Carl Weinschenk spoke with Arne Johnson, senior vice president at Proginet.
Weinschenk: What is the file transfer protocol?
Johnson: FTP is a very simple way to transfer information over the Internet. FTP servers are in almost every operating system and are very easy to set up and use. For years, it has been one of the most common ways of transferring files from one computer to another.
Weinschenk: So now there is a security problem?
Johnson: I'm an analogy person. Think of automobiles. They were around for a long time before people started to think of safety. Legislation did not come in one day for protection. It came slowly over the years. FTP is the same way. It is like a car without seatbelts, offering nothing beyond the basic transportation of the data. Now, of course, as people start to recognize the issue, probably the first thing to do is encryption of the data. The problem with this is not the encryption, it's what you do with the keys. One way or another, you have to [send keys] in clear text. In FTP, the easiest way is to put the key in the header. It is sort of secure, but it really is not. Anyone with half a brain looks at the first record and the key is pretty easy to decrypt.
Weinschenk: Is the problem of insecure FTP growing?
Johnson: Recently I saw an AP investigative report on government Web sites from which people were easily able to obtain plans for fuel depots in Iraq, where they are putting guard shacks, etc. It's not that people are unaware or are taking that sort of thing lightly. But they are pretty unaware that anyone can find an FTP site and can find ways to download files in its library.
Last year, Dell Computer basically lost the design for three of its new laptops because the designs were files associated with an FTP site that Google picked up, and it got into their search engine. There is a lot of evidence FTP is being accessed all over the place and used for bad things. I don't think we really know how bad it is yet. If you can get into someone's network and download information, most of the time they don't know it. The only time they realize they are compromised is when bad things are happening with the data. The other day there was another case of a laptop being stolen. It was there, now it is not there. At least you have a chance of doing something with data before it is put to bad use. In FTP, you don't know who got it. You never know what it is being used for until something bad happens.
Weinschenk: Are people starting to take note of this?
Johnson: The Gartner Group in July put out a hype cycle report for application middleware and file transfer. They put FTP at the beginning of the hype cycle and said the technology will totally change in the next five to 10 years to what they basically are calling managed file transfer. It is at the beginning of the hype cycle.
Weinschenk: What is the idea behind managed file transfer?
Johnson: It's a good thing. What all of the managed file transfer solutions create is absolutely full control of what is going out of a company or coming into a company on file transfer. With anything going out, there is authentication and authorization technology to make sure anyone who wants a file is authorized to get it. Also, some of the more advanced technologies leave the information where it is inside a network. The theory is that the DMZ is sort of unsafe - the more advanced FTP put a proxy inside the corporate network and send information through to another proxy at the other company's DMZ. The other thing is that the more advanced solutions are integrated into the data center. People are not standing there transferring files. It is integrated into the work flow of business processes. You normally are moving information for a purpose. If you are a chain of stores, you may need to move information in the evening about all sales. You are probably sending it at one time. Managed file transfers do all of that automatically.
Weinschenk: Does this rely on new technology, or new harnessing of things that exist?
Johnson: There's no earth-shattering new technology here. We are talking about encryption technology, talking about how to protect keys, authentication processes and putting it together in one holistic package. There is no new little chip that magically does this.
Weinschenk: So encryption with better key management is an important part of this.
Johnson: We never pass keys in the clear. We do multiple levels of encryption, exchange certificates. The user opens the certificate, decrypts the key, the file then comes and they use the key. Nothing is ever exposed. It's something that exists. File transfer of very, very large files puts an overhead encryption and can slow a process down a lot. We have taken great pains to keep speed up by doing things like in-stream encryption. Let's say I am transferring a file. That file is compressed and encrypted on a packet-by-packet basis. You decrypt it on a packet-by-packet basis. It's all software. There's going to be some degradation, but it is minimized by doing it in-stream. It is more time consuming to do it with interim storage. We code at the lowest level possible that has the least amount of overhead.
Weinschenk: Can secure FTP approaches be retrofitted on existing infrastructures, or are new systems required?
Johnson: I think it's a replacement of the existing technology. It doesn't have to be a total replacement all at once. We have the capability to interface with [older FTP systems]. There will be companies that do not have that level of security, so we have to interface with their FTP servers. Down the road, it won't be a problem because everyone will have changed it. I think it is a big problem that others are starting to expose, which I think is a really good thing.