
Wednesday, November 29, 2006

Ideals and Realities - Who is Responsible for Ensuring Security and Compliance for File Transfer?

Summary: How is enterprise file transfer conducted in the trenches? Simply put, it is not pretty. But instead of pointing fingers at each other, IT and end users are really looking for the same thing, and that makes selecting the best solution possible.


In most business processes today, information is handed from one person to another as files, for processing and review, whether within the organization or to parties outside it. This raises the question: when a file is "in motion," who is responsible for its security and for ensuring compliance with business policy and government regulations?

The simple and official answer is that the business user and the IT department share responsibility for ensuring that information is protected and handled properly when it is transferred from one person to another, whether internal or external.

But, if you look closer in the trenches, things do not always work that way.

An end user usually thinks more about ease of use than about security and compliance when deciding how to get his job done in a way he can control. Applied to file transfer, this usually means attaching the file to an email, with burning a CD/DVD a distant second; whatever is most expedient for the work at hand. Unfortunately, neither is secure: an email attachment is typically sent unencrypted and leaves copies in mail relays and mailboxes along the way, with no record of who opened it, and a disc is out of anyone's control once it leaves the building. Neither process would satisfy regulatory compliance guidelines either.

This does not make the end user a bad person - this simply means that he does not have a tool that meets all his needs, which includes fulfilling the security and compliance requirements.

IT departments, being responsible and accountable for providing the tools, guidelines, and training that keep data secure and compliant, are generally more aware of the security and compliance issues in business process systems and solutions. On the other hand, while the IT team works hard to manage risk through appropriate security controls and compliance procedures, the "ease of use" requirement can get lost along the way. In practice, this often means that the controls and procedures become so cumbersome that they impede adoption of the solution by the end users.

This does not make the IT guy a bad person either - it simply means that he does not have a tool that is easy enough for users to adopt while fulfilling the security and compliance requirements.

Wait! Did I just say that both end users and IT are looking for the same thing!?

Indeed, instead of IT blaming end users for non-compliance with security procedures and end users blaming IT for erecting cumbersome hurdles to getting the job done, what everyone needs is a solution that is easy for the end users and meets all the security and compliance needs set out by IT.


While the specific security and compliance needs differ among organizations -- for example, HIPAA is the overriding concern for a healthcare practice, whereas SOX is what a public company must follow -- most IT and security people can clearly articulate the key attributes of secure file transfer as:

• The file is accessible only to the sender and the intended recipient, and to no one else in between, including the systems that relay or store it along the way.
• The file is encrypted while in motion, and it should stay protected while it sits on the transfer server waiting to be picked up.
• The file is scanned for viruses and other malware before it is delivered to the recipient.
• The file transfer process records who accessed the file and when, and provides an auditable record of the transaction.

Similarly, what most end users would clearly articulate as the preferred file transfer procedure is a process as close to sending an email attachment as possible, without all the email attachment problems, of course. Because sending an email attachment is a well-understood and accepted process for most end users, an email-like solution would ensure rapid adoption instead of resistance.

So, the conundrum is solved! The best way to ensure security and compliance in business file transfer is to adopt a solution that behaves like email for the end users while transparently applying encryption, malware scanning, and auditing on the back end.

Oh, and don't forget to ask for easy-to-administer features like automatic user account creation and a global file life-cycle policy (automatic expiry and deletion of transferred files) while you're at it!


BTW, did I mention that ease of use, security, control, and more are exactly what an Accellion Courier Secure File Transfer Appliance (SFTA) can deliver for your IT department and your users?

Or, as the IT director of an advertising customer told me recently, he could "feel the love from end users" when he announced the Accellion solution.

Shouldn't you feel that love too?

