Managed File Transfer: The Need for a Strategic Approach
Introduction
The exchange of goods and services defines trading partner relationships, but the
exchange of information makes it happen. Simply passing data back and forth can be
complex enough when dealing with hundreds or possibly thousands of trading
partners, but the issues that companies must deal with extend beyond the mechanics of
transferring data from one place to another.
When considering the need to exchange information with trading partners, structured
transactions (orders, acknowledgements, shipping notices, invoices and so on) first come
to mind. Entrenched protocols, such as EDI, deal well with this structured data, but the
requirements don't stop there. Business relationships often rely on complex documents
(contracts, product specifications, blueprints, 401K plans, etc.) that don't fit neatly into
standard inter-business transactions.
Various transport mechanisms, such as email, instant messaging and FTP, have been used
to share these types of files between and within companies, but the traditional
communication methods suffer from glaring security, manageability and auditing gaps. In a
business environment governed by increasingly stringent regulations and consumer
demands for privacy, bridging those gaps, while still ensuring the necessary flow of
information among trading partners and within the organization, has become critically
important. In addition to examining these business requirements, this white paper discusses
a way to fulfill them that usually goes by the name of Managed File Transfer (MFT).
The topics included in this whitepaper are:
- More Data + More Regulations + More Partners = More Challenges
- The Evolution of File Transfer
- Comprehensive, Controlled, Centralized Information Exchange
- Leveraging the Trading Hub
More Data + More Regulations + More Partners = More Challenges
The nature and volume of the business data transferred
between trading partners and within the organization is
changing. For one thing, companies recognize that the old
paper-based information transport processes were slow
and error-prone. Electronic data interchange (EDI)
resolved some of these issues, but only for the structured
data included in standard EDI transactions.
Yet, much of the information that passes between trading
partners and between departments and geographically
dispersed departments within the organization, such as
contracts, product photos, legal documents, financial
statements and so on, is unstructured. At one time, the
post office or a courier was the primary mover of this type
of information. However, just as companies have, in the
interest of speed and efficiency, moved and are continuing
to move to make transactions all-electronic, they are now
also transferring larger, unstructured documents digitally.
Not only is the nature of data evolving, but the number and variety of people with whom
companies exchange information is also changing. For example, to achieve economies,
many companies outsource processes that they used to perform in-house. Furthermore,
thanks to globalization, these suppliers may now be much farther afield. For instance,
companies that used to reduce the complexity of their supply chain management processes
by depending primarily on local suppliers might now strive to minimize expenditures by
using low-cost suppliers on the other side of the planet.
The challenges arising from the growing number and size
of electronically transmitted files and the expanding
number and dispersal of the people with whom those files
are exchanged are compounded by the demands of
prudent business practices. Unlike the information content
in, say, an individual sales order or a shipping notice, the
information in a rich media file containing, for example, a
blueprint or a strategic plan, may contain intellectual
property of an exceptionally high value. As such, securing
those files, whether they reside on an internal corporate
disk drive, they are in transit between employees in
different locations or they are being sent to trusted trading
partners, is a critical requirement.
The importance of securing electronic documents cannot
be overstated. According to a BusinessWeek article, 80
percent of an organization's intellectual property is
typically contained in digital assets. Thus, the threat is
enormous. What's more, the cost of failing to secure this
intellectual property is real and equally large. The same article states that more than $50
billion worth of intellectual property is lost every year.
Prudent business practices demand the securing of key digital assets and the ability to audit
the exchange of those assets both within the company and externally. Increasingly,
regulations demand the same thing, and more. Examples abound. The Sarbanes-Oxley Act
(SOX) requires trading partner certification, data center validation and information
transparency auditing. The Health Insurance Portability and
Accountability Act (HIPAA) insists on the stringent
protection of health information privacy. And the
Gramm-Leach-Bliley Act (GLBA) dictates that the privacy of individuals'
financial information must be protected.
Due to the advent of these rigorous regulations, companies
must now not only follow good information management
practices, they must also be able to prove that they have
done so. For example, they need to be able to prove that
they did, indeed, send information that was legally required
to be sent to a government body or trading partner; they
need to be able to prove that they protected that
information while it was stored internally or in transit; and
they need to be able to prove that they have the means to
recover information that is lost or accidentally destroyed.
The regulatory burden on the IT department is not likely to
become any lighter in the immediate future. A May 2006
Gartner, Inc. report titled What IT Managers Should Do
About Compliance states that there is a 70% probability
that the number of regulations directly affecting IT
operations will double by 2012.
Coincident with the increase in the volume of regulations, the nature of information that
companies are required to make available when they are involved in a legal suit is broad
and expanding. According to a May 2007 AMR Research, Inc. report titled New Federal Rules
of Civil Procedure: Reducing Your Risk, "The new rules make electronic information that
anyone in the organization produces, shares, collects or communicates, or any trace or
artifact of that communication discoverable as evidence in lawsuits. Any distinction between
a 'record' and 'information' is quickly disappearing, as is any excuse for failing to provide it
to the courts when called upon."
The legal risk for most organizations is high. According to The Radicati Group, a technology
market research firm, 80% of content exchange is unmanaged and represents a compliance
risk. Yet, the need for regulatory and legal compliance is now widely recognized. According
to a report by Ernst & Young, 56% of organizations are driving information security
strategies and investments based on compliance requirements. If anything, it is surprising
that this number is not higher as the fines and legal fees attached to noncompliance can be
millions of dollars per incident.
The Evolution of File Transfer
The electronic exchange of large files is not new, but the methods have evolved over the
years. While standards have evolved to ensure that data exchanged in discrete, well defined
transactions are, as business and regulatory requirements demand, secure, auditable and
private, the same is typically not true for the exchange of large, unstructured data files. In
addition, as the volume of these types of exchanges grows, the question of the scalability of
the exchange processes becomes a critical issue.
Email
At first, email was the primary transport mechanism, with large files being sent as
attachments. While still a popular medium for file transfer, email suffers from a number of
liabilities when put to this purpose, including problems related to security, reliability and
traceability.
In the area of security, email encryption exists, but its use is not yet widespread. What's
more, it is often left to senders to specify that a particular email is to be encrypted, leaving
email and their attachments vulnerable to a careless or forgetful employee.
Even when it is secure, email delivery of large files is not reliable. A small percentage of
email disappears without a trace because of technical glitches along the way. Other email
messages don't end up in the intended recipient's inbox because they were misaddressed.
And an even greater number of emails with attachments get blocked because they aren't
allowed through the company's firewall.
There are a number of reasons why an administrator might block emails with large
attachments. For one, the usual method of attaching files to an email, MIME, is very
inefficient. A MIME attachment is typically much larger than the raw file being attached.
Hence, an administrator might bar large attachments to enforce the use of more efficient
means of file transfers.
Large attachments might also be blocked in order to discourage the sharing of videos and
pictures that are not business-related, a practice that hogs considerable bandwidth as the
frivolous attachments pass from the Internet and into the company's internal networks.
In addition, administrators often block large attachments for security reasons: Email
attachments are one of the most common carriers of viruses.
For all of these reasons, the deliverability of large files via email is far from assured. That
raises the final issue: traceability. Some regulations, such as SOX, make it important to be
able to prove that certain types of information were sent to the required corporate
executives and/or regulators in order to defend the company's actions should the need
arise. This proof is normally not available when using email. You can show that the
message and the attached file are in your sent emails folder but, unless the recipient opens
the message and sends an automated or manual receipt acknowledgement, there is no way
to prove that delivery was successful.
As reported in a July 2007 research report titled Revisiting the Managed File Transfer Market
and Vendors That Support It, Gartner, Inc. sees a decline of the use of email as a file
transport mechanism in the future. The report states that there is an 80% probability that
by 2010 40% of companies now using email will switch to alternative means for sending
attachments of any size.
Instant Messaging (IM)
To overcome the restrictions that administrators have placed on email attachments, some
people use IM to exchange files. In many respects, this makes matters even worse.
Reliability is improved because the sender and receiver are connected in real-time and,
therefore, the sender can immediately resend a file that does not arrive successfully, but IM
is even weaker than email in the areas of security and traceability.
In addition, the fact that sender and receiver can immediately verify that the file was
received might be a benefit, but it also points to a drawback of IM: To initiate the transfer,
the sender and receiver must both be online simultaneously with an IM connection
initiated before the file can be sent.
File Transfer Protocol (FTP)
FTP has, for the most part, become the method of choice for transferring large files. There
are a number of reasons for this, including the following:
- Files transmitted via FTP are smaller than when the same file is sent as a MIME
email attachment.
- It is possible to verify whether the file made it into the recipient's FTP server.
- Although its use is far from universal, FTP over SSL provides a high level of security.
- It is reasonably easy to automate file transfers through the use of FTP scripts.
Despite being a significant step up from email and IM, FTP is still not optimal. For one thing,
traceability extends only so far. You can check that the file made it onto the recipient's FTP
server, but there is no way to verify that the intended recipient downloaded it from the
server. Furthermore, there is no audit trail of file usage that you can refer to should
regulatory issues arise.
Another problem with FTP is that it doesn't inherently guarantee delivery. If a file transfer
fails, the FTP process does not automatically restart at the point of failure. Checking that
the file successfully arrived on the FTP server and reinitiating the transfer if it didn't is,
therefore, primarily a manual process.
Third-Party Solutions
The next stage in the evolution of file transfer was third-party providers. These firms were
agents that handled personal and sensitive data, offering the security appropriate to such
data, while also managing access control and data visibility issues. This approach usually
eliminates the problems inherent with the earlier, unmanaged file transfer methods, but it
normally does not address the full spectrum of information that is exchanged among trading
partners.
Internal Solutions
A parallel track to third-party solutions was file transfer programs developed in-house
by the IT department. They tended to solve the same problems that third-party
solutions solved, but they had the same drawback of typically not being comprehensive.
Furthermore, developing, monitoring, managing and maintaining an internal solution
necessitates the hiring or training of skills that may not otherwise be needed by the
organization. The required skills are extensive because the in-house developers must
address all of the critical issues discussed in the More Data + More Regulations + More
Partners = More Challenges section above and illustrated below.
As noted above, all of the traditional file transfer
methods suffer shortcomings, shortcomings that have
been magnified in today's more regulated industries
and more complex trading partner communities.
Because of these liabilities, a next-generation file
transfer technology is required to handle large file
sizes, growing classes of data, larger trading partner
communities and ever-changing security and
compliance requirements. These next generation
facilities most often go by the name of Managed File
Transfer (MFT).
It should be noted that MFT is more than just secure
document exchange. An April 2005 Gartner, Inc.
report titled Managed File Transfer Suites: Technology
Overview identifies the primary difference between
the two: "While 'secure file transfer' solutions are
adequate for some data transmissions, MFT suites
address security protections, but also tackle a
company's internal and external auditability,
accountability and data control requirements."
Comprehensive, Controlled, Centralized Information Exchange
The optimal MFT solution is not hardware, software
nor networks. It is a combination of all three along
with an overarching strategy that encompasses all of
the organization's information flows. The ultimate goal
is information flows that are tightly managed to
provide the required security, privacy and auditing
capabilities, while also being transparent to end users.
The practical result is a highly productive
community of trading partners that benefit from the
seamless transfer of information as an inherent
byproduct of the community's business activities. This
objective can be achieved only through the
implementation of a managed, centralized trading
hub.
If a centralized information exchange facility is not
already a part of your business community
management efforts, it should be, because the more
disjointed alternatives are cumbersome, inefficient,
unreliable, insecure, lacking in audit capabilities or a
combination of two or more of these attributes.
An effective centralized business-to-business
information gateway manages the secure exchange of
documents, reconciles differing communication
protocols, synchronizes necessary information among trading partners and streamlines the
exchange of information inside and outside the organization.
An optimal centralized MFT facility will offer the following:
- Security: The MFT facility should secure data within the organization and in transit,
protect the privacy and integrity of consumer data, provide multiple levels of
encryption, and support all common security protocols.
- Central Point of Control: A single solution, with a single point of control, should
manage all file transfer processes for the entire enterprise through to the DMZ.
- Compliance: The MFT facility should provide the auditing and control facilities
necessary to meet the requirements of: Sarbanes-Oxley 404, internal auditing
standards and the organization's contractual and regulatory obligations. It does this
by providing: identity management; process workflow automation; an audit trail for
all transactions, including a record of who accessed which documents, when they
were accessed, and where they were accessed; and archives and journals that are
readily available whenever needed to respond to legal issues.
- Visibility, Control and Access: The MFT facility should make all relevant
information (structured and unstructured) easily visible to everyone who needs it,
but only to those who need it.
- Reliability: The MFT facility should provide checkpoint/restart functionality so that
transmissions can be restarted (preferably automatically) should they be interrupted
as a result of an operator error or a hardware, software or network failure.
- Scalability: Your centralized MFT facility must be capable of growing with your
business. This includes supporting all future growth in the number and variety of
trading partners, file sizes, file types and traffic volumes.
- Support: Once an MFT solution is adopted, many of your business processes will
succeed or fail based on its success. The MFT facility should, therefore, be a proven
solution that is fully supported and maintained. It must also be upgraded regularly to
provide new features and to support new protocols as they become available.
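The FTP weakness described earlier (a failed transfer does not restart at the point of failure) and the checkpoint/restart requirement in the Reliability item above can be made concrete with a short sketch. This is an added example, not code from the white paper or from any Inovis product; the names `transfer`, `resume_point`, `drop_after`, the checkpoint file layout and the 64 KiB chunk size are assumptions, and the sample file is constructed.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024  # checkpoint granularity (assumed value)

class LinkDropped(Exception):
    """Simulated mid-transfer interruption."""

def hash_prefix(path, length=None):
    """SHA-256 object over the first `length` bytes (whole file if None); reads into memory."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length))

def resume_point(dst, ckpt):
    """Trust a checkpoint only if the bytes already received still match its digest."""
    try:
        with open(ckpt) as f:
            state = json.load(f)
        offset = state["offset"]
        if isinstance(offset, int) and 0 <= offset <= os.path.getsize(dst):
            h = hash_prefix(dst, offset)
            if h.hexdigest() == state["prefix_sha256"]:
                return offset, h
    except (OSError, ValueError, KeyError, TypeError):
        pass
    return 0, hashlib.sha256()  # no usable checkpoint: start from byte 0

def transfer(src, dst, ckpt, drop_after=None):
    """Send src to dst in chunks; return the number of bytes sent by this attempt."""
    offset, h = resume_point(dst, ckpt)
    sent = 0
    with open(src, "rb") as fin, open(dst, "r+b" if offset else "wb") as fout:
        fin.seek(offset)
        fout.seek(offset)
        fout.truncate()  # drop bytes written after the last checkpoint
        while block := fin.read(CHUNK):
            if drop_after is not None and sent >= drop_after:
                raise LinkDropped(f"link dropped at offset {offset}")
            fout.write(block)
            fout.flush()
            h.update(block)
            offset, sent = offset + len(block), sent + len(block)
            with open(ckpt + ".tmp", "w") as f:
                json.dump({"offset": offset, "prefix_sha256": h.hexdigest()}, f)
            os.replace(ckpt + ".tmp", ckpt)  # atomic checkpoint update
    if h.hexdigest() != hash_prefix(src).hexdigest():  # end-to-end check before acknowledging
        raise ValueError("digest mismatch: delivery not acknowledged")
    if os.path.exists(ckpt):
        os.remove(ckpt)
    return sent

def demo():
    """Constructed scenario: 300 KiB file, a dropped link, then a tampered partial file."""
    with tempfile.TemporaryDirectory() as d:
        src, dst, ckpt = (os.path.join(d, n) for n in ("src.bin", "dst.bin", "dst.ckpt"))
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 1200)
        results = []
        for tamper in (False, True):
            try:
                transfer(src, dst, ckpt, drop_after=2 * CHUNK)
            except LinkDropped:
                pass
            if tamper:
                with open(dst, "r+b") as f:
                    f.write(b"\xff")  # partial file altered while the link was down
            results.append(transfer(src, dst, ckpt))
        return results, hash_prefix(dst).digest() == hash_prefix(src).digest()
```

After a clean interruption only the missing tail is resent; when the partial file no longer matches the checkpoint digest, the whole file is resent rather than resuming on top of altered data.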
Leveraging the Trading Hub
The good news is that if you already use a centralized trading hub for exchanging
transaction data using, for example, EDI, you may have the basic building blocks for a
centralized MFT facility. And because employees and trading partners are already familiar
with its use and your systems are already linked to it, the trading hub is the most efficient
and effective place for MFT functionality.
Better yet, if the hub (which typically has security, control, monitoring and auditing facilities
built into the core technology) is capable of moving large files securely, it may simply be a
matter of starting to use the facility.
Questions to Ask MFT Suppliers
There are similarities among the various MFT solutions available on the market, but there
are also many important differences. When evaluating MFT suppliers ask for answers to the
following questions about their solution:
- Does it include an easy-to-use graphical interface that can be used to configure and
administer user profiles?
- Does it simplify administration with automated wizards that can assist with user access
control?
- Does it offer flexible security protocol support that can accommodate all types and
sizes of files and partners? And, is the security of the product certified by an
independent evaluator such as Drummond?
- Does it offer automated checkpoint and recovery facilities to optimize the reliability of
the MFT processes, with mid-file recovery facilities that can reduce bandwidth
requirements by eliminating the need to resend whole files after a transmission
interruption?
- Does it provide automated compliance reports for each business partner?
About Inovis
Inovis is a leading provider of on-demand Business Community Management solutions that
empower companies to transact, collaborate and optimize communications with their entire
trading community. By standardizing and automating mission-critical business interactions,
companies can dramatically reduce the complexity and cost of supply chain communication.
This foundation of high-quality, reliable and secure connectivity provides real-time visibility
across the order-to-payment lifecycle. The resulting actionable intelligence enables users to
proactively address supply chain issues before they impact profitability, shortening cycle
times, improving productivity and increasing customer satisfaction.
With more than 20 years of expertise, Inovis delivers its products and services to more than
20,000 companies over a wide range of industries and markets across the globe.
Inovis' BizManager B2B gateway solution includes secure document management exchange
capabilities along with its standard transaction exchange management features. Whether
you're sending personnel information, sensitive CAD drawings, EDI documents, payroll
information, intellectual property or other sensitive data, BizManager will ensure your
documents are transmitted securely and efficiently. It will also provide the auditable
tracking information you need for any regulatory compliance questions. Web-based, it
leverages the latest industry standards and provides for direct, secure document exchange.
It can also reduce the time, cost and effort of fulfilling electronic communication
requirements.
Inovis Global Headquarters
11720 AmberPark Drive
Alpharetta, GA 30004
USA
Main +1 404.467.3000
Toll-free +1 877.446.6847
Fax +1 404.467.3730
Email: info@inovis.com
Website: www.inovis.com