Accellion blog has moved!

You should be automatically redirected in 6 seconds. If not, visit
and update your bookmarks.

Wednesday, October 04, 2006

Secure and Compliant File Transfer = Technology + Human Behavior

Summary: Meeting security and compliance requirements for secure file transfer as a core business process requires both technology and human behavior for its success.

File Transfer in the context of security and compliance is hot these days. Vendors, Accellion included, offer technology solutions that would address various requirements such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and the Graham-Leach-Bliley Act (GLBA) as discussed in "Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?".

What is often lost in the discussion, however, is a higher level recognition that file transfer for security and compliance is really a process requirement and it takes both technology and human behavior to fulfill the mission. In other words, there has to be a holistic approach on providing a technical solution that would seamlessly integrate and support the organizational flows so that users will readily accept it.

Typical is this discussion from Dr Dobb's. Breaking down the security requirements into layers from Application, SSL, IPSec, to Link Layer is a very robust approach on setting up a secure infrastructure, technically. However, what is the impact to the end users, and how would they incorporate the infrastructure into their daily business processes are the real questions, in my mind, that would determine the ultimate success of a deployment meant to address security and compliance needs.

One could argue, with some validity, that it is a question of level. The technical details are for the network manager to worry about whereas the CIO/CTO should address the holistic/business process angles.

But, I would submit that this is a short-sighted approach. As we all know, most CIOs/CTOs rely on the recommendations of the IT department in the solution selection process. If the network manager's mind set is narrowly focused on the technical protocols like SSL and IPSec, the organization often will get a solution that looks great on paper because of its technical capabilities without really addressing the end users' needs. This type of technically focused selection usually comes back to haunt the IT team in the form of unhappy users and increased IT support needs since the new process cannot be easily integrated into the users' natural work flow.

In the context of secure file transfer, we often see this type of dichotomy with FTP/SFTP for ad hoc file transfer, where users would rather burn a CD and send it overnight than have to deal with IT support. Alternatively, a close second favorite method for users is to cut down the size of one large file into multiple pieces and send each as an email attachment to be re-assembled by the recipient. If you can think of a way to circumvent the official file transfer method (FTP/SFTP or Email attachment), I probably have heard about it from end users.

I suppose everyone, IT and end users alike, would agree that whatever solution is used, it should be user-friendly. But, politically correct answer aside, I think the real $64 question is why users are circumventing some solutions and whole heartily embracing others.

From talking with customers and prospects, it always boils down to this very simple insight for me - users (non-IT people) just want to have a sense of control over their own destiny.

Requesting FTP/SFTP access and waiting for IT to show up around 2:30pm tomorrow is just a drag. On the other hand, if I can burn a CD, I can see the progress bar to know that it will take 15 more minutes to finish. If I send it via FedEx, I can track it to see where it is and get an automated notice when it gets to the destination.

If you think of these two processes rationally, FTP/SFTP probably takes significantly less total time - say 20 minutes over 24 hours to get the job done, whereas burn-n-send probably takes 1-2 hours over 48 hours. But, users are happier with burn-n-send, an inferior solution, because they feel that they are in control.

End users just want to get the job done and move on to the next thing. Rationality has nothing to do with it.

So, are you looking to implement a secure file transfer solution that will meet the organizational security and compliance requirements? Yes, you would still want to meet the technical standards such as encryption and management reports on who sends and receives what. That is the basic requirement. But, what will determine the success of the deployment is a secure file transfer solution that fits easily into the human processes, so that end users will embrace it.

Why? Like most users, because a USB thumb drive with 2GB capacity always sits in my drawer...


1 comment:

ACA Guy said...

An article discussing the organizational/process aspect of security and compliance.,289142,sid19_gci1220184,00.html