Page 20 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Plan for End-of-Life
In August of 2020, Qlik announced that its RepliWeb file transfer software product would reach its end-
of-life on January 31, 2021, and support for the product would cease at that time. Qlik was open with its
customers about the implications of the decision, giving them ample time to prepare for that date and find
a replacement for the file transfer function many organizations rely on.
Mozilla is another example of a company that discontinued support for a popular technology when it
announced last year that it would no longer support file transfer protocol (FTP) in version 90 of the popular
Firefox browser. That move followed the same decision by Google in December 2020 when it ended FTP
support for Chrome version 88. For organizations not paying attention, the lack of support for FTP in
those browsers could have serious security consequences. According to a ZDNet article, while FTP
remains a popular option for moving files between computers, the protocol is “burdened by enough
security issues that browser makers are dropping support for the protocol.”
Among the issues, files transferred via FTP are sent unencrypted, and FTP has also been used as an
attack vector in malware campaigns according to a statement by Mozilla’s security team, which read,
“The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and
even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by
compromising FTP servers and downloading malware on an end user’s device using the FTP protocol.”
Don’t Risk DIY
These issues highlight the importance of managing technology’s use and lifecycle. That also means making
sure the right tool is being used for important business processes, rather than trying to make do with
“close enough” products, or engineering do-it-yourself solutions. After all, FTP is still used for many
legitimate business transactions, and for someone with the right skills FTP can be secured and
automated. But even if someone can write the scripts necessary to tackle those functions, knowledge of the
nuances that need to be addressed for compliance is vital.
The shortcomings of the DIY approach may not be evident until there’s a breakdown in the process, such
as a transfer that fails, an alert that is missed, a security issue that occurs, or a call for a feature that
wasn’t considered when the custom scripts were written. That’s when risks increase—along with costs.
When it comes to file transfers, the approach an organization chooses can have implications on data
lifecycle management. Through process automation, a secure, managed file transfer (MFT) platform can
be used to ensure files are encrypted before being moved, and also upon receipt. And the ability to
automatically document all the steps in the send, receive, store, and retrieve process goes a long way
toward affirming compliance with regulations like Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA),
the Health Insurance Portability and Accountability Act (HIPAA), Europe’s General Data Privacy
Regulation (GDPR), and other state, federal, and international laws.