Accellion blog has moved!

You should be automatically redirected in 6 seconds. If not, visit
http://www.accellion.com/blog/
and update your bookmarks.

Wednesday, August 30, 2006

Hosted File Transfer Solutions - the four hurdles for enterprise users

Summary: How important is secure file transfer for you business needs? When considering a hosted solution vs a solution installed inside the IT infrastructure, factors such as convenience, security, performance and cost are the key concerns for adopting hosted solutions.
----------
To rent, or not to rent, that is the question. Whether 'tis nobler in the mind to suffer the slings and arrows of outraged users, or to take arms against a sea of large file attachments.

(With profuse apologies to The Bard of Avon, the saddest part of it is that ACA Guy isn't the first nor the last to have the urge to get his own bastardized rendition of the famous soliloquy out of his system.)

But it is a serious question for users who are looking for an enterprise secure file transfer solution. There are three categories of solutions. One is to install a dedicated solution such as Accellion Courier Secure File Transfer Appliance SFTA as part of the IT infrastructure. The second one is to build an in-house solution based on a variant of the FTP platform which, as noted in FTP, Email, HTTPS, and BitTorrent? A historic perspective on sending large files/attachments securely for enterprise users, is going out of favor for user-unfriendliness and security reasons. And, the third is to "rent" the service from a hosted file transfer solution provider.

Generally, if secure file transfer is a low business priority because you rarely need to send a large file through the network or security is not a concern, then a hosted solution is more than adequate.

However, if sending large data set and design files is a regular part of the business process, or if securing the information is important, enterprise users that I have talked with have a lot of reservations about hosted file transfer solutions for the following four criteria: convenience, security, performance and cost.

Convenience

Because this is to address a business process need where end users are involved, the solution needs to be non-techie friendly for both the sender and recipient.

Can a hosted file transfer solution do that? Well, with difficulty. Most would force users to go through a web site to upload and download files. Some require client software to be installed on the desktop, which the end user can find confusing and IT people are loathe to support. Worse yet, some hosted solution vendors require the recipients to also install software so that the IT team needs to ensure that not just the internal user has the right software installed and configured but the external recipient also has done the same.

Not exactly a shining example of user convenience in these days of Web 2.0!

Security

Security/privacy requirements come from two needs. One is to protect your digital assets because those vital data have taken years to accumulate, and protecting them makes your boss and clients happy. The other is that there are specific regulations such as HIPAA or Sarbanes-Oxley that may require compliance on your part. The key thing about security/privacy is that, as a process, it is only as good as its weakest link.

And speaking of the weakest link, asking a hosted file transfer vendor to safeguard your data and ensure compliance to your precise and granular business process requirements seems almost unreasonable. After all, they also have to support the needs of other users on the same platform, and, like it or not, your needs might conflict with what others want.

It's important to understand that not all files and secure file transfer processes are created equal. Many enterprises have needs like:

  • The ability to control the lifecycle of a file -- some files need to be removed within 48 hours and others should be accessible for years.

  • The ability to control the level of file access -- sometimes by person, sometimes by organizations, and at other times it does not matter.

  • Easy access to a detailed audit management report -- it is important to know who is using the file transfer system, what files are being sent and to whom, and when they are retrieved and by whom.
In the world of "one size fits all" with hosted solutions, these business process level requirements can make it very painful to adopt a third party hosted file transfer solution.

Performance

Then there is the issue of performance. When you rent a service, you have absolutely no control over performance; you are at the mercy of the infrastructure that someone else provides. It is bad enough that you cannot "tune" performance to take advantage of your infrastructure investment or to eliminate bottlenecks that can occur during peak usage. But, what happens when the hosted solution goes AWOL on you?

Let me share a personal story with you. Back at the Accellion ranch, we use a hosted CRM solution. A few months back, there were some intermittent connection outage issues. During those few days, I saw way too many sales people puttering around in misery as a result of the disruption. The hosted solution provider has since fixed the problem, but my own company has had to come up with contingency plans should it happen again. Suffice it to say that it was an unpleasant experience all around.

Trust me -- you don't want to be left so vulnerable when a key business service is down, and it's out of your hands to get it up and running again. Imagine telling the CEO that a large key document cannot be sent to a client because the hosted file transfer solution is not available!

Cost

This is usually the main reason most IT teams would even consider a hosted solution; the acquisition cost is usually the lowest. But, if you consider the total lifetime costs, hosted file transfer solution expenses can sneak up on you.

Because secure file transfer is a common need for most business users, what often happens is that more users end up requesting this service than originally projected. In the context of hosted solution, this also means that instead of achieving the cost benefit of scale with a solution inside the IT infrastructure as more users come online, the cost will grow proportionally or even spike as the demand grows. On top of that, there may be unanticipated seasonality in usage pattern which can easily blow out the bandwidth threshold for surcharges in a busy day.

When this happens, there are basically two unpleasant choices. One is to go hat-in-hand to the finance people for more money and explain why the initial usage projection was inaccurate. The other is to start restricting access to this tool and incur user sneers.

So, the ironic verdict is that, for most secure file transfer processes that enterprise users engage in, a hosted file transfer solution is a good standby if you don't really need it.

As for what was once (almost) said, "To rent, or not to rent." I think we’ve answered that question, dear Hamlet!

ACA Guy

Friday, August 18, 2006

Enterprise File Transfer Hurdles for BitTorrent and other Consumer oriented Technologies

Summary: BitTorrent is a hot new peer-to-peer technology for sending large files over the Internet. Teens use it to (often illegally) trade music and movies. Could the technology be harnessed for business users who want to send files to each other? If the current incarnation is any guide, the answer is a definite No because it poses great risks to your information assets.

---

With a glass of ice tea in hand, ACA Guy continues the musing on BitTorrent where he left off last week...

***

The way I see it, BitTorrent provides a very robust tool for consumer level digital proliferation. For example, for those niche, aka long tail, digital products, BitTorrent removes the burden of central administration of hosting a dedicated server to host file transfers, which was the standard operating procedure of the Web 1.0 yesteryear. What is cool about the BitTorrent technology is that there is no longer a throughput issue, even if the demand for the file transfer service grows. As a matter of fact, if demands grows, with the multiplying effects of "peers" (i.e., PCs) within "the swarm" (i.e., the network of participating PCs) to send "torrents" (i.e., pieces of your file), the performance benefit actually snowballs instead of drags. See this posting for a quick note on how BitTorrent works.

That is the good news.

But the question that ACA Guy is trying to answer is, does BitTorrent work within an enterprise file transfer context? The answer, to the best of my knowledge, is a resounding NO with the current incarnation.

Unlike the grandparents in Hoboken, New Jersey, who are anxious to see the latest pictures of their darling grandchild snapped by proud new parents in Palo Alto, California, enterprise usage has a lot more requirements beyond proliferation speed that are legally required and/or demanded by business users like you and me.

For example, since bits and pieces of the information travel through different peers, how does the enterprise ensure privacy protection? Similarly, would you let the company's confidential information, such as R&D results that have taken one year to compile, travel through some unknown peer computers? An analogy is to think of delivering your financial statements to your advisor down the street by passing parts of them through other neighbors’ houses. What is to prevent each neighbor from reading the pieces before delivering them to the intended recipient?

Furthermore, these peer computers may intentionally or accidentally tag on undesired payload in the transmission. It could be in the name of "national security" or a common place virus targeted at BitTorrent, but, as I have argued here, whatever the route, malware is still an unwanted payload.

It is with these reservations in mind that I read the Wall Street Journal columnist Walt Mossberg's review of Pando Networks's BitTorrent file transfer solution. In fairness, Pando is targeted to consumer usage and it seems to offer a new P2P perspective. At the same time, its implementation also points to the key fault lines between consumer and enterprise file transfer solutions.

The key difference between consumer and enterprise solutions for file transfer, beyond the minor privacy and security concerns noted above, are things like the ability to create detailed audit trails for review, the ability to configure a solution to meet specific process needs, and, for good or ill, the ability to monitor/prevent users from engaging in unwanted activities. Just like this comment from James Musto noted: firms have been telling users to NOT install P2P software for years. A BitTorrent-based solution is probably an even bigger no-no because it allows users to forward files whilst these files are being received.

I can already imagine the cry of agony if enterprise users were to start trafficking company information in BitTorrent.

People! Be nice (to IT)!

ACA Guy

Friday, August 11, 2006

FTP, Email, HTTPS, and BitTorrent? A historic perspective on sending large files/attachments securely for enterprise users

Summary: For enterprise users, FTP was the first dominant solution for file transfer. Email attachment teased the non-technical masses with a taste of what is possible. HTTPS and Web 2.0 is now the de rigour technology for secure file transfer. The question is, would BitTorrent be the next thing?

------------

Being a lazy summer day, ACA Guy's attention (naturally) shifts to the evolution of sending large files securely by enterprise users, from FTP in the 70's, to the rise of email throughout the 80's and 90's, and the current competing crop of file transfer solutions from HTTPS to BitTorrent.

***

What makes the information technology (IT) industry interesting is its constantly shifting benchmarks and non-stop sprinting by all concerned just to keep up with what is technically adequate because no one wants to find himself being the last man using the wrong technology. The trouble is that only hindsight is 20-20. New technology and protocols are being introduced by vendors and adopted by users, with or without the approval and support of the IT department. Any semblance of IT clairvoyance is only possible with a combination of business perspective and technical acumen tempered by a long-term view.

FTP: the first file transfer solution

The first dominant technology for file transfer was FTP, or file transfer protocol, as first described in the 1971 RFC114 document. In its basic form, as described by Wikipedia's FTP section:

The FTP server listens for connection requests. The client computer initiates a connection to the server. Once connected, the client can do a number of file manipulation operations such as uploading files to the server, download files from the server, rename or delete files on the server and so on.

Since it was designed by and for technical users, FTP has earned the notoriety of being a technically powerful but end-user unfriendly solution. Many vendors have tried to put pretty user interface wrappers around it to enhance the usability, but its legacy status continues to both haunt its wider adoption as a business tool and make it a deeply entrenched tool in many IT shops.

As a business tool for file transfer, FTP also suffers on the security and privacy side. For example, I have noted concerns over Google indexing FTP servers and a major managed file transfer vendor admitting the need to monitor FTP activities.

Email: file transfer for the rest of us

In the late 80's and early 90's, email started to emerge as a new dominant solution for sending files while FTP began the process of becoming a mostly machine-to-machine niche solution using its scripting capabilities.

With the proliferation of PCs in the 80's and Internet in the 90's, email has become a universal business communication tool. More importantly, in the context of this missive, there is just no easier way than email attachment to send files.

The trouble with email attachments as a file transfer solution started as purely a performance issue. Email is not designed as a file transport solution, so when the CEO wants to share a 5MB presentation with 200 key people around the globe, he has just pumped about 1GB worth of data (5MB x 200 recipients) through the system with one click and, if he is really unlucky, crashed the email server. In response, IT departments started to impose increasingly stringent email attachment size limits which I have addressed in more detail here.

But the headache with email attachment does not stop there. With its near universal popularity, email has also become the main target for cyber crime and pranks. And, with the payload carrying ability of attachments, email attachment is the most common conduit in which computer infections spread. Yes, there is a whole industry focused on addressing this problem with lots of chatter, including yours truly in this posting, surrounding it. But, the net net of it is that IT administrators are, wisely, putting in additional constraints on email attachments to lock down the cage and protect one of the most visible corporate processes.

In short, sending data and large files through email attachment has become increasingly difficult or simply disallowed in many enterprise environments.

HTTPS, XML, and Web 2.0: secure file transfer pretenders

The irony is that as email is being locked down, we are entering a hyper-collaborative world where most business processes involve some sort of information exchange with both internal and external senders and recipients. Exacerbating the issue further, the IT industry has enabled users to generate more data, larger files, and bulkier presentations with greater ease and less time than just a few years back.

With an increasing number of people who require the ability to easily, quickly, and securely exchange large sets of information, the issue of secure file transfer has elevated beyond a technical consideration and become a core business process issue.

The truth is, business users just want the ability to send a 20MB PowerPoint presentation to 100 recipients with a single click, because that is what they need to do to get the job done. Finance/compliance people just want to have a process where information/data/file gets from user A to user B in a secure and auditable manner. And, IT folks just want to be left alone.

The current pretender to meet the user's secure file transfer needs come from the family of web technology, XML, HTTPS, etc., whose acronyms we have grown accustomed to in the late-90's. Amongst its many merits, web technology offers a compelling combination of features for enterprise users as a file transfer tool such as:


  • It does not require any specialized software beyond a browser which is free and, overwhelmingly, preinstalled on every computer.

  • It can enforce security through various encryption methods which are considered highly robust.

  • Its basic architectural capability is such that it can push a file to the recipient without involving FTP or impacting email servers.
Of course, there are the issues of Web 2.0 and AJAX (which Accellion has implemented) as well as the browser imposed file size barrier of 2GB (which Accellion also broke through). But, these are details.

Within the context of HTTPS and other web protocols, there is a wide selection of vendors whose products range from letting you upload and download files from a website on a pay-per-use basis to Accellion, which offers a dedicated secure file transfer appliance. This appliance, by the way, sits within the enterprise IT infrastructure to provide extensive IT administrative capability as well as integration into Exchange/Outlook and Domino/Notes.

Think of these as field tested and crusty veterans in the current incarnation of secure file transfer solutions for enterprise usage.

BitTorrent: is it ready for enterprise secure file transfer prime time?

Then there’s BitTorrent, the newest kid on the large file transfer block. As a P2P (peer-to-peer) file sharing protocol, it is mostly mentioned in the context of teenagers exchanging (pirated) files with each other. At its most basic level, unlike the classic approach of sending a file from user A to user B through a dedicated connection, BitTorrent breaks up the file and passes the pieces through peer computers via a swarm from the sender to the recipient. Because a swarm can have many peers, the performance of sending a large file can be improved as a distributed grid design. Furthermore, with each peer machine having bits and pieces of the file at any one time, it also removes the bottleneck of the origination sender for a file's proliferation.

I can definitely see the process advantages BitTorrent offers in the P2P and consumer context as its creator Bram Cohen argued. But, what ACA Guy wants to know is, would it work for enterprise file transfer and what form would it take?

***

Let me know what you think while I fetch a glass of iced tea.

ACA Guy

Friday, August 04, 2006

Virus, via Email File Attachment, FTP/SFTP, or Website Download, is still a Virus

Summary: Virus and malware can find their way into your infrastructure via infected file attachments by ways of email, FTP/SFTP, and file hosting websites. A dedicated secure file transfer appliance with anti-virus option is a highly effective solution in addressing these concerns.


-------
Virus/malware spreading through email attachment may be old news, but it is nevertheless real and particularly devastating if you are the victim. For this reason, there are a number of tools that email administrators utilize to check and block infected attachments such as dangerous attachment blocking offered by Microsoft. But, email is not built for virus/malware detection, so the onus is on the IT team and individual users to keep these bugs away by practicing safe hex.

Ideally, there are three layers of virus protection in a corporate IT infrastructure:

1. A virus checking and blocking box before the email server
2. A virus checking and blocking software plug-in installed onto the email server
3. A virus checking and blocking client on the user's desktop

Admittedly, when a brand new virus not yet recognized by the anti-virus solutions knocks on the door, you can only count on luck and common sense to keep yourself out of trouble -- but that is a pretty low probability in an enterprise context.

Well, what is the problem then, you might ask?

First of all, the ideal anti-virus regimen does not often exist. For example, most small to medium operations expect end users to check for viruses with their desktop anti-virus solution. Say the marketing department is working with an outside graphic designer on a big PowerPoint presentation. Lo and behold, the graphic designer picked up a PowerPoint virus unknowingly and sent it along as an attachment to the good folks at marketing who are most anxious to review the work. Ask yourself, how many marketeers will remember to check the attachment for a virus before opening it? Simple answer: it's not going to happen unless the scanning is automatic.

How about attachment size limits and ways of bypassing these limits? As discussed in prior posting, there is a time and place for attachment size limits, but users still need to send large files and attachments for everyday business processes. This is traditionally done via FTP/SFTP servers or file hosting websites which opens up additional channels for picking up a virus, amongst other things.

FTP/SFTP servers usually do not have an elaborate anti-virus scheme installed like email servers since the usage frequency is lower. So, if an external user --say it's our unfortunate graphic designer -- places an infected file onto the FTP server, internal users can unknowingly pick up digital cooties that way. And, there is already a reporting of virus designed for FTP.

Similar problem exists with file hosting websites, which act as a purely transitory storage unit. An infected file on the website is not a problem until the user downloads and try to use (activate) it.

So, having anti-virus for email and desktop are both important but insufficient conditions to prevent malware from finding its way into the enterprise IT infrastructure if FTP servers and website transfer is not closely monitored and controlled.

On the other hand, instead of putting patches around these processes and having sleepless nights on what other innovative ways infected files can sneak in, it seems a lot easier to get a dedicated secure file transfer appliance that comes with anti-virus options.

By centralizing the file/attachment transfer capability into a dedicated SFTA appliance, there is a cage to check files for virus and malware on upload and download regardless whether the sender and the recipient are external or internal users. In other words, there is no more concern about if external users are practicing safe hex and there are no more loopholes, like FTP or file hosting websites, in which infected files can sneak their way into the environment.

The Accellion Courier SFTA comes with the F-Secure virus scanning bundle. When you send a file via the appliance, or receive a file sent to you via the appliance, F-Secure can watch your back. I say “can” because virus scanning is optional, although highly recommended. The appliance administrator can choose no scanning, scanning only on upload, scanning only on download, or scanning on both upload and download. In other words, choose the mode that suits your business practices the best.

ACA Guy