Archive for October, 2010
Let’s take a closer look at the perceived challenges of Managed File Transfer (MFT) that are identified in the Ziff Davis MFT survey.
A few related topics top the list: “Finding the right MFT solution”, the “Cost”, including ongoing maintenance and future upgrades, as well as “Employee training”, including satisfaction and acceptance.
A lot has to do with the partner you choose to do business with, as well as the complexity of the MFT solution and its ease of use. Take time to carefully research vendors and clearly understand the anticipated deployment timeline, the required involvement and training of your IT staff, and whether any professional services are needed.
You want a proven, reliable vendor that has a track record of successful long-term customer relationships and that is committed to bringing new technology to market as business needs continue to grow and evolve. Let’s just say that not all MFT vendors are created equal… So choose carefully.
“Cost” is always a sensitive subject. But with so many MFT solutions varying in complexity, sophistication, scalability, deployment options, and price, I strongly advise you to list key business requirements and make sure not to over (or under) purchase functionality.
For example, here at Ipswitch we offer a range of MFT solutions that span from basic secure file transfer products and services all the way to robust solutions proven to meet requirements for extreme volumes of data exchange with governance, data transformation and file life-cycle tracking. Our solutions have proven to be fast to deploy and easy to use, resulting in rapid time-to-value that greatly exceeds other vendor solutions.
Lastly, consider the ROI and “risk avoidance” aspects of MFT from a security perspective alone (which is only part of the story). In a recent blog post, I pointed out that the average cost of each compromised file is $204. So go ahead and estimate how many sensitive files and pieces of data your company has… Now multiply that by $204. I’m sure you’ll agree that the ROI on the time and resources spent to protect company data is well worth the investment!
The Ziff Davis survey on Managed File Transfer did a nice job amplifying the aspects of currently deployed file transfer methods people think need the most improvement.
Checking in at #1 and #2 on the “improvements needed to my existing file transfer methods” list are SPEED and SECURITY. This only fuels the age-old debate of productivity versus security… But that’s a topic for another day! Needless to say, it’s not surprising that about half of survey respondents say that they need faster file transfers and roughly the same number say they require stronger security.
Other items on the “improvements” wish list include: reliability, capacity, scalability, central management, workflow integration, IT infrastructure integration and compliance.
It’s validating to see in the graphic that areas where MFT solutions excel today closely map to those aspects of existing file transfer methods that people say require the most improvement: reliability, speed, security, up-time and capacity round out the top five. Efficiency is a common theme with all these items, driven largely by time-sensitive business-critical processes and even SLAs depending on fast and highly available file transfer processes and workflows.
The last point I want to make about the “needs improvement” survey results is that no solution (MFT or other) will magically make a company compliant. There is no holy grail to achieving regulatory, regional, industry or corporate compliance. Rather, compliance is the end result of a strategically implemented, documented and monitored initiative that encompasses the entire arsenal of company-sanctioned policies, tools, and of course processes and employee actions.
Coming soon: I’ve got a few more musings about the survey that focus on deployment challenges as well as the business benefits of MFT.
Ziff Davis recently published a study on Managed File Transfer that heralds MFT solutions as “the unsung security and compliance solution”. Eric Lundquist sets the stage nicely:
“Everyone is talking about the need to collaborate more effectively and put employees closer to customers in a real time business environment.
But until you can assure the security, privacy, and compliance requirements of data transfer, the collaborative enterprise is just a good idea. MFT is one of those enabling technologies designed to make it a reality.”
The study found that security concerns about current file transfer methods include the usual suspects, such as: encryption, viruses, user authentication, backup, hacking, enforcing security policies, managing external users, auditing, reporting and defining security policies.
Not surprisingly, data from the study shows that many of those very security concerns that people had with their organizations’ current file transfer methods are actually strengths of today’s MFT solutions.
Keep in mind that many organizations still rely on homegrown scripts and point-to-point solutions, oftentimes using unencrypted FTP for transport… And with very little visibility, management or policy enforcement. In addition to being time consuming and expensive to manage and maintain (and commonly built by developers who left the company years ago), many existing file transfer methods are insecure and introduce risk and inefficiency into an organization.
Plus, many companies haven’t even begun to crack the person-to-person nut of file transfer beyond relying on corporate email, unsanctioned personal email or file sharing websites, and even sneakernet!
In my next post, we’ll take a closer look at some of the areas where the study identified MFT solutions as being superior to many commonly used methods for file transfer.
I just returned from the PCI Security Standards Council. It was great to spend a couple of days talking tech and trends with other security experts.
The hottest trend this year in the payment security industry is “tokenization”. This technology lifts credit card numbers out of data sets and replaces them with unique one-way tokens (e.g., “234cew23”). The original credit card numbers are stored in a “secure token vault” and may only be retrieved by authorized people and processes that present another set of credentials (preferably two-factor credentials).
The reason businesses find tokenization compelling is that PCI requirements state that data sets with credit card numbers must be treated with more care than data sets without that information (e.g., just your name, expiration date, etc.). The higher degree of care often translates into full encryption, good key management, regular key rotation and a host of other security controls. All these extra controls cost money, so if businesses can ratchet down the sensitivity of their data with tokenization, they can enjoy cost savings by not having to implement (or audit) other security controls.
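The tokenization flow described above, as an added sketch that is not from the original post or any vendor's product: card numbers in a record are swapped for random tokens, and the originals are returned only to a caller that presents credentials. The `TokenVault` class, the caller name and the shared secret are assumptions made for illustration, and a single secret stands in for the two-factor check the post prefers.

```python
import hmac
import re
import secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card numbers (digit runs)

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for the 'secure token vault' (hypothetical design)."""
    def __init__(self, authorized: dict[str, str]):
        self._authorized = authorized      # caller id -> secret (constructed)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, text: str) -> str:
        """Replace every Luhn-valid card number in text with a random token."""
        def swap(match: re.Match) -> str:
            pan = match.group(0)
            if not luhn_ok(pan):
                return pan
            token = self._token_by_pan.get(pan)
            if token is None:
                # Random, so the token reveals nothing about the card number.
                token = "tok_" + secrets.token_hex(8)
                self._token_by_pan[pan] = token
                self._pan_by_token[token] = pan
            return token
        return PAN_RE.sub(swap, text)

    def detokenize(self, token: str, caller: str, secret: str) -> str:
        """Return the card number only to a caller presenting valid credentials."""
        expected = self._authorized.get(caller, "")
        if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
            raise PermissionError("caller not authorized to detokenize")
        return self._pan_by_token[token]

# Constructed sample data; 4111111111111111 is a widely used test card number.
vault = TokenVault({"settlement-batch": "constructed-secret"})
record = "order=1001 name=A. Customer card=4111111111111111 exp=12/12 ref=1234567890123"
safe_record = vault.tokenize(record)
```

The tokenized record can move through systems that never see a card number, while the 13-digit reference that fails the Luhn check is left untouched.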
Anyone buying in at this stage would be an early adopter: the Council has not yet endorsed the use of this technology. However, the Council has formed a working group to come up with specific guidance (e.g., are hashes OK, if so, which ones, are unique IDs OK, etc.), so some level of future acceptance seems likely. So far the working group has only provided a definition of the technology (essentially, the one I provided above). However, a draft recommendation from the Council with specifics is expected around the new year.
The real highlights for me at last week’s SecureWorld Expo were the attendees who visited Ipswitch’s tradeshow booth. From global enterprises to small business owners, public utilities to brand name consumer products companies, the people I met described challenging business problems and showed genuine interest in managing and protecting their data.
A couple of visitors jump to mind:
- The ex-Secret Service agent (Electronic Crimes Task Force), now an independent consultant, who came straight to SecureWorld after flying cross-country to attend another security conference in Atlanta. Her curiosity about managed file transfer solutions, and her breadth of knowledge about encryption methods and sources of risk I had never even considered, gave us lots to talk about.
- The Chief ISO from the CA Dept of Water Resources, one of at least 10 people I met from local environmental agencies or private utilities. I had no idea that the business of managing natural resources was so data intensive! They have a huge amount of traffic between and among state and county agencies, and send hundreds if not thousands of files per week to private businesses, citizen groups, and individual consumers. Many of these files contain sensitive information, making it an ideal scenario for Ipswitch’s managed file transfer solutions that can handle high volume data files sent programmatically to a wide number of recipients.
These two booth visitors highlight 2 days’ worth of insightful conversations I had with customers, prospects and fellow vendors. Needless to say, I’m very excited to dive into the MFT space and look forward to sharing more insights.