Tuesday 13 March 2007

SBS, ISA & Sensitive Data Transmission Security?

Obviously we never made it to the TechNet event! :D

This morning, we fielded a call from one of our clients indicating that their payroll service software was unable to transmit a Record of Employment to the payroll service server.

It was a priority situation, as the ROE needed to be transmitted by today.

It took a few steps to clarify just where the transmission was breaking down.

The ISA client was installed and connected properly, so no issue there.

The IE settings were correct, and IE was browsing the Web fine via the SBS ISA proxy settings.

With the client computer connected via one RWW Remote Assistance session, and the SBS server via another RWW TS session (two monitors), I was able to watch the ISA activity log in real-time.

What I saw astounded me!

This particular payroll application was trying to FTP the information out to their own servers! Perhaps I am wrong here, but FTP? We are talking about transmitting usernames, passwords, and highly sensitive data via a protocol that puts all of it on the wire in the clear.

There is a reason why the outgoing FTP protocol is disabled on the default SBS install of ISA 2004!
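To make the point concrete from the defender's side, here is an added example (not code from the original post or from any payroll vendor): a small scanner that walks an FTP control-channel session and reports every login whose username and password crossed the wire in the clear, along with what was uploaded afterwards. The session text is constructed for illustration; the host name, account and file name are placeholders. It also goes slightly beyond the post by treating a session that negotiated TLS (`AUTH TLS` answered with `234`) as protected, so those logins are not flagged.

```python
"""
Added example, not part of the original post: detect cleartext FTP logins.

FTP (RFC 959) sends USER and PASS as plain text on the control channel, so
anyone who can observe the connection sees the credentials.  The sessions
below are constructed samples, not captures from any real payroll service.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: "C:" = client -> server, "S:" = server -> client.
SAMPLE_CLEARTEXT_SESSION = """\
S: 220 ftp.example.invalid FTP server ready
C: USER payroll_upload
S: 331 Password required for payroll_upload
C: PASS hunter2
S: 230 User payroll_upload logged in
C: TYPE I
S: 200 Type set to I
C: STOR ROE_2007-03-13.dat
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
"""

# Constructed sample where the client upgraded to TLS before logging in;
# from the 234 reply onward the control channel is encrypted.
SAMPLE_TLS_SESSION = """\
S: 220 ftp.example.invalid FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER payroll_upload
S: 331 Password required
C: PASS hunter2
S: 230 Logged in
C: STOR ROE_2007-03-13.dat
S: 226 Transfer complete
"""

_CMD = re.compile(r"^C:\s*([A-Za-z]{3,4})(?:\s+(.*))?$")
_RESP = re.compile(r"^S:\s*(\d{3})\b")


@dataclass
class ExposedLogin:
    username: str
    password_seen: bool = False      # PASS command observed in the clear
    login_succeeded: bool = False    # server replied 230 to the PASS
    uploaded: list = field(default_factory=list)  # STOR file names that followed


def find_cleartext_logins(session_text: str) -> list:
    """Return one ExposedLogin per USER command sent on an unencrypted channel."""
    findings = []
    current = None            # the login we are currently attributing lines to
    awaiting = None           # last client command, so replies can be matched
    channel_encrypted = False # becomes True once AUTH TLS is accepted (234)
    for raw in session_text.splitlines():
        line = raw.strip()
        m = _CMD.match(line)
        if m:
            cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
            if cmd == "USER" and not channel_encrypted:
                current = ExposedLogin(username=arg)
                findings.append(current)
            elif cmd == "PASS" and current is not None:
                # Record only that the secret was exposed, never its value.
                current.password_seen = True
            elif cmd == "STOR" and current is not None:
                current.uploaded.append(arg)
            awaiting = cmd
            continue
        r = _RESP.match(line)
        if r:
            code = r.group(1)
            if awaiting == "AUTH" and code == "234":
                channel_encrypted = True
                current = None  # anything after this point is not observable
            elif awaiting == "PASS" and code == "230" and current is not None:
                current.login_succeeded = True
    return findings


def describe(findings: list) -> list:
    """Human-readable one-liners suitable for an alert or ticket."""
    return [
        f"cleartext FTP login for '{f.username}' "
        f"(password exposed: {f.password_seen}, succeeded: {f.login_succeeded}, "
        f"uploads: {', '.join(f.uploaded) or 'none'})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in describe(find_cleartext_logins(SAMPLE_CLEARTEXT_SESSION)):
        print(line)
    print("TLS session findings:", find_cleartext_logins(SAMPLE_TLS_SESSION))
```

Run it as-is and the cleartext sample produces one finding naming the account, confirming the password was sent and that a file was uploaded under it, while the TLS sample produces none. Fed with the control-channel text of a real session pulled from a proxy or packet capture, the same logic tells you exactly which accounts a vendor's software exposed, which is the evidence you want before raising it with the provider.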

Call me paranoid, but in this day and age, when transmission security is a given, the least the payroll application creators could do is build on SFTP, or on HTTPS POST with authentication handled by their software!

They could also build a VPN structure into their software. The options are there for them; they just need to apply them.

We will mention to our client our concerns regarding the security setup for the payroll service software, and then I am sure they will mention it to the payroll service provider.

We have worked with a number of other payroll services companies and their proprietary software. In our experience, there are those out there that have adopted SSL, SFTP, and/or other secure methods of moving data between their clients and their own servers. Just not this particular one.

Something to keep in mind if there is a need to outsource payroll IMNSHO.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
