
Axway

The document provides an overview of Managed File Transfer (MFT), detailing its evolution, challenges, and best practices. It emphasizes the importance of secure data exchange, regulatory compliance, and the need for efficient file transfer solutions in modern business environments. Best practices for implementing MFT include understanding stakeholder needs, supporting multiple protocols, and ensuring high availability and security.

Uploaded by

Hamim

Managed File Transfer
Insights & Best Practices
David Butcher, PMP CSDP
Sr. Systems Engineer
Agenda

• Axway/Tumbleweed Snapshot
• File Transfer Overview
  • Evolution
  • Challenges & Drivers
• What is Managed File Transfer?
• Best Practices
• Q&A

© 2008 Axway Inc.


Tumbleweed Communications

Company
• Founded in 1993, HQ in Redwood City, CA
• Focused purely on secure content delivery
• Global leader in managed file transfer & email encryption
• Over 3,200 customers
• Strengths in ease of use & flexible integration
• Offices in the US, Europe, Asia
• Leaders Quadrant: Gartner Managed File Transfer Magic Quadrant
• Leaders Quadrant: Gartner Email Encryption Magic Quadrant

Products
• Secure Transport™: Secures all data exchanges between organizations with secure managed file transfer
• Secure Messenger™: Encrypt email at the gateway or desktop, automatically or manually
• MailGate™: Protects email with comprehensive inbound and outbound security

Customers
• Multi-Nationals
• Fortune 500
• Government
• Financial Services


File Transfer – The Evolution

• Early Connectivity
  • Dial-up connections – Async, Bisync
  • Dedicated links – Frame Relay
  • Value Added Networks – VANs
• Enter the Internet
  • FTP becomes the de facto standard for file transfer
  • Available on every platform, easy to code into scripts
  • The tool of choice for application-to-application connectivity
• Evolving Solutions
  • Variety of enhanced secure file transfer products
  • Open standards / open protocols
  • FTP, HTTP, SSL/TLS, SSH, PGP, S/MIME, EDIINT AS2 and AS3
  • Managed File Transfer Solutions


FTP – The De Facto Standard

• Most Common Internet File Transfer Method
• Client / Server Architecture
  • Client initiates all connections
• Many Variations of FTP (Vendor Customizations)
• FTP Problems
  • No Encryption
  • User Names and Passwords Are in the Clear
  • No Integrity Checking
  • No Checkpoint Restart
  • No Tracking
  • No Management
  • FTP Scripting

Homegrown FTP
The DMZ Issue

[Diagram: users on the Internet drop off and pick up files at a DMZ FTP server that sits between the exterior and interior firewalls. Files and user credentials are staged in the DMZ. The internal FTP server has to stage files to the DMZ FTP server and retrieve files from it.]

• Often uses two FTP servers
• User credentials and files stored in the DMZ
• Files may be left unprotected for long periods of time
• Scripted jobs move the files between FTP servers
• Coordination nightmare

File Transfer – Other Tools

• FTP/S
  • FTP over SSL/TLS
• SSH – Secure Shell
  • SFTP – SSH File Transfer Protocol or Secure FTP
  • SCP – SSH protected remote copy
  • Leverages SSH Protocol
  • Encryption and Authentication
• AS2
  • AS2 – Applicability Statement 2
  • HTTP Based, Can Use SSL
  • Encryption, Data Integrity, Signatures, Receipts
  • Server initiates all connections
  • Associated With EDIINT – Can Send Any Data


Why Business Likes File Transfer

• Paper-based processes are inadequate
• Desire to eliminate physical media shipments
• Regulatory mandates are increasing
• Markets are moving faster
• Desire to reduce costs
  • Streamline operations
  • Fewer systems to manage
  • Internet perceived as "free"
• Expand business community
  • Access to many trading partners
  • Trade worldwide
  • Accommodate partner technology


File Transfer Drivers

• Data Protection and Security
• Regulations and Compliance
• File Exchange with Customers & Partners
• Outgrown/Limited Existing Systems

File Transfer Drivers
Data Protection & Security

• Disney subcontractor caught selling customer data. Stolen credit card numbers and other account information sold (Computer World, July 2007)
• T.J. Maxx hack exposes consumer data. Computers hacked, putting shoppers at risk of identity fraud (CNET News, January 2007)
• Western Union reveals customer data theft. Thousands of customers' personal information was stolen by hackers (Earth Times, July 2007)
• Data Theft Affected Most in Military. Stolen information included data on 2.2 million active troops (Washington Post, June 2006)
• Merrill Lynch ID Theft May Affect 33,000 Employees (CNBC, August 2007)
• Credit agency suffers 'misappropriation' of 2.3 million consumer records (CNET News, July 2007)
• Payroll hole exposes dozens of companies (CNET News.com, February 2005)
• Johns Hopkins Loses Data On 135,000 Patients, Employees (Network World, February 2007)
• 47 percent of financial firms reported their network or data is targeted by organized criminals (SC Magazine, Jan 2008)

File Transfer Drivers
Regulations & Compliance

External regulations driving some need for file transfer, but…

• HIPAA
• GLBA
• SEC 17a-4 & NASD 3010
• SOX
• CA SB 1386
• FDA 21 CFR Part 11
• Payment Card Industry (PCI) Data Security Standard
• USA Patriot Act

File Transfer Drivers
Outgrown Existing/Limited Systems

• Existing file transfer infrastructure constructed of too many "fragile" components
  • Complex with little visibility
  • Too many moving parts
  • Expensive, proprietary legacy systems
• Inadequate security and confidentiality
  • Rampant "rogue" (unmanaged) FTP
  • Risk management issues
  • Need to support auditing, SOX compliance
• Inflexible – inability to address future needs
  • Speed of business continually increasing
  • Larger files, more frequently, to more partners in shorter timeframes
  • Variable Scalability, Reliability, Performance


Internal Constituents & Partners
Driving Need for MFT

Internal
• Increasing scrutiny from Chief Security Officer (CSO)
• Facilitates need to prove data exchange activity/security with reporting, logging and auditing
• Physical medium file transfers are gone
• Corporate reputation – remember TJX
• Enforcement of corporate policies
• Each business unit deploying point solutions
• Efficiency – savings achieved through automation & consolidation

Partners
• Partners and customers require electronic transfers
• SLA enforcement
• Did our partner/vendor deliver the data on schedule?
• 67% of CIOs surveyed reported more than 20% of their file transfers are tied to SLAs – SC Magazine (Jan. 2008)

Managed File Transfer (MFT)
According to Gartner

• The Gartner "Managed File Transfer Suites: Technology Overview" report identifies a managed file transfer suite as having the following functionality:
  • Secure Communications: This entails a collection of commonly used protocols and technologies used for transporting and ensuring the authentication, privacy, non-repudiation and authorization of data between two or more entities.
  • Management: This is the ability to monitor and control the data (regardless of size) throughout the file transfer.
  • Integration functionality: Adapters or exposed application programming interfaces.
  • Streaming input/output: This capability enables the MFT Suites to overcome physical hardware limitations and operating environment limitations.
  • Checkpoint/restart capabilities: This capability lets the user resume incomplete file transfers as a result of interrupted transmissions, accidental or otherwise.
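The checkpoint/restart capability in the Gartner list, together with the integrity check that plain FTP lacks, can be illustrated with a short added example (not from the slides and not Axway product code). The function names, the JSON checkpoint file and the 64 KiB chunk size are assumptions made for the illustration; a local file copy stands in for the network link.

```python
import hashlib, json, os, tempfile

CHUNK = 64 * 1024  # checkpoint granularity (assumed value)


def sha256_file(path):
    """Digest of a whole file, used for the end-to-end integrity check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def transfer(src, dst, state, drop_after=None):
    """Copy src to dst; resume from the offset saved in `state` if present."""
    offset = 0
    if os.path.exists(state) and os.path.exists(dst):
        with open(state) as f:
            # Never trust a checkpoint beyond what is really on disk.
            offset = min(json.load(f)["offset"], os.path.getsize(dst))
    sent = 0
    with open(src, "rb") as fin, open(dst, "r+b" if offset else "wb") as fout:
        fin.seek(offset)
        fout.seek(offset)
        fout.truncate()  # discard bytes written after the last checkpoint
        while chunk := fin.read(CHUNK):
            if drop_after is not None and sent >= drop_after:
                raise ConnectionError("simulated link drop")
            fout.write(chunk)
            fout.flush()
            os.fsync(fout.fileno())
            offset, sent = offset + len(chunk), sent + len(chunk)
            with open(state, "w") as f:
                json.dump({"offset": offset}, f)
    if os.path.exists(state):
        os.remove(state)  # transfer complete, checkpoint no longer needed
    return sent


def demo():
    """Interrupt a 300 KiB transfer after 128 KiB, resume, verify digest."""
    with tempfile.TemporaryDirectory() as d:
        src, dst, state = (os.path.join(d, n) for n in ("src", "dst", "ckpt"))
        with open(src, "wb") as f:
            f.write(os.urandom(300 * 1024))  # constructed sample payload
        try:
            transfer(src, dst, state, drop_after=128 * 1024)
        except ConnectionError:
            pass
        resumed = transfer(src, dst, state)
        return resumed, sha256_file(src) == sha256_file(dst)
```

The second call sends only the bytes after the last committed checkpoint, and the digest comparison confirms the reassembled file matches the source.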


Best Practices
Understanding the File Transfer Needs

• Know your stakeholders and their file transfer roles
  • Information Technology
    • Owners of IT policy
    • Caretakers of IT systems
  • Corporate Security
    • Charged with protecting data, knowing what is leaving the enterprise and if it is authorized and secure
  • Business Units
    • Owners of the data being transferred
  • Partners
• Understand your stakeholders' file transfer needs and requirements
• Implement the security architecture to meet these needs/requirements
  • Answer key questions
  • Consider security architect best practices
  • Investigate MFT solutions


Best Practices
File Transfer Needs – Key Questions

• What are you currently using for File Transfer?
• Does your file transfer environment have many components that have evolved over time?
• Are you planning to leverage the Internet for your file transfers?
• What protocols do you currently use to communicate with your trading partners?
• Do you feel pressure to comply with regulatory requirements for your file transfers?
• Do you stage or store data in your DMZ? Is it stored in plain text?
• Do you have HA requirements for your business critical file transfers?
• Do you have trading partners with PGP encryption requirements?
• Do you have very large files you need to transfer? Would a checkpoint restart capability be of interest?
• Are delivery receipts with non-repudiation important to you?
• Do you have file transfer integration requirements?


Best Practices
Flexible Protocol Support

• Support multiple protocols – avoid client side changes
  • HTTP/HTTPS – browser clients
  • FTP/FTPS
  • SFTP/SCP
  • AS2
  • Proprietary – Large files (checkpoint restart, integrity)

[Diagram: four kinds of client reach the MFT Server across the Internet and the Internet Firewall.]
• FTPS Clients (FTPS): RFC2228-Compliant; Windows, Unix, AS/400, z/OS, etc.
• SSH Clients (SFTP, SCP): SFTP Protocol; SCP Protocol
• AS2 Servers (AS2): EDI Trading Partners; Signing/Encryption
• Standard Web Browser (HTTPS): Universal; Easy Setup; Customizable UI


Best Practices
Automation Support

• Back end automation – getting the data to the systems that are consuming it and from the systems that produce it
  • File moves and copies
  • File level encryption
    • PGP during transport
    • Encrypted file system during storage
  • Email notifications on successful transfers and failures
  • Framework for custom transforms – event driven

[Diagram: event-driven flow with the steps "File Dropped off At the Server", "Send Email Notification of File Arriving", "PGP Decrypt File" and "Encrypt file and Store to Disk", feeding Notifications and the File Repository.]


Best Practices
MFT Enterprise Gateway

[Diagram labels: External Partners (User, FTP Server); HTTP(S), FTP(S), SFTP, SCP, AS2; DMZ; MFT Server; Enterprise (Internal User, Application Servers).]

• All file movement is centralized through the MFT server
• Firewalls are locked down to prevent circumventing the server

Best Practices
Two Tier Deployment

[Diagram labels: External Partners (User, FTP Server); HTTP(S), FTP(S), SFTP, SCP, AS2; DMZ; MFT Proxy; MFT Server; Enterprise (Internal User, Application Servers).]

• Nothing stored in the DMZ
• No user data or credentials
• Eliminates data staging and retrieval issues


Best Practices
High Availability

[Diagram labels: External User; Remote File Transfer Server; HTTP(S), FTP(S), SFTP, SCP, AS2; Load Balancer (two); MFT Proxy (two); DMZ; MFT Server (two); Shared File Storage; Enterprise (Internal User, Application Servers).]

• Avoid Single Points of Failure
• Need for Scalability and Failover Support

Best Practices
Multiple Authentication Methods

• Authentication
  • Single factor
    • Passwords
    • Certificates
  • Multi factor
  • Authentication database local to solution
  • Integrating with existing authentication databases (LDAP/AD/SSO)

[Diagram labels: Clients authenticating to the MFT Server with User ID / Password; X.509 Certificate; SSH Key; User ID / Password; Two Factor.]


Best Practices
Record Keeping

• Logging
  • Granular
    • All file transfers recorded – who, what and when
    • All access recorded
  • Integrity
    • Protected from outsiders – out of the DMZ
    • Protected from insiders – digitally signed

[Diagram labels: HTTP(S), FTP(S), SFTP, SCP, AS2; MFT Proxy; MFT Server; Access Log; Transaction Log; Audit Log.]
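The "protected from insiders" point on the Record Keeping slide can be illustrated with a tamper-evident log, shown here as an added example that is not from the slides or from any Axway product. It uses an HMAC hash chain from the Python standard library as a stand-in for the digital signature the slide mentions; the function names, record fields and sample entries are assumptions, and the key is assumed to be held where MFT server administrators cannot read it.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # 'previous MAC' value for the first record


def _mac(key, record):
    """HMAC-SHA256 over the canonical JSON of the record fields."""
    msg = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log, key, who, what, when):
    """Add a who/what/when record chained to the previous record's MAC."""
    record = {"who": who, "what": what, "when": when,
              "prev": log[-1]["mac"] if log else GENESIS}
    log.append({**record, "mac": _mac(key, record)})


def first_bad_entry(log, key):
    """Return the index of the first altered or out-of-chain record, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry.get(k) for k in ("who", "what", "when", "prev")}
        if entry.get("prev") != prev or not hmac.compare_digest(
                _mac(key, record), str(entry.get("mac"))):
            return i
        prev = entry["mac"]
    return -1


def sample_log(key):
    """Constructed sample transfers, not taken from any real system."""
    log = []
    append_entry(log, key, "partner-a", "PUT invoices.csv", "2008-03-01T02:00Z")
    append_entry(log, key, "partner-b", "GET payroll.pgp", "2008-03-01T02:05Z")
    append_entry(log, key, "batch-job", "PUT orders.xml", "2008-03-01T02:10Z")
    return log
```

Editing or deleting a record breaks the chain at that position. Removing records from the end is not detected by the chain alone, so the most recent MAC also has to be stored somewhere the log's administrators cannot change.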


Best Practices
Investigate MFT Solutions

• Ask your trading partners what solutions they are using with their other vendors
• Seek third-party recommendations on MFT solutions
  • Gartner
  • SC Magazine
  • Etc.
• Go to the source
  • Explore MFT vendor websites
  • Review informative white papers, webinars, etc.
  • Request a demo / eval
  • Ask for references


Questions/Discussion



For More Information

www.tumbleweed.com
www.axway.com
[email protected]
877 282-7390
