Archive for January, 2009

Web services really works

January 20, 2009

I got a nice surprise the other day from one of our support engineers. He’s really getting into Ruby as a scripting language and has used it to automate several of his processes, like managing backups, upgrading multiple BDS instances at once, and other tedious system administration tasks.

But then he thought about using Ruby to script BDS itself. In a matter of a few hours, he took the BDS web services API, generated the Ruby methods from its WSDL using wsdl2ruby, and created a script that authenticates and starts sending files securely through our production delivery server.

One of the big hopes for Web services when they were first developed was to create a truly interoperable middleware technology for applications to share data. Because it’s simply passing XML-based SOAP messages around, it’s language neutral — if you can read and write SOAP messages, you can leverage applications that support SOA with Web services interfaces, like Biscom Delivery Server. Luckily, more and more development environments include built-in support for Web services, or at the very least have pre-built libraries, tools, and other third-party add-ons to connect to Web services out in the cloud.
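As an added illustration (not code from the original post, and not Biscom's own API), here is a Ruby script using only the standard library that does by hand what wsdl2ruby-generated stubs do underneath: it builds a SOAP 1.1 request envelope, parses a reply, distinguishes a SOAP Fault from a normal response, and configures the HTTP transport so that credentials only ever travel over verified TLS. The service namespace, the `login` operation, its parameters and both sample replies are hypothetical placeholders; the real operation names and namespace come from the WSDL.

```ruby
require "rexml/document"
require "net/http"
require "openssl"
require "uri"

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical service namespace standing in for the one a real WSDL would declare.
SVC_NS = "urn:example-secure-file-transfer"

# Build a SOAP 1.1 request envelope for `operation` with simple string parameters.
# REXML escapes the parameter text, so a value such as "a<b" cannot break out of
# its element and alter the structure of the message.
def build_envelope(operation, params)
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new("1.0", "UTF-8")
  env = doc.add_element("soapenv:Envelope",
                        "xmlns:soapenv" => SOAP_NS, "xmlns:svc" => SVC_NS)
  env.add_element("soapenv:Header")
  op = env.add_element("soapenv:Body").add_element("svc:#{operation}")
  params.each { |name, value| op.add_element(name).text = value.to_s }
  doc.to_s
end

# Parse a reply envelope. Returns {fault: false, result: ...} for a normal reply
# or {fault: true, code: ..., reason: ...} for a SOAP Fault. Raises when the body
# is not the reply to the operation the caller sent, so an unexpected or
# tampered response is never silently treated as success.
def parse_response(xml, operation)
  doc = REXML::Document.new(xml)
  body = REXML::XPath.first(doc, "/soapenv:Envelope/soapenv:Body", "soapenv" => SOAP_NS)
  raise "not a SOAP envelope" unless body
  fault = REXML::XPath.first(body, "soapenv:Fault", "soapenv" => SOAP_NS)
  if fault
    return { fault: true,
             code: fault.elements["faultcode"]&.text,
             reason: fault.elements["faultstring"]&.text }
  end
  reply = REXML::XPath.first(body, "svc:#{operation}Response", "svc" => SVC_NS)
  raise "unexpected reply for #{operation}" unless reply
  { fault: false, result: reply.elements["return"]&.text }
end

# Credentials ride inside the SOAP body, so the transport must be TLS with the
# server certificate verified; refuse outright to build a client for a
# plaintext endpoint rather than leaving that to the caller's discipline.
def https_client(endpoint)
  uri = URI(endpoint)
  raise "refusing plaintext endpoint #{endpoint}" unless uri.scheme == "https"
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http
end

# Constructed sample replies for offline use (not captured from any real server).
SAMPLE_LOGIN_REPLY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <soapenv:Envelope xmlns:soapenv="#{SOAP_NS}" xmlns:svc="#{SVC_NS}">
    <soapenv:Body>
      <svc:loginResponse><return>sess-0123</return></svc:loginResponse>
    </soapenv:Body>
  </soapenv:Envelope>
XML

SAMPLE_FAULT_REPLY = <<~XML
  <soapenv:Envelope xmlns:soapenv="#{SOAP_NS}">
    <soapenv:Body>
      <soapenv:Fault>
        <faultcode>soapenv:Client</faultcode>
        <faultstring>authentication failed</faultstring>
      </soapenv:Fault>
    </soapenv:Body>
  </soapenv:Envelope>
XML

if __FILE__ == $PROGRAM_NAME
  puts build_envelope("login", "username" => "alice", "password" => "s3cret&<")
  p parse_response(SAMPLE_LOGIN_REPLY, "login")
  p parse_response(SAMPLE_FAULT_REPLY, "login")
end
```

To actually talk to a server you would post `build_envelope(...)` with `https_client(endpoint).post(path, xml, "Content-Type" => "text/xml; charset=UTF-8", "SOAPAction" => "...")` and hand the response body to `parse_response`; the script above stops short of the network call so it runs offline against the constructed replies.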

So, for all you programmers and scripting aficionados, see how you can extend your existing and legacy applications to support secure file transfer using our Web services API. If you have an idea or a question about integrating BDS capabilities into your organization, let us know — we’ll help you any way we can.

Another information privacy law in Connecticut

January 16, 2009

During my research into the new MA law on data privacy, I also found this law (Public Act No. 08-167) which became effective on October 1, 2008. The act is aimed at protecting social security numbers. The interesting thing about this act is that it’s not just businesses that are required to adhere — individuals will be held responsible as well. Here’s a quote from the actual act:

Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

It’s a $500 civil penalty per violation, and maxes out at $500,000 per event. By the way, personal information doesn’t just include social security numbers, but also driver license numbers, passport numbers, credit or debit card numbers, and health insurance identification. I love that they added this extremely important item too: “account number” — is it just me or is that just a wee bit vague?

201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

January 14, 2009

Catchy title? Well, maybe not, but it’s a new privacy and security law in Massachusetts that takes effect May 1, 2009 (postponed from January 1, 2009).

The purpose and scope, as described on the Mass.gov site:

(a) Purpose
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

(b) Scope
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.

While this sounds quite onerous for many companies, and has pretty far reaching implications on IT data management processes and procedures, it’s a step in protecting against the increasing incidence of identity theft and other data leaks. Was this law spurred by the TJX breach of 45.7 million credit cards or when 4.2 million credit card numbers were nicked from Hannaford Foods in 2007? The cleanup efforts far outweigh the investment in security that might have prevented these data breaches (some estimates put TJX at $4.5 billion in accumulated costs in fines, legal fees, notification expenses, and brand damage).

I see stories like these, and dozens of other high profile breaches, as the tip of the iceberg. I doubt there’s going to be any law or compliance legislation that will protect 100% of individual and company data from being lost or stolen, but it does make sense for companies to reassess their data storage and transmission policies to harden their defenses against this.

Companies must look holistically, however, and can’t overlook the fact that data must be protected from many angles. In the introduction to the book Practical Cryptography, the authors, Niels Ferguson and Bruce Schneier, mention scores of companies that obsessed over building robust, highly protected network security to foil hackers but ignored internal concerns, both malicious and unintentional; that is akin to installing a huge steel front door on your house while leaving an unlocked screen door in the back.

With this law, the pendulum has swung quite a bit toward requiring companies to have implementations in place to protect personal data. I hope the solutions built for this have both the technical aggressiveness to maintain security and the simplicity to provide it in a way that is not so complex and hard to use that individuals dismiss it and look for alternative methods that may compromise security.

My first blog

January 8, 2009

My first blog and my first blog posting. Actually, Frank Kenney, Research Director at Gartner, paid us an onsite visit today, and suggested that it might be worthwhile for me to start a blog on managed file transfer (aka secure file transfer/intelligent file transfer) and to start evangelizing the concept. As someone who’s been quietly evangelizing this for the last 8 years, I guess this is as good as any forum to share news, industry events, and other thoughts on the state of the SFT/MFT market (like the military, tech is full of acronyms).

Biscom Delivery Server (BDS for short, to remain true to the acronym-philic technology community) is an enterprise Web-based secure file transfer application. (EWBSFTA?) BDS enables people (or machines/automated processes) to send files and messages to each other securely, while tracking every transaction so it can later be used for reporting and auditing purposes (think regulatory or compliance requirements). Basically, if you have a file that contains sensitive or confidential information that you can’t send over email because it’s either too large or you’re concerned about other people being able to view it, and FTP, PGP, and other security technologies are too complex for your end users, then you need our product. BDS, above all else, is easy to use!

In a nutshell, here’s how it works.

Questions? Comments? I guess I’m opening myself up to the world now, so fire away!