Optimizing Managed File Transfer (MFT): Dos and don’ts

Jul 14, 2011 | 5 mins
Data and Information Security | Network Security | Security

Front-line advice on getting the right MFT system, and getting the most from it

Discourage data leaks, standardize and optimize file transfer—that’s the ambition of Managed File Transfer (MFT) products. Here, experts offer practical advice on using these tools.

Learn about features and selection criteria in the companion article Automating and securing file transfers: Key issues.

DON’T look for a quick hit, one-off solution. You may think you only need to quickly solve a single problem, such as how to secure files emailed between your law firm and its clients. But most organizations have much more complex, large-scale file-transfer requirements and should take a long-term view of their needs.

“It’s all about taking a holistic view of all your connections and risk and [how to] shut the door to new scripts, FTP servers, which created the problem in the first place,” says Chuck DePalma, CISO for Volkswagen Group of America. “If you just jump in and replace this one FTP server, companies wind up with five or six managed file-transfer products across the organization. You wind up with better tools, but no central governance.”

DO use MFT as part of an overall data management program. It’s critical to classify your data, know how it’s used within the organization and in transactions with other businesses, customers, auditors, and so on, so you can apply appropriate policies and controls to various file-transfer use cases.

Volkswagen, for example, wrote a data usage and governance policy when it moved from its five-year-old Tumbleweed MFT to a newer version from Axway (which purchased Tumbleweed). Says DePalma, “The policy covers the proper way to manage the data and everything associated with it—data security, transmission, usage and sharing, vendor usage, employee usage, ownership rights to data, and who can do what and how to transfer it.”

DePalma says VW learned a lot from its initial deployment in 2003.

“The easy-to-understand data was automatically put up [on the MFT systems],” says DePalma. “What followed was five years in process. We should have done a more rigorous process around data usage and governance ahead of time.”

DO look for data loss prevention (DLP) capabilities. In addition to being deployed as a standalone product, DLP is increasingly being integrated into other systems, including MFT. DLP enables companies to enforce policy on the movement of sensitive data, whether it’s intellectual property, business plans or customer information. If this is important to your organization, look for built-in DLP or native support for third-party DLP.

DO consider cloud services. Some vendors are offering managed file-transfer as a service in the cloud as an alternative or complement to on-premise software or appliances. Cloud gives companies tremendous flexibility to pay as they go and accommodate fluctuating demand for file transfers, and, of course, reduces capital expenditure and technical support. The sticking point is security.

“How much do you trust your external provider with your data?” says Thomas Skybakmoen, Gartner senior research analyst. “Most companies are fine using cloud for things like financial transactions, transactions that include purchasing orders—normal B2B activity—but prefer to keep sensitive data on-premise.”

And, in some cases, on-premise MFT may be cheaper, depending on volume. If a company is paying per megabyte or gigabyte for cloud services handling millions of files averaging 30MB or 50MB each, it’s probably cheaper to keep managed file-transfer internal.

Companies also have the option of creating a private cloud to serve internal customers. “Enterprises can use a [virtual machine] to deploy MFT in a private cloud,” says Paula Skokowski, Accellion chief marketing officer. “Public cloud can get you up and running quickly, but organizations have to follow very strict rules about where sensitive data can be stored, and they usually opt for a hybrid or private cloud.”

DON’T make managed file-transfer an IT project. It’s a business project, with IT providing support. The line of business owner should take the leadership role, because the primary aim is to enable existing business processes to be more efficient and roll out new business quickly.

“The line of business manager is key and probably needs to manage process,” says Andre Bakken, Ipswitch File Transfer director of product management. “It’s not just an IT project. Large-scale transfers are about generating additional revenues and unit sales.”

In addition to IT and security, key stakeholders include application owners, partners and even large customers. Compliance officers should also be involved, depending on the industry.

“Finance is also very key,” says Bakken. “Depending on how you are set up, MFT may be the system of record, and that gets to SOX compliance.”

DO include collaboration systems. You may not think of SharePoint or less-formal file-sharing mechanisms as file transfers, but collaboration is just as much about exchanging files as email or FTP is. Data governance for sharing files for work collaboration is every bit as important, especially if they’re sent over the Internet to other offices, remote users and partners. Take a close look at how an MFT product supports your collaboration environment.

“It’s about the whole nature by which people are sharing information, becoming more collaborative,” says Skokowski. “Sharing, sending and syncing files all involve the exchange of information between internal and external people, and all have potential security and compliance risks.”