Government's Use of Secure File Transfer Could Help Prevent Embarrassing Data Leaks - Security Park
(26/06/2009)

Over the past decade, the UK Government has increasingly used online technology to deliver and improve public services, whilst seeking to limit public spending. This strategy has enabled many departments to provide a wider range of services in many more formats, assisting people to access Government more easily and effectively. However, there have been some unwelcome consequences, as witnessed by the spate of high profile Government data losses and security breaches. The UK Government could mitigate these kinds of risks by integrating secure file transfer capabilities into its core processes, allowing data to be transferred safely and preventing further data leaks and loss of personal, confidential information.

In all aspects of the public and private sector, the transition of data from a physical to digital format has been rapid and widespread. Where business and Government once exchanged folders, paper and CDs, they now send electronic files online. Communication, data, correspondence, images, texts and archives are now “digital assets” created and maintained electronically, making life easier and data transportation faster and more accurate.

Whilst switching to digital communication has improved speed and efficiency, it has highlighted concerns about the security of data transfer. The value, confidentiality and importance of data in a digital format are exactly the same as those of physical data. The UK media’s ongoing reports of data breaches demonstrate that the Government has not fully grasped the need to secure digital assets with the same degree of protection given to safeguarding physical assets. Since the start of this year, the UK’s Information Commissioner’s Office (ICO) has highlighted more than 140 data security breaches in the NHS alone, with four separate NHS Trusts found to have breached the 1988 Data Protection Act. The Ministry of Defence lost a laptop containing 600,000 records of UK residents, whilst the most high profile data breach of all was the Government’s loss of CDs containing personal information on 25 million recipients of Child Benefit in December 2007.

For a Government looking to improve services and limit public spending, the Internet is a highly attractive option. As a result, Government has encouraged and facilitated the development and implementation of online systems to deliver services in ways which were unimaginable only a decade ago. Many people now opt to pay taxes, file returns, apply for benefits and manage their personal affairs online using their laptops, PCs, mobile phones and BlackBerrys. Government has always had access to confidential, personal information but until relatively recently, this was mostly paper based. The rise of the Internet has seen much more data being transferred electronically using a variety of devices, many of which are not secure. As a result, Government data security systems have sometimes left personal, confidential data more vulnerable to interception, loss and theft.

The UK Government is addressing many of these issues with its Code of Connection (CoCo) Compliance. This defines the minimum standards and processes that Local Authorities must comply with, before they can connect to Government’s national communications extranet, which gives them secure communication with other local authorities and organisations.

Achieving compliance to the CoCo requires local authorities to provide a compliance statement and supporting comment against a number of security control measures. CoCo compliant local authorities have access to the Government’s secure intranet, through which they can communicate securely with central government departments, other local authorities and other partner organisations.

Until ‘Government Connect’, the UK Government’s national secure network infrastructure, is fully implemented, many Departments will continue to use email combined with file transfer protocol systems to transfer data.

Whilst this is an effective solution for some organisations, its security features do not provide the degree of data protection and audit trails which Government Departments need to meet compliance and audit legislation. FTP users have also become adept at circumventing its security features, often sharing a single user-name and password amongst multiple users. This represents a considerable threat to the data being transferred. Enhanced FTP systems (such as SFTP, FTPS and EFTP) offer genuine improvements over conventional FTP, but they require specialist programs to be installed on users’ desktops. This means additional equipment costs, as well as management overheads for IT departments and inconvenience for users.

Data management over FTP can also be problematic: files uploaded to FTP directories are rarely deleted, as this requires manual intervention. As a result, FTP systems often contain multiple directories holding hundreds of files, but few have any information about when they should be deleted. The directories represent a valuable digital asset, but they are often ignored or left unused for long periods. As such, they are a soft target for unscrupulous users and represent a potential security threat.

Traditional solutions like FTP now struggle to serve as adequate tools for secure and large file transfers. With data confidentiality such a high profile issue, Government needs to consider a dedicated solution which offers embedded security. Data encryption is essential, and systems should be capable of authenticating the recipient and managing each file and account lifecycle automatically. This would mean that no confidential information is left exposed and no unauthorised user access takes place.

Technologies such as Accellion’s managed file transfer solution have emerged to meet the need for on-demand and automated, multi-site, secure file transfer. In the US, many national, federal and local Government organisations have implemented Accellion’s solution. This has included the US Department of Health & Human Resources, which is the primary Government healthcare provider, as well as the National Institute of Health, the Government agency responsible for medical research. These and other US Departments have deployed the managed service to deliver the security, authentication, encryption, file tracking and reporting capabilities they need to meet their obligations on data and information security, such as the Department of Defence Directive 8500.1 and the Health Insurance Portability and Accountability Act (HIPAA).

The Accellion solution eliminates the risk of data breaches by fully encrypting all files, in addition to controlling access to individual documents. It can securely send and receive files and folders up to 50GB lost on a memory stick by NHS Trust late last year. It is easy to use, can be installed in less than an hour and has minimal impact on IT resources.

The UK Government is currently running a number of pilot projects to assess Accellion’s solution. In the US, it is already being used by Government organisations such as NASA, the Port of Los Angeles, Florida’s Department of Transport and the Securities and Exchanges Commission (SEC).

As services move increasingly online, the Government’s focus must be securing personal data to bolster users’ confidence and prevent further damaging data leaks. Secure, managed file transfer has already proven itself an efficient and cost effective solution for Government departments in the United States and Canada. As a sophisticated, effective and unobtrusive solution, it could become a core process, enabling the UK Government to communicate effectively and securely, and making embarrassing data breaches a thing of the past.

Opinion piece submitted by Dr. Paul Steiner, Managing Director, Accellion EMEA
