The Tips and Tricks Guide to Managed File Transfer

by Don Jones


Too many businesses are trusting critical data and processes to home-grown, do-it-yourself, insecure, unreliable, and manual processes. When your company needs to move and process important information, and protect it while doing so, you need a business-class solution that has been specifically designed to meet those important business needs. That's what true Managed File Transfer is all about: managing files as they transit your organization and your partners', managing those files through post-transfer processes, and securing and tracking those files to help you meet both internal and external security requirements. IT expert Don Jones introduces you to some of the key differentiators with Managed File Transfer, helps you understand core capabilities and subtle implementation variations, and shows you how to construct a shopping list of capabilities that you need for your environment.


Volume 1: Encryption, Person-to-person File Transfer, Compliance, Logging, and Central Management

Each volume of this Tips and Tricks Guide will present a series of tips, tricks, answers, and best practices around Managed File Transfer.

Tip, Trick, Technique 1: When transferring files, isn't all encryption the same?

Definitely not. To begin with, there are numerous kinds of encryption—some of which can actually be broken quite easily. One of the earlier common forms of encryption (around 1996) relied on encryption keys that were 40 bits in length; surprisingly, many technologies and products continue to use this older, weaker form of encryption. Although there are nearly a trillion possible encryption keys using this form of encryption, relatively little computing power is needed to break the encryption—a modern home computer can do so in just a few days, and a powerful supercomputer can do so in a few minutes.

So all encryption is definitely not the same. That said, the field of cryptography has become incredibly complex and technical in the past few years, and it has become very difficult for businesspeople and even information technology professionals to fully understand the various differences. There are different encryption algorithms—DES, AES, and so forth—as well as encryption keys of differing lengths. Rather than try to become a cryptographic expert, your business would do well to look at higher‐level performance standards.

One such standard comes under the US Federal Information Processing Standards. FIPS specifications are managed by the National Institute of Standards and Technology (NIST); FIPS 140‐2 is the standard that specifically applies to data encryption, and it is managed by NIST's Computer Security Division. In fact, FIPS 140‐2 is accepted by both the US and Canadian governments, and is used by almost all US government agencies, including the National Security Agency (NSA), and by many foreign ones. Although not mandated for private commercial use, the general feeling in the industry is that "if it's good enough for the paranoid folks at the NSA, it's good enough for us too."

(The rest of this tip is included in the book)

Volume 2: Business Processes, Central Control, FTP and Other Protocols, and Reducing Overhead

Tip, Trick, Technique 8: How Does a Managed File Transfer System Integrate with My Other Business Processes?

File transfer, whether managed or not, often occurs at the beginning or end of a much more complex and involved business process. For example, if you receive a file from an external business partner, that file's receipt may kick off a business process that involves importing the file, updating databases, interacting with line-of-business (LOB) applications, and so forth. Companies traditionally hand off the data from something like a Managed File Transfer (MFT) server, and either use in-house applications or scripts to coordinate the remainder of the business process, or they use commercial automation tools to coordinate the process. Figure 8.1 illustrates this, with an MFT server accepting an incoming file and a separate coordination application handling the file's import, database updates, or whatever.

Figure 8.1: Handing off a file for coordination within a larger business process.

There's nothing specifically wrong with this technique, although it can have a few weaknesses. To begin, this approach involves moving files across several boundaries: between the MFT server and whatever is doing the coordination, between that application and whatever systems it interacts with, and so forth. All of those boundaries can be observed by whatever's doing the coordinating, so it's able to log each interaction within the data's life cycle. The coordination component misses one significant boundary, though: the one between the MFT server and the external partner. Because that happens before the coordination element is introduced to the life cycle, that interaction will be captured only in the MFT server's log. The upshot here is that you're not getting a consolidated log of the data's entire life cycle.
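One way to see the split described above, and to stitch the two halves back together after the fact, is to join the MFT server's log and the coordinator's log on a shared file digest. This is an added example, not code from the book or from any MFT product; the JSON field names, the shortened digests, and the sample records are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names (ts, sha256, event, peer) are
# assumptions for illustration; digests are shortened placeholders.
MFT_LOG = [
    '{"ts": "2024-05-01T09:00:02Z", "sha256": "aa11", "event": "received", "peer": "partner-a"}',
    '{"ts": "2024-05-01T09:05:40Z", "sha256": "bb22", "event": "received", "peer": "partner-b"}',
]
COORD_LOG = [
    '{"ts": "2024-05-01T09:00:10Z", "sha256": "aa11", "event": "imported"}',
    '{"ts": "2024-05-01T09:00:15Z", "sha256": "aa11", "event": "db_updated"}',
    '{"ts": "2024-05-01T09:07:00Z", "sha256": "cc33", "event": "imported"}',
]

def consolidate(mft_lines, coord_lines):
    """Merge both logs into one time-ordered timeline per file digest."""
    timeline = defaultdict(list)
    for source, lines in (("mft", mft_lines), ("coordinator", coord_lines)):
        for line in lines:
            rec = json.loads(line)
            timeline[rec["sha256"]].append((rec["ts"], source, rec["event"]))
    for events in timeline.values():
        events.sort()  # ISO 8601 UTC timestamps sort correctly as strings
    return dict(timeline)

def gaps(timeline):
    """Return digests whose life cycle is visible on only one side of the hand-off."""
    report = {}
    for digest, events in timeline.items():
        sources = {src for _, src, _ in events}
        if sources == {"coordinator"}:
            report[digest] = "processed with no recorded partner transfer"
        elif sources == {"mft"}:
            report[digest] = "received but never processed"
    return report

if __name__ == "__main__":
    merged = consolidate(MFT_LOG, COORD_LOG)
    for digest, events in merged.items():
        print(digest, events)
    print(gaps(merged))
```

A file that the coordinator processed but that has no matching transfer record is the case an auditor will ask about first, because its origin cannot be shown from either log alone.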

(The rest of this tip is included in the book)

Volume 3: Deployment Models, Integrating with SIEM Systems, What Auditors Will Like or Dislike, Why You Would Need MFT

Tip, Trick, Technique 13: What Deployment Models Are Available for Managed File Transfer Solutions?

Managed File Transfer (MFT) systems are powerful, often complex applications, but they're ultimately just server applications. There's nothing especially magic about their deployment, and with readily available high-bandwidth connections to employees' homes and to corporate offices, MFT can be deployed in a number of ways.


The most straightforward deployment model, conceptually, is a traditional on-premises deployment, as pictured in Figure 13.1. Here, the MFT solution lives on a server in your own data center.

Figure 13.1: On-premises deployment.

There are obviously numerous advantages to this model:

  • You're in full control of the MFT assets.
  • You can build out options such as high availability to whatever degree you require.
  • You're absolutely assured of the security and integrity of the system because it's completely under your control.
  • You have the option to combine the MFT software with other server functions on a single physical machine or to virtualize the MFT solution as you see fit.
  • Most of your hard costs are up-front, meaning that once you pay for the hardware and software, there are no additional cash flow needs—apart perhaps from software maintenance fees, which are usually annual and predictable.

Volume 4: Where File Transfer Will Help, Secure Transfer, Free FTP/SFTP Server vs MFT, Comparing Solutions, Why to Consider Integrated MFT

Tip, Trick, Technique 19: How Can I Identify Areas Where Managed File Transfer Can Help My Company?

As I've written in prior tips for this book, most companies adopt a Managed File Transfer (MFT) solution in response to a specific project or immediate business need. I've seen a lot of companies pick a solution based only on immediate needs, only to pick another system when some new need comes along, then another system to support the next project, and so on—until they have a whole array of different, competing solutions that all require their own maintenance, have their own overhead, and so on. In the end, the companies spend more money acquiring and supporting point solutions than they would have if they'd just bought one really flexible system in the first place. So with that lesson in mind, it pays to think about the different places an MFT solution might fit in eventually, if not today. That way, you can select a solution that can grow as your needs evolve.

Why MFT Is Traditionally Deployed

As Figure 19.1 shows, the traditional first use of MFT within an organization is often to transfer files between the organization and an external system, such as a business partner.

Figure 19.1: Transferring data between business systems.

Volume 5: Different Approaches to MFT, Threats When Using MFT Solution, Downsides to Multiple File Transfer Solutions, MFT with EDI, Ensuring Clean Data

Tip, Trick, Technique 24: How Have Different Organizations Approached Managed File Transfer? How Have They Used It?

The answer to those questions varies with different levels of sophistication within different organizations. In other words, there are several levels to which I see Managed File Transfer (MFT) being used within organizations. Each successive level encompasses, or is a superset of, the one before. I've named these five levels operational, automated, integrated, service-oriented, and proactive. They're a great illustration of how your most immediate file transfer needs can lead to a more agile, responsive business.

See where your organization fits in. It should probably go without saying, but I'll say it anyway: The more sophisticated your company, the more flexible and complete an MFT solution you're going to need in order to really fulfill your company's expectations and requirements.