Managed File Transfer

,

Managed File Transfer (MFT)

In simplest terms, Managed File Transfer (MFT) refers to software and hardware technologies that enable "secure and reliable exchange of documents between organizations." [Schroth, C: "Loosening the Hierarchy of Cross-Company Electronic Collaboration", page 573, "Information Systems and e-Business Technologies: 2nd International United Information Systems Conference, UNISCON 2008, Klagenfurt, Austria, April 2008, Proceedings", Kaschek, R et al., Eds., Springer-Verlag Berlin Heidelberg, 2008.] In broader terms, Managed File Transfer "suites" enable organizations to automate, manage and secure the exchange of large volumes of data between two or more entities, including applications and operating systems. [Kenney, LF: "Managed File Transfer Suites: Technology Overview", page 3, Gartner Research Publication ID Number G00127191, 8 April, 2005.] The majority of these technologies are based on established FTP protocols, re-architected to deliver varying measures of security, control and reporting features.

Background

From its inception on top of TCP/IP in 1980, the File Transfer Protocol (FTP) has allowed companies to move large volumes of bulk data between any two entities, including file servers, applications and trading partners. However, FTP (and other communication protocols such as HTTP and SMTP) do not, on their own, provide a way to secure or manage the payload or the transmission. Yet regardless of the lack of security and management capabilities, many companies have continued to transport large batches of structured and unstructured data "in the clear" using these protocols. But this practice is changing. According to Gartner Research: "Numerous factors cause companies to re-examine how they manage the movement of information from system to system, partner to partner and person to person. FTP alone is not a viable option to give [organizations] the insight, security, performance and, ultimately, the risk mitigation necessary to "responsibly conduct business"." [Kenney, LF et al.: "Magic Quadrant for Managed File Transfer", page 2, Gartner Research Publication ID Number G00157614, 23 June, 2008.]

In the highly regulated financial, healthcare, telecom, and government sectors, the need to transmit large volumes of sensitive data and remain in legal and corporate compliance has spurred the development of a range of MFT technologies. And as data-exchange methods in these sectors have become the model for best practices across industries, many types of organizations are investing in MFT technologies in order to spur business productivity, enhance data security, automate and manage bulk data exchange, and ensure regulatory compliance. Gartner's most recent analysis of top Managed File Transfer providers places vendors Axway and Tumbleweed Communications in the Leaders Quadrant.

Characteristics

MFT technologies enable companies to secure and manage all aspects of data exchange between any two entities, including transfer of data between an organization and its customers or partners, and exchange of high value or sensitive data such as financial instruments, purchase orders, confidential customer information, and various types of intellectual property. According to a recent article in "eWeek Magazine":

Businesses that need to securely transmit timely and proprietary data need to execute a straightforward security strategy. Here are a few important steps to implementing this strategy:

1) Deploy a top-notch MFT infrastructure and be sure it does what it says it can do.
2) Customize the solution to meet your unique business needs, and then stay on top of upgrades.
3) Embed your MFT infrastructure at a level of transparency that makes it the fabric through which all essential data must travel.

The right solution will be robust and straightforward to implement and own. It will be able to function as the "invisible axis" of your organization's business-critical data exchange. [Foley, M: [http://www.eweek.com/c/a/Knowledge-Center/How-We-Bank-on-Transparent-ManagedFile-Transfer-at-New-York-Life/ "How We Bank On Transparent Managed File Transfer at New York Life"] , "eWeek Magazine", 19 May, 2008.]

Applications supported by MFT products are typically mission-critical to the enterprise, and as a result must meet complex requirements across the following categories:

Secure Communications. Solid MFT offerings offer a range of commonly used protocols and technologies for transporting and ensuring the authentication, privacy, non-repudiation and authorization of data between two or more entities. Encryption protocols commonly supported include HTTPS (SSL), secure FTP/s (RFC 2228), AS2 (S/MIME), and SSH. Some of the security issues that must be addressed by MFT technologies include:
• Support for multiple encryption protocols
• Support for multiple transport protocols
• Secure deployment in DMZ environments and across multiple firewalls
• Support of enterprise authentication and access control systems

Enterprise Relationship Management. For companies seeking to monitor and control data throughout the file transfer process — as well as manage and support multiple file transfer applications across departments and between organizations — management requirements include some or all of the following:
• Functionality that can manage multiple file transfer “applications”
• Functionality that can manage the profiles of the sending and receiving parties
• Functionality that can analyze, track and report any attributes of the data being transferred
• Functionality that ensures compliance with regulatory and corporate mandates such as [http://www.hhs.gov/ocr/hipaa/ HIPAA] , SOX, [http://64.233.169.104/search?q=cache:C9-lFGUkT0gJ:www.occ.treas.gov/ftp/bulletin/2001-35a.pdf+GLBA+compliance&hl=en&ct=clnk&cd=5&gl=us GLBA] , and [http://www.pcicomplianceguide.org/aboutpcicompliance.html PCI]
• Functionality that supports automation of file transfers
• Checkpoint/restart capability that enables file transfer to be resumed if a transfer is interrupted, rather than restarting the transfer from the beginning
• Integration functionality to automate transfer of data into or out of an enterprise’s back office applications

Multi-Enterprise Capabilities. MFT products are intended to support mission-critical businessapplications within and between organizations — in the banking industry, for instance, this might be electronic funds transfers (ACH and SWIFT); in the insurance industry, claims or enrollment processing; in federal and state government, electronic regulatory filings. Whatever the industry, reliable deployment and scalability are key, including:
• High availability and load-balanced deployments
• Automation at both client and server ends
• Integration with existing legacy systems, middleware, and networks
• Comprehensive logging and auditing
• Broad platform/operating system support across both client and server platforms
• Support for open standard protocols and clients

Technical Considerations

Technical evaluation criteria for organizations looking to adopt a Managed File Transfer solution include:
• File Transfer Functionality — manual file transfer, automated and scheduled file transfer, folder monitoring, guaranteed delivery, mid-file recovery, file integrity checking (MD5 hash, CRC), compressed transfers, antivirus scanning, email notification of transfer failure.
• Multiple Transport Protocols — FTP, FTP/S, HTTP, HTTPS, AS2, SSH, proprietary protocols.
• Security — SSL encryption (HTTPS, FTP/SSL), S/MIME encryption (AS2), SSH2 encryption (SSH, SFTP), PGP encryption, application proxy with data streaming across the DMZ, support for multi-tiered security architectures, repository encryption, firewall-friendly protocol options, ability to use non-standard I/O ports for added security, hardened appliance platform, FIPS-140 security certifications.
• Authentication and Access Control — userid/password, digital certificates, smartcard-based authentication, built-in user management, enterprise authentication via Active Directory and LDAP, extensible authentication framework, role- and policy-based access controls, resource-based access control for documents and directories.
• Management, Administration, and Auditability — secure remote administration via a Web-based console, command line interface, admin dashboard, access and error logging, transfer logging, logging for all event-driven processing, client-side logs for access, transfers, and errors, server usage monitor, views into historical and scheduled transfers, support for ad-hoc reporting, ability to define/manage different classes of users, signed audit records (MDN receipts).
• Integration and Automation — file routing, email notifications, event-driven pre- and post-processing, custom scripting/agents, custom file routing and transformation actions, custom error handling, event-driven APIs for back-end integration, messaging via SOAP, messaging via IBM MQ-based event notifications.
• Multiple Deployment Architectures — single-box server, load balanced across multiple servers, failover, high availability, clustered, two-tier security architectures, multi-tier security architectures.
• Multiple Platforms — server appliance, Windows, Linux, Solaris, AIX, and other platforms.

References