Home » Publications & Resources » Article Library » 2007-08 » Securing Data In Transit

Publications & Resources

September/October 2008
Focus: Technology

Securing Data In Transit

By Brad Johnson

Email communication is an essential tool in today’s business environment. Exchanging data via an email attachment is generally accepted as a simple, convenient way to move files and information. However, when sending data containing sensitive information, extra precautions must be taken to ensure that the information is protected. If proper procedures are not followed, the data may be transferred without being secured.

Financial institutions realize that risk is present when using email to send sensitive data. This risk not only exists with customers but with other parties, such as accountants, lawyers, consultants, business partners and subsidiaries. If data is not properly secured and gets into the wrong hands, it could be used for criminal activities, such as fraud or identity theft.

Legislation, such as the Gramm-Leach-Bliley Act, requires financial institutions to ensure that customer data remains protected and is not shared with improper recipients. The same care and concern used to ensure that information is not voluntarily shared with third parties should also be taken to ensure that information is not involuntarily shared with unintended third parties. Moreover, as privacy and data security concerns continue to proliferate, regulators are giving this topic increased attention. 

Secure Data Transfer Options
Several secure data transfer options exist in today’s marketplace. The best solution for your environment depends upon the dynamics and business practices of the organization. What are your needs? How many employees are involved with sending or receiving data containing sensitive information? Is your concern primarily with business partners, or do you need to address email attachments being sent to customers? Below are some options to consider.

File Encryption: Encryption is a readily accepted method of securing an email attachment. Many companies, including banks, currently mandate all data be encrypted before being emailed to customers or business partners. This approach poses challenges as an enterprise-wide solution because the receiving party must have software to decrypt the file, and both parties must understand the procedures necessary to utilize the software. 

File Transfer Protocol (FTP): Companies have used FTP for years, and it works well for transferring data between business partners. Because FTP requires a certain level of technical expertise, it does not represent a good solution for end-users throughout the enterprise who are initiating data transfers. Maintaining an FTP site for communication with customers also requires diligence in securely maintaining the site.

Secure Internet File Transfer: This data sharing option is an Internet-based secure file transfer. Using this method, the sender logs on to a secure file transfer server and files are transported via an Internet browser in an encrypted mode (using SSL) to the secure file transfer server. Recipients can be notified via email when a file is available for them. The recipient then logs on to the secure file transfer server and retrieves the file through their Internet browser over a secure, encrypted connection. The benefits of this approach are that the Internet browser is used to transfer the file (no special software), and the file is automatically encrypted during transmission. This architecture works well for transferring data to anyone with access to the Internet, including both customers and business partners. 

Secure Internet Data Transfer Systems
Below is a list of considerations to evaluate when selecting a secure data transfer system. 

Data Control: Each transfer should be automatically encrypted while in transit. Additionally, a transfer system should incorporate virus protection as well as controls for valid file extensions. If needed, users should have the ability to “recall” a file if the recipient has not yet retrieved the item.

Management Control: User access should be controlled by a secure login and all activity should be audited. Audit reporting enables administrators to monitor activity. To simplify password management, integration with active directory or other user databases may be considered. The system should also include the ability to define data size limits.

User Acceptance: Simplicity and ease of use are important considerations when selecting a solution. Systems that utilize tools that both employees and customers are familiar with, such as an Internet browser, will be easily adapted and widely accepted. 

Standard Technology: Although the technical configuration will vary, all vendors will likely utilize the standard Internet security protocol (https), which is the same technology used in Internet banking applications.

In conclusion, financial institutions must take a close look at how sensitive data is currently being exchanged and identify risks and vulnerabilities. The selected system should be one that meets the needs of your institution and minimizes or eliminates these concerns. Once a solution is identified, data security policies and audit procedures should be implemented to ensure compliance.

Brad Johnson is director of business development for Centrix Solutions, Inc. (www.centrixsolutions.com) in Lincoln, Neb. He can be reached at bjohnson@centrixsolutions.com.

---

Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.

© 2012 Western Independent Bankers, All Rights Reserved.