You might say that the entire point of a Managed File Transfer (MFT) system is to do exactly that: provide centralized management and control. For example, let’s say that your company is subject to the Payment Card Industry Data Security Standard (PCI DSS). Requirement 4 of PCI DSS is to “encrypt transmission of cardholder data and sensitive information across public networks,” such as the Internet. Let’s also say that you frequently need to transmit cardholder data to partner companies, such as vendors who will be fulfilling requests.

One option is to simply allow someone within your company to email that information, or to have an automated process do so. You’ll need to ensure that everyone remembers to encrypt those emails — you did remember to get digital certificates for everyone, correct? — every single time. If someone forgets, you’ve created the potential for a data breach, and it’s not going to look very good for your company on the evening news.

Another option is to automate the file transfer using an MFT solution. That solution can be centrally configured to always apply PGP‐based encryption to the file, to always require an FTP‐over‐SSL connection with the vendors’ FTP servers, and to always require 256‐bit AES encryption. You don’t have to remember those details beyond the initial configuration — it’s centrally configured. Even if your users need to manually transfer something ad‐hoc — perhaps an additional emergency order during the Christmas rush — your MFT solution will “know the rules” and act accordingly. Your users’ lives become easier, your data stays protected, and everyone sleeps more soundly at night. This central control is often referred to as policy-based configuration because it’s typically configured in one spot and enforced — not just applied — to your entire MFT infrastructure, regardless of how many physical servers and clients you are running.

What’s the difference between enforced and applied? Making a configuration change is applying it. That doesn’t, of course, stop someone else from coming along behind you and applying a new configuration. The idea with policies is that they’re configured sort of on their own, and that they’re protected by a unique set of permissions that govern who can modify them—they’re not just wide‐open to the day‐to‐day administrators who maintain your servers. In many cases, a review/approve workflow may have to be followed to make a change to a policy. Once set, the policies are continually applied to manageable elements such as MFT client software and MFT servers. A server administrator can’t just re-configure a server, because the policy prevents it. The MFT solution ensures that your entire MFT infrastructure stays properly configured all the time.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones

To read more, check out the full eBook or stay tuned for more file transfer tips and tricks!
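The difference between an applied and an enforced setting, as an added Python sketch that is not from the eBook or from any MFT product. The key names, accounts and the `PolicyStore`/`enforce` helpers are hypothetical; the three required settings are the ones the excerpt names.

```python
from dataclasses import dataclass, field

# Central policy using the settings named in the excerpt (key names are hypothetical).
REQUIRED = {"transport": "ftps", "cipher": "aes-256", "pgp_encrypt": True}

@dataclass
class PolicyStore:
    settings: dict
    editors: set       # accounts allowed to propose a policy change
    approvers: set     # accounts allowed to approve one
    audit: list = field(default_factory=list)

    def change(self, key, value, requester, approver):
        """Review/approve workflow: the change needs an editor and a
        different person who holds the approver permission."""
        if requester not in self.editors:
            raise PermissionError(f"{requester} may not edit policy")
        if approver == requester or approver not in self.approvers:
            raise PermissionError("change needs a separate approver")
        self.settings[key] = value
        self.audit.append((key, value, requester, approver))

def enforce(policy, node_config):
    """Reset every policy-controlled key on one server or client config.
    Returns the keys that had drifted, so the drift can be logged."""
    drift = sorted(k for k, v in policy.settings.items()
                   if node_config.get(k) != v)
    for key in drift:
        node_config[key] = policy.settings[key]
    return drift

def demo():
    policy = PolicyStore(dict(REQUIRED), editors={"alice"}, approvers={"bob"})
    # A server administrator "applies" a weaker setting locally (constructed).
    server = dict(REQUIRED, transport="ftp", banner="partner gateway")
    drifted = enforce(policy, server)   # the next policy cycle puts it back
    return drifted, server

if __name__ == "__main__":
    print(demo())
```

Keys the policy does not control (the `banner` value here) are left to the server administrator; only policy-controlled keys are reset.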

Possibly not. The Internet’s venerable File Transfer Protocol (FTP) is usually supported by Managed File Transfer (MFT) systems, which can typically use FTP as one of the ways in which data is physically moved from place to place. However, MFT essentially wraps a significant management and automation layer around FTP. Consider some of the things an MFT solution might provide above and beyond FTP itself—even if FTP was, in fact, being used for the actual transfer of data:

  • Most MFT solutions will offer a secure, encrypted variant of FTP as well as numerous other more‐secure file transfer options. Remember that FTP by itself doesn’t offer any form of transport level encryption (although you could obviously encrypt the file data itself before sending, and decrypt it upon receipt; doing so involves logistical complications like sharing passwords or certificates).
  • MFT solutions often provide guaranteed delivery, meaning they use file transfer protocols that give the sender a confirmation that the file was, in fact, correctly received by the recipient. This can be important in a number of business situations.
  • MFT solutions can provide automation for transfers, automatically transferring files that are placed into a given folder, transferring files at a certain time of day, and so forth.
  • MFT servers can also provide set‐up and clean‐up automation. For example, successfully‐transferred files might be securely wiped from the MFT server’s storage to help prevent unauthorized disclosure or additional transfers.
  • MFT servers may provide application programming interfaces (APIs) that make file transfer easier to integrate into your internal line‐of‐business applications.
  • MFT solutions commonly provide detailed audit logs of transfer activity, which can be useful for troubleshooting, security, compliance, and many other business purposes.
  • Enterprise‐class MFT solutions may provide options for automated failover and high availability, helping to ensure that your critical file transfers take place even in the event of certain kinds of software or hardware failures.

In short, FTP isn’t a bad file transfer protocol—although it doesn’t offer encryption. MFT isn’t a file transfer protocol at all; it’s a set of management services that wrap around file transfer protocols—like FTP, although that’s not the only choice—to provide better security, manageability, accountability, and automation.

In today’s business, FTP is rarely “enough.” Aside from its general lack of security—which can be partially addressed by using protocols such as SFTP or FTPS instead—FTP simply lacks manageability, integration, and accountability. Many businesses feel that they simply need to “get a file from one place to another,” but in reality they also need to:

  • Make sure the file isn’t disclosed to anyone else
  • Ensure, in a provable way, that the file got to its destination
  • Get the file from, or deliver a file to, other business systems (integration)

In some cases, the business might even need to translate or transform a file before sending it or after receiving it. For example, a file received in XML format may need to be translated to several CSV files before being fed to other business systems or databases—and an MFT solution can provide the functionality needed to make that happen.

Many organizations tend to look at MFT first for its security capabilities, which often revolve around a few basic themes:

  • Protecting data in‐transit (encryption)
  • Ensuring that only authorized individuals can access the MFT system (authorization and authentication)
  • Tracking transfer activity (auditing)
  • Reducing the spread of data (securely wiping temporary files after transfers are complete, and controlling the number of times a file can be transferred)

These are all things that a simple FTP server can’t provide. Having satisfied their security requirements, organizations then begin to take advantage of the manageability capabilities of MFT systems, including centralized control, tracking, automation, and so forth—again, features that an FTP server alone simply can’t give you.

– From The Tips and Tricks Guide to Managed File Transfer by Don Jones


I’ve been back on the road visiting file transfer customers and there’s growing concern out there about the ability to track and predict failure against defined service level agreements (SLAs).  In general, I’m seeing most SLAs in our industry cleave to one or more of the following requirements:

1) Application Availability:  Did our service meet the 99.xxx% goal we set?  Most companies I’ve seen track this in minutes per month and year, and some track this by visibility to key customers.  For example, if the file transfer service was unexpectedly down at 3am but only 15 customers would have noticed, can we count it as an outage for only those 15?

2) Round-trip Response Time:  Does our service reliably return results from incoming submissions within X time?  This is big at data centers that self-identify as “item processors” or have an “EDI/transmissions” group.  This can also be further specified by class of customer or work (e.g., higher priority transactions) and time of day.

3) Expected Data Within Defined Transfer Window:  Did we receive (or send) the “right” files during the transmissions window from X:XX to Y:YY?  This one can be harder than it looks.  First, you often have “right files” definitions that have dependencies on control or summary files plus specific file formats, names and sizes.   Then there is the additional challenge of predicting which bundles are “running late” and the question of setting up warning alerts with 30 minutes or 15 minutes to go?

Even with these common requirements in the field, the nature of SLAs continues to evolve.   As we see additional trends develop we’ll continue to note them – please expect more information in the coming months.
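An added Python sketch of the third requirement (expected data within a defined transfer window), not taken from the post or from any product. The file names, sizes, times and the `check_window` helper are constructed for illustration; the control-file dependency and the 30- and 15-minute warnings follow the description above.

```python
from datetime import datetime, timedelta

# Constructed "right files" definition for one bundle (hypothetical names).
EXPECTED = [
    {"name": "orders.ctl",   "min_size": 1,   "needs": None},
    {"name": "orders_a.dat", "min_size": 100, "needs": "orders.ctl"},
    {"name": "orders_b.dat", "min_size": 100, "needs": "orders.ctl"},
]
WARN_AT = (timedelta(minutes=30), timedelta(minutes=15))

# Constructed window 01:00-03:00 and the arrivals seen so far.
WINDOW = (datetime(2010, 9, 1, 1, 0), datetime(2010, 9, 1, 3, 0))
RECEIVED = {
    "orders.ctl":   (20,   datetime(2010, 9, 1, 1, 10)),
    "orders_a.dat": (5000, datetime(2010, 9, 1, 1, 30)),
}

def check_window(expected, received, window, now):
    """received maps file name -> (size_bytes, arrival datetime).
    Returns (status, problems); status is OK, PENDING, WARN-30,
    WARN-15 or BREACH."""
    start, end = window
    in_window = {n: s for n, (s, t) in received.items() if start <= t <= end}
    problems = []
    for spec in expected:
        name = spec["name"]
        if name not in in_window:
            problems.append(f"{name}: not received in window")
        elif in_window[name] < spec["min_size"]:
            problems.append(f"{name}: {in_window[name]} bytes, too small")
        elif spec["needs"] and spec["needs"] not in in_window:
            problems.append(f"{name}: control file {spec['needs']} absent")
    if not problems:
        return "OK", problems
    remaining = end - now
    if remaining <= timedelta(0):
        return "BREACH", problems
    for threshold in sorted(WARN_AT):          # tightest threshold first
        if remaining <= threshold:
            return f"WARN-{int(threshold.total_seconds() // 60)}", problems
    return "PENDING", problems

if __name__ == "__main__":
    print(check_window(EXPECTED, RECEIVED, WINDOW, datetime(2010, 9, 1, 2, 35)))
```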

Let’s take a closer look at the perceived challenges of Managed File Transfer (MFT) that are identified on the Ziff Davis MFT survey.

A few related topics top the list:  “Finding the right MFT solution”, the “Cost”, including ongoing maintenance and future upgrades, as well as “Employee training”, including satisfaction and acceptance.

A lot has to do with the partner you choose to do business with, as well as the complexity of the MFT solution and its ease of use.  Take time to carefully research vendors and clearly understand the anticipated deployment timeline, required involvement and training of your IT staff, and if any professional services are needed.

You want a proven, reliable vendor that has a track record of successful long-term customer relationships and who is committed to bringing new technology to market as business needs continue to grow and evolve.  Let’s just say that not all MFT vendors are created equal…So choose carefully.

“Cost” is always a sensitive subject. But with so many MFT solutions varying in complexity, sophistication, scalability, deployment options, and price,  I strongly advise you to list key business requirements and make sure not to over (or under) purchase functionality.

For example, here at Ipswitch we offer a range of MFT solutions that span from basic secure file transfer products and services all the way to robust solutions proven to meet requirements for extreme volumes of data exchange with governance, data transformation and file life-cycle tracking.  Our solutions have proven to be fast to deploy and easy to use, resulting in rapid time-to-value that greatly exceeds other vendor solutions.

Lastly, consider the ROI and “risk avoidance” aspects of MFT from a security perspective alone (which is only part of the story).  In a recent blog post, I pointed out that the average cost of each compromised file is $204.  So go ahead and estimate how many pieces of sensitive files and data your company has…. Now multiply that by $204.  I’m sure you’ll agree that the ROI on the time and resources spent to protect company data is well worth the investment!

I just returned from the PCI Security Standards Council .  It was great to spend a couple of days talking tech and trends with other security experts.

The hottest trend this year in the payment security industry is “tokenization”.   This technology lifts credit card numbers from sets of data and replaces them with unique one-way tokens (e.g., “234cew23”) in the data instead.  The original credit card numbers are stored in a “secure token vault” and may only be retrieved by authorized people and processes who present another set of credentials (preferably two-factor credentials).

The reason businesses find tokenization compelling is because PCI requirements state that data sets with credit card numbers must be treated with more care than data sets without that information (e.g., just your name, expiration date, etc.).  The higher degree of care often translates into full encryption, good key management, regular key rotation and a host of other security controls.  All these extra controls cost money, so if businesses can ratchet down the sensitivity of their data with tokenization, they can enjoy cost savings by not having to implement (or audit) other security controls.

Anyone buying in at this stage would be an early adopter: the Council has not yet endorsed the use of this technology.  However, the Council has formed a working group to come up with specific guidance (e.g., are hashes OK, if so, which ones, are unique IDs OK, etc.), so some level of future acceptance seems likely.  So far the working group has only provided a definition of the technology (essentially, the one I provided above).   However, a draft recommendation from the Council with specifics is expected around the new year.
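The tokenization flow described above, as an added Python sketch that is not from the post or from the Council. The `TokenVault` API and the record layout are hypothetical, the caller-name check stands in for the separate (preferably two-factor) credentials, and random tokens are one possible choice among the token formats the working group was still deciding on.

```python
import re
import secrets

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for the secure token vault (hypothetical API)."""
    def __init__(self, authorized):
        self._by_pan, self._by_token = {}, {}
        self._authorized = set(authorized)
        self.audit = []                      # (caller, token, allowed)

    def tokenize(self, pan):
        if pan not in self._by_pan:
            # Random token: nothing about the PAN can be computed from it.
            token = "tok_" + secrets.token_hex(8)
            self._by_pan[pan], self._by_token[token] = token, pan
        return self._by_pan[pan]

    def detokenize(self, token, caller):
        allowed = caller in self._authorized
        self.audit.append((caller, token, allowed))
        if not allowed:
            raise PermissionError(f"{caller} may not read the vault")
        return self._by_token[token]

def tokenize_text(text, vault):
    """Replace every Luhn-valid card number in text with its token."""
    def swap(match):
        digits = re.sub(r"[ -]", "", match.group())
        return vault.tokenize(digits) if luhn_ok(digits) else match.group()
    return PAN_RE.sub(swap, text)

# Constructed record; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = "name=J. Doe;pan=4111 1111 1111 1111;exp=12/12;order=1234567890123"

if __name__ == "__main__":
    print(tokenize_text(SAMPLE, TokenVault(authorized={"settlement-batch"})))
```

The order number is left alone because it fails the Luhn check, and every vault read, allowed or refused, lands in the audit list.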

We’re two months into ownership of MessageWay and leading the organization through its second acquisition integration has been fun and challenging. It’s especially nice when we can announce a milestone in the integration process, and that will be coming soon with the release of a “translation connector” existing MOVEit Central customers can use to access the translation capabilities we acquired in the MessageWay software.

Development on the necessary integration components has wrapped up and the package has entered QA.  If you’re interested in a sneak preview, please contact your sales representative for a demonstration.  The screenshot below is from one such demo…

“We are sorry for any concern we are causing anyone at this time.”

It’s pretty certain that those are 13 words that no CEO ever wants to have to say. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that some computer files containing the personal information of about 800,000 people might have been misplaced or possibly lost or maybe even stolen.

We’re talking about information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits … just to name a few pieces of personal information, you get the picture.

800,000 records. 800,000 reasons why Managed File Transfer is important. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that somewhere in the process of these 800,000 records being shipped to a contractor to be destroyed, and actually getting to the contractor to be destroyed they disappeared.

Boston.com has some information worth reading.

Forgive the obvious Ipswitch plug here, but c’mon, any one of these solutions could help any CEO avoid having to say those 13 words.

So, that’s today’s 800,000 reasons why MFT is important, and how to avoid those 13 words. As a special bonus for you, here’s 7 words you’d surely like to steer clear of:

“We are still searching for those files.”

Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

In a July 1, 2010 Register article entitled “the cloud’s impact on security“, Tony Lock provides a definition of “Cloud Escrow”:

“…if you are using external cloud resources, look at how the data and any intellectual property invested in the processing engines employed to manipulate data can be moved to other third party cloud providers, or back into the enterprise, if you need to do that. You could call this ‘Cloud Escrow’.”

This is exactly the benefit you enjoy today by selecting either a MOVEit DMZ on-premise or MOVEit DMZ Hosted Services solution.  We can migrate your data into our SaaS environment, we can migrate your data into your private data center.  It’s the same application but you choose what deployment model is best for your business.

As part of our acquisition of MessageWay Solutions I had the chance to sit down and talk with Architect Bob Cheal.  One of the things I didn’t expect to hear over dinner was our common roots in technology from Burroughs, a key mainframe middleware player in the late 1980s and 1990s, and technology through which much early EDI traffic flowed.

Standard Networks, the company I was acquired into Ipswitch with, got its start developing front-end processors (FEPs) to handle heavy transaction loads to Unisys mainframes and its (often) banking applications.  MessageWay Solutions, our newest acquisition, also had FEP roots in the HP (aka Tandem) NonStop systems.  Both companies’ technical experience in those markets drew directly from Burroughs and its focus on high uptime, accuracy and throughput.

From there Standard Networks’ MOVEit brand specialized in data transmission security, working its way into Fortune 50 enterprise deployments by providing solid answers to security and regulatory challenges.  MessageWay Solutions specialized in high volume/high performance B2B communications and data translation supporting a wide array of data formats  in the banking, healthcare and supply chain markets, working its way into Fortune 50 enterprise deployments by providing solid answers to governance challenges around file lifecycle and performance challenges on open platforms.

With acquisitions of both companies now complete, Ipswitch now has a potent combination of technologies and high-volume, mission-critical experience whose institutional memory stretches back to the 1980’s and beyond.  As our product portfolio evolves, we will be combining these capabilities to provide new and innovative solutions to our existing customers and to the MFT market place, as well as accelerating the development of certain core components that will extend our existing product capabilities to meet the ever changing needs of our customers.

Stay tuned and in touch with your account representatives for more information on this front, or to find out how our recent acquisition of MessageWay can help address your EDI, transformation or multi-platform challenges today.

Today the PCI Security Standards Council will announce that its three main publications will switch to a synchronized three year cycle.   There will still be a new PCI DSS coming out this October, but the next one will not come out until fall 2013.

This shows that the payment card industry, lately seen as a security leader in the financial space, is generally happy with its efforts to define what an appropriately secured and managed environment ought to be and expects future changes to come more slowly than they have in the past.

Over the weekend support manager Kevan Bard and his operations team successfully upgraded Ipswitch File Transfer’s MOVEit DMZ Hosted Services (that’s MOVEit DMZ software as a service) to version 7.0.  There were two highly-available setups one thousand files apart involved in the upgrade, and a significant banking customer on this infrastructure (with just over 500 users and 35GB online) was moved between data centers at the same time.

The upgrade/migration of these systems and their thousands of active users was one of Ipswitch’s more complex operating challenges in recent years and was planned, tested, staged and executed with a high degree of success.  If your data deserves the white-glove treatment too, rest assured that the right people are in place to support your technology, whether on-premises or in one of our SaaS offerings.

Word of today’s public announcement that Ipswitch has acquired MessageWay Solutions is already starting to spread, and fast.  Whether you’re an Ipswitch customer or employee, industry expert, or just learning about the Managed File Transfer space one thing is clear – The MFT industry is evolving and growing worldwide, both in strategic importance and pure volume.

We’ve seen greater emphasis on managing and controlling file processing behind the firewall…. And witnessed customers and prospects describing their need for an MFT solution that includes some B2B and EDI attributes.

Ipswitch’s acquisition of MessageWay creates the industry’s most powerful and complete suite of Managed File Transfer solutions with robust, highly scalable advanced file services that continues where MFT has traditionally left off – at the edge of the network.
