Wednesday, October 25, 2006

Comparing the costs of FTP/SFTP, Email, and SFTA for Secure File Transfer Needs

Summary: Why "industry standard" is often wrong, 20 years ago and today. And, a closer examination of the comparative costs of Accellion SFTA, FTP/SFTP, and Email for file transfer needs.
-----

We all know how to make "apple to apple" comparisons. But, the reality is that "apple to orange" comparisons are far more common in the business world. I guess that's what makes our jobs more interesting. If all of our choices were "apple to apple," the decision process would get pretty obvious.

Why am I going off on a seemingly "fruitful" tangent? You see, I was having a chin-wag with a respected IT veteran and was told of the time when she was tasked to recommend whether her employer should go with leasing a word processing solution on a Wang Labs mini-computer and terminals vs purchasing and installing PCs with word processing software and connecting them by LAN.

(I realize that this may seem like an obvious decision today. However, 20 years ago, when PCs were considered marginally smarter than a dumb terminal and everyone you would meet on a professional basis considered the Wang Labs solution as the industry standard for enterprise word processing, the decision was anything but.)

The point is, it’s often difficult to do a direct comparison of two things because features and costs often do not line up one-for-one. On the other hand, her instinct that the PCs' capabilities were equally or more important than cost was right on. The LAN would usher in a new era of business process enablement where engineers were more productive because they could process their own documents whenever and however they wanted. And, instead of typing letters and files, secretaries could move into higher level roles (e.g. administrative assistants) and add more value to business processes new and old.

And, naturally, this recommendation launched our heroine to the better and brighter future that eventually led to our chitchat as related above.

Fast forward 20 years and compare FTP/SFTP or email attachment to a secure file transfer appliance from Accellion. IT teams are coming to Accellion for SFTA because, even though FTP/SFTP is a free utility on most server operating systems and email attachment is a standard capability of the email system that has already been paid for, SFTA is a Horizontal Business Process Improvement Opportunity. It's just like how installing PCs and a LAN could give you so much more than the "industry standard" word processing solution could 20 years ago.

How about the costs? SFTA is not free and how does the cost measure up against the "business process improvement opportunity"?

The costs of an SFTA include:
    * The purchase price of the appliance(s) for your organization
    * The annual maintenance agreement, which covers updates and support
    * The IT department’s implementation time, which is about an hour
    * Eliminating an overwhelming majority of support requests on secure file transfer needs

In dollar terms, there is a one-time purchase cost followed by the cost of less than one (<1) headcount for an experienced IT person going forward because support and maintenance are largely automated and do NOT increase as the organization ramps up with SFTA usage.

The costs of FTP include:

    * The purchase of hardware for a dedicated FTP server and the time to setup the software to run ftp
    * The on-going time for administering FTP services, such as adding and deleting users, maintaining files, managing directories
    * User training and support as FTP is notorious for being user unfriendly.

In dollar terms, there is a one-time hardware purchase and software setup cost followed by one headcount for an experienced FTP administrator. And, as usage ramps up, there will need to be a proportional increase in FTP staff for support. And, in extreme cases where the end users have tight deadlines, such as law firms and other professional service firms, the FTP support staff needs to be available 24/7.

The costs of Email attachments include:
    * The cost of increased storage capacity for the email system to process and store large attachment files
    * User time spent clearing out or archiving email messages when storage limits are hit
    * Monitoring and contingency procedures when a user inevitably decides to send a 50MB file to 20 recipients (and creates a 1GB surge on the email server with a single click)
    * The nights and weekends spent in recovering from crashed email servers when that 1GB surge was not caught in time

In dollar terms, the hardware cost is often hidden as part of the overall email upgrade. However, the headcount cost for email administrators and IT support will increase as the usage spreads in the organization. This is partly to monitor and prevent those attachment surges. And, you would expect to add more email administrators after the first email crash.

As you can plainly see, and please pardon the "buzz word", SFTA provides a Scalable secure file transfer process that lowers its usage cost as users adopt it, whereas the traditional FTP/SFTP and email attachment processes are Not Scalable and require more feeding and caring as more users come on-line.

So, the question is not unlike what our heroine faced 20 years ago. Do you go with the accepted "industry standards" of FTP/SFTP and email attachment for the file transfer process, or go with SFTA, which has been proven in the field to lower the cost of the same transaction while making the whole organization more productive?

ACA Guy

Wednesday, October 18, 2006

Horizontal Business Process Improvement Opportunity: Complement the Email Infrastructure with Secure File Transfer Appliance

Summary: A horizontal business process improvement opportunity cuts across departments and functions. If done correctly, such as implementing a secure file transfer appliance in support of the enterprise email infrastructure, you can realize and sustain the benefits quickly.

-----

CIO Insight just released some results of a "Research study on business process improvement (BPI)." There were basically two main findings:

Finding 1: Improving business processes is the top priority for many IT executives, especially at small and midsize companies.

Finding 2: Although process improvement is a priority, the pace of change is moderate.

Why is BPI so important? Here is what CIO Insight writes on the topic: One of the most important lessons from the last 25 years of business computing is that you can't throw technology at a problem and expect it to go away, or fling a system at an opportunity and expect the dollars to rain down.

Other than nodding in agreement, I think it is important to note that business process improvement opportunities come in two flavors. There is the vertical process that involves a specific set of data and people, e.g. inventory control for a just-in-time production. Then, there are the horizontal processes that are less visible but no less vital for an organization's everyday operation -- processes such as sending large files securely; for example, engineers send blue prints, marketers send collateral, sales people send product quotes, finance people send consolidated accounts, and so on.

While the horizontal processes are less visible, the CIO Insight article observation applies equally -- that throwing money and technology at them does not solve anything. Thoughtful implementation of a solution that makes sense from the end users' perspective is what will drive the success of a technical solution for a horizontal process.

The good thing about the horizontal process improvement solution, however, is that it is easier to realize and sustain its benefits because it usually does not involve significant re-engineering of the existing processes in a manner that causes resistance from users.

For instance, exchanging information with people inside and outside is a (horizontal) business process common to most departments. In the early days, we did this by physically sending and receiving memos, letters and printed documents. The process to send something could take days. If we wanted to improve productivity (i.e., reduce the time involved), we paid extra money to use a courier service to speed up delivery.

Then, the horizontal business process solution, email, came along. We address our communication to one or more people, include the information we want them to have, and send it along its way. Only now the bits travel at the speed of electrons instead of the speed of the mail carrier. Email is so entrenched in virtually every business and every department today that we can’t imagine doing without it even though it has not been in wide use for more than two decades.

So, what is the next horizontal business process improvement opportunity? Put simply, what is the most common complaint about email for both IT and end users? I’m talking about email attachments.

Email systems were not architected to send large files; rather, these systems were designed for sending short messages that are just a few kilobytes in size. As a result, none of the major email systems in use today were developed with the notion of attaching large files (i.e., those that are 5 megabytes or larger) in mind.

Yet business processes have evolved from the days of simple text in email to sending the ever burgeoning files and documents as part of the routine email communication. Contracts, proposals, drawings, photographs, blue prints, and so on. They are all a critical part of the business process today.

Given the acrobatic moves required of end users and IT to send large files securely as attachments for the daily business needs, I would submit to you that this is as much of a horizontal business process improvement opportunity as email was back then. Does this mean that there is a miracle email system re-architected to handle large attachments? Unfortunately, no. Like most successful legacy systems, email vendors have too large of an install base to risk making that kind of departure.

Fortunately, the secure file transfer appliance is available today. It offloads the large attachments from the email system, and still allows the business users to use the beloved email as a normal business process. As discussed in No Pain is Gain - What email focused VAR partners are doing for email size limits, there is no need to change how people work, how work is organized, or how work flows, the kinds of changes that often pose obstacles to realizing the benefits of a business process improvement opportunity, as argued by CIO Insight.

Don't take my word for it. What do the IT teams and users from BIDMC (teaching hospital affiliated with Harvard Medical School), Foley & Lardner (US law firm with 1,000+ attorneys), and Millward Brown (global leader in market research) have in common? They all recognized that sending large files securely is a core business process and none of their highly trained (a.k.a. demanding) users want a compromised solution that forces them to deviate from getting their job done.

Come to think of it, you and I deserve no less, too!

ACA Guy

Wednesday, October 11, 2006

Cutting Total Cost of Ownership by 50% with a true Enterprise Plug-n-Play at the expense of good ID-Ten-T stories

Summary: When analyzing the total cost of ownership (TCO), it is important to keep in mind that more than 50% of IT cost and resources are usually devoted to support and maintenance. So, an enterprise "plug-n-play" SFTA appliance that eliminates the bulk of support and maintenance expenditures can do magic to your performance numbers!

-----

When an IT manager thinks about implementing a new solution, he takes into account the cost of the entire life cycle – the total cost of ownership (TCO), in other words. There’s the obvious cost of the purchase price to start, but that cost is often dwarfed by support and maintenance expenditures. What’s more, there are often hidden support overhead costs that the IT department does not consider when calculating the TCO of a solution.

According to a Gartner analysis, these hidden costs – for example, non-technical, non-IS personnel attempting to resolve end user computing problems -- can be as much as 24 percent of the entire IS budget. Furthermore, the cost of new technology is not limited to the IT organization because the same report states that end-user time spent on non-job-related PC activities accounts for more than 40 percent of a PC's total cost and more than 50 percent of IT-related expenses are incurred outside the IS organization.

One classic example of a "waste of time" that costs a company money is user time spent freeing up disk space, such as when a user's email storage has reached its limit and the person must delete or archive messages to be able to use the application again.

Given the extra costs of support, it’s a wonder that companies choose to install new IT solutions at all!

I mention all of these issues with support costs because just the other day, an Accellion customer – the CIO at a large teaching hospital – said he has virtually no support costs associated with the implementation of the Accellion SFTA solution. Ad hoc secure file transfer of very large files used to be a constant source of complaint from his users, but, with SFTA, his Help Desk gets no calls from end users needing to send large files. With the lessened burden on his organization, this is a true case of saving money by spending money.

If you think this is unusual, I will tell you that we hear the same thing regularly from other Accellion customers. For example, Daniel G. Rhodes, IT Director at the law firm of Foley & Lardner, has implemented SFTA to help lawyers and clients exchange files securely without IT intervention, as outlined in this announcement. (And, we all know how time-pressed and hard-to-please attorneys can be.)

With practically no need for technical support, can it be that the Accellion Secure File Transfer Appliance is the first true enterprise "plug and play" solution?

Our customers tell us that they install the appliances, integrate the interface with their directory services, and away they go! Training requirements are minimal, if any, because the solution's user interface is intuitive. Support for SFTA has almost become a sinecure because end users don't have questions. I suppose the major drawback of deploying an SFTA is the virtual elimination of good ID-Ten-T error war stories!

Sorry.

ACA Guy

Wednesday, October 04, 2006

Secure and Compliant File Transfer = Technology + Human Behavior

Summary: Meeting security and compliance requirements for secure file transfer as a core business process requires both technology and human behavior for its success.
-----

File Transfer in the context of security and compliance is hot these days. Vendors, Accellion included, offer technology solutions that would address various requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) as discussed in "Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?".

What is often lost in the discussion, however, is a higher level recognition that file transfer for security and compliance is really a process requirement and it takes both technology and human behavior to fulfill the mission. In other words, there has to be a holistic approach to providing a technical solution that would seamlessly integrate and support the organizational flows so that users will readily accept it.

Typical is this discussion from Dr Dobb's. Breaking down the security requirements into layers from Application, SSL, IPSec, to Link Layer is a very robust approach to setting up a secure infrastructure, technically. However, what the impact on the end users is, and how they would incorporate the infrastructure into their daily business processes, are the real questions, in my mind, that would determine the ultimate success of a deployment meant to address security and compliance needs.

One could argue, with some validity, that it is a question of level. The technical details are for the network manager to worry about whereas the CIO/CTO should address the holistic/business process angles.

But, I would submit that this is a short-sighted approach. As we all know, most CIOs/CTOs rely on the recommendations of the IT department in the solution selection process. If the network manager's mind set is narrowly focused on the technical protocols like SSL and IPSec, the organization often will get a solution that looks great on paper because of its technical capabilities without really addressing the end users' needs. This type of technically focused selection usually comes back to haunt the IT team in the form of unhappy users and increased IT support needs since the new process cannot be easily integrated into the users' natural work flow.

In the context of secure file transfer, we often see this type of dichotomy with FTP/SFTP for ad hoc file transfer, where users would rather burn a CD and send it overnight than have to deal with IT support. Alternatively, a close second favorite method for users is to cut down the size of one large file into multiple pieces and send each as an email attachment to be re-assembled by the recipient. If you can think of a way to circumvent the official file transfer method (FTP/SFTP or Email attachment), I probably have heard about it from end users.

I suppose everyone, IT and end users alike, would agree that whatever solution is used, it should be user-friendly. But, politically correct answer aside, I think the real $64 question is why users are circumventing some solutions and wholeheartedly embracing others.

From talking with customers and prospects, it always boils down to this very simple insight for me - users (non-IT people) just want to have a sense of control over their own destiny.

Requesting FTP/SFTP access and waiting for IT to show up around 2:30pm tomorrow is just a drag. On the other hand, if I can burn a CD, I can see the progress bar to know that it will take 15 more minutes to finish. If I send it via FedEx, I can track it to see where it is and get an automated notice when it gets to the destination.

If you think of these two processes rationally, FTP/SFTP probably takes significantly less total time - say 20 minutes over 24 hours to get the job done, whereas burn-n-send probably takes 1-2 hours over 48 hours. But, users are happier with burn-n-send, an inferior solution, because they feel that they are in control.

End users just want to get the job done and move on to the next thing. Rationality has nothing to do with it.

So, are you looking to implement a secure file transfer solution that will meet the organizational security and compliance requirements? Yes, you would still want to meet the technical standards such as encryption and management reports on who sends and receives what. That is the basic requirement. But, what will determine the success of the deployment is a secure file transfer solution that fits easily into the human processes, so that end users will embrace it.

Why? Because, like most users, I always have a USB thumb drive with 2GB capacity sitting in my drawer...

ACA Guy