Wednesday, December 27, 2006

What customers are saying about Accellion SFTA and a Happy 2007

Summary: What is driving the demand for Accellion secure file transfer appliance? What are the experiences for users and IT once SFTA is installed? These are snippets of what customers have told us.


-----

Secure File Transfer is a universal need for all industries and organizational sizes. So, as you get ready for 2007, check if any of these typical customer comments ring true and consider if there should be an Accellion SFTA on your 2007 to-get list.

(Okay. Okay. I admit it. ACA Guy's handler is out on vacation. So, I have turned to customers for content. As always, names have been withheld to protect the not always innocent.)


***

Ouch! We have to fix this.

A few weeks ago an employee set up an FTP account for company X. People at X turned around and gave a whole bunch of people outside of X access to the FTP account unbeknownst to us. As we were exchanging data and information through that FTP account, unauthorized people were getting confidential and competitive data that they shouldn’t have seen.

Global Advertising Agency


***

Because secure file transfer is important for our clients

We have many high profile clients and securing file transfer in a way that our attorneys can easily use is important for all transactions.

Global Law Firm


***

See the Gain (usage) Without the Pain (support calls)

I initially handed out access to a few people who were regularly sending 60MB PPT files and refusing to use anything other than email. Demand for access grew virally as new users heard about and asked for this new tool.

What closed the deal for me is that as user count "takes off", the user support hotline remains dormant.

Medical Research Foundation


***

Get your own SFTA!

[SFTA] is being used by ALL sorts of people - documentation, clinical, marketing and sales, field engineers. I am getting constant calls from people who want to have access to the system immediately.

While I will probably give access to other divisions on a limited basis, this box is for our division and they'll have to buy their own.

Medical Device Company


***

Happy Users = Happy IT

I used to get lots of complaints about ad hoc large file transfer from doctors. But, since its [Accellion SFTA] installation, I have gotten zero complaints.

Healthcare Institution


***

And, regardless of where you are on the secure file transfer readiness scale, Best Wishes for a Joyful and Successful 2007 from the entire Accellion team.

ACA Guy

Wednesday, December 20, 2006

Using Exchange/Outlook and Domino/Notes with Accellion Secure File Transfer Appliance

Summary: Offered as an integrated plug-in for Exchange/Outlook and Domino/Notes, Accellion SFTA allows users to send whatever size files without leaving the comfort of email. What does this mean for the IT Support Ticket count?

-----

Maybe you are like me. The very first thing and the very last thing I do in the office involves starting and closing my email client application.

And, between these two points, just about everything I do has an email component - requesting additional information, explaining the latest proposal, following up with people on their action items, and sending files as attachments.

The good news about a ubiquitous tool like email is that users, like yours truly, would happily take advantage of features like the ability to send file attachments. Conversely, the bad news is that if you force users to leave their email comfort zone for things like sending large files, say via FTP or CD/DVD, there will be confusion and a lot of IT support calls.

This is why Accellion has taken great care to develop the hooks necessary to integrate with the two most popular email solutions: Microsoft Exchange/Outlook and Lotus Domino/Notes. By using the Accellion email client plug-in, users can access the enterprise secure file transfer solution from within the productivity tool most intimate to the majority of business processes – the email system.

Once the Accellion plug-in has been installed on the email client, Accellion SFTA becomes a smart icon for the end users. (Click here to see an example of how it appears on the end user's email client.) In other words, from a user’s perspective, there is no need to exit the email application or start another application to transfer a large file; it’s all streamlined. And the easier the process is for the user, the fewer support tickets IT has to resolve.

Beyond the obvious end user process advantage, the email-integrated Accellion SFTA still works in parallel to the email system by offloading file attachments and managing the file life cycle through the policy-based mechanism. Namely, all the features that make IT's life easy are there.

As best as I can tell, Accellion is the only company that offers this kind of Outlook and Lotus Notes email integration for an enterprise secure file transfer solution. And we bring a lot of integration experience to the table. While doing the setup is not a complicated process, it is good to know that Accellion can help you troubleshoot and resolve issues in hours instead of days, weeks, or longer.

What about when a user is out of his office, without access to his email? We’ve got it covered there, too. The secure file transfer appliance can be accessed via the web, so even when access to email is not available, you can still send files to your heart's content.

Sweet!

ACA Guy - YF Juan

Wednesday, December 13, 2006

Supporting Global Multi-Office Secure File Transfer Needs - The Six Factors to Consider

Summary: Accellion has been deploying global multi-office secure file transfer solution for enterprise users for years. How does your need compare to some of our typical deployments? What are the issues to keep in mind when designing a global multi-office secure file transfer framework? Accellion's ACA Guy tells all.

-----

Question: Can the Accellion Courier Secure File Transfer Appliance (SFTA) solution scale to meet large enterprise demands on a global basis?

Answer 1: There are more than 13,000 registered users on a deployment consisting of 40% internal users and 60% external users worldwide for one Accellion customer.

Answer 2: The largest Accellion installation supports over 70 offices around the world with SFTA clusters and satellites as part of the customer's global network.

Answer 3: A global media company regularly exchanges more than one terabyte (1TB or 1,000 GB) of data every month and the usage is still growing.

While setting up an SFTA is just three easy steps away, it is equally true that Accellion SFTA has been designed as an enterprise solution that allows appliances to be linked together to provide a global secure file transfer infrastructure.

Because SFTA is a highly scalable solution, you can start with one appliance to service your current needs. And, as usage and the company expand, just keep adding to the SFTA network to meet the new demands.

A second advantage is that, since Accellion has customers in North America, Europe, and Asia deploying SFTA on a global enterprise basis, we know as much about how to implement a global multi-office secure file transfer infrastructure as we know about what not to do.

***

So, what are the key considerations for a multi-office secure file transfer architectural framework? There are six.

1. Access Control: How to ensure and automate the process in which only authorized users can access the correct file/data.

2. Security: How to ensure file transfer security both technically, such as file encryption, and business process-wise, such as file tracking.

3. High Availability: How to ensure constant availability in light of potential hardware, location, and connectivity failures.

4. Storage Management: How to ensure efficient file storage to maximize system wide capacity.

5. Right Speed for Users: How to ensure timely file/data delivery without significant capital investment.

6. Ease of Enterprise Integration: How to make the secure file transfer process integrate with existing enterprise usage.

I won't inundate you with the whole eight pages worth of data and analysis. So, click here for the whitepaper on the six factors on how to implement a global multi-office secure file transfer infrastructure [registration required].

Whether your organization needs to support a handful of file transfer users or tens of thousands, Accellion can help you achieve it.

And, the best part of it, none of it has to hurt!

ACA Guy

Wednesday, December 06, 2006

What is the largest file attachment that you can send via Exchange and a few related incidents for the ACA Guy

Summary: Setting an attachment size limit is the right thing to do. But what is the biggest file that you can theoretically send via Exchange? And, see how ACA Guy sent a 6.5GB folder.

-----

There is no denying that Microsoft Exchange is a highly successful product. With more than 115 million seats (users) worldwide, this email solution has become an integral part of many organizations and it is difficult to fathom how business processes get completed without it today!

(And, in the interests of equal time, the same applies to Lotus Notes and GroupWise users.)

All the same, even a "killer app" like Exchange has its limitations, such as sending large file attachments. Exchange and its related desktop client products, Outlook and Outlook Web Access (OWA) all have limits on the size of files that can be sent and received.

In a prior discussion on MSFT Exchange/Outlook attachment size best practices, it was noted that, out of the box, Exchange 2003 sets the default file size limit at 10MB. Email administrators can adjust these limits higher or lower. Setting higher file size limits allows end users to send or receive large files, but these higher limits can result in performance degradation of the overall system. And, from talking with email administrators, setting file size limits in the range of 5MB to 10MB seems sufficient for the majority of email users and business processes. Moreover, it helps to control email performance issues which impact the entire organization.

(So, why is ACA Guy so up to snuff on Exchange/Outlook? Many Accellion customers come for SFTA's ability to integrate with Exchange/Outlook so that large file transfer capability becomes a seamless process for their Outlook users. But, that is, as the saying goes, another story for another time.)

Looking at the size limit issue from the other side, for the sake of argument, what is the biggest file that a user can send under the Exchange/Outlook regime? For this, let's turn to the official MSFT Exchange team blog.

In the posting about Controlling attachment size in Exchange Server 2007 Outlook Web Access (OWA), Raj Mukherjee noted there is a default file size limit of 30 MB. Raj also provided instructions for email administrators who want to change that file size limit, and the instructions are, shall we say, non-trivial.

On the question of the hard limit, Raj discussed OWA's 60-minute timeout for file uploads and downloads, which cannot be changed even by an email administrator.

So, it kind of got me thinking. Since one hour is a decent chunk of time, if you take the trouble to send a very large file, I cannot think of a worse fate than having the job abruptly terminated mid-session when the clock strikes the 61st minute.

Oh, beyond self-loathing from the terminated job, did I mention how you would also get the evil eye from all the people whose email slows to a crawl because you attached a large file to the email?

***

Afterthoughts

Never one to shirk from controversies, ACA Guy was drawn into a war of words in the comment section for the Exchange blog posting. It is a shame that "Mr/Ms Anonymous" left the party. Nevertheless, here is a Digg entry if you want to keep the flame alive.

Finally, for the record, ACA Guy's biggest file transfer job was a 6.5GB folder with one click through an Accellion SFTA box.

Just thought you would like to know.

ACA Guy

Wednesday, November 29, 2006

Ideals and Realities - Who is Responsible for Ensuring Security and Compliance for File Transfer?

Summary: How is enterprise file transfer conducted in the trenches? Simply put, not pretty. But, instead of pointing fingers at each other, IT and end users are really looking for the same thing. And, this makes selecting the best solution possible.


-----

In most business processes today, information and data in the form of files are handed off from one person to another for processing and review, either within the organization or to parties outside the organization. This begs the question: when a file is "in motion," who is responsible for its security and ensuring compliance with business policy and government regulations?

The simple and official answer is that both the business user and the IT department have a fiduciary responsibility to ensure that information is protected and handled properly when it is transferred from one person to another (no matter if it is internal or external).

But, if you look closer in the trenches, things do not always work that way.


***
An end user often thinks more in terms of ease of use than security and compliance when it comes to how to get his job done in a way that he can control. Applying this truism to file transfer, this usually means attaching a file to an email, or a distant second choice would be burning a CD/DVD – whatever is the most expedient to meet the needs of the work process. Unfortunately, neither process is very secure. Nor would these processes meet regulatory compliance guidelines.

This does not make the end user a bad person - this simply means that he does not have a tool that meets all his needs, which includes fulfilling the security and compliance requirements.

Because IT departments are responsible as well as accountable for providing the tools, guidelines, and training to ensure the security and compliance of the data, they are more aware of the security and compliance issues in business process systems and solutions. On the other hand, while the IT team works hard to manage risks via appropriate security controls and compliance procedures, what can get lost in the process is the "ease of use" requirement. In practice, this often means that the controls and procedures can become so cumbersome as to impede adoption of a system solution by the end users.

This does not make the IT guy a bad person - this simply means that he does not have a tool that meets all his needs while fulfilling the security and compliance requirements.

Wait! Did I just say that both end users and IT are looking for the same thing!?

Indeed, instead of IT blaming end users for non-compliance of security procedures and end users blaming IT for erecting cumbersome hurdles in getting the job done, what everyone needs is a solution that is easy for the end users and meets all the security and compliance needs as set out by IT.

***

While the specific security and compliance needs differ amongst organizations -- for example HIPAA is of overriding concern for a healthcare practice whereas SOX is what a public firm must follow -- most IT and security people can clearly articulate the key attributes for secure file transfer capabilities as:

• The file is accessible to the sender and the recipient, and no one else in between.
• The file should be encrypted while in motion.
• The file in motion should be checked to see if it has been corrupted by viruses or other malware.
• The file transfer process must document who accesses a file in motion and when, and provide an auditable record of the transaction.

Similarly, what most end users would clearly articulate in terms of the preferred file transfer procedure is to follow a process that is as close to sending email attachments as possible, without all the email attachment problems, of course. Because sending an email attachment is a well understood and accepted process for most end users, an email-like solution would ensure rapid adoption instead of resistance.

So, the conundrum has been solved! The best way to ensure security and compliance in the file transfer process for business needs is to adopt a solution that behaves like email for the end users while transparently running various encryption and auditing capabilities on the backend.

Oh, don't forget to ask for easy to administer and maintain features like automatic user account creation and global file life-cycle policy while you're at it!


***

BTW, did I mention that ease-of-use, security, control, and more, is exactly what an Accellion Courier Secure File Transfer Appliance (SFTA) can do for your IT department and users?

Or, as the IT director of an advertising customer told me recently, he could "feel the love from end users" when he announced the Accellion solution.

Shouldn't you feel that love too?

ACA Guy

Wednesday, November 22, 2006

What FTP access you can get with US$10,000 and other ACA Guy FTP hubris

Summary: "Moral outrage" was the sentiment the otherwise stoic ACA Guy felt when the reporting on an eBay auction for FTP access to a .gov domain surfaced. And, a few other incidents highlighting ACA Guy's FTP hubris quickly followed.

-----

I thought I had seen it all but my jaw dropped when I read the posting about selling FTP access to a .gov domain server.

To quickly recap, there was an auction on eBay for access to "parasitic host" files on a .gov domain with a winning bid of nearly US$10,000.

What is in it for the buyer? You see, in the wild world of SEO/SEM (search engine optimization/search engine marketing), having your information/files addressed in a .gov domain name is like putting your SEO/SEM effort on a super steroid that nobody else can get. And, as a US$10 Billion industry that did not exist just a couple of years ago, there are plenty of SEO/SEM players who will do anything to get that extra edge.

And, this, what I can only presume to be unauthorized, "service" is rendered by sending the seller your files and the seller FTP'ing your files to the destination .gov domain. In other words, a legitimate web server, owned and operated by a government agency, will soon be playing host to unauthorized and unknown files. All because someone left an FTP access that is (I can only hope) unintentionally open.

Like a really good scary story, this is extra spooky precisely because everything makes sense and it could as easily happen to you and me.

ACA Guy's FTP hubris #1: I thought my FTP ghost story was good. But, monetizing unauthorized FTP access is, what can I say, wow!

While we are talking about how human users can behave badly around FTP, here is another one as reported by Computer World. The gist of the story is that an employee uploaded a copy of Windows 2000 Professional OS onto a public-access FTP server that is frequently used to download software patches and the like. Needless to say it was not a legal distribution of the copyrighted software. Furthermore, this incident was only discovered after a product marketing person just happened to notice the "odd" software image on the server. Let's not even speculate on the potential legal liability for the company.

ACA Guy's FTP hubris #2: I am reminded of that saying about firearms and criminals, and I thought - FTP does not kill, users do.
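A detection sketch for the two FTP failure modes described on this blog (an unexpected upload sitting on a public-access server, and one account's credentials spreading to many outside parties), added here as an example and not taken from the original posts or from Accellion. It assumes the FTP server writes the common xferlog transfer log; the log lines, hosts, account names and the `max_hosts` threshold are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the common xferlog layout:
#   date(5 tokens) transfer-time host size filename type action-flag
#   direction access-mode username service auth-method auth-id status
# Hosts come from documentation address ranges; paths and users are made up.
SAMPLE_XFERLOG = """\
Mon Nov 13 09:02:11 2006 2 192.0.2.10 1048576 /pub/patches/kb-fix.exe b _ o a guest@example.org ftp 0 * c
Mon Nov 13 23:41:07 2006 412 203.0.113.77 681574400 /pub/incoming/os image.iso b _ i a x@example.net ftp 0 * c
Tue Nov 14 08:15:42 2006 5 198.51.100.4 204800 /home/companyx/specs.zip b _ o r companyx ftp 0 * c
Tue Nov 14 11:30:09 2006 6 198.51.100.91 204800 /home/companyx/specs.zip b _ o r companyx ftp 0 * c
Wed Nov 15 02:12:55 2006 7 203.0.113.5 204800 /home/companyx/pricing.xls b _ o r companyx ftp 0 * c
Wed Nov 15 14:03:20 2006 3 192.0.2.200 51200 /home/build/nightly.tgz b _ i r build ftp 0 * c
garbage line that is not a transfer record
"""


@dataclass(frozen=True)
class Transfer:
    when: str        # timestamp as logged
    host: str        # remote host
    size: int        # bytes transferred
    path: str        # file name on the server
    direction: str   # "i" upload, "o" download, "d" delete
    access: str      # "a" anonymous, "g" guest, "r" real account
    user: str        # account name, or the e-mail string given by an anonymous user
    complete: bool   # True when the completion status is "c"


def parse_line(line):
    """Parse one xferlog record; return None if the line is not a record."""
    tok = line.split()
    if len(tok) < 18:
        return None
    # File names may contain spaces, so take the fixed fields from both ends
    # and treat whatever is left in the middle as the file name.
    tail = tok[-9:]  # type, flag, direction, access, user, service, auth, id, status
    if tail[2] not in {"i", "o", "d"} or tail[3] not in {"a", "g", "r"}:
        return None
    try:
        size = int(tok[7])
    except ValueError:
        return None
    return Transfer(
        when=" ".join(tok[0:5]),
        host=tok[6],
        size=size,
        path=" ".join(tok[8:-9]),
        direction=tail[2],
        access=tail[3],
        user=tail[4],
        complete=(tail[8] == "c"),
    )


def parse_log(text):
    """Return (transfers, number_of_unparseable_lines)."""
    transfers, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            transfers.append(rec)
    return transfers, skipped


def anonymous_uploads(transfers):
    """Files written to the server by anonymous sessions."""
    return [t for t in transfers if t.direction == "i" and t.access == "a"]


def shared_accounts(transfers, max_hosts=2):
    """Real accounts seen from more distinct hosts than max_hosts."""
    hosts = defaultdict(set)
    for t in transfers:
        if t.access == "r":
            hosts[t.user].add(t.host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_hosts}


if __name__ == "__main__":
    records, bad = parse_log(SAMPLE_XFERLOG)
    for t in anonymous_uploads(records):
        print(f"anonymous upload: {t.path} ({t.size} bytes) from {t.host} at {t.when}")
    for user, seen in shared_accounts(records).items():
        print(f"account {user} used from {len(seen)} hosts: {', '.join(seen)}")
    print(f"{bad} line(s) skipped as unparseable")
```

Run on a schedule against the live transfer log, this reports what the stories above say was only noticed by accident or after the fact.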

Looking for more ways to scare yourself on FTP? In the world of viruses and other malware, Panda Labs reported that the top ranking malicious code most frequently detected in October 2006 (and in fact, throughout 2006) is Sdbot.ftp which is a script used by the Sdbot family of worms to download themselves via FTP.

ACA Guy's FTP hubris #3: I thought, erroneously, FTP is relatively secure vis-a-vis email as the most prevalent target of virus and malware.

To be fair, FTP has a long and illustrious history in the world of scripted and machine-to-machine file transfers.

But, given the prospect of having somebody making off with US$10,000 in pure profit to insert unauthorized info onto my domain, I would much rather invest $3,500 on an Accellion Secure File Transfer Appliance (SFTA) to have secure control over internal and external file transfer access or, better yet, spend the whole US$10,000 for a beefy SFTA appliance and let your security and compliance officer have a thanksgiving day.

On that note, Happy Thanksgiving to all the gentle readers of ACA Guy based in the U.S. And, a most pleasant rest of the week for everyone else.

ACA Guy

Wednesday, November 15, 2006

Secure File Transfer for Architecture, Engineering and Construction Users

Summary: Architecture, Engineering and Construction (AEC) firms are increasingly looking to Accellion SFTA as a solution that allows end users to easily and securely send large files and folders without requiring IT intervention.

-----

To state the obvious, enterprise users need to send and receive large files to and from people both inside and outside the organization. As transferring large files among work colleagues becomes de rigueur for many business processes, proactive IT teams have abandoned their FTP servers and added a secure file transfer appliance to make sure their users have the right tools to get those critical business files to the right person, at the right time, securely.

Since this is a Horizontal Business Process Improvement Opportunity, at Accellion, we have found that many industries have a clearly articulated need for solutions like SFTA. The legal industry, as well as healthcare, are two industries I have previously highlighted in this blog.

Architecture, Engineering and Construction, otherwise known as AEC, is another industry where we are seeing a surging demand for a solution that lets end users easily and securely transfer large files and folders. Given the nature of AEC, most of the work is collaborative across organizational and geographic boundaries, and these firms have some pretty hefty files to send around.

For instance, take a civil engineering firm that is designing a freeway overpass. This firm would produce a series of CAD (computer-aided design) drawings for the construction firm that is going to build the bridge. Because industrial CAD files can easily get to the range of hundreds of megabytes in size, this isn’t something you can simply email from one person to another. (Not without getting the evil eye from the email administrator and your fellow co-workers because you just completely choked the email system, anyway.) So, traditionally, this transfer is done either by an FTP server, which usually requires IT intervention, or by overnight delivery service of a CD/DVD, which is costly in transit time.

So, when AEC companies like Bigge Crane & Rigging Company find a solution like Accellion SFTA that allows end users to operate within the familiar email interface while sending large files and folders of any size without impacting the email server, it is a Eureka moment.

Or, as somebody has not so delicately put it, size matters. (When it comes to large files, that is.)

ACA Guy

Wednesday, November 08, 2006

3 Easy Steps to Secure File Transfer Nirvana - a.k.a. why IT and users love appliance solutions

Summary: Like the humble toaster, a dedicated appliance solution like the Accellion Secure File Transfer Appliance can be installed and deployed in three simple steps that allow IT and users to get on with their lives.
-----

I enjoy all aspects of culinary arts. I can regale you about the Atlantic spiny lobster in Spain as discussed on eGullet or the results of the Dim Sum Civil War in the San Francisco bay area instigated by ChowHounds and I have been known to take three months to prepare a dish (duck confit, in case you are wondering).

But, truth be told, the tool that I use most frequently in the kitchen is the humble toaster. Just press down on the handle and, by the time the table is set, crunchy and golden toast is ready.

I’m convinced that most people prefer simple appliances that do exactly what you need them to do, with practically no setup and intervention. Just press and watch it work.

It’s the same in the IT world. Technology buyers prefer solutions that do exactly what you expect them to do - requiring minimum setup and as little on-going IT intervention as possible.

End users, they want the technical equivalent of a toaster too, because they want to get a job done without getting a second degree in IT support.

In this light, it is only appropriate that the "A" in Accellion's SFTA stands for Appliance (as in Secure File Transfer Appliance). Unlike FTP/SFTP servers or email attachments that require extensive initial setup and vigilant on-going monitoring, you plug in an SFTA and it works.

Toaster for IT Administrators

To prove that I'm not overstating the easy plug-and-play nature of this appliance, I want to share the gist of the installation guide that I got from the Accellion Field Support team. Or, as I like to think, these instructions are the "three steps to secure file transfer nirvana for IT administrators":

Step 1: Pre-installation
- Configure your firewall to allow access to and from the appliance.

Step 2: Physical installation
- Rack mount the server and connect the cables (monitor, keyboard, Ethernet, and power)

Step 3: Configuration
- Specify network settings (host name, IP/subnet mask, DNS, and gateway)
- Choose a notification email address

All told, these instructions should take a prepared IT professional less than half an hour to have an SFTA up and running. When was the last time you had a complete IT solution available to all users in that short amount of time?

Toaster for End users

For an end user to send a large dataset:

a) Select the recipient’s email address
b) Select file/folder(s) to send
c) Add a personal note if desired
d) Press 'Send'

No complicated steps. No long URL strings to copy/paste. No extra settings to worry about. Like Dr John Halamka, CIO of Harvard Medical School, said, "[SFTA] is exceptional because the numerous emails about ad hoc large file transfer have vanished since its installation."

End users like SFTA for their secure file transfer needs. Sort of like making toast with a toaster.

ACA Guy

Wednesday, November 01, 2006

What Network World and Gartner are saying about Secure File Transfer

Summary: What a difference two years make. What leading publications and analyst firms, such as Network World and Gartner, are saying about secure file transfer and its expanding applications.
-----

Like most information technology vendors, I have my ambivalence about industry analysts. For example, how can anyone not clearly see that Accellion Secure File Transfer Appliance is the best thing since sliced bread? Honestly. On the other hand, it is gratifying to see analyst reports on market growth and feature diversification matching up with experiences on the ground.

In a 2005 Network World review: Learn to love e-mail attachments again, Linda Musthaler, an IT industry analyst, outlined the concerns on "large e-mail attachments several megabytes in size often fail to make it to the intended recipients" and "[FTP], too, has its shortcomings, including lack of security, burdensome administration, lack of document versioning and tracking, and non-compliance with government regulations for certain documents."

Bingo.

When Accellion first rolled out the Courier Secure File Transfer Appliance (SFTA) solution in late 2004, it was an uphill battle to convince people that SFTA is not only a better technical solution but would make both the end users and the IT support personnel happy.

The typical objection we would hear was that FTP/SFTP and email attachments, while not perfect, were serviceable solutions that both end users and IT departments are willing to put up with.

While we worked with early adopters to overcome these objections, we also began to hear murmurs on the increasing number of FTP/SFTP and email infrastructures that were buckling under the growing volume of information exchanged. Slowly but surely, across industries and business functions, both IT professionals and end users were coming to the realization that secure file transfer is a core business process that cannot be ignored.

Gartner’s 2006 report Replacing FTP With Managed File Transfer: Not All MFT Suites Are Equal states that "Gartner previously defined the MFT suite market as a combination of internal and external technology that enables users to manage all aspects of file transfer. Increasingly, however, we've noticed that there are multiple, disparate deployment scenarios with regard to MFT suites."

Bingo. Bingo.

Instead of a monolithic and FTP-centric view where only machines need to exchange large files, the market place has embraced and demanded secure file transfer solutions that are user-centric. In other words, machine-to-machine file transfer has become a sub-segment to a much larger market where users need the ability to securely communicate and collaborate with external partners and organizations on an ad-hoc basis with files of any size.

As a result, the market place for MFT solutions deepens and widens to include additional processes and usage behaviors, and we are seeing a surge from proactive IT departments inquiring about the Accellion SFTA solution. This is chiefly driven by the desire to treat secure file transfer as a horizontal business process improvement opportunity. Similarly, instead of us educating the buyers about FTP/SFTP and email attachment issues, we are hearing from them on how FTP means Failure To Protect and what kind of strange maneuvers on Microsoft Exchange/Outlook Attachment Size that they no longer wish to engage in.

Equally important, this need is not confined to a niche industry or function. Many knowledge workers in disparate fields -- ranging from hospitals, research institutions, law firms, to advertising agencies -- are now wondering aloud how they ever lived without Accellion SFTA at their fingertips.

Back at the ranch, Accellion has grown its SFTA customer base from single digit to triple digits in the space of six quarters! In many ways, this feels like we have just passed the early adopter stage and are now on the cusp of an emerging solution that is about to go mainstream for every user and IT professional.

But, more importantly, Accellion pledges to continue to make file transfer easy and secure for end users and IT alike. It’s our belief that the easier we make it, the more it will be used, and the more productive it will make people. And isn’t that the main reason why anyone installs new technology in the first place?

ACA Guy

Wednesday, October 25, 2006

Comparing the costs of FTP/SFTP, Email, and SFTA for Secure File Transfer Needs

Summary: Why "industry standard" is often wrong, 20 years ago and today. And, a closer examination of the comparative costs of Accellion SFTA, FTP/SFTP, and Email for file transfer needs.
-----

We all know how to make "apple to apple" comparisons. But, the reality is that "apple to orange" comparisons are far more common in the business world. I guess that's what makes our jobs more interesting. If all of our choices were "apple to apple," the decision process would get pretty obvious.

Why am I going off on a seemingly "fruitful" tangent? You see, I was having a chin-wag with a respected IT veteran and was told of the time when she was tasked to recommend whether her employer should go with leasing a word processing solution on a Wang Labs mini-computer and terminals vs purchasing and installing PCs with word processing software and connecting them by LAN.

(I realize that this may seem like an obvious decision today. However, 20 years ago, when PCs were considered marginally smarter than a dumb terminal and everyone you would meet on a professional basis considered the Wang Labs solution as the industry standard for enterprise word processing, the decision was anything but.)

The point is, it’s often difficult to do a direct comparison of two things because features and costs often do not line up one-for-one. On the other hand, her instinct that the PCs' capabilities were equally or more important than cost was right on. The LAN would usher in a new era of business process enablement where engineers were more productive because they could process their own documents whenever and however they wanted. And, instead of typing letters and files, secretaries could move into higher level roles (e.g. administrative assistants) and add more value to business processes new and old.

And, naturally, this recommendation launched our heroine to the better and brighter future that eventually led to our chitchat as related above.

Fast forward 20 years and compare FTP/SFTP or email attachment to a secure file transfer appliance from Accellion. IT teams are coming to Accellion for SFTA because, even though FTP/SFTP is a free utility on most server operating systems and email attachment is a standard capability of the email system that has already been paid for, SFTA is a Horizontal Business Process Improvement Opportunity. It's just like how installing PCs and a LAN could give you so much more than the "industry standard" word processing solution could 20 years ago.

How about the costs? SFTA is not free, so how does the cost measure up against the "business process improvement opportunity"?

The costs of an SFTA include:
    * The purchase price of the appliance(s) for your organization
    * The annual maintenance agreement, which covers updates and support
    * The IT department’s implementation time, which is about an hour
    * Eliminating an overwhelming majority of support requests on secure file transfer needs

In dollar terms, there is a one-time purchase cost followed by the cost of less than one (<1) headcount for an experienced IT person going forward because support and maintenance are largely automated and do NOT increase as the organization ramps up with SFTA usage.

The costs of FTP include:

    * The purchase of hardware for a dedicated FTP server and the time to set up the software to run FTP
    * The on-going time for administering FTP services, such as adding and deleting users, maintaining files, managing directories
    * User training and support as FTP is notorious for being user unfriendly.

In dollar terms, there is a one-time hardware purchase and software setup cost followed by one headcount for an experienced FTP administrator. And, as usage ramps up, there will need to be a proportional increase in FTP staff for support. And, in extreme cases where the end users have tight deadlines, such as law firms and other professional service firms, the FTP support staff needs to be available 24/7.

The costs of Email attachments include:
    * The cost of increased storage capacity for the email system to process and store large attachment files
    * User time spent clearing out or archiving email messages when storage limits are hit
    * Monitoring and contingency procedures for when a user inevitably decides to send a 50MB file to 20 recipients (and creates a 1GB surge on the email server with a single click)
    * The nights and weekends spent in recovering from crashed email servers when that 1GB surge was not caught in time

In dollar terms, the hardware cost is often hidden as part of the overall email upgrade. However, the headcount cost for email administrators and IT support will increase as the usage spreads in the organization. This is partly to monitor and prevent those attachment surges. And, you would expect to add more email administrators after the first email crash.

As you can plainly see, and please pardon the "buzz word", SFTA provides a Scalable secure file transfer process that lowers its usage cost as users adopt it, whereas the traditional FTP/SFTP and email attachment processes are Not Scalable and require more feeding and caring as more users come on-line.

So, the question is not unlike what our heroine faced 20 years ago. Do you go with the accepted "industry standards" of FTP/SFTP and email attachment for your file transfer process, or go with SFTA, which has been proven in the field to lower the cost of the same transaction while making the whole organization more productive?

ACA Guy

Wednesday, October 18, 2006

Horizontal Business Process Improvement Opportunity: Complement the Email Infrastructure with Secure File Transfer Appliance

Summary: A horizontal business process improvement opportunity cuts across departments and functions. If done correctly, such as implementing a secure file transfer appliance in support of the enterprise email infrastructure, you can realize and sustain the benefits quickly.

-----

CIO Insight just released some results of a "Research study on business process improvement (BPI)." There were basically two main findings:

Finding 1: Improving business processes is the top priority for many IT executives, especially at small and midsize companies.

Finding 2: Although process improvement is a priority, the pace of change is moderate.

Why is BPI so important? Here is what CIO Insight writes on the topic: One of the most important lessons from the last 25 years of business computing is that you can't throw technology at a problem and expect it to go away, or fling a system at an opportunity and expect the dollars to rain down.

Other than nodding in agreement, I think it is important to note that business process improvement opportunities come in two flavors. There is the vertical process that involves a specific set of data and people, e.g. inventory control for just-in-time production. Then, there are the horizontal processes that are less visible but no less vital for an organization's everyday operation -- processes such as sending large files securely; for example, engineers send blueprints, marketers send collateral, sales people send product quotes, finance people send consolidated accounts, and so on.

While the horizontal processes are less visible, the CIO Insight article observation applies equally -- that throwing money and technology at them does not solve anything. Thoughtful implementation of a solution that makes sense from the end users' perspective is what will drive the success of a technical solution for a horizontal process.

The good thing about the horizontal process improvement solution, however, is that it is easier to realize and sustain its benefits because it usually does not involve significant re-engineering of the existing processes in a manner that causes resistance from users.

For instance, exchanging information with people inside and outside is a (horizontal) business process common to most departments. In the early days, we did this by physically sending and receiving memos, letters and printed documents. The process to send something could take days. If we wanted to improve productivity (i.e., reduce the time involved), we paid extra money to use a courier service to speed up delivery.

Then, the horizontal business process solution, email, came along. We address our communication to one or more people, include the information we want them to have, and send it along its way. Only now the bits travel at the speed of electrons instead of the speed of the mail carrier. Email is so entrenched in virtually every business and every department today that we can’t imagine doing without it even though it has not been in wide use for more than two decades.

So, what is the next horizontal business process improvement opportunity? Put simply, what is the most common complaint about email for both IT and end users? I’m talking about email attachments.

Email systems were not architected to send large files; rather, these systems were designed for sending short messages that are just a few kilobytes in size. As a result, none of the major email systems in use today were developed with the notion of attaching large files (i.e., those that are 5 megabytes or larger) in mind.

Yet business processes have evolved from the days of simple text in email to sending ever-burgeoning files and documents as part of routine email communication: contracts, proposals, drawings, photographs, blueprints, and so on. They are all a critical part of the business process today.

Given the acrobatic moves required of end users and IT to send large files securely as attachments for the daily business needs, I would submit to you that this is as much of a horizontal business process improvement opportunity as email was back then. Does this mean that there is a miracle email system re-architected to handle large attachments? Unfortunately, no. Like most successful legacy systems, email vendors have too large of an install base to risk making that kind of departure.

Fortunately, a secure file transfer appliance is available today. It offloads the large attachments from the email system, and still allows the business users to use the beloved email as a normal business process. As discussed in No Pain is Gain - What email focused VAR partners are doing for email size limits, there is no need to change how people work, how work is organized, or how work flows, changes that often pose obstacles to realizing the benefits of a business process improvement opportunity, as argued by CIO Insight.

Don't take my word for it. What do the IT teams and users from BIDMC (teaching hospital affiliated with Harvard medical school), Foley & Lardner (US law firm with 1,000+ attorneys), and Millward Brown (global leader in market research) have in common? They all recognized that sending large files securely is a core business process and none of their highly trained (a.k.a. demanding) users want a compromised solution that forces them to deviate from getting their job done.

Come to think of it, you and I deserve no less, too!

ACA Guy

Wednesday, October 11, 2006

Cutting Total Cost of Ownership by 50% with a true Enterprise Plug-n-Play at the expense of good ID-Ten-T stories

Summary: When analyzing the total cost of ownership (TCO), it is important to keep in mind that more than 50% of IT cost and resources are usually devoted to support and maintenance. So, an enterprise "plug-n-play" SFTA appliance that eliminates the bulk of support and maintenance expenditures can do magic to your performance numbers!

-----

When an IT manager thinks about implementing a new solution, he takes into account the cost of the entire life cycle – the total cost of ownership (TCO), in other words. There’s the obvious cost of the purchase price to start, but that cost is often dwarfed by support and maintenance expenditures. What’s more, there are often hidden support overhead costs that the IT department does not consider when calculating the TCO of a solution.

According to a Gartner analysis, these hidden costs – for example, non-technical, non-IS personnel attempting to resolve end user computing problems -- can be as much as 24 percent of the entire IS budget. Furthermore, the cost of new technology is not limited to the IT organization because the same report states that end-user time spent on non-job-related PC activities accounts for more than 40 percent of a PC's total cost and more than 50 percent of IT-related expenses are incurred outside the IS organization.

One classic example of a "waste of time" that costs a company money is user time spent freeing up disk space, such as when a user's email storage has reached its limit and the person must delete or archive messages to be able to use the application again.

Given the extra costs of support, it’s a wonder that companies choose to install new IT solutions at all!

I mention all of these issues with support costs because just the other day, an Accellion customer – the CIO at a large teaching hospital – said he has virtually no support costs associated with the implementation of the Accellion SFTA solution. Ad hoc secure file transfer of very large files used to be a constant source of complaint from his users, but, with SFTA, his Help Desk gets no calls from end users needing to send large files. With the lessened burden on his organization, this is a true case of saving money by spending money.

If you think this is unusual, I will tell you that we hear the same thing regularly from other Accellion customers. For example, Daniel G. Rhodes, IT Director at the law firm of Foley & Lardner, has implemented SFTA to help lawyers and clients exchange files securely without IT intervention, as outlined in this announcement. (And, we all know how time-pressed and hard-to-please attorneys can be.)

With practically no need for technical support, can it be that the Accellion Secure File Transfer Appliance is the first true enterprise "plug and play" solution?

Our customers tell us that they install the appliances, integrate the interface with their directory services, and away they go! Training requirements are minimal, if any, because the solution's user interface is intuitive. Support for SFTA has almost become a sinecure because end users don't have questions. I suppose the major drawback of deploying an SFTA is the virtual elimination of good ID-Ten-T error war stories!

Sorry.

ACA Guy

Wednesday, October 04, 2006

Secure and Compliant File Transfer = Technology + Human Behavior

Summary: Meeting security and compliance requirements for secure file transfer as a core business process requires both technology and human behavior for its success.
-----

File Transfer in the context of security and compliance is hot these days. Vendors, Accellion included, offer technology solutions that would address various requirements such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) as discussed in "Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?".

What is often lost in the discussion, however, is a higher level recognition that file transfer for security and compliance is really a process requirement and it takes both technology and human behavior to fulfill the mission. In other words, there has to be a holistic approach to providing a technical solution that would seamlessly integrate and support the organizational flows so that users will readily accept it.

Typical is this discussion from Dr Dobb's. Breaking down the security requirements into layers from Application, SSL, IPSec, to Link Layer is a very robust approach to setting up a secure infrastructure, technically. However, what the impact on the end users is, and how they would incorporate the infrastructure into their daily business processes, are the real questions, in my mind, that would determine the ultimate success of a deployment meant to address security and compliance needs.

One could argue, with some validity, that it is a question of level. The technical details are for the network manager to worry about whereas the CIO/CTO should address the holistic/business process angles.

But, I would submit that this is a short-sighted approach. As we all know, most CIOs/CTOs rely on the recommendations of the IT department in the solution selection process. If the network manager's mindset is narrowly focused on technical protocols like SSL and IPSec, the organization often will get a solution that looks great on paper because of its technical capabilities without really addressing the end users' needs. This type of technically focused selection usually comes back to haunt the IT team in the form of unhappy users and increased IT support needs since the new process cannot be easily integrated into the users' natural work flow.

In the context of secure file transfer, we often see this type of dichotomy with FTP/SFTP for ad hoc file transfer, where users would rather burn a CD and send it overnight than have to deal with IT support. Alternatively, a close second favorite method for users is to cut down the size of one large file into multiple pieces and send each as an email attachment to be re-assembled by the recipient. If you can think of a way to circumvent the official file transfer method (FTP/SFTP or Email attachment), I probably have heard about it from end users.

I suppose everyone, IT and end users alike, would agree that whatever solution is used, it should be user-friendly. But, politically correct answer aside, I think the real $64 question is why users are circumventing some solutions and wholeheartedly embracing others.

From talking with customers and prospects, it always boils down to this very simple insight for me - users (non-IT people) just want to have a sense of control over their own destiny.

Requesting FTP/SFTP access and waiting for IT to show up around 2:30pm tomorrow is just a drag. On the other hand, if I can burn a CD, I can see the progress bar to know that it will take 15 more minutes to finish. If I send it via FedEx, I can track it to see where it is and get an automated notice when it gets to the destination.

If you think of these two processes rationally, FTP/SFTP probably takes significantly less total time - say 20 minutes over 24 hours to get the job done, whereas burn-n-send probably takes 1-2 hours over 48 hours. But, users are happier with burn-n-send, an inferior solution, because they feel that they are in control.

End users just want to get the job done and move on to the next thing. Rationality has nothing to do with it.

So, are you looking to implement a secure file transfer solution that will meet the organizational security and compliance requirements? Yes, you would still want to meet the technical standards such as encryption and management reports on who sends and receives what. That is the basic requirement. But, what will determine the success of the deployment is a secure file transfer solution that fits easily into the human processes, so that end users will embrace it.

Why? Because, as with most users, a USB thumb drive with 2GB capacity always sits in my drawer...

ACA Guy

Wednesday, September 27, 2006

FTP (Failure To Protect) and an early Halloween ghost story

Summary: According to Microsoft TechNet, FTP fails to protect the data and files that it transfers. And, find out if your FTP/SFTP servers are haunted too.


-----

When I talk with prospective customers about their current file transfer solutions, FTP (file transfer protocol) is a common one, but the insecurity of the service scares them.

As it should.

You don’t need to be an information technology guru to understand the business implications of the shortcomings of FTP as the following passage from Microsoft TechNet describes:

FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid user name and password combination prior to granting access. Be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All credentials are sent across the network in plain text. In other words, all FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server. The risk of plain text credentials is that someone other than the intended users could log on to FTP and download the files you have placed there.

In other words, don’t put anything on your FTP server that you wouldn’t feel comfortable publishing in a press release – that’s how wide open your data can be. This is especially true today when everything imaginable and unimaginable is being indexed by search engines, as I have noted in FTP (In) Security in the Google Age.

Of course, there are ways to add security to FTP. It generally involves some kind of additional wrapper around the FTP server. It can be an encrypted channel such as a VPN (Virtual Private Network) through IPSec (Secure Internet Protocol). Alternatively, you can utilize some flavor of encryption such as SSL (Secure Sockets Layer) to scramble the traffic.
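To make the difference between plain FTP and an SSL/TLS-wrapped session concrete, here is an added example (not from TechNet or Accellion) that audits what a passive observer could read on the FTP control channel. The transcripts are constructed, the account name and verdict labels are hypothetical, and the check relies on the standard `AUTH TLS` command and its `234` success reply.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionAudit:
    verdict: str                 # hypothetical labels, see audit_control_channel()
    user: Optional[str]          # account name readable on the wire, if any
    auth_tls_requested: bool
    auth_tls_accepted: bool


def audit_control_channel(transcript):
    """Classify one FTP control connection from its readable lines.

    transcript: iterable of (sender, line), sender "C" (client) or "S" (server).
    The password itself is never stored, only the fact that it was readable.
    """
    user = None
    password_seen = False
    requested = accepted = False
    awaiting_auth_reply = False

    for sender, raw in transcript:
        line = raw.strip()
        if not line:
            continue
        if sender == "S":
            # Only the final line of a reply ("234 ...", not "234-...") decides.
            if awaiting_auth_reply and line[:3].isdigit() and line[3:4] != "-":
                awaiting_auth_reply = False
                if line.startswith("234"):
                    accepted = True
                    break  # everything after this point is ciphertext
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()  # FTP command verbs are case-insensitive
        if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
            requested = True
            awaiting_auth_reply = True
        elif verb == "USER":
            user = arg.strip()
        elif verb == "PASS":
            password_seen = True

    if password_seen and requested and not accepted:
        verdict = "tls-refused-cleartext-fallback"
    elif password_seen:
        verdict = "cleartext-login"
    elif accepted:
        verdict = "tls-upgraded"
    else:
        verdict = "no-login"
    return SessionAudit(verdict, user, requested, accepted)


# Constructed transcripts (not captured from any real server).
PLAIN_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER partner01"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret"),
    ("S", "230 User logged in"),
]
UPGRADED_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234-Security exchange follows"),
    ("S", "234 Proceed with negotiation"),
]
FALLBACK_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "auth tls"),
    ("S", "502 Command not implemented"),
    ("C", "USER partner01"),
    ("S", "331 Password required"),
    ("C", "PASS constructed-secret"),
    ("S", "230 User logged in"),
]

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION),
                          ("upgraded", UPGRADED_SESSION),
                          ("fallback", FALLBACK_SESSION)]:
        print(name, audit_control_channel(session))
```

The fallback case is the one to watch for in practice: a client that silently continues in the clear when the server refuses TLS leaves the credentials as exposed as plain FTP does.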

The problem is that now you’re talking about adding significant complexity and cost, just to be able to transfer files. This level of overhead may have made sense in the old days when the majority of file transfers were done via scripts and schedulers with minimal human input required. But, given the increasing importance of secure file transfer in the day-to-day business processes by non-IT users for things like multimedia presentations and legal electronic discovery, FTP and SFTP bring unpleasant memories to IT and end-users alike.

***


I recently heard this FTP ghost story about a haunted server.

A contract employee was given access to an FTP server where files pertaining to his project were stored. (As a standard IT procedure, the FTP administrator would provision access for any user who showed a valid need, and this contractor proved his need.)

But then the contractor finished the project and left. (Naturally) the FTP administrator didn’t know this and thus didn't de-provision the user. In other words, the contractor still had the ability to view everything on the FTP server. Unbeknownst to everyone within the organization, this contractor paid a few more visits to the FTP server to download files - after all, no one canceled his access to the FTP server.

And, since this is a process issue, even if the server had been running secure FTP (SFTP) instead, the same haunted scenario could still be played out. So, have you ever wondered what kind of unauthorized FTP/SFTP access is happening in your organization? It is more common than you think! A major vendor is selling a tool that claims to detect exactly this type of access, as noted in my posting Much Ado About Tumbleweed and FTP Security.
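The haunted-server story comes down to two checks: which provisioned accounts have outlived their owner's engagement, and which of them were used afterwards. The sketch below is an added example, not an Accellion or vendor tool; the log format, account names, roster and dates are all constructed for illustration, and the same logic applies whether the server speaks FTP or SFTP.

```python
import re
from datetime import date, datetime

# Constructed log format: "<ISO timestamp> <LOGIN|DOWNLOAD> user=<name> [file=<path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>LOGIN|DOWNLOAD) user=(?P<user>\S+)"
    r"(?: file=(?P<file>\S+))?$"
)

# Constructed roster: account -> last day of engagement (None = still active).
ROSTER = {
    "asmith": None,
    "bjones": None,
    "contractor7": date(2006, 6, 30),
}

# Constructed list of accounts that exist on the file transfer server.
PROVISIONED = ["asmith", "contractor7", "bjones", "olduser"]

# Constructed server log.
LOG = """\
2006-06-15T10:02:11 LOGIN user=contractor7
2006-06-15T10:03:40 DOWNLOAD user=contractor7 file=/projects/alpha/spec.doc
2006-07-20T23:41:05 LOGIN user=contractor7
2006-07-20T23:42:30 DOWNLOAD user=contractor7 file=/projects/beta/pricing.xls
2006-08-02T09:15:00 LOGIN user=asmith
2006-08-03T01:12:44 LOGIN user=olduser
this line is malformed and is skipped
"""


def stale_accounts(provisioned, roster, as_of):
    """Accounts that should already have been de-provisioned on `as_of`."""
    stale = []
    for user in provisioned:
        if user not in roster:
            stale.append((user, "no owner on roster"))
        elif roster[user] is not None and roster[user] < as_of:
            stale.append((user, "engagement ended " + roster[user].isoformat()))
    return stale


def ghost_activity(log_lines, roster):
    """Log events by accounts with no owner or past their engagement end."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unparseable lines
        when = datetime.fromisoformat(m["ts"])
        user = m["user"]
        if user not in roster:
            reason = "unknown account"
        elif roster[user] is not None and when.date() > roster[user]:
            reason = "activity after engagement end"
        else:
            continue
        findings.append({
            "when": when,
            "user": user,
            "action": m["action"],
            "file": m["file"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for user, why in stale_accounts(PROVISIONED, ROSTER, date(2006, 9, 27)):
        print("STALE ", user, "-", why)
    for f in ghost_activity(LOG.splitlines(), ROSTER):
        print("GHOST ", f["when"].isoformat(), f["user"], f["action"],
              f["file"] or "", "-", f["reason"])
```

The first check is preventive and depends on HR or project data reaching the file transfer administrator; the second is detective and shows what was taken while the account lingered.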

So, this could be a fun thing to do to your security officer.

First, tell him about the importance of securing file transfer processes as part of SOX/HIPAA/GLBA compliance - feel free to use my posting Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply? as a cheat sheet.

Then, tell him this FTP/SFTP ghost story.

Booooooo!

And, before the security officer faints, tell him to pay Accellion a visit because the Secure File Transfer Appliance (SFTA) can solve all of these problems and headaches.

ACA Guy

Wednesday, September 20, 2006

Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?

Summary: How do you secure file transfer processes in the face of government regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA)? Proactive IT shops are looking for these key capabilities offered by Accellion SFTA.


-----

At Accellion, we say "Accellion Courier Secure File Transfer Appliance (SFTA) offers a key component in implementing secure and auditable file transfer processes required for meeting IP security needs and compliance mandates..." Just what does that mean? How will this product help you with your compliance mandates?

Most large enterprises operate under at least one of the legislative mandates for the protection and validation of private information. For instance, under HIPAA (Health Insurance Portability and Accountability Act), healthcare providers must safeguard the privacy of their patients' medical records. Under GLBA (Gramm-Leach-Bliley Act), financial institutions are required to hold consumers' financial information in strict confidence. Under SOX (Sarbanes-Oxley), public companies must prove that they have adequate internal controls over business procedures and financial information.

Though the legislation can get complicated when examined closely, it really boils down to common sense. Borrowing from the good ole' "do unto others" Golden Rule we all learned as children, think of the (secure) file transfer portion of these compliance mandates at their core as the "Golden Rule for Data Handling." In other words, treat other people's private data as you would want to have your own private data treated.

Common sense aside, since nefarious means such as spyware, IP spoofing, and interception of non-secure wireless traffic abound, there are several key capabilities that growing numbers of proactive IT teams are looking for in order to secure email attachments and other file transfer processes while meeting the regulatory compliance requirements for their respective industries. Many of our customers have come to Accellion to fulfill this dual objective with SFTA because of the considerations below.

(Hint: The words in italics relate directly to specifications of the legislative mandates we have been talking about.)
  • Automated download receipt - When a recipient downloads the file, a return receipt is generated to the sender. The recipient cannot turn the return receipt off. Users can review and track files sent and their download status.

  • End to end file security - Files are encrypted, uploaded, stored, and downloaded through secure links and recipients are authenticated ensuring only the intended recipients can access the file.

  • File management - File life cycle management is automated and centralized: when the prescribed time comes, the file is deleted per corporate retention policies. This means neither users nor administrators have to worry about unattended, errant sensitive information.

  • Directory services authentication - LDAP and Microsoft Active Directory are used for authentication and to minimize setup efforts. Allowing users to send large files securely using the same email id and password significantly improves the process flow.

  • File transfer auditing and tracking - Auditable third-party records of when recipients download attachments, which can be summarized by individual recipient, file name, time and date.

The good news is that government mandates have clearly articulated the needs for securing business processes -- processes which often include the transfer of data from one hand to another. The better news is that encryption, audit trails, recipient authentication, and secure links, to name a few, are the common sense way to handle files securely. And, the best news is that all these are standard features in the field-proven Accellion SFTA.

You can read more about how Accellion Courier Secure File Transfer Appliance works for security and compliance here.

ACA Guy

Wednesday, September 13, 2006

Secure File Transfer for Teaching Hospitals and Research Institutions

Summary: Teaching and research hospitals are finding the Accellion secure file transfer solution helps them conduct critical work more efficiently.


-----

Secure transfer of very large files is a universal issue for most organizations. So, in addition to supporting law firms (read Secure File Transfer for Law Firm Attorneys, Counsels, and Clients), Accellion also has a sizable number of installations in teaching/research hospitals throughout the country.

Beyond providing a first class solution to meet users' needs, we do take special pride in supporting these institutions because their Accellion secure file transfer appliances, as part of their everyday workflow, contribute in their own way to improving healthcare and medical research for cancer patients in Boston and children's care in Memphis.

It is a karma thing.

Feel good sentiment aside, what these organizations need to address is very similar to most professional organizations that trade in knowledge -- how to exchange very large amounts of information securely and easily with internal and external users.

Researchers at most of these institutions work on projects that draw on resources and knowledge across a number of organizational boundaries to solve life and death questions. A study of avian flu may be conducted in Memphis but the field experts on H5N1 outbreaks with the most current data are in Asia. Or, a less dramatic, but equally pressing, issue for researchers is the ability to share grant data with collaborators on a timely basis because financial support from these grants is what makes most of this work possible.

In these scenarios, the problems are myriad:

  1. There may be attachment size limits (within email) so that the sender cannot send the data to the research facility.

  2. A recipient may have an incoming attachment size limit so that the email attachment is rejected.

  3. An external sender may have an attachment size limit preventing the data from coming back.

The traditional answer is to use a flavor of FTP/SFTP for file transfer. But, end users -- typically brilliant Ph.D.'s and medical doctors -- often find the FTP/SFTP interface confusing and cumbersome to use. (Read When it Absolutely, Positively Has To Get There and Back, Right Now.) So, time can be wasted on IT issues instead of the research at hand.

Worse yet, with FTP/SFTP and its common directory structure, there is a real chance of picking up the wrong data files. Imagine spending a whole week conducting analysis on file "09072006-114B" instead of "09072006-114C". Oh, and as we’ve pointed out in Virus, via Email File Attachment, FTP/SFTP, or Website Download, is still a Virus, FTP is insecure and the research dataset may even get infected with a computer virus, rendering it useless.

So, the real solution is a secure file transfer appliance designed to handle very large files that not only complies with various regulations like HIPAA but also allows users from different organizations to easily share the dataset and grant proposals.

Equally important, with Accellion SFTA's self-provisioning capability for external users, researchers are no longer at the mercy of IT administrators as part of their work flow. And, frankly, from what all the IT people that I have talked with have told me, they too love to get out of the business of setting up FTP/SFTP access for users.

As my fellow bow-tie collector and Senior Director and Chief Security Officer of Cornell University's Weill Medical College, Dr. Steve Erde, said, "The [Accellion Courier Secure File Transfer] appliance alleviates the concerns associated with file transfers that have troubled our users for many years, and does so in a very cost-effective manner."

Read the announcement on the Cornell WMC deployment.

Find out more about how Cornell University Weill Medical College uses Accellion SFTA by clicking here.

Yes, folks, we’re all about getting the files from "here" to "there" and "back" quickly, securely, and cost-effectively. And if Accellion happens to help in the race to make your life better, it is all in a day's work.

ACA Guy

Wednesday, September 06, 2006

Secure File Transfer for Law Firm Attorneys, Counsels, and Clients

Summary: Lawyers cannot afford to wait for FTP/SFTP access setup to send large files securely to clients. Accellion meets law firms' secure file transfer needs while keeping both attorneys and IT happy.

-----

There are many reasons that people come to Accellion for their secure file transfer needs. Because each industry has its own quirks and specific requirements that may not be obvious to the less nimble vendors, Accellion has built up experience and insight across a wide spectrum of industry verticals.

The legal space is one of those verticals where Accellion is seeing quite a bit of adoption of our solution.

How does secure file transfer fit into law firms?

It is somewhat of a no-brainer to say that law firms deal in sensitive documents. Traditionally, these documents are in physical forms. With the digitization of the legal practice and proliferation of email as a common communication tool, the focus has shifted to how to best transmit the same information electronically.

So far so good.

What has changed with the digital age, however, is the expectation. In the old days, the physical transfer of documents could take days, and that was not just accepted, but expected. However, today, when it takes more than 10 seconds for the email attachment to get over to the client, somebody (like those in IT) will have to pay. With billable hours and productivity a major measurement for most attorneys, any delay is no longer acceptable.

Email attachments, with their size limits (see my posting on No Pain is Gain - What email focused VAR partners are doing for email size limits), can cause issues on two fronts. One is the internal limit, where an attorney complains that he cannot attach a critical document to send to an outside client because IT is blocking it. Conversely, some IT departments may have intentionally set no size limit to avoid internal complaints, but the recipient's email infrastructure can have its own incoming email and attachment size limits. So, the same attorney may very well complain about the inability to get that critical document to the client because it is being rejected by the client's email system.

So, it's no surprise that law firms look for an alternative means to transfer digital files, and FTP is a typical technology these firms try. The IT team at a law firm regularly has to fulfill requests to provide "FTP" access. FTP (file transfer protocol) is the conventional technical solution for sharing large files. While it does the job well enough, it is a major no-no for law practices because FTP is highly insecure (FTP's security hole is well documented; see my posting FTP (In) Security in the Google Age on the latest twist on the FTP security issues). So, instead, the IT department has to set up Secure FTP (SFTP) access. The problem with SFTP is that its setup and administration are much more cumbersome and time consuming as a result of its additional security components.

And, let's not forget that, in the meantime, the less experienced and anxious legal types are breathing down IT's neck and wondering aloud why it takes so long since sending a file via email takes no more than one click!

Oh, right. Have I mentioned the fact that attorneys, depending on what transaction they are working on, may request "FTP" access any time of the day and any day of the week? Pity be the lone IT support dude on that 1am-9am New Year's Eve watch.

What we are seeing more and more of are proactive IT departments in law firms coming to the realization that bulking up the support infrastructure for these types of ad hoc file transfers is a game that IT can never win. Instead, the strategic insight points to giving users like attorneys and paralegals the ability to control their own secure file transfer process. This not only gets the "SFTP setup" monkey off IT's back, it also makes attorneys happier because their billable hours and client transaction destiny are no longer controlled by IT.

Talk about a win-win solution.

Typical is what Foley & Mansfield, a national law firm, found out. As Adam Pugh, Foley & Mansfield's Director of Information Services & Technology said, "We were looking for a self contained and easy to use secure electronic file transfer solution... our users, other counsel, and clients are busy people... Now, we can send and receive very large files within minutes."

And, the result? Pugh added "since the [Accellion] SFTA deployment, we have been receiving compliments from users inside and outside the firm about our enhanced secure file transfer capability for its ease of use and the time it saves."

Read more about Foley & Mansfield's perspective here.

So, the question for law firms is not whether to move away from SFTP/FTP, but whether Accellion Courier SFTA is the right choice for you. On this point, just like picking an attorney with the right kind of experience and knowledge for your legal counsel, you should retain Accellion as your secure file transfer counsel because we have been there and done that many times over.

ACA Guy

Wednesday, August 30, 2006

Hosted File Transfer Solutions - the four hurdles for enterprise users

Summary: How important is secure file transfer for your business needs? When considering a hosted solution vs a solution installed inside the IT infrastructure, factors such as convenience, security, performance and cost are the key concerns for adopting hosted solutions.

----------

To rent, or not to rent, that is the question. Whether 'tis nobler in the mind to suffer the slings and arrows of outraged users, or to take arms against a sea of large file attachments.

(With profuse apologies to The Bard of Avon, the saddest part of it is that ACA Guy is neither the first nor the last to have the urge to get his own bastardized rendition of the famous soliloquy out of his system.)

But it is a serious question for users who are looking for an enterprise secure file transfer solution. There are three categories of solutions. One is to install a dedicated solution such as the Accellion Courier Secure File Transfer Appliance (SFTA) as part of the IT infrastructure. The second one is to build an in-house solution based on a variant of the FTP platform which, as noted in FTP, Email, HTTPS, and BitTorrent? A historic perspective on sending large files/attachments securely for enterprise users, is going out of favor for user-unfriendliness and security reasons. And, the third is to "rent" the service from a hosted file transfer solution provider.

Generally, if secure file transfer is a low business priority because you rarely need to send a large file through the network or security is not a concern, then a hosted solution is more than adequate.

However, if sending large data sets and design files is a regular part of the business process, or if securing the information is important, enterprise users that I have talked with have a lot of reservations about hosted file transfer solutions on the following four criteria: convenience, security, performance and cost.

Convenience

Because this is to address a business process need where end users are involved, the solution needs to be non-techie friendly for both the sender and recipient.

Can a hosted file transfer solution do that? Well, with difficulty. Most would force users to go through a web site to upload and download files. Some require client software to be installed on the desktop, which the end user can find confusing and IT people are loath to support. Worse yet, some hosted solution vendors require the recipients to also install software, so the IT team needs to ensure not just that the internal user has the right software installed and configured but that the external recipient has done the same.

Not exactly a shining example of user convenience in these days of Web 2.0!

Security

Security/privacy requirements come from two needs. One is to protect your digital assets because those vital data have taken years to accumulate, and protecting them makes your boss and clients happy. The other is that there are specific regulations such as HIPAA or Sarbanes-Oxley that may require compliance on your part. The key thing about security/privacy is that, as a process, it is only as good as its weakest link.

And speaking of the weakest link, asking a hosted file transfer vendor to safeguard your data and ensure compliance with your precise and granular business process requirements seems almost unreasonable. After all, they also have to support the needs of other users on the same platform, and, like it or not, your needs might conflict with what others want.

It's important to understand that not all files and secure file transfer processes are created equal. Many enterprises have needs like:

  • The ability to control the lifecycle of a file -- some files need to be removed within 48 hours and others should be accessible for years.

  • The ability to control the level of file access -- sometimes by person, sometimes by organizations, and at other times it does not matter.

  • Easy access to a detailed audit management report -- it is important to know who is using the file transfer system, what files are being sent and to whom, and when they are retrieved and by whom.

In the world of "one size fits all" with hosted solutions, these business process level requirements can make it very painful to adopt a third party hosted file transfer solution.

Performance

Then there is the issue of performance. When you rent a service, you have absolutely no control over performance; you are at the mercy of the infrastructure that someone else provides. It is bad enough that you cannot "tune" performance to take advantage of your infrastructure investment or to eliminate bottlenecks that can occur during peak usage. But, what happens when the hosted solution goes AWOL on you?

Let me share a personal story with you. Back at the Accellion ranch, we use a hosted CRM solution. A few months back, there were some intermittent connection outage issues. During those few days, I saw way too many sales people puttering around in misery as a result of the disruption. The hosted solution provider has since fixed the problem, but my own company has had to come up with contingency plans should it happen again. Suffice it to say that it was an unpleasant experience all around.

Trust me -- you don't want to be left so vulnerable when a key business service is down, and it's out of your hands to get it up and running again. Imagine telling the CEO that a large key document cannot be sent to a client because the hosted file transfer solution is not available!

Cost

This is usually the main reason most IT teams would even consider a hosted solution; the acquisition cost is usually the lowest. But, if you consider the total lifetime costs, hosted file transfer solution expenses can sneak up on you.

Because secure file transfer is a common need for most business users, what often happens is that more users end up requesting this service than originally projected. In the context of a hosted solution, this also means that instead of achieving the cost benefit of scale with a solution inside the IT infrastructure as more users come online, the cost will grow proportionally or even spike as the demand grows. On top of that, there may be unanticipated seasonality in usage patterns which can easily blow out the bandwidth threshold for surcharges on a busy day.

When this happens, there are basically two unpleasant choices. One is to go hat-in-hand to the finance people for more money and explain why the initial usage projection was inaccurate. The other is to start restricting access to this tool and incur user sneers.

So, the ironic verdict is that, for most secure file transfer processes that enterprise users engage in, a hosted file transfer solution is a good standby if you don't really need it.

As for what was once (almost) said, "To rent, or not to rent." I think we’ve answered that question, dear Hamlet!

ACA Guy

Friday, August 18, 2006

Enterprise File Transfer Hurdles for BitTorrent and other Consumer oriented Technologies

Summary: BitTorrent is a hot new peer-to-peer technology for sending large files over the Internet. Teens use it to (often illegally) trade music and movies. Could the technology be harnessed for business users who want to send files to each other? If the current incarnation is any guide, the answer is a definite No because it poses great risks to your information assets.

---

With a glass of iced tea in hand, ACA Guy continues the musing on BitTorrent where he left off last week...

***

The way I see it, BitTorrent provides a very robust tool for consumer level digital proliferation. For example, for those niche, aka long tail, digital products, BitTorrent removes the burden of central administration of a dedicated server to host file transfers, which was the standard operating procedure of the Web 1.0 yesteryear. What is cool about the BitTorrent technology is that there is no longer a throughput issue, even if the demand for the file transfer service grows. As a matter of fact, if demand grows, with the multiplying effects of "peers" (i.e., PCs) within "the swarm" (i.e., the network of participating PCs) to send "torrents" (i.e., pieces of your file), the performance benefit actually snowballs instead of drags. See this posting for a quick note on how BitTorrent works.

That is the good news.

But the question that ACA Guy is trying to answer is, does BitTorrent work within an enterprise file transfer context? The answer, to the best of my knowledge, is a resounding NO with the current incarnation.

Unlike the grandparents in Hoboken, New Jersey, who are anxious to see the latest pictures of their darling grandchild snapped by proud new parents in Palo Alto, California, enterprise usage has a lot more requirements beyond proliferation speed that are legally required and/or demanded by business users like you and me.

For example, since bits and pieces of the information travel through different peers, how does the enterprise ensure privacy protection? Similarly, would you let the company's confidential information, such as R&D results that have taken one year to compile, travel through some unknown peer computers? An analogy is to think of delivering your financial statements to your advisor down the street by passing parts of them through other neighbors’ houses. What is to prevent each neighbor from reading the pieces before delivering them to the intended recipient?

Furthermore, these peer computers may intentionally or accidentally tack an undesired payload onto the transmission. It could be in the name of "national security" or a commonplace virus targeted at BitTorrent, but, as I have argued here, whatever the route, malware is still an unwanted payload.

It is with these reservations in mind that I read the Wall Street Journal columnist Walt Mossberg's review of Pando Networks's BitTorrent file transfer solution. In fairness, Pando is targeted to consumer usage and it seems to offer a new P2P perspective. At the same time, its implementation also points to the key fault lines between consumer and enterprise file transfer solutions.

The key differences between consumer and enterprise solutions for file transfer, beyond the minor privacy and security concerns noted above, are things like the ability to create detailed audit trails for review, the ability to configure a solution to meet specific process needs, and, for good or ill, the ability to monitor/prevent users from engaging in unwanted activities. As this comment from James Musto noted, firms have been telling users NOT to install P2P software for years. A BitTorrent-based solution is probably an even bigger no-no because it allows users to forward files whilst these files are being received.

I can already imagine the cry of agony if enterprise users were to start trafficking company information in BitTorrent.

People! Be nice (to IT)!

ACA Guy

Friday, August 11, 2006

FTP, Email, HTTPS, and BitTorrent? A historic perspective on sending large files/attachments securely for enterprise users

Summary: For enterprise users, FTP was the first dominant solution for file transfer. Email attachment teased the non-technical masses with a taste of what is possible. HTTPS and Web 2.0 are now the de rigueur technology for secure file transfer. The question is, would BitTorrent be the next thing?

------------

It being a lazy summer day, ACA Guy's attention (naturally) shifts to the evolution of sending large files securely by enterprise users, from FTP in the 70's, to the rise of email throughout the 80's and 90's, and the current competing crop of file transfer solutions from HTTPS to BitTorrent.

***

What makes the information technology (IT) industry interesting is its constantly shifting benchmarks and non-stop sprinting by all concerned just to keep up with what is technically adequate because no one wants to find himself being the last man using the wrong technology. The trouble is that only hindsight is 20-20. New technology and protocols are being introduced by vendors and adopted by users, with or without the approval and support of the IT department. Any semblance of IT clairvoyance is only possible with a combination of business perspective and technical acumen tempered by a long-term view.

FTP: the first file transfer solution

The first dominant technology for file transfer was FTP, or file transfer protocol, as first described in the 1971 RFC 114 document. In its basic form, as described by Wikipedia's FTP section:

The FTP server listens for connection requests. The client computer initiates a connection to the server. Once connected, the client can do a number of file manipulation operations such as uploading files to the server, download files from the server, rename or delete files on the server and so on.

Since it was designed by and for technical users, FTP has earned the notoriety of being a technically powerful but end-user unfriendly solution. Many vendors have tried to put pretty user interface wrappers around it to enhance the usability, but its legacy status continues to both haunt its wider adoption as a business tool and make it a deeply entrenched tool in many IT shops.

As a business tool for file transfer, FTP also suffers on the security and privacy side. For example, I have noted concerns over Google indexing FTP servers and a major managed file transfer vendor admitting the need to monitor FTP activities.

Email: file transfer for the rest of us

In the late 80's and early 90's, email started to emerge as a new dominant solution for sending files while FTP began the process of becoming a mostly machine-to-machine niche solution using its scripting capabilities.

With the proliferation of PCs in the 80's and Internet in the 90's, email has become a universal business communication tool. More importantly, in the context of this missive, there is just no easier way than email attachment to send files.

The trouble with email attachments as a file transfer solution started as purely a performance issue. Email is not designed as a file transport solution, so when the CEO wants to share a 5MB presentation with 200 key people around the globe, he has just pumped about 1GB worth of data (5MB x 200 recipients) through the system with one click and, if he is really unlucky, crashed the email server. In response, IT departments started to impose increasingly stringent email attachment size limits which I have addressed in more detail here.

But the headache with email attachments does not stop there. With its near universal popularity, email has also become the main target for cyber crime and pranks. And, with the payload carrying ability of attachments, the email attachment is the most common conduit through which computer infections spread. Yes, there is a whole industry focused on addressing this problem with lots of chatter, including yours truly in this posting, surrounding it. But, the net net of it is that IT administrators are, wisely, putting in additional constraints on email attachments to lock down the cage and protect one of the most visible corporate processes.

In short, sending data and large files through email attachment has become increasingly difficult or simply disallowed in many enterprise environments.

HTTPS, XML, and Web 2.0: secure file transfer pretenders

The irony is that as email is being locked down, we are entering a hyper-collaborative world where most business processes involve some sort of information exchange with both internal and external senders and recipients. Exacerbating the issue further, the IT industry has enabled users to generate more data, larger files, and bulkier presentations with greater ease and less time than just a few years back.

With an increasing number of people who require the ability to easily, quickly, and securely exchange large sets of information, the issue of secure file transfer has elevated beyond a technical consideration and become a core business process issue.

The truth is, business users just want the ability to send a 20MB PowerPoint presentation to 100 recipients with a single click, because that is what they need to do to get the job done. Finance/compliance people just want to have a process where information/data/file gets from user A to user B in a secure and auditable manner. And, IT folks just want to be left alone.

The current pretender to meet the user's secure file transfer needs comes from the family of web technology, XML, HTTPS, etc., whose acronyms we grew accustomed to in the late 90's. Amongst its many merits, web technology offers a compelling combination of features for enterprise users as a file transfer tool, such as:


  • It does not require any specialized software beyond a browser which is free and, overwhelmingly, preinstalled on every computer.

  • It can enforce security through various encryption methods which are considered highly robust.

  • Its basic architectural capability is such that it can push a file to the recipient without involving FTP or impacting email servers.

Of course, there are the issues of Web 2.0 and AJAX (which Accellion has implemented) as well as the browser imposed file size barrier of 2GB (which Accellion also broke through). But, these are details.

Within the context of HTTPS and other web protocols, there is a wide selection of vendors whose products range from letting you upload and download files from a website on a pay-per-use basis to Accellion, which offers a dedicated secure file transfer appliance. This appliance, by the way, sits within the enterprise IT infrastructure to provide extensive IT administrative capability as well as integration into Exchange/Outlook and Domino/Notes.

Think of these as field tested and crusty veterans in the current incarnation of secure file transfer solutions for enterprise usage.

BitTorrent: is it ready for enterprise secure file transfer prime time?

Then there’s BitTorrent, the newest kid on the large file transfer block. As a P2P (peer-to-peer) file sharing protocol, it is mostly mentioned in the context of teenagers exchanging (pirated) files with each other. At its most basic level, unlike the classic approach of sending a file from user A to user B through a dedicated connection, BitTorrent breaks up the file and passes the pieces through peer computers via a swarm from the sender to the recipient. Because a swarm can have many peers, the performance of sending a large file can be improved, as in a distributed grid design. Furthermore, with each peer machine having bits and pieces of the file at any one time, it also removes the bottleneck of the originating sender for a file's proliferation.

I can definitely see the process advantages BitTorrent offers in the P2P and consumer context as its creator Bram Cohen argued. But, what ACA Guy wants to know is, would it work for enterprise file transfer and what form would it take?

***

Let me know what you think while I fetch a glass of iced tea.

ACA Guy