Eli
Newcomer II

Using FTP for internal network

Hello,

 

Is it GDPR compliant to transfer personal data from one server to another by FTP on an internal network?

 

Thanks in advance.

 

Regards,

Eli

5 Replies
Jesse_Mundis
Newcomer III

GDPR is a much broader framework than a specific set of technical "do's" and "don'ts".

 

Regardless of GDPR, I'd say ftp (or any unencrypted, plain text transfer protocol) should *not* be used, even on internal networks. It's just a bad idea in general. If an attacker gets even limited read access on your network, you've just bypassed any sort of access controls on the data, by streaming it in the clear.

 

Even without GDPR concerns, I'd say this is pretty close to a violation of "due care" in handling sensitive data.

 

Not a lawyer, my opinions are my own.
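The "streaming it in the clear" point above, as an added example that is not part of this thread: a small Python audit script that groups FTP control-channel commands by session and reports which sessions sent a login or moved files unencrypted. The log format and the sample lines are constructed for the example; sessions that negotiated AUTH TLS (FTPS) before logging in are treated as unreadable from that point.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel commands as a passive network sensor
# might log them (timestamp, client -> server, C = client-to-server, command).
# Not real traffic: hosts, accounts and file names are invented for this example.
SAMPLE_LOG = """\
2018-04-02T10:00:01 10.0.1.5:51000 -> 10.0.2.9:21 C USER backup
2018-04-02T10:00:01 10.0.1.5:51000 -> 10.0.2.9:21 C PASS hunter2
2018-04-02T10:00:02 10.0.1.5:51000 -> 10.0.2.9:21 C RETR customers_2018.csv
2018-04-02T10:00:05 10.0.1.5:51000 -> 10.0.2.9:21 C STOR payroll_march.xlsx
2018-04-02T10:01:00 10.0.1.7:51200 -> 10.0.2.9:21 C AUTH TLS
2018-04-02T10:01:00 10.0.1.7:51200 -> 10.0.2.9:21 C <encrypted>
2018-04-02T10:02:00 10.0.1.8:51300 -> 10.0.2.9:21 C USER anonymous
2018-04-02T10:02:01 10.0.1.8:51300 -> 10.0.2.9:21 C LIST
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+) C (\S+)(?: (.*))?$")

def audit_ftp_sessions(log_text):
    """Group commands by client socket and report which sessions sent a login or
    moved files in cleartext. A session that issued AUTH TLS (FTPS) before logging
    in is not flagged: from that point the control channel is encrypted, so a
    sensor, or anyone with read access to the segment, sees nothing further."""
    sessions = defaultdict(lambda: {"tls": False, "user": None,
                                    "password_exposed": False, "files": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, server, cmd, arg = m.groups()
        s = sessions[(client, server)]
        cmd = cmd.upper()
        if cmd == "AUTH" and (arg or "").upper() in ("TLS", "SSL"):
            s["tls"] = True
        elif s["tls"]:
            continue                      # encrypted after AUTH TLS; nothing readable
        elif cmd == "USER":
            s["user"] = arg
        elif cmd == "PASS":
            s["password_exposed"] = True  # record the fact, never the password itself
        elif cmd in ("RETR", "STOR", "APPE"):
            s["files"].append((cmd, arg))
    report = {}
    for (client, _server), s in sessions.items():
        # Anything visible before (or without) AUTH TLS crossed the wire in the clear.
        s["cleartext"] = not s["tls"] and (s["user"] is not None or bool(s["files"]))
        report[client] = s
    return report
```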

 

 

Eli
Newcomer II

Thank you.
flyingboy
Newcomer III

GDPR specifies legal requirements rather than technology-related mechanisms. The law sets expectations which may include "do's" such as encryption and impact assessments.

 

When considering data transfers, even on an internal network, we will need to:

  1. assess the security of the transfer mechanism and the storage facility.
  2. assess if the data is to be transferred to a location outside of the EU, e.g. an office or data centre, as some of our internal network is globally designed.
CISO-Italiano
Newcomer III

GDPR doesn't mandate specific technical methods, but if we consider that when dealing with Personal Data "appropriate technical and organisational measures" should be used, then I would say that SFTP is the minimum to be used. Probably you can get away with using FTP as well, but if your network is breached and Personal Data is exfiltrated because of FTP (which is an unencrypted protocol), I would rather say that you will be in trouble, as you were not using Defense-in-Depth (aka layered) defense and you would also not have followed the Privacy by Design and Privacy by Default concepts contained in GDPR.

It's common to see companies willing to procrastinate (again!!) on the implementation of basic security standards, like, for example, removal of FTP. I would expect some big fines to be handed to some companies after May 2018 to start convincing businesses in Europe that Information Security and Privacy need to be taken seriously, as they could severely affect human rights, rather than being just financial or business matters. As long as CISOs sit under CIOs or other C-levels (and thus are not considered 'important enough' by CEOs), the situation won't change in the right direction. In the USA this is already many steps ahead; the EU is lagging behind in terms of business awareness. On the other hand, GDPR shows that on Human Rights the EU is the spearhead in the world in the legislative area. Let's see if that will remain just on paper or if we will see real enforcement in the very near future.

JoePete
Advocate I

I think you have received some good guidance regarding how GDPR does not speak to specifics. On the issue of FTP for internal use only, I think you are looking at the tip of the iceberg. While FTP rightly is a security concern due to its unencrypted nature, the same attack against it would apply to any unencrypted and open file sharing protocol (e.g. an open legacy SMB/Windows share), which is not unheard of in a lot of places.