The Challenges of Moving Information Securely How to move information securely, reliably and affordably while avoiding the expensive headaches of building and operating an internal file-transfer infrastructure. Inovis White Paper May 2009 www.inovis.com 2009 Inovis, Inc. Page 1
The Challenges of Moving Information Securely It's a given that every enterprise today must be able to move information around, both internally and with other companies. That process is relatively fast and simple when the information is in the form of structured transactions such as orders, shipping notices and invoices. Increasingly, however, the information is contained in complex, often enormous files such as blueprints, media content and product specifications, none of which fits neatly into standard interbusiness transactions. The size and complexity of those files, plus corporate obligations to comply with stringent data-privacy regulations, demand a file-transfer solution that is secure, reliable and easily managed. Equally important, a managed-file-transfer (MFT) solution, if it is to be truly effective, must offer maximum visibility, that is, it must be able to show on demand every aspect of every file's journey from origin to destination. It also must offer onboarding, the ability to handle, quickly and easily, an ever-expanding pool of authorized users, and it must support a broad range of communications protocols. On top of all this, it must save the company money and time, relative to alternative file-transfer solutions. This white paper describes an innovative and comprehensive approach to the many challenges of transferring files: MFT as a Service. A flexible, shared-service solution, MFT as a Service enables companies to move information securely, reliably and affordably while avoiding the expensive headaches of building and operating their own filetransfer infrastructures. FTP alone is not a viable option to give you the insight, security, performance and, ultimately, the risk mitigation necessary to responsibly conduct business. - Gartner, Inc., 2008 The Make or Buy? MFT Decision MFT basically is the next generation of file transfer protocol (FTP) capabilities, and that evolution is critical because today's business requirements clearly demand more security and control than FTP can deliver. As Gartner analysts L. Frank Kenney and James Lennard put it in their June 2008 research note Magic Quadrant for Managed File Transfer, FTP alone "is not a viable option to give you the insight, security, performance and, ultimately, the risk mitigation necessary to responsibly conduct business." 1 To obtain a solution that provides all the MFT functionalities required in the current business environment, a company has two choices: it can build the solution itself, or it can buy a managed MFT service from a provider. In making that decision, company executives must consider several factors. 1 Gartner, Inc., Magic Quadrant for Managed File Transfer, 2008 2009 Inovis, Inc. Page 1
A Do-It-Yourself MFT Solution is One Possibility An enterprise organization that opts to construct its own MFT solution must select, buy, assemble, operate, maintain and update the various components needed to deliver the required functions. Basic building blocks of an effective MFT solution: A data center - Hosting mission-critical servers and computer systems, the data center should be designed with fault-tolerance for network storage, environmental management systems and the security infrastructure. The necessary software/intellectual property - This infrastructure, deployed behind the corporate firewall, must be capable of onboarding users; scaling to accommodate readily an ever-expanding pool of users; and adapting quickly to a diversity of protocols and protocol changes, including encryption. To provide visibility into the application itself, it also must be able to capture all information related to file transfers, along with reporting, auditability and governance features. Do We Really Want to Go that Way? When a company opts to build its own solution to the MFT challenge, that means the IT department, in addition to its regular responsibilities, now must build the data center(s); install the software; maintain the servers and software; and then offer front-end MFT service to authorized users. IT staff members also have to build and run the MFT solution in such a way as to give users maximum visibility into the application--a requirement that is extremely difficult to satisfy with a company-built solution. So, when deciding whether to take this do-it-yourself route to MFT, company executives must ask themselves four basic questions: 1. Does the company have--or can it put in place--those necessary MFT building blocks? 2. Does the company want to take on the significant capital and operating expenditures incurred in licensing and maintaining the required infrastructure--the software and intellectual property? 3. Can the company achieve as much long-term value as it can with an outsourced service solution? and 4. Does building and running an MFT application fall within the company's core competency? 2009 Inovis, Inc. Page 2
It makes more economic sense to turn over to an experienced provider the costs and responsibilities for file transfer processes. Buy an MFT-as-a-Service Solution While some companies have decided to put together their own inhouse MFT solutions, more and more leading businesses now are choosing to obtain MFT as a Service from a provider that specializes in delivering shared services. They have decided that it makes more economic and operational sense for them to turn over to an experienced provider the costs and responsibilities for file transfer processes. They prefer to leverage for their own benefits all the value inherent with that service provider's existing infrastructure, software/intellectual property and deep-visibility tools. That value, in the form of a comprehensive service, translates into security, reliability, regulatory compliance--and the avoidance of all the costs and headaches that come with a homegrown MFT solution. How to Choose an MFT Service Provider When it comes to selecting an outside provider of MFT as a Service, leading business organizations look for a partner that can eliminate the multiple systems, manual processes, complexities and costs of an inhouse MFT solution. They want a provider that offers a purpose-built MFT-as-a-Service platform, not one that merely re-markets its valueadded network. Specifically, if they are to entrust the transfer of their files--and the associated security and regulatory responsibilities--to someone other than their own people, that someone must bring to the table a proven track record in five critical areas. The Five Must-Haves for Providers of MFT as a Service Communications Connectivity If a service provider is to deliver the kind of MFT as a Service that business organizations demand, it clearly must have a flexible communications infrastructure. That means a "Swiss Army Knife, I- can-connect-anything-to-anything" capability, including support for any-protocol-to-any protocol communications and any encryption technique. Visibility As mentioned earlier, visibility involves capturing all the relevant information about a given file transfer and presenting it to users. With such in-depth visibility, users can determine at any time the status of a given file transfer: What is its originating location? What is its destination location? Did it arrive? If not, where is it now? Did it fail somewhere along the way? If it did fail, what is the current state of the file--corrupted, still valid, or backed up in a queue? With this kind of 2009 Inovis, Inc. Page 3
visibility, users can, if necessary, respond immediately, for example, by re-sending a failed file. A crucial aspect of visibility is auditability. With access to all information about the transfer of any file, a company can readily demonstrate everything that occurred with the file as it traveled from point A to B. Another crucial aspect of visibility is governmental/corporate auditability. With access to all information about the transfer of any file, a company can readily demonstrate, for example, the success of every file transfer between Points A and B during a given period of time, as well as everything that occurred within its system that could possibly help the organization solve other audit issues. Further, with the system of record visibility provided by MFT as a Service, a company also can provide for auditing purposes the actual documents that were sent. The depth of this visibility is particularly important in terms of transactions between/among different companies. While it may not be difficult to track down the fate of a document transferred internally, it often is quite a challenge to do so when a document moves from one company to another. With MFT as a Service, companies get visibility all the way from a file's originating point to its intended destination and confirmation that the transfer succeeded, or, if it wasn't received, where it is and what happened to it. Basically, a company can incorporate its own specific reporting rules, track and consolidate the information relevant to any file transfer and then obtain a customized view of that end-to-end transfer. Onboarding MFT as a Service expands the familiar concept of onboarding, a program typically used by an organization when, for example, sharing spreadsheets or sticky notes across its existing trading-partner community. This level of onboarding centers on establishing connectivity via notification, validation and remediation functions-- among trading partners. Onboarding within MFT as a Service basically assumes connectivity already is established and thus begins at a different point, that is, with transaction or functionality onboarding. Through fast, easy workflows, i.e., point-and-click onboarding and validation, the provider of MFT as a Service offers each user selfservice access to the application. Based on the user's particular business unit and location, etc., the MFT as a Service: collects the necessary user information validates it automatically configures the proposed file transfer executes an auto-test and provides instructions for transmitting documents. 2009 Inovis, Inc. Page 4
That employee now enters into the MFT as a Service portal a list of individuals with whom he/she wishes to exchange documents. The portal then automatically notifies each of those individuals, and each clicks through a similar list of options for auto-configuration and testing. The result? Everyone is onboarded and can easily send secure files, with each transfer automatically visible, subject to the appropriate governance/auditability controls. Although the MFT as a Service application is automated, it does include exception paths to handle any problems that may crop up. That means a user can contact someone on a Help Desk to walk him/her through the process. In addition, as the number of trading partners and file transfers increases, the service provider's system collects the information necessary for billing each user's business unit within each trading partner. Automated exception management eliminates the need for dozens of exception management employees to watch log files all day long. Exception Management While visibility enables the company to see what happens with every step of a file transfer, the company also needs to be notified when something happens that isn't supposed to happen, or vice versa, so that someone can take the necessary corrective action. MFT as a Service provides automated exception management in the form of 1) recognizing file-transfer anomalies and 2) triggering the appropriate level of remediation. This automatic capability eliminates the significant costs, in terms of human resources, time and effort, in traditional MFT solutions. There is no longer a need for dozens of exception-management employees to watch log files all day long. Ultra-reliable Infrastructure The foundation of all the above-listed capabilities is a robust infrastructure, i.e., a Tier-4 data center. As defined by the Telecommunications Industry Association (TIA) Data Center Standard 942, the Tier 4 specification, with more rigorous requirements than the Tier 1-3 categories, ensures 99.995 percent availability. Designed to host mission-critical servers and computer systems, a Tier-4 data center has fully fault-tolerant components, including uplinks, storage, chillers, HVAC systems and servers. Each component is dual-powered, and all subsystems--cooling, power, network links and storage--are fully redundant. Further, a Tier-4 data center is divided into separate security zones, with access to each zone controlled by biometric methods. A Shared MFT as a Service Means Shared Benefits, Too The concept of MFT as a Service falls within the general category of shared services, meaning that the application and all the benefits that come with it are always available to each business unit within a company, as well as each company within a trading-partner 2009 Inovis, Inc. Page 5
community. The benefits of MFT as a Service are the same as those companies achieve from any shared application: Reduced costs - available from the economies of scale that only a shared service can achieve; Improved quality of service - through the service provider's breadth and depth of expertise, experience in the marketplace and 24x7x365 support; and The freeing up of employees' time, so they can focus on the company's core business which, chances are, has nothing to do with managed file transfer. Just as so many business organizations rely on FedEx to take a package and deliver it safely and securely to its destination, more and more leading enterprises now rely on MFT as a Service, obtained from an experienced provider, to take their files and deliver them safely and securely to their destinations. About Inovis Inovis offers software and services that enable companies to do business electronically across their entire trading community. Each day, over 20,000 companies across the globe rely on Inovis to reliably send and receive purchase orders, synchronize data and manage exceptions in order to lower supply chain costs and get products to customers faster. Founded in 1983, the company is based in Atlanta, Georgia and has offices across the United States, the United Kingdom and Hong Kong. For more information, please visit www.inovis.com or email info@inovis.com. 2009 Inovis, Inc. Page 6