Townsend Security Data Privacy Blog

Managed File Transfer is an easy way to meet business requirements and comply with data privacy regulations.  With a solution like Alliance FTP Manager, businesses can meet compliance regulations by securely transmitting files from their IBM i (AS/400) to their trading partners and customers. Additionally, a Managed File Transfer solution can help your organization save time and money by automating processes that traditionally have eaten into IT manpower. I recently sat down with Founder & CEO Patrick Townsend to discuss how Managed File Transfer can help businesses assure their customers and partners that their sensitive data is secure and in compliance with data privacy requirements such as PCI DSS, HIPAA/HITECH, FFIEC and other regulations.

Can you walk us through a typical business problem that Managed File Transfer Solves?

If you’re a mid-sized or large company, security is absolutely crucial in today’s environment. We all hear over and over again about data losses by large companies and the damage that causes to both the business and the reputation of those companies. Business executives around the world are trying to protect their data, their customer data, and supplier information so they can have the confidence to go forward with their business plans. A managed file transfer solution provides a start-to-finish mechanism for securing data in motion.

If you are using a Managed File Transfer solution like our Alliance FTP Manager, you can have the confidence that you are doing things right, that you are meeting best practices in the industry and that you are less likely to  wake up one day and find yourself in a headline in the New York Times about some large data loss.

Can you explain how a Managed File Transfer works?

Managed File Transfer solutions, like our Alliance FTP Manager, need to meet a number of core requirements. Obviously, they need to protect data in motion and we use SSL session encryption and PGP encryption, which are the industry standards. Automation is also very important. Most of our customers are transferring multiple files everyday to banks, trading partners and suppliers. You don’t want to burn resources by having someone manually transfer files any time it needs to be done.

Additionally, policy driven configuration and reporting by exception are extremely important. Some of our customers are sending tens of thousands of files every day to their trading partners, which can be a lot to manage. You need to be sure that you can manage by exception if there is a problem.

Finally, a Managed File Transfer Solution not only automatically picks up and transfer files, but provides additional controls to make the process efficient - not only from a human resource point of view, but also from a cost point of view. You don’t want to be spending valuable human resources, picking up files and processing them. This should all be an automatic process and that is really the core idea behind Managed File Transfer – automation and security. 

Download our podcast “Secure Managed File Transfer on the IBM i – An Introduction” for more information on how we can help your organization save time and money by securely automating your file transfers.

During our monthly webinars we receive some great questions that we like to share with our blog readers.  Our most recent webinar titled “Secure Managed File Transfers on the IBM i” discussed meeting compliance regulations, as well as how to automatically transfer files to trading partners using sFTP or SSL FTP.  While on the topic of secure transfers, one attendee asked the following question that Patrick Townsend, Founder & CTO, was able to answer:

A public/private key pair is needed for SSH/sFTP Transfers.  Does the Alliance FTP Manager exchange keys with the destination server?

Yes, SSH as a technology, implements a number of ways to secure and authenticate connections.  Public/Private Key or PKI implementation is a part of that.  Also password authentication is an option within the SSH world too.  Looking back over the last few years, public/private key based encryption has predominately been the rule with SSH and sFTP Transfers.

Recently, there has been an interesting migration with a trend of moving to a password-based authentication for sFTP sessions, and I understand why.  Many large institutions have a big task of managing all of their Public/Private key pairs.  If you are transferring just one file outside of the company, like to a bank, then there is not really much of a problem.  But some of our customers use thousands of keys within their IT environment, which becomes very difficult to manage. 

Alliance FTP Manager supports Public/Private key based authentication as well as “password based” authentication. Usually, your trading partner is choosing the authentication for you, but we do support both models.  

There is another aspect to this question and that is the key exchange, which can be a bit of an administrative nightmare.  We have really tried to help our customers by automatically pulling in a remote SSH severs Public Key into the proper files on the IBM i.  Additionally, we have developed utilities that make that a matter of selecting on option in a menu.  In some cases you still have to send a public key to your partner, but we have done a lot to help manage the PKI infrastructure exchange that needs to happen.  From an administrative perspective, you don’t want to be emailing keys around all over and we have done a lot to help make secure managed file transfers an easy process. 

View our webinar “Secure Managed File Transfers on the IBM i” for more information on automatically transferring files to business partners while meeting compliance regulations.

IBM i (AS/400, iSeries) users send a lot of sensitive information to their customers, vendors, and employees which needs to be protected with strong encryption.  Our customers today are using our PGP encryption solution to protect files. But there has been a big need to generate and protect information in common PC formats. With our managed file transfer solution, Alliance FTP Manager for IBM i, we stepped up our support with encrypted Zip files and encrypted PDF files.

Zip compression is very commonly used to send files via email. Not only does Zip compression make our email attachments smaller, but the most popular Zip compression programs now support 256-bit AES encryption of the contents. The ability to encrypt Zip files with AES provides a much better level of security than older Zip protection methods.  Alliance FTP File Manager for IBM i fully supports Zip encryption to the WinZip standard. This means that you can create and protect Zip files on your IBM i platform, and then use a variety of delivery methods to get the Zip files in the hands of your customers, vendors, and employees. This functionality gives IBM i customers a powerful tool to meet compliance regulations.

Encrypted Zip support in Alliance FTP Manager provides rich capabilities to IBM i users. You can create encrypted or un-encrypted Zip archives, include sub-directories, and use wild cards to select files.  When uncompressing and decrypting, you can specify any directory as the target for the files. This capability integrates with our automation facilities for processing received files. Lastly, we provide a Windows command line Zip application to help our customers who don’t already have a Zip application.  I’m confident that this capability will help customers achieve a better level of security.

Another security technology in FTP Manager for IBM i is our encrypted PDF support. In this implementation, our customers are able to create encrypted PDFs with their own content, and then use the automation facilities to distribute the PDFs via email, FTP, and other distribution methods. Encrypted PDF support includes the ability to set fonts and colors, embed watermark and graphic images, set headers and footers, and create tables and lists. The resulting encrypted PDF file is compatible with any PDF reader that supports the AES encryption standard for PDF. We’ve tested with a wide variety of PDF readers on PCs, Apple Macs, Blackberry, Linux desktops, and so forth. This gives our customers an additional tool to secure their sensitive data.

These technologies for the IBM i customer increases their abilities to meet compliance regulations and secure sensitive data. I hope you get the idea that we are dedicated to helping you protect your sensitive data and corporate assets. You are going to see a lot more of these types of capabilities as we go forward.  For more information on our managed file transfer solution, view our webcast "Secure Managed File Transfers on the IBM i."

Last week we held a well-attended webinar titled “Secure Managed File Transfers” Meeting Compliance Regulations.” The webinar covered meeting the data in motion requirements of PCI DSS, HIPAA/HITECH, and other regulatory compliance requirements with Alliance FTP Manager, our secure managed file transfer solution for the IBM i.  During the presentation we received several great questions that we’d like to share with you on our blog.  As always, if you have any additional questions, send them our way.

Is there a reason why I shouldn't use PGP on windows? I can just transfer my file from IBM i to windows and then PGP encrypt it there. Does this make sense?

Yes, I fully understand why customers would want to take that approach, however if you are under PCI DSS regulations you would be out of compliance. The transfer of sensitive data across a network and then landing unencrypted will take you out of compliance, even if you encrypt it later. There is no question about that. That is a situation we have been remedying for customers for a number of years. The security best practice standard is to encrypt at the source and decrypt at the destination. So you need to avoid the transfer of unprotected data through internal servers or across any network. You really want to make sure that the encryption is in place and that the data lands encrypted.

Can managed file transfer be used on just one side or do both sides of the transfer have to have the same software?

Good question, first off, I'd like to point out that managed file transfer is a term of art. There is no formal definition, no RFC, no NIST standard. So for this answer, you're going to get my opinion on this. In our managed file transfer solution there are absolutely no requirement that a recipient of an encrypted file or a secure transfer needs to have our software. Our solution is based on open standards and no customer ever needs to deploy software in order to process a transfer. Open standards give you many software choices and give your trading partners a lot of choices on what they want to use.

Regarding Open PGP implementation, which RFC or RFC's do you follow? 

Well there are a couple. There is an original RFC2448  and there is a later RFC4884. Our commercial PGP product from Symantec is compliant with all of those standards - so the original and newer PGP RFC's are fully supported in our commercial product. Therefore we stay well lined up with those particular standards. Of course, there are some capabilities in the commercial product that are not defined as a part of the open standard - they are an extension if you will. There are a number of capabilities in the commercial version that really help larger enterprises stay lined up with compliance requirements and meet best practices. Those are built on top of full compliance with open standards.

View a recording of our webinar Secure Managed File Transfers: Meeting Compliance Regulations for more information on meeting data in motion requirements of PCI DSS, HIPAA/HITECH, and other compliance requirements on your IBM i.

The modern enterprise runs on a variety of computing platforms. The concept of being "an IBM shop" has gone the way of the buggy whip. With cloud computing and virtual machine technology, you may not even know what your hardware base is. This has caused  those seeking to realize the benefits of standardization to shift their focus to the software.

Take, for example, the need for securely transferring files, both within the organization and between trading partners. In the UNIX-Linux-Windows world the de facto standard for secure file transfer is undoubtedly PGP. The technology is mature and it is implemented on every significant OS variant in common use. It is extensively documented and familiar to a very large number of programmers and administrators.

But while the IBM shop may have disappeared, IBM servers have not. The enterprise is often built around mainframes and mid-range servers. And these servers now need to inter-operate with not only desktop PCs, but mobile laptops and cell phones. This makes the ability to settle on a single secure file transfer standard for the entire company more important than ever.

Fortunately PGP has spread to both the mainframe and mid-range platforms; IBM series z and i. And not just in a quirky slapdash port to UNIX emulation environments, but as fully supported native z/OS applications integrated with RACF and controlled via JCL.

With PGP it is possible to have all the advantages of a uniform secure file transfer approach without sacrificing any of the security and scalability of enterprise level platforms.

If you would like to download a free 30-evaluation of PGP for the IBM i or IBM z, let us know.  We'd be happy to show you how easy it is to encrypt with PGP and transfer to your trading partner.

Earlier this month we released a comprehensive upgrade to our secure managed file transfer solution – Alliance FTP Manager. This latest release incorporates a number of existing Townsend Security products that were previously priced separately and features new capabilities. FTP Manager 5.2 brings together the existing products Alliance FTP Security, Alliance Cross Data, and Alliance All-Ways secure into a single product.

This is a really a big win for our existing customers as well as IBM i customers. Our existing Alliance FTP Manager customers automatically receive the upgrade to FTP Manager 5.2 and so do all of our existing Cross Data and All-Ways Secure customers. We know there are a variety of security challenges facing IBM i customers who send data over networks and FTP Manager 5.2 provides those customers with the most comprehensive and flexible Secure Managed File Transfer offering available.

Highlights of FTP Manager 5.2 include encrypted PDF and encrypted Zip functionality. The new encrypted PDF functionality allows customers to generate encrypted and un-encrypted PDF documents using a familiar interface. And now that FTP Manager 5.2 fully supports zip encryption to the WinZip standard it will provides IBM i customers with a new tool to meet compliance regulations. Users can create Zip files on the IBM i platform and then use a variety of delivery methods to send the Zip files to customers, vendors, and employees.

There are a lot of exciting things on the horizon for Townsend Security and our customers. This release of FTP Manager 5.2 is just the start…..October promises to be a month full of major accomplishments and milestones.