The majority of companies exchange essential and non-essential files using FTP (File Transfer Protocol), which has inherent security risks.
The reason FTP has been used in all of these applications is because of its availability -- FTP exists for all operating systems from mainframes down to PCs and it is routinely included in many commercial and open source applications.
Wide availability is a liability
However, this wide availability is also a liability. Because FTP is supported on numerous systems, there is a greater knowledge of the protocol, its operation, and implementations. For example, some companies never change the default passwords of FTP software so their FTP servers are subject to easy manipulation. Careless processes and human error provide an unintentional open door to malicious users who frequently hack into FTP servers and steal data.
In fact, the Sterling Commerce MFT solutions, which Connect:Direct is part of, have never been breached. This ensures information will be protected when a company does business electronically.
Maintaining and patching problem
Since FTP is available on many platforms, many operating systems and with many applications, companies must be particularly vigilant to ensure that security is airtight for all of the impacted servers and applications. They must respond quickly to any newly discovered vulnerabilities and make certain that they are rapidly patched. Since a company may not have control over all of the systems that come into play and might not be able to ensure that all systems meet security mandates, hackers have multiple points of attack to compromise data on scattered FTP servers.
Connect:Direct as a proprietary protocol is not so publicaly known and easy to hack at all.
Encryption and security
Another vulnerability of FTP is that alone it does not provide encryption. Files are sent as is and the content and FTP usernames and passwords are transmitted in clear text, all of which can be intercepted by someone eavesdropping on a communications link.
As security concerns are not a part of the FTP model and a client must supply an ID and password upon opening the connection to the server, this security information is transmitted in open text.
The Connect: products offer multiple choices, ranging from securing FTP traffic to robust security, that allow the data movement operation to fit naturally within enterprise security policies. If support of FTP traffic is required, the data flow can be encrypted. If higher security levels are required, proxy-based security, coupled with authentication and configurable encryption, can be implemented within the Connect: deployment.
The Connect:Direct Secure+ Option for Windows application provides enhanced security for Connect:Direct and is available as a separate component. It uses cryptography to secure data during transmission.
Cryptography provides information security as follows:
- Authentication verifies that the entity on the other end of a communications link is the intended recipient of a transmission.
- Non-repudiation provides undeniable proof of origin of transmitted data.
- Data integrity ensures that information is not altered during transmission.
- Data confidentiality ensures that data remains private during transmission.
Management, tracking, logging and auditing
Furthermore, as FTP use grows, management, tracking and auditing burdens also grow. Most often, file transfers are part of a larger workflow where completion of a task is predicated on the receipt of a file and then some action being taken on the information in that file. Lacking suitable tracking and auditing tools, an IT manager or corporate executive would be hard pressed to determine whether a transaction was completed or why one failed.
The statistics file stores information about all events that take place within the Connect:Direct server for a specific period of time. Each record within the statistics file consists of fields that contain general information about the record and a field that contains the statistics or audit information to log.
Handling movement workload (Queuing and scheduling capabilities)
FTP provides no way to control critical data movement or balance it against lower-priority work that can impact processing windows. Massive, unmanaged data movement can delay and slow critical deliveries. FTP places all control in the hands of the client, and the first job usually wins. FTP also lacks the ability to create an enforceable policy for workload execution. Over time, this frequently results in chaos.
Connect:Direct gives each process a work-queue priority and a session class. Priorities are used to determine when processes run, and session classes are used to reserve transmission channels for critical transfers. These can be set up and enforced in accordance with business requirements. Users’ requests are always accepted, but the actual operation of the request is scheduled according to the business policy that drives the priority and class structure.
This accomplishes the goals of the user as well as those of the business.
Without queuing, scheduling and management capabilities, it is impossible to control the data movement workload.
As Connect:Direct Processes are submitted, they are placed in one of the four TCQ logical queues: Execution, Wait, Timer, and Hold. As sessions are available, the TCQ releases Processes to begin execution according to the Process class and priority.
Connect:Direct Processes could be scheduled to execute in the future.
Notification
In addition to consistent management, organizations need a structured level of notification that enables real-time adjustments to the data movement infrastructure. The enterprise requirements for notification are:
- Instantaneous notification of critical exception and error conditions
- Flexibility in the routing of notifications
- Integration of data movement notification with the Enterprise Systems Management (ESM) structure
- Historical logging of data movement activities
Connect: answers all these requirements by providing notification and logging as a natural part of the data movement operation. Notification can be routed, using a variety of platform capabilities, to operation and monitoring staff. Alerts represented by SNMP traps can be directed to ESM systems for proactive action at the network level. And all Connect: activity, including finely grained operational detail, is logged continuously.
FTP provides none of these capabilities. It is very difficult, if not impossible, to determine previous FTP activity. Any action that is required must be performed by the client/user. This makes for an inconsistent and unresponsive data movement infrastructure. Therefore, the cost associated with the use of FTP must include the inherent delays in exception discovery.
Connect:Direct for Windows provides two notification methods:
- NT Broadcast—NT Broadcast notification is performed using the Windows net send command.
- SMTP—E-Mail notification is performed using Simple Mail Transfer Protocol (SMTP) notification, a simple ASCII protocol.
Recovery
FTP does not provide an automated way to recover from network errors. Any outage that occurs with FTP operations must first be discovered and then handled manually. This generally means restarting the failed operation from the beginning.
The costs associated with FTP recovery are:
- Retransmission due to networking resource failure. On average, FTP will need to retransmit half the overall data movement volume per failure. Connect: recovers the network connection and requires no retransmission.
- During a network-resource failure, FTP use requires discovery of the failure. This delay in restart represents cost. Connect: will automatically sense network failures and retry the operation. In most cases the recovery will be automatic. In the case of a permanent outage, notification is provided to enable rapid resolution.
Several facilities are provided for Connect:Direct process recovery after a system malfunction. The purpose of Process recovery is to resume execution as quickly as possible and to minimize redundant data transmission after a system failure. The following Connect:Direct facilities are available to enable Process recovery:
- Process step restart
- Automatic session retry
- Checkpoint/restart – resume for check point
- Intelligent session restart -permits a session retry on only the first Process (others ar eplaced in Timer queue) submitted
- Short-term and long-term retry – restart in specific time periods
Automation
Through the use of scripting, scheduling, and application integration, automation can ensure that proven business processes can continue to be successful by eliminating human error. With processes that require human interaction, errors and unintended activity can be introduced into a process flow. Many times such an error will not be discovered until much time has passed.
The cost involved with the lack of FTP automation include:
- Operations that complete successfully but are not usable since there is no way to validate user selected (or defaulted) options.
- No central control of scheduled activities. Clients can initiate FTP activity regardless of its importance or impact on schedule.
Connect:Direct File Agent provides monitoring and detection capabilities that enhance the
automation you accomplish with Connect:Direct Processes.
