Blog – MFT Nation

Three Data Security Breaches and Everything was Fine(d)

Starting with the FTC vs. Wyndham case, bTrade’s MFT Nation blog has run a series of posts that we described as “case studies for what not-to-do” in the rapidly changing world of data security.  The latest in this series involves the University of Texas MD Anderson Cancer Center (“Anderson”).

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), investigated Anderson after learning of three separate data breaches involving the theft of unencrypted electronic protected health information (ePHI) of tens of thousands of individuals.  To Anderson’s credit, it had written encryption policies going as far back as 2006 and risk analysis performed by Anderson showed that the lack of device-level encryption posed a high risk to the security of ePHI.

The problem for Anderson, however, was its failure to implement the required encryption.  Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and it failed to encrypt its inventory of electronic devices containing ePHI until much later.

OCR imposed a $4.3 million penalty against Anderson for violating HIPAA’s Privacy and Security Rules.  The penalty was justified “given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that Anderson “not only recognized, but that it restated many times.”

Click here to read more on OCR’s website about the recent actions taken against Anderson.

If you want to speak with bTrade’s data security experts about implementing an enterprise-wide encryption solution to protect ePHI, or any other type of data, please contact us at info@btrade.com.

 
Should You Get Your Head Out Of The Cloud? (Follow-up #3)

Several recent MFT Nation posts have explored factors to consider when deciding between deploying your IT infrastructure on-premise (“on-prem”) or moving some or all of it to “the cloud.”  Our last post said we were sharing “one last bit of info” on the subject.  That was a bit premature because a lot of info is being published and we want to continue sharing for the benefit of our readers.

For example, Forbes wrote a good article titled With Cloud Security, The Devil’s In The Details.  The author, Ameesh Divatia, begins by highlighting the virtue of deploying some or all of your infrastructure in the cloud—it “simplifies IT and offers a lot of value for companies.”  But he continues the thought process by asking the question:  “Who’s responsible for cloud security?”  Mr. Divatia’s answer to the question imparts some food for thought, so to speak:

You, and virtually everyone else, will likely answer that the cloud provider (Microsoft, Amazon, etc.) is responsible. After all, it’s their cloud, right? But wait — dig a little into the details, and you’ll find that’s not the case. In all major cloud provider contracts and agreements, there’s a little devil of a detail: The cloud provider is responsible only for infrastructure security of the cloud — not for safeguarding the security, privacy or appropriate use of the data or information stored within it. And therein lies the rub.

The article is a good read for those of you concerned about #cloudsecurity.  The author offers some real-world, common-sense points to consider.

If you want to speak with bTrade’s data security experts about deployment models, please contact us at info@btrade.com.  If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, LinkedIn, and our blog MFT Nation.

 
Do I Need a Dropbox Alternative?

Beware of the “free” file sharing apps; oftentimes you get what you pay for, so to speak.

 
Should You Get Your Head Out Of The Cloud? (Follow-up #2)

MFT Nation wants to share one more last bit of info on #cloudsecurity, this time from a thoughtful article discussing how hackers prey upon the “mass movement of company and personal data to the cloud”: https://bit.ly/2seV1R2.  Please contact us at info@btrade.com to learn about using a bTrade MFT solution to protect ANY movement of data, to the cloud or ANYWHERE, whether internally or externally.

 
Should You Get Your Head Out Of The Cloud? (Follow-up)

In a recent post, bTrade’s MFT Nation explored two matters to consider when deciding between deploying your IT infrastructure on-premise (“on-prem”) or moving some or all of it to “the cloud.”  We said in that post that while cybersecurity considerations are “always vital,” some industry sectors generally do not trust cloud providers to safeguard their data.  Well, based on a recent report on CIO cloud perspectives, perhaps we should add the healthcare industry to the list of doubters.

The article, entitled “Healthcare Cloud Take-off: Waiting for the Fog to Clear,” summarizes the results of a survey of 175 healthcare IT professionals taken at the HIMSS18 Las Vegas conference.  Although nearly 60% of respondents said their organizations have placed a priority on moving some IT to the cloud, only about 30% have devised a cloud migration strategy.  Why?  According to the survey, HIPAA compliance, security, and privacy worries are the main reasons why healthcare IT professionals are reluctant to use the cloud.  And around 50 percent of respondents cited security concerns as their primary worry associated with cloud migration.

The CEO of the company that produced the report offered this thought about the results:  “Although cloud hosting for healthcare has become mainstream, the understanding of and confidence in the cloud to meet the exacting standards of the highly regulated industry is still a major concern for healthcare systems.”  The report concluded with this observation:  “Healthcare organizations are not 100 percent convinced that cloud storage is safe for the protected health information (PHI) of their patients and therefore remain grounded for take-off.”

 
Should You Get Your Head Out Of The Cloud?

bTrade’s services team routinely deals with a wide array of issues in connection with each deployment of its managed file transfer software solutions.  One such issue, which affects organizations of all sizes, concerns how to structure all the hardware and software assets.

The discussion usually focuses on whether to deploy on-premise (“on-prem”) or move some or all of the IT infrastructure to “the cloud.”  The principal difference between the two is how each is deployed.  Cloud-based software is hosted on the vendor’s servers or a third party’s, whereas on-prem software is installed locally on an organization’s own computers and servers.

bTrade’s managed file transfer offerings are available for both on-prem and cloud deployments.  In fact, some bTrade customers have deployed a “hybrid” system that utilizes both on-prem and cloud.  For purposes of this post, MFT Nation will explore recent articles which touch upon two critical points to consider when deciding between on-prem and cloud, or some combination thereof.

Costs

When the push to the cloud began, the main reasons for moving were efficiency and cost savings.  Many articles like this one continue to trumpet the virtues of cloud in terms of cost savings and efficiency.  The author of the subject article pushes potential cost savings in a pitch of “pay less and get more.”  The author also touts the efficiency of cloud solutions he claims can be “put to work with relative ease.”  We need to temper the enthusiasm of the author, at least a bit, with a few IT realities.

The decision of whether and to what extent to move to the cloud is not done with “relative ease.”  It is a complex task with many variables.  And it is made all the more complicated by the overwhelming number of options, such as hybrid and multi-cloud approaches, which can blur the line between the cloud and on-prem deployment options.

As the number of cloud deployments has increased, so too have the related costs.  Expect costs to continue increasing as the big boys—Amazon, Microsoft and Google, and to a lesser extent, Rackspace—dominate the market and limit competition.  As a result, a cottage industry has developed with products/services designed to cut cloud costs.  For example, one company touts its products’ ability to cut cloud costs “by up to 65% in a matter of minutes.”  This confirms that cloud costs are increasing if a vendor is able to eliminate 65% of waste, and accomplish the task “in a matter of minutes.”

As for the promise of increased efficiencies, you should know that resources will still be needed to manage your cloud or multi-cloud infrastructure, including tracking/controlling cloud costs, gaining visibility and control of multi-cloud infrastructure, and eliminating wasted spend by right-sizing resources and terminating idle resources.  And you may feel the need to invest a portion of your IT spend in products/services related to managing your cloud infrastructure.

Security

An article caught our eye because it claims “the future of cybersecurity is in the cloud.”  Really?  In our experience, customers choose on-prem systems when cybersecurity is the paramount concern.  Security considerations are always vital, but some industry sectors will not trust others with important data, such as the banking/financial services industry.  Also, some IT pros, regardless of industry sector, have the same type of adverse reaction when it comes to trusting cloud vendors to safeguard crucial data.

The article’s author recognizes that there are “many opponents” of cloud security.  He claims to be ex-FBI and says the FBI “feared the Internet so much that agency computers functioned solely on an isolated intranet connected via hard cables.”  The author also concedes that “not all cloud services are equal in their dedication to security,” and he lists specific security problems with cloud services that have led to data breaches, such as “poor configuration,” lack of “strong authentication, encryption (both in transit and at rest) and audit logging,” “[f]ailure to isolate a user’s data from other tenants in a cloud environment together with privacy controls that are not robust enough to control access,” and “[f]ailure to maintain and patch to ensure that known flaws are not exploited in the cloud service.”

So why, you might ask, is the author nonetheless pushing the cloud as the “future of cybersecurity”?  It should be noted that the author works for some type of cloud company, so we can assume he is biased in favor of the cloud.  But basically, he believes “[t]he cloud can leverage big data and instant analytics over a large swath of end users to instantly address known threats and predict threats that seek to overwhelm security.”  The article lacks any specifics about how this unidentified, nebulous super cloud will be able to accomplish the task of “predictive security.” And in any event, after all we’ve heard lately about the “Deep State” and how Facebook and other social media platforms are using (or misusing) customer data, we question whether anyone is excited about relying on some type of super cloud system to protect confidential data.

If you want to speak with bTrade’s data security experts about deployment models, please contact us at info@btrade.com.  If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, LinkedIn, and our blog MFT Nation.

 
Spring is a Good Time to Consider Cyber Hygiene

This is a clever, well-written piece proffering six common sense steps to maintain good cyber hygiene: https://ubm.io/2KsxcMW. Of course, you can find the same type of cyber hygiene advice, in more detail, from free government sources, like this one: https://lnkd.in/gF3U5Wa. Here’s another good government source for cyber hygiene as it relates to small businesses: https://bit.ly/1Mimb9p.


 
Legal Industry: Slow Adopters of Cybersecurity Measures

It’s been widely reported that the legal industry has been a slow adopter of cybersecurity measures. This article by Law.com is further proof of how primitive the industry is when it comes to cybersecurity: https://bit.ly/2HYBm0E. The article merely lists and then discusses in a superficial manner certain “basic cybersecurity measures” (which is the phrase used in the article) like antivirus and the need for encryption.

Instead of creating lists of “basic” cybersecurity measures, Law.com should point all legals to informative sources like @usnistgov and its Cybersecurity Framework: https://bit.ly/2ePWDZM, or @FTC and its small businesses resources: https://bit.ly/2Hv3zsv. And instead of spouting superficial cybersecurity tips like using encryption to protect data, Law.com should provide legals with useful information about a comprehensive, “managed” file transfer software that can address many cybersecurity needs: https://bit.ly/2b6amgC.

 
 
 
 