In 1971, when the File Transfer Protocol was initially developed, the world of connected computing was a very different place. At that time, computing was restricted to mainframes on tightly controlled networks. Cyber-security was more or less accomplished by making sure you locked the door on your way out of the computer room. The world was still a decade away from the first IBM Personal Computer, and Steve Jobs was still a long-haired high school student.
Over the past 40 years, a lot has changed. Unfortunately, some things haven’t changed at all. Too many supply chain companies are still using insecure methods to share data across the open internet. As of today, Chain.io is taking a step to move the industry forward.
Effective immediately, Chain.io will no longer provide unencrypted FTP hosting within our platform for new connections.
On January 1, 2021, we will require all customers who are currently using unencrypted FTP hosted by Chain.io to either switch to secure FTP (SFTP) or use an external FTP site outside of the Chain.io platform.
Chain.io will continue to support connecting to external FTP sites where required by our customers.
How we got here
When we created the Chain.io platform, we were immediately faced with the question of how to deal with requirements around insecure FTP. One of our core value propositions is enabling legacy systems to connect with the modern supply chain ecosystem. Many of these systems do not support more modern protocols, and FTP is the only option.
At the time, we decided on the following rules:
- All file transfer connections hosted on our files.chain.io platform would default to Secure FTP
- There would not be a way to downgrade the connection to insecure FTP via our screens. Users would need to contact support to have this done manually after they were advised about the risk.
- Any connections to external FTP servers would be clearly marked as “insecure” in our user interface.
We felt that these rules provided a good balance of encouraging responsible behaviour while also allowing customers with legacy constraints to make an informed decision around data security.
Why we’re changing now
Over the past few years, we’ve closely watched the usage of insecure connections decline and the awareness of cybersecurity in our industry climb. In July 2018, Google began labeling unencrypted web connections as “insecure” in Chrome. At the same time, supply chains have become an increasingly large target for cyber criminals whether through data siphoning or direct attacks on 3PLs and carriers.
More importantly, the number of companies interacting with shippers’ data is massively increasing. Robotic processing automation tools, hosted AI engines, optimization and planning tools, and other third party platforms are making data security decisions every day. Shippers are often 2 or 3 business relationships away from these decisions and may not even be aware that they are happening. Consider when you read in the news that some third party processor that you didn’t even know existed has lost your social security number. We are on the cusp of similar stories popping up about the company's supply chain data.
Given this evolving context, we’ve decided that we cannot be confident that the individuals choosing to use insecure technologies are close enough to the impacted parties to properly balance risk and reward.
Why we’re not killing FTP support completely
Eliminating any legacy technology is always a phased approach. In the first step, you provide both the legacy technology and the newer option as equal choices. The next step (where we’ve been), is to make the newer tech the default and provide a smooth path for falling back. Over time, you make the older tech less accessible until you are able to terminate it completely.
While we’d love to prevent any FTP communications today, this isn’t realistic for a small segment of our customers. By forcing trading partners to host sites outside of our network, we’re taking the next natural step by increasing the barrier to using the old technology.
I’m an existing Chain.io customer, what do I need to do today?
For the vast majority of our customers, this won’t have any impact at all. Most of our connectivity is already over secure channels.
If you are utilizing an insecure connection, your account team will reach out to you to help coordinate an alternative solution. This may be as simple as provisioning an account with a third party tool or working to upgrade your connection to something more secure. No matter what, we’ll make sure that your business operations are uninterrupted.
Chain.io connects to our insecure FTP site, do I need to do anything?
No. If your connection address doesn’t end in “chain.io”, then you don’t need to do anything.
If you have more questions…
Your account team is always available or you can reach out to us at email@example.com and we’ll be happy to help with any questions or concerns.