In today's highly competitive business climate, companies must ensure secure, reliable and integrated communications.
Editor's Note: This article introduces both a white paper titled "Best Practices in Managed File Transfer Solutions" and a Webcast titled "nuBridges Exchange i—10 Minutes to a Whole New World of Managed File Transfer for IBM i." They are available free from the MC Press White Paper and Webcast Centers.
Globalization, increased competition, and compliance demands are creating new challenges for enterprises. To meet these challenges and gain competitive advantage, today's enterprise must be collaborative, responsive, and agile. This requires secure, reliable, and integrated communication among the people, systems, and applications that enterprises rely on to create, use and move business-critical, sensitive and regulated information.
Fortunately, we are entering a new era for MFT solutions. These solutions are improving real-time collaboration in secure, high-availability environments, enabling integration with critical business applications and reducing the cost and complexity of moving large volumes of information. Whether or not you agree with some experts who categorize this new breed of MFT as "disruptive innovation," there is little doubt that implementing a best-in-class MFT solution will eliminate the file-transfer challenges that enterprises have grappled with in the past.
To help enterprises analyze the solutions that are currently available, nuBridges presents an in-depth look at the key best practices that define best-in-class MFT solutions.
Best practices call for MFT solutions to be secure, protocol- and platform-neutral, integrated with critical business processes, centrally managed, auditable, and usable by business users without IT handholding. The foundation for these best practices is a single, integrated MFT solution—centrally managed and controlled from a Web-based interface—versus the jumbled, do-it-yourself file transfer methods that have challenged enterprises for decades.
The best practices presented in the white paper titled "Best Practices in Managed File Transfer Solutions" effectively meet the file transfer challenges faced by today's enterprises:
- Transfer information faster, store it on more devices, share it with more partners, and protect it like never before
- Meet compliance and governance requirements
- Control costs and mitigate risk
- Standardize on a single integrated file transfer solution for internal and external data exchanges that is platform-, vendor-, and application-neutral
- Maintain visibility in real-time into all file movements
- Leverage open standards
- Support legacy infrastructures
Top Best Practices to Look for in MFT Solutions
Lifecycle Data Protection
Data in motion should never exist in clear-text. This requires that all communication channels be encrypted. As soon as incoming files are written to a disk in the DMZ, they become data at rest and are no longer protected by transfer protocols. This problem is easily solved by using an MFT solution that provides secure streaming so that no data ever touches the iron in the DMZ. Under this scenario, when files are streamed through the DMZ, they continue to be protected using the same secure file transfer protocols and/or encryption by which they were transferred.
Encryption, Tokenization, Key Management
Strong encryption is traditionally used to protect data at rest. But now there's a new data security model gaining traction: tokenization. Unlike traditional encryption methods, where the encrypted data or cipher text is stored in databases and applications throughout the enterprise, tokenization substitutes a token, or surrogate value, in place of the original data. Tokens can then be passed around the network between applications, databases and business processes safely while leaving the encrypted data it represents securely stored in a central data vault.
With respect to keys, they should be centrally managed in an encrypted state of the file system. Public metadata, such as key expiration, is stored in the database so that information on keys can be easily reported. Keys can be stored on the same main server that other MFT components reside on or any other server that the customer prefers.
Tokenization is effective in protecting entire document files as well as payment card information, any type of personal identifiable information and business-critical information stored in databases. What's more, because it takes systems and applications out of audit scope for Payment Card Industry Data Security Standard (PCI DSS) compliance, it simplifies compliance management for data security standards and privacy laws.
Streaming files through the DMZ also has the added benefit of moving large files faster, since they are never "set down" and "picked back up." It is always recommended to select an MFT solution that supports all secure protocols and encryption methods to maximize ease of interoperability with new trading partners.
The most secure MFT solutions put trading partner verification and authorization in the DMZ and prevent the need for inbound holes in firewalls. The portion of the MFT solution behind the firewall opens an outbound hole in the inner firewall to receive incoming files into the enterprise. The MFT solution then receives the data and manages the movement between business partners and internal end points. The DMZ proxy has three main operations: identify the sender and receiver, apply cached routing rules and mediate protocols as necessary. Administration is server-side, and all rules and profiles are cached in memory.
Ad Hoc File Transfers
On-demand file transfers are standard operating procedure in many enterprises. Best-in-class MFT solutions should handle these ad hoc transfers as securely as scheduled and event-driven transfers. Although ad hoc transfers are outside the parameters set for scheduled and event-drive transactions, best practices call for these transfers to be equally secure.
MFT solutions should provide cross-platform protection to secure the whole enterprise, not just part of it. In other words, enterprises must protect all data, whether on Windows, Linux or IBM i.
A best-in-class MFT solution provides a host of workflow automation features including SOA interface, intelligent routing, transaction chaining, business activity monitoring (BAM), and business process management (BPM).
Compliance and Auditability
To meet best practices, MFT solutions must have the ability to track all actions so that they can be audited at any time and must maintain the ability to search for desired transactions based on specific criteria. Detailed business-activity tracking is built into the journaling systems so even multi-step activities are recorded. A log file contains information that describes when each file was sent, where it was sent, to whom it was sent and who initiated the transfer. The information is visible locally but managed centrally.
Trading Partner Management
Best practice calls for MFT solutions to maintain up-to-date trading partner information including profiles of individual users, departments and companies. With a GUI interface, users can view contact information, protocol preferences, security requirements, user roles and access privileges. Self-provisioning of partners from this user interface is an important feature in the on-boarding process. What's more, critical business activities can be easily performed by business users, without the need for IT support.
Intelligent routing of transactions within the enterprise ensures that documents coming in from trading partners are delivered directly to the intended end point, bypassing intermediate servers and remaining in their secure wrappers all the way to their final destination or multiple destinations. An additional benefit of intelligent routing is that application servers do not have to request files from an intermediate server, where they may be sitting unprotected in clear-text unless a data protection application is used to automatically encrypt the files when they are writing to disk. This eliminates another layer of security management and removes the need for those servers to have an FTP client installed and for scripts to be written requesting and directing files.
Intelligent routing also includes a method to chain these transactions together based on file characteristics. The benefits are numerous, including the ability for security methods to be automatically changed—for example, from PGP to SSH. Files can be intelligently routed to multiple application destinations or even routed based on the metadata of the file itself. For example, a file can be sent to an external trading partner and the internal finance department on two separate application servers. The result is fewer points to manage and fewer users for whom to grant access. And the payoff for the enterprise is significantly reduced security risks.
Business Activity Monitoring (BAM)
Business activity monitoring, which automatically captures information to streamline business processes and improve enterprise productivity, is a key component of best-in-class MFT solutions. BAM allows partners to track and monitor all transactions centrally and view near-real-time status of all transactions—internal or external, regardless of the transport of document type. And not just current activities, but historical ones as well. For example, activity logs allow users to review multi-step business activities in context and in sequence and to drill down to trade exceptions. Users can view transactions—and any scheduled activities related to them—by type, batch, sender or recipient -- at a glance. Since logs are searchable by data, priority, category, and description, retrieval is speedy and accurate.
Business Process Management (BPM)
To eliminate manual document routing and scheduling, further enhancing productivity and streamlining operations, MFT solutions should include business process management (BPM). The routing component of BPM provides the intelligence to look at a transaction and intuitively know how to route a file to the proper destination. When sending and receiving documents internally, it means reviewing the document routing information and, based on the user profile, routing it to the proper storage location within the network. For external documents, it means sending them using the correct protocol, based on the business partner profile, and receiving to the proper internal storage location, application and/or user. Scheduling defines tasks on a one-time or recurring basis within sequencing parameters.
To find out more about these best practices, download the white paper titled "Best Practices in Managed File Transfer Solutions" and the Webcast titled "nuBridges Exchange i—10 Minutes to a Whole New World of Managed File Transfer for IBM i." They are available free from the MC Press White Paper and Webcast Centers.