you out of compliance. That kind of unprotected transfer will also put you out of best practices alignment in terms of just pure security. The security principle here that comes into play is always encrypt at the source, decrypt at the target or the destination, and don’t let the data be unprotected in-between.

Q: Does the FTP Manager solution run on the IBM i  or Windows server?

Patrick: FTP Manager is a fully native IBM i application. It runs strictly on the IBM i platform and uses industry standard protocols. So there is no proprietary component on FTP Manager where you would have to distribute special software to someone who is receiving the files in order to process them. We use industry standard pipeline encryption SSL FTP and Secure Shell sFTP. No matter who you’re transferring this to, whether its Windows, Linux, UNIX ,or IBM Mainframe, there are multiple readily available solutions that support those file transfer secure protocols. The PGP that we provide is fully compatible with industry standards, it interoperates seamlessly, and we test it against multiple other PGP solutions as well as open PGP solutions.  Your customers and vendors (the people you’re transferring the data to) will appreciate that they do not need special software to process PGP encrypted files or your FTP Manager transfers.

Q: We occasionally need to create encrypted zip files on our IBM i and then transfer the files to our customers. Can FTP Manager do this?

Patrick:  There are commands in the product to zip with or without 256-bit AES encryption and unzip the same way. It can handle multiple files and multiple directories and it is all command based if you want to do that via commands. So yes, there is an implementation of secure encrypted zip in FTP Manager.

Q: A public/private key pair is needed for SSH and sFTP transfers. Does FTP Manager exchange keys with the destination server?

Patrick: SSH and sFTP implement a number of authentication mechanisms for transferring files. Public/private key structure is typical for secure sFTP transfers. We add utilities into FTP Manager to make the generation and exchange of those keys very easy to do. For example: as you’re setting up a new sFTP transfer we have utilities that will go out and pull the public key for that remote server down into your IBM i platform and add it to the appropriate key file. Additionally, Secure Shell sFTP does support a password type of authentication. It’s not used a lot, most people feel that public private key authentication and protection is the best mechanism. We know at least one major commercial bank that uses passwords as an authentication mechanism with sFTP. This is a real challenge for a command line facility that is being automated in batch, and we’ve solved that problem for our customers. There is architecture within sFTP that allows for password authentication. We found a way to make this fully work with these large commercial banks so that you can use password authentication with our sFTP product. It’s a big challenge. Very important: your first sFTP transfer may use public and private keys, which is probably more typical. But be sure that the solution can also handle password authentication. FTP Manager CAN do that.

To learn more, view the complete webinar "Secure Managed File Transfer on the IBM I" which examines the security principles, compliance requirements, and technical challenges for secure sFTP transfers on the IBM i platform with the following objectives:

  • Automatically transfer files using Secure Shell sFTP or Secure SSL FTP
  • Send your first encrypted file in an hour
  • Review detailed audit trails of all transfer activity
     
REQUEST WEBINAR DOWNLOAD: Secure Managed File Transfer

If you have further questions, please list them here in the comment section and we will be sure to get you an answer!

Topics: Alliance FTP Manager, Secure Managed File Transfer, FTP Manager for IBM i, SFTP, Webinar

Secure Managed File Transfer on the IBM i - Part 1

Posted by Michelle Larson on Aug 15, 2013 6:00:00 AM

Easily Meet Compliance Requirements...
...with Secure Managed File Transfer

We did a survey almost a year ago of IBM i customers and just about half of them said “yes, we’re transferring data”...
“no, we’re not protecting it”... “yes, we know we have a problem”! Click to view Secure Managed File Transfer Webinar for IBM i users

One of the easiest ways for an organization to have a Big Security Win is to secure sensitive data using secure managed file transfers. When unencrypted sensitive data moves off your IBM i to internal servers, public networks, or service providers via the Internet, the data is vulnerable to malware and other attacks. Unencrypted data (also called “data-in-motion”) is extremely vulnerable to a breach. This is a critical issue for companies that must transfer sensitive data such as credit card numbers, financial information, and other personally identifiable information (PII). Sensitive data is covered under industry and many state data security regulations and any organization, no matter the size, collecting and transferring data is required to protect that information.

According to compliance regulations such as the Payment Card Industry (PCI-DSS version 2.0 Section 4), organizations must always encrypt credit card numbers as they are transferred from one location to another. PCI DSS applies to everyone - both public and private companies (large and small) - that accepts credit card payments.  PCI-DSS version 3.0 will be released this fall, and we will be talking about that more as that time approaches. While PCI-DSS applies to credit card information, other regulations cover different elements of PII.  HIPAA/HITECH Act addresses protected health information (PHI), but while it does not mandate encryption, it does state that the only safe harbor from data breach notification and severe penalties & fines is to protect PHI with encryption. Sarbanes-Oxley (SOX) applies to all publicly traded companies in the US and has a component (section 404) that applies to IT systems and best practices around protecting data. The Federal Trade Commission (FTC) has also been active in the area of data breaches where it applies to published privacy statements. They consider it an aspect of consumer fraud if companies are not following their published guidance around privacy.

So what are the “must-haves” for meeting compliance around securing sensitive data that will stand up to scrutiny in terms of any kind of outside audit, challenge, or data breach?  PGP (Pretty Good Privacy) encryption is the industry standard for encrypting data-in-motion. Secure file transfer protocol, also known as SSL FTP or SSH sFTP, is often combined with PGP whole file encryption as part of a core solution to ensure that the data-in-motion is encrypted and remains encrypted after being transferred to trading partners. While data is transferred via secure SSL connection, keep in mind it is important that the sensitive data lands encrypted at its final destination. For a much more technical look at all of these components, I’m sharing a recently recorded webinar on Secure Managed File Transfer with you, and as always, please post any additional questions you may have here in the comment section!

Specifically for IBM i users, the following webinar will cover how easy it can be to meet compliance regulations with a Secure Managed File Transfer solution. You can also learn more about how PCI-DSS, HIPAA, Sarbanes-Oxley, and new state/federal laws affect your company and discover real-life examples of how others are meeting these challenges with Alliance FTP Manager and the PGP solutions.

During this 45-minute webinar, Patrick Townsend will also discuss core components of a total encryption strategy and show you how to:

  • Automatically transfer files using Secure Shell sFTP or Secure SSL FTP
  • Send your first encrypted file in an hour
  • Review detailed audit trails of all transfer activity

REQUEST WEBINAR DOWNLOAD: Secure Managed File Transfer  

… just a reminder on our special offer in August:

For the remainder of the month of August, Townsend Security will provide additional help to our new customers, or customers licensing new modules of Alliance FTP Manager, by implementing their first secure FTP project.  This means our team of security experts will help you fully implement your first secure transfer.  Working with your IT team on your IBM i platform, we will help you do the configurations, do the transfer, set up DCM if that is required, and sFTP and SSL FTP configurations. This full set up will get your first transfer done very quickly and you will be able to see the success right away!

Contact us about how to take advantage of this limited time offer: Just fill in the fields below, click the blue button... and Ken will contact you!


Topics: Alliance FTP Manager, Secure Managed File Transfer, FTP Manager for IBM i, Webinar

Secure Managed File Transfer: Selecting a Vendor

Posted by Luke Probasco on Apr 9, 2012 1:23:00 PM

Download Podcast

Podcast

Download podcast "Secure Managed File Transfer - An Introduction"

Click Here to Download Now

Your CIO told you that you need to meet compliance regulations around data in motion on your IBM i (AS/400).  It’s not just a good idea, but customers and trading partners are starting to demand it.  So what do you look for when selecting which Managed File Transfer vendor to trust your sensitive data to?  What separates one solution from another?  I recently sat down with Patrick Townsend, Founder & CEO, to discuss what to look for when selecting a Managed File Transfer vendor.  Here is what he had to say:

There are some common business issues that I would look at when selecting a Managed File Transfer product. First, look at the providence of the vendor you are buying from. Have they been around for a substantial amount of time? Are they committed to security? If security is not their core mission, it’s very likely that they are NOT going to get it right, and a Managed File Transfer solution really has to get security right.

I think that looking for solutions that are committed to independent certification of their products is paramount. For example, our commercial PGP product, which in partnership with Symantec, has been through multiple certifications. As a company, we have been through NIST certifications many times. We have a FIPS 140-2 certified encryption key manager as well. If I were looking for a Managed File Transfer solution, I would really want the confidence of knowing that the vendor knows security, is committed to security, and is comfortable with putting their product out there for independent review. That is how I would look at this from a business point of view.

Managed File Transfer and security in general is about building confidence so that your company can move forward, start new initiatives and build confidence with new customers and trading partners. You want to be sure you are deploying a solution from an established security company committed to NIST standards. Looking at a vendor or a solution, I would look deeper than the feature set of the particular Managed File Transfer product and ask myself, am I comfortable with this companies’ security posture and their mission, and do their actions really support what they say is their mission.

Download our podcast “Secure Managed File Transfer on the IBM i – An Introduction” for more information on how your organization can save time and money by securely automating file transfers.

Click me

Topics: Alliance FTP Manager, Managed File Transfer, Secure Managed File Transfer, FTP Manager for IBM i, Podcast

Meeting Compliance Regulations with Secure Managed File Transfer

Posted by Luke Probasco on Mar 29, 2012 9:46:00 AM

managed file transfer complianceIn today’s environment, most organizations fall under multiple compliance regulations. If you are taking credit cards, you need to meet PCI data security standards. If you are in the health care industry, you have HIPAA and HITECH to work on. If you are in the banking industry or any financial segment, you have the Graham Leech Bliley Act (GLBA) and FFIEC requirements to meet. All of us have to deal with state and federal privacy regulations about protecting data.

A secure Managed File Transfer solution with NIST validated PGP encryption can help meet compliance regulations for securing data in motion.

Compliance regulations come full bore on all of us - whether you are in the business, Federal, or non-profit world. PCI DSS and a number of other regulations require encryption of data in motion. Townsend Security has partnered with Symantec to offer the only commercial and fully supported version of PGP encryption on the IBM i (AS/400).

Maintaining proper audit trails is also a very clearly defined requirement of compliance regulations. I think as we see compliance regulations evolve, making sure that your Managed File Transfer solution is based on well accepted standards is very important. For example, the commercial version of PGP encryption that we offer has been through multiple certifications with the National Institute of Standards and Technology (NIST). We have seen fines given to companies using non-standard implementations, so having those certifications and having the confidence that you’re using a solution that provably meets industry standard is really important.

Compliance regulations are still evolving and we continue to see new regulations being brought forward. For example there is a new federal data privacy regulation coming through Congress. There is also a clear evolution of compliance regulations requiring solutions to meet defined industry standards (such as NIST). I know our certifications give our customers confidence that they are meeting compliance regulations and that they are using the right kind of encryption.

Townsend Security’s FTP Manager has been helping IBM i (AS/400) users meet compliance regulations by securing and automating their data in motion to trading partners, customers, employees, and internal systems. Download our podcast “Secure Managed File Transfer on the IBM i – An Introduction” for more information on how we can help your organization save time and money by securely automating your file transfers.


Click me

Topics: Alliance FTP Manager, IBM i, Secure Managed File Transfer, FTP Manager for IBM i, Podcast

Secure Managed File Transfer on IBM i (AS/400): 4 Core Components

Posted by Luke Probasco on Mar 16, 2012 8:26:00 AM

secure managed file transferAs more and more organizations are falling under compliance regulations, IT managers are being tasked with finding a secure Managed File Transfer solution to secure and automate data in motion with their trading partners, customers, employees and internal systems.  There are a few out there, but how do you decide which is the best for your organization?  I recently sat down with Patrick Townsend, Founder & CEO to learn more about the core components of a Managed File Transfer solution.  Here is what he has to say:

First, you must have security built-in with your solution. Our Alliance FTP Manager uses a number of secure encrypted mechanisms for transferring files. We use SSL FTP, Secure Shell sFTP, PGP encryption and decryption. That security component is absolutely crucial to the product. I’m really happy with our security, and we have a great partnership with Symantec around their PGP product. Our enterprise customers really expect the highest level of solution when it comes to encryption. We have partnered with Symantec on the PGP product and it carries the proper certification and the depth of support that customers want.

Automation is another core component. If you are dealing with a lot of files, you need to have automation to be efficient. You don’t want to have to do a lot of manual intervention. There should also be a centralized management environment so that configurations can be set up and managed from a central location.

Additionally, notification is another core component. For example you may have files that you’re sending to a customer or your bank. You may only do that transfer once a month, but wouldn’t it be nice if after you transferred the file you sent the customer an email telling them your file is transferred and is ready for processing. With Alliance FTP Manager, we can notify your customer or an entire email list of recipients when a file transfer is complete. Or if there is a failure in a transfer, maybe a customer turned off their FTP server, we can notify that too.  We can do both success and failure notifications in our Managed File Transfer product.

Finally, to meet compliance regulations, you need to have full audit capabilities. We can create audit trails of all the transfers, which is really important from a compliance point of view.

View a recording of our webinar Secure Managed File Transfers: Meeting Compliance Regulations for more information on meeting data in motion requirements of PCI DSS, HIPAA/HITECH, and other compliance requirements on your IBM i.

Click me

Topics: Alliance FTP Manager, Managed File Transfer, IBM i, Secure Managed File Transfer, FTP Manager for IBM i, Webinar