What, exactly, is 'FTPS'? As Timothy alluded, there are a large number of solutions out there.
For example, TLS FTP is certificate based and does not pass logon credentials in the clear. It's free on z/OS and easy to automate. The downside is certificate management. SSH seems to be PCI acceptable, but may have issues in that it may store its keys in the clear. There is an SSH port for z/OS, also free.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Cebell, David
Sent: Wednesday, April 01, 2009 8:54 AM
To: [email protected]
Subject: Re: secure file transfer FROM z/OS

The person who supports file transfer in our shop reports this.

"Further, we concluded that FTPS does not satisfy PCI encryption requirements because there is no alternative to passing clear-text passwords for authentication during batch processing. The sftp protocol provided in ssh-Tectia addresses this requirement."

Is this true or is there a workaround?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Timothy Sipples
Sent: Wednesday, April 01, 2009 12:37 AM
To: [email protected]
Subject: Re: secure file transfer FROM z/OS

Kirk has some good information on file transfer options using common protocols. I've got some more nominees which may be appropriate if you have long running, targeted file transfer needs -- such as a small number of particular servers that need to stay more-or-less permanently attached and transfer a lot of files. Basically the other options would all be file sharing (NFS, CIFS/SMB, etc.) over an IPSec connection (encrypted connection). z/OS supports IPSec and also supports common network file systems like NFS, CIFS/SMB, etc. As Kirk alluded to, there are also numerous private protocol file transfer products, and they do have advantages in many missions.

By the way, "secure file transfer" is a misnomer when used as we're using it here.
To be more accurate for the (business-oriented/risk-analyzing) boss I would call this "encrypted transfer of raw files without custodial controls." (That name is unwieldy, but it's much closer to the truth. Perhaps someone has a shorter name that still gets the point across.)

The file itself could (and usually does) contain extremely sensitive information -- things like customer records, credit card numbers, etc. Once each record is transmitted it leaves the security zone of its parent.

To use an analogy, if you have the launch codes for nuclear missiles, yes, it's a good idea if you have to communicate that information to use an encrypted pipe. That's necessary but not sufficient. (The only thing encryption does is prevent somebody from intercepting the file data "over the wire.") You better be completely sure both sender and receiver apply appropriate security protocols to such sensitive information. Which is why launch codes don't get spread around a lot, nor should credit card numbers and much other financial information, medical patient records, corporate accounting (in any business), product design secrets, etc.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

