Federal File Sharing Practices Need Some Work

June 15, 2010
By Rita Boland, SIGNAL Connections

U.S. government agencies fail to employ the policies that have been put into place to protect sensitive data when it is in transit, according to a recent survey of 200 government information technology (IT) and information security officials. Nearly three-quarters of IT professionals are concerned about file transfer security, but only just over half of them are monitoring file transfer protocol (FTP). However, subject matter experts state that by making a few changes and taking advantage of readily available technology, personnel could significantly enhance data security.

MeriTalk and Axway released the “Why Encrypt? Federal File Transfer Report” in May following a survey of government representatives the month before. The report examined federal file transfer practices and identified opportunities for process improvement. Of those interviewed, 44 percent are program or project managers, 38 percent are IT supervisors, specialists or engineers, and the remainder of the survey participants are either IT managers or top IT management officials. Sixty-one percent of those surveyed work for civilian agencies, 38 percent work in defense and the final 4 percent serve at an intelligence agency. "The people who actually were surveyed—they're pretty knowledgeable," says Dr. Taher Elgamal, chief security officer, Axway. "The government has really, really good security people."

However, other individuals working within government organizations know much less about security. The report found that 80 percent of information security officials believe their agencies have adequate policies to guide secure file transfers, but only 58 percent say personnel are aware of the policies. Even fewer, 43 percent, report that employees consistently follow them. Elgamal says these findings demonstrate that enhancing security "truly is an awareness and implementation task."

The unsafe file-transfer practices federal personnel employ include using physical media (66 percent), using FTP (60 percent) and sending files through personal e-mail accounts (52 percent). Elgamal explains that using FTP is a problem because the protocol predates the Internet and is inherently insecure.
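One way to turn the FTP monitoring the survey asks about into a concrete check, as an added example that is not from the article or from MeriTalk or Axway: a small Python script that reads constructed iptables-style firewall log lines (the format, host names and addresses are assumptions) and flags accepted outbound connections to the cleartext FTP ports, so each originating host can be followed up with its user.

```python
import re
from collections import Counter

# Constructed sample firewall log, iptables/syslog style (not real agency data).
# Line 6 shows a DROP, i.e. the kind of rule RonL's comment below argues for.
SAMPLE_LOG = """\
Jun 15 09:01:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.1.15 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=21
Jun 15 09:01:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.1.15 DST=198.51.100.7 PROTO=TCP SPT=51240 DPT=20
Jun 15 09:02:10 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.1.22 DST=203.0.113.9 PROTO=TCP SPT=40210 DPT=22
Jun 15 09:03:44 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.1.31 DST=192.0.2.40 PROTO=TCP SPT=38888 DPT=443
Jun 15 09:04:01 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.1.31 DST=192.0.2.40 PROTO=TCP SPT=38890 DPT=21
Jun 15 09:05:30 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.1.40 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>ACCEPT|DROP) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Cleartext FTP: 21 is the control channel, 20 is active-mode data.
# SFTP (port 22) and HTTPS (443) are deliberately not flagged.
CLEARTEXT_FTP_PORTS = {21: "ftp-control", 20: "ftp-data"}


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a firewall record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_cleartext_ftp(log_text):
    """Return (timestamp, src, dst, service) for each ACCEPTed cleartext FTP connection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue  # dropped traffic is already handled by policy; skip it
        if rec["dpt"] in CLEARTEXT_FTP_PORTS:
            hits.append((rec["ts"], rec["src"], rec["dst"], CLEARTEXT_FTP_PORTS[rec["dpt"]]))
    return hits


def sessions_by_host(hits):
    """Count flagged connections per internal source host for user follow-up."""
    return Counter(src for _, src, _, _ in hits)


if __name__ == "__main__":
    for ts, src, dst, svc in find_cleartext_ftp(SAMPLE_LOG):
        print(f"{ts}  {src} -> {dst}  {svc}")
    print(sessions_by_host(find_cleartext_ftp(SAMPLE_LOG)))
```

Run against the real firewall's ACCEPT log; an empty report is the goal, and any hit is a host whose user still needs a sanctioned transfer path.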

A discrepancy exists between the concerns federal IT professionals say they have about file-transfer risks and the actions they take to mitigate them. Seventy-one percent responded that they are concerned with the current security of file transfers in the federal government, yet only 42 percent said they have taken all steps possible to enable secure file transfer. Elgamal points out that the report sheds light on a disconnect between increased federal cybersecurity spending (which peaked at $7.9 billion in 2009) and the level of accountability from federal agencies.

Not surprisingly, agencies with top management support are likely to make secure file transfer a priority. At agencies where management understands the threats, 53 percent of employees follow secure file transfer policies; at agencies where employees perceive that top management does not comprehend the threats, that number plummets to 12 percent.

To mitigate dangers, the report lists recommendations including that organizations should develop and enforce governmentwide standards and educate management and users. Elgamal explains that this education must involve identifying solutions that best fit various environments, increasing awareness among employees so that they understand the importance of changing their practices and sharing existing opportunities for improvement. "Policy is a good starting point ... but it doesn't actually solve the issue," Elgamal says. Steps agencies are taking now to improve the security of file transfers include investing in secure connection solutions, secure payload solutions and secure access as well as collaborating with others on best practices and developing home-grown solutions. However, the study found that 64 percent of agencies are not discussing file transfer practices at all.

Congress has made a move to help remedy some of the problems. The House of Representatives passed the Secure Federal File Sharing Act in March, which, if made law by approval of the Senate and president, would require additional guidance for peer-to-peer file sharing software to prohibit personal use by government employees and for other purposes.

Elgamal emphasizes that only a small portion of the data the government transfers is classified; however, much of it is "sensitive" because it contains private information about citizens. To help protect this data, the government has multiple technology solution options. Several years ago, the financial industry realized that it had to enhance security to exchange personal information and took action to improve security, creating a market for this technology. "The good news for the government is that the tools to actually get the job done are available and mature," he says.

Share Your Thoughts:

It doesn't seem that hard to me to block all FTP access via firewall policy, block email attachments with any one of the handful of data leakage prevention solutions, then use encrypting flash drives that are locked down to specific systems so that they cannot be used outside the containment domain even if the user knows the password.

We know that people are the weakest link and it's not like the technology doesn't exist to prevent data leakage while still allowing employees to complete their mission.

Security is usually intentionally breached by otherwise good users when it gets in their way, or when the right tools are not provided to let them do their job. Of course, a good DLP infrastructure can help prevent rogue employees as well.

Hi RonL,

You bring up an excellent point. In many cases, the practices that people use, rather than the technology, result in security problems. I think the report referenced in the article reflects that concept. Many organizations have good policies and technologies, but not everyone is using them correctly.

Thank you for taking the time to share your ideas.

While technology does not hold all of the answers, there is enough of it around to create a pretty bullet-proof data leakage program, even if the users are not following procedures.

The SPYRUS Hydra Privacy Card Digital Attache is a secure USB flash drive designed specifically for data containment and secure data sharing among authorized users.

Since the device can only be unlocked on administrator-designated systems, it cannot 'accidentally' be used to carry data home or worse. Data sharing is done similarly to sending an encrypted email. The recipient sends a sharing certificate from their device to the sender, and the sender can then put the encrypted file ANYWHERE because it can only be decrypted by the sender and recipient when their flash drive is plugged into an authorized machine.

You can lead the employee to water, but...