Wednesday, January 31, 2007

How a Litigation Support Manager turns Accellion SFTA into a Competitive Advantage that Makes Clients Happy and Attorneys Glad

Summary: While an Accellion survey has shown that 70% of companies still routinely use CD/DVD as their "file transfer" method, the Litigation Support Manager of a major law firm breaks the routine and makes both the clients and internal users happier.

-----

Accellion commissioned a consultancy to conduct a survey. Since Accellion is a secure file transfer solution provider, I wanted to learn more about what methods companies use to send files to business associates.

Not surprisingly, sending files as email attachments was the most dominant method (74% of all responses). A bit surprising to me, though, is how many companies still burn CDs/DVDs and ship them via courier services - some 70% of the companies in the study said they still employ this method.

(A statistical side note: many of the respondents use multiple methods for file transfer. So, these percentages do not add up to 100%.)

The continuing prevalence of CD/DVD as a data transfer method is not exactly surprising. What these users are saying implicitly is that email is simply unsuitable for sending large files, or for sending folders where the file hierarchy needs to be preserved. So end users turn to the second easiest method: burning the files onto a CD/DVD and shipping it overnight.

Why CD/DVD? Well, it is because a business user can burn a disc without the hassle of getting the IT department involved. Similarly, the recipient does not need to call in IT support to retrieve the files. So what if the process is time consuming and the shipping is costly? That’s just a cost of doing business, right?

Wrong!

I was talking with the Litigation Support Manager at a large law firm who has been using the Accellion SFTA solution. Her team is responsible for converting pertinent documents to PDF format and distributing them to all relevant parties such as clients, outside counsel, and consultants.

Prior to installing the SFTA solution, the Litigation Support team would process the information into PDF format, burn the files onto a CD, and then use an overnight shipping service to distribute them. These shipping costs were simply passed on to clients as part of the legal overhead.
The department manager told me the team tried to use email attachments to send the documents, but this wasn’t practical because recipients' email servers routinely reject large attachments. What’s more, there is no simple mechanism to ascertain delivery of the document to the right person without exhaustive phone calls.

After installing Accellion SFTA, the Litigation Support team started sending links to the document(s) by email instead. The recipient clicks on the URL link and downloads the document. The sender also gets a file download confirmation, so no additional tracking is required. The whole process now takes minutes between the sender and recipients instead of the usual days, and there are no more of those multiple follow-up phone calls.

Similarly, non-technical end users, i.e. attorneys, can send files or folders of any size from their own PCs on an ad hoc basis without begging IT for help. (And according to my anonymous high level IT source in another major law firm, IT is equally happy to not have to deal with attorneys who wanted to get the files over "yesterday already".)

So, with the Accellion SFTA solution, the company is able to make both users and clients happy by reducing the process time from days to minutes. Furthermore, by eliminating the costs of delivery services as well as the overhead required to handle the physical delivery, the law firm is able to be more responsive while lowering the cost of doing business for itself and its clients.

The equation is simple:

Because
1. Accellion SFTA = (reduced time, reduced costs)
2. Reduced time = better service to users and clients
3. Reduced costs = lower fees passed on to clients
4. A better (law) firm that makes users and clients happy = Better service + lower fees

Therefore
Accellion SFTA = Better business results

Or, as my logic lecturer would have said, "this is intuitively obvious."

ACA Guy

Wednesday, January 24, 2007

Integrate Accellion SFTA with Email Client So End Users Do Not Have to Leave Email to Send Large Files Securely

Summary: Integrating Accellion SFTA with your enterprise messaging system makes life very easy for end users and email administrators alike. Steps and sample end user interface below.


-----

If you recall my rambling about Using Exchange/Outlook and Domino/Notes with Accellion Secure File Transfer Appliance, I said that it’s possible to embed an Accellion icon inside the email client so that a user can send an "attachment" via his email and still process the actual transfer through the secure file transfer appliance without clogging up the email server. In other words, this makes the secure file transfer process transparent to the end user.

For those IT admins from Missouri (the Show Me State - for those not familiar with this American colloquialism), the integration process is straightforward for both the end users and the email administrator as described below.

Let’s say your enterprise email environment is Exchange/Outlook and you want to let end users send files from within Outlook like they always do, but still process the transaction through the secure file transfer appliance.

First, you have to buy an SFTA box from Accellion.

Then, the Accellion installation team or the IT administrator prepares the MSI installer and the registry settings that tell the SFTA client agent how to install on the end users' PCs. Next, the IT administrator assigns the package for a controlled roll-out through a mechanism such as Microsoft Active Directory Group Policy software installation. Each desktop applies the policy the next time it starts up and processes computer policy, and installs the Accellion Outlook agent without any user action. So, the key, and only, thing that end users need to do is to make sure that their PCs are turned on and connected to the network. Even the CFO can handle that task without supervision. (One check worth doing before publishing the package: verify the MSI's digital signature or hash against what Accellion supplied, since a Group Policy assignment will faithfully install whatever sits at that share path on every machine in scope.)

The process is similar if your organization uses Lotus Domino and Notes for your enterprise messaging system.


[Figure: Integrated Exchange/Outlook and Domino/Lotus Notes client plug-in with Courier SFTA]
Once the Accellion agent is installed on a user's desktop, the user will notice an extra "A" icon in his email application as shown above. (Outlook client shown.)


Email administrators can set a threshold size for files that can be sent via email. If a file exceeds that threshold, the file is intercepted and sent via the secure file transfer appliance instead. This can be done automatically, or through a gentle reminder to the end user, telling him to use the file transfer appliance to send large attachments.
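To make that interception step concrete, here is an added example (not Accellion's plug-in code, and not taken from this page) of the logic a size-threshold hook performs: attachments above the limit are pulled out of the outgoing message, handed to a transfer store, and replaced by download links in the body, while smaller ones stay inline. The TransferStore class, its base URL https://transfer.example.com/d/, the 1,000,000-byte threshold and the sample message are all assumptions constructed for the example. Two details matter from a security standpoint: the download token is generated with secrets.token_urlsafe, because the link itself is what authorises the download and therefore must not be guessable, and each download is recorded so the sender can be shown the delivery confirmation described earlier on this page.

```python
"""Offload oversized e-mail attachments to a link-based transfer store.

Added illustration of the threshold interception described above; not
Accellion's plug-in code. The in-memory TransferStore, its URL, the
threshold and the sample message are constructed for this example.
"""
import hashlib
import secrets
from email.message import EmailMessage
from typing import Dict, List, Tuple


class TransferStore:
    """Stand-in for the transfer server: keeps bytes under a random, unguessable token."""

    def __init__(self, base_url: str = "https://transfer.example.com/d/"):  # assumed URL
        self.base_url = base_url
        self._files: Dict[str, Tuple[str, bytes]] = {}
        self.downloads: List[str] = []  # audit trail of tokens that were fetched

    def upload(self, filename: str, data: bytes) -> str:
        # The link is the credential, so the token must come from a CSPRNG,
        # never from the filename or a sequential id.
        token = secrets.token_urlsafe(24)
        self._files[token] = (filename, data)
        return self.base_url + token

    def download(self, token: str) -> bytes:
        _filename, data = self._files[token]  # KeyError for an unknown token
        self.downloads.append(token)          # basis for the sender's download confirmation
        return data


def offload_large_attachments(msg: EmailMessage, threshold: int, store: TransferStore):
    """Return (rewritten message, offloaded list).

    Each offloaded entry is (filename, size, url, sha256 hex digest). Attachments
    at or below the threshold are copied into the new message unchanged.
    """
    keep, offloaded = [], []
    for att in msg.iter_attachments():
        data = att.get_payload(decode=True)
        name = att.get_filename() or "attachment"
        if len(data) > threshold:
            url = store.upload(name, data)
            offloaded.append((name, len(data), url, hashlib.sha256(data).hexdigest()))
        else:
            keep.append((att.get_content_maintype(), att.get_content_subtype(), name, data))

    out = EmailMessage()
    for header in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            out[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if offloaded:
        body += "\nThe following files exceed the attachment limit and were sent via secure link:\n"
        for name, size, url, digest in offloaded:
            # Digest lets the recipient verify what was fetched is what was sent.
            body += f"  {name} ({size} bytes, sha256 {digest[:16]}...):\n    {url}\n"
    out.set_content(body)
    for maintype, subtype, name, data in keep:
        out.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return out, offloaded


def build_sample_message() -> EmailMessage:
    """Constructed outgoing message: one small PDF and one 1.5 MB PDF."""
    msg = EmailMessage()
    msg["From"] = "attorney@example.com"
    msg["To"] = "client@example.org"
    msg["Subject"] = "Discovery exhibits"
    msg.set_content("Exhibits attached.")
    msg.add_attachment(b"%PDF-1.4 small exhibit", maintype="application",
                       subtype="pdf", filename="exhibit-a.pdf")
    msg.add_attachment(bytes(1_500_000), maintype="application",
                       subtype="pdf", filename="exhibit-b.pdf")
    return msg


if __name__ == "__main__":
    store = TransferStore()
    rewritten, moved = offload_large_attachments(build_sample_message(), 1_000_000, store)
    print(rewritten.get_body(preferencelist=("plain",)).get_content())
    print("kept inline:", [a.get_filename() for a in rewritten.iter_attachments()])
    print("offloaded:", [(n, s) for n, s, _u, _d in moved])
```

In a real deployment the store would also require the recipient to authenticate before honouring the token and would expire it under the same lifecycle policy that governs the file, so that a forwarded link stops working when the file does.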

How about one-off installations, say for a new employee? In this case, the administrator sends the new user an invitation to install the software. The user clicks on a link to download the installer file, which installs the agent automatically. When the installation is done, the user starts his email client and enters his SFTA account information (same as the email information if AD/LDAP directory integration is used with SFTA). And that’s it.

OK, what if the end user is using a PC that is not configured with the agent? On a public computer, for example. The secure file transfer appliance is always available to authorized users through a web interface. So, even if a user is not at his normal PC, the secure file transfer process is not impeded or compromised in any way. Or, as an IT director once told me about his end-user roll-out, if you know how to use Yahoo Mail, you know how to use Accellion.

By the way, click here to get your SFTA from Accellion.

ACA Guy

Wednesday, January 17, 2007

Be like Tom Cruise (or Peter Graves) and Get Your Files to Self-Destruct Securely

Summary: Just like the messages that deliver ‘the mission’ to Ethan Hunt or Jim Phelps in the Mission Impossible series, files on the Accellion Secure File Transfer Appliance (SFTA) will ‘self-destruct’ when you say the time is up.

-----

Watching one of the Mission Impossible movies the other day, I got a kick out of how Tom Cruise’s character Ethan Hunt received his mission assignment through a pair of glasses. When he had all the details he needed, he tossed the glasses into the air and they blew up (cool!), preventing anyone else from accessing the vital mission information.

Alas, I am also old enough to recall the original Mission Impossible television series where Peter Graves’ character Jim Phelps received his mission via audio cassette. The tape would fizzle in a puff of smoke to self-destruct (cool!), again to protect the secret information.

This got me thinking about the life of files that are often left to languish in places such as FTP servers and email in-boxes. Unlike the self-destructing messages delivered to the Mission Impossible team, these real-life files hang around forever until someone takes the action to remove them. And the longer the files sit around, the more susceptible they are to prying eyes, including search engines like Google.

While state secrets may not be involved (and, in any case, the secretary shall disavow any knowledge), most business processes and senders would like to ensure that information doesn’t hang around any longer than need be. Accellion SFTA has a lifecycle management feature that allows an administrator to set global default limits for how long files remain on the appliance before they ‘self-destruct.’ Actually, they are merely deleted, so don’t worry about the appliance sending out puffs of smoke or exploding in the data center. Sorry.

Furthermore, while there is a global default, say 30 days, the default time length can be overridden by an authorized sender. This user can specify whatever length of time he needs to keep the file on the appliance, say, one day or 12 months.

Finally, you wouldn't want people putting files on the server indefinitely because they might use the appliance as a long-term storage medium. (Great for Accellion because people would need to buy more SFTA boxes, but integrating your Accellion SFTA with your SAN is probably a better ROI for your IT budget.) For this, the SFTA administrator holds the ultimate power of setting the maximum lifespan of files that no user can exceed. This could be an important part of your overall corporate electronic record retention policy.

So, what does this file lifecycle management tool mean? For end users, this means senders do not have to clean up the email attachments. (Don’t you hate when your email system tells you to delete or archive files to free up space? Your SFTA would never do this to you!)

Of course, the person who is most grateful for this lifecycle management feature is the system administrator. If he sets a reasonable global default time for files, and he allows authorized users to override that default as needed, then he is not the bad guy when files are automatically removed from the appliance. Users can’t complain about disappearing files when they know it is company policy to remove files after x number of days, weeks, or months. In addition, the system administrator does not need to spend his time wading through files to determine if they are ripe for removal from the appliance. This process will happen quite naturally and automatically. In short, there’s no impossible mission when it comes to lifecycle management with the Accellion SFTA.

And, the secretary shall never disavow your actions.

ACA Guy

Wednesday, January 10, 2007

Using SFTA to Manage IT Portfolio to Stay in the Race, Win the Race, and Change the Rules

Summary: Using the concept of IT Portfolio Management, the de rigueur enterprise topic of the day, find out how Accellion Secure File Transfer Appliance allows the IT team to stay in the race, win the race, and change the rules.

-----

One of the hottest IT topics for large enterprises is portfolio management. It is the notion of managing IT projects as you would a financial portfolio. Similar to financial instruments of various flavors, some projects are very low risk but provide steady value to the organization while other projects are high-risk/high-return and, if done right, can catapult your business into a higher playing level. The key insight is to manage and balance a collection of IT capabilities like a portfolio so that you take care of immediate needs as well as sowing seeds for the future.

While the concept is fairly intuitive, just like managing financial portfolios, the challenge is knowing how to balance the portfolio with the right amount of “steady/value projects” and “high risk/high return projects.”

A recent article in The McKinsey Quarterly entitled "Divide and Conquer: Rethinking IT Strategy" by David Craig and Ranjit Tinaikar (free registration required) provides advice on how to segment the projects in your IT portfolio.

The article classifies IT projects in terms of their value to an organization. The low risk, steady value projects are known as stay in the race projects. These are the kinds of things that you simply must do in order to remain competitive. An enterprise email system would be a banal but obvious example.

The next level of project is called win the race. This kind of project will place you ahead of competitors, at least until they manage to catch up. An example of such a project is a customer service tool that allows a service agent to immediately get a holistic view of a client's history.

Finally, the highest level of IT project is the change the rules type of project where you do business in an entirely different way. The end-to-end integrated inventory control system between Wal-Mart and its vendors that took nearly ten years to develop is a much feted example.

So, to borrow financial jargon, what is the recommended asset allocation for the IT portfolio? The McKinsey report offers these guidelines for your IT budget:

Stay in the race projects: 30%-60%
Win the race projects: 10%-60%
Change the rules projects: 10%-40%

As the McKinsey report puts it, up to 60% of the IT budget “should focus on maintaining and enhancing basic IT services, including core business applications, systems to meet regulatory demands, e-mail, and Web services. These are low-risk functions necessary for staying in the race.”

Secure file transfer is just such a core application. Be it a security and compliance issue, a global multi-location collaboration and communication issue, or an issue of keeping viruses and other digital cooties out, Accellion SFTA has been field-proven to be one of the favorite tools in the proactive IT team's arsenal for meeting the Stay in the race needs.

But what if you want to push the envelope toward winning the race? Can SFTA help you do that as well? [Expletive deleted], Yes! As noted by customers in verticals such as Architecture, Engineering, and Construction (AEC), Healthcare and Research Institutions, and law firms, Accellion offers a solution that allows them to re-align their business processes to better meet customer needs and improve internal efficiencies.

As for the change the rules capabilities, Accellion will soon offer API libraries that can integrate your secure file transfer processes into other enterprise applications and processes. Similar to the ability to quickly prototype and deliver services for innovative financial products as cited in the McKinsey report, I can already see an explosion of different collaborative processes within an organization and amongst multiple parties that have been nearly impossible before, as a result of the API tools.

So, introducing a platform solution that helps to address your Stay in the race, Win the race, and Change the rules needs - Accellion Courier Secure File Transfer Appliance (SFTA). Say, maybe we're not charging enough for these boxes...

ACA Guy

Wednesday, January 03, 2007

Are you Federal Rules of Civil Procedure - Rule 37 section (f) compliant? Accellion SFTA can help

Summary: Have you heard of Federal Rules of Civil Procedure - Rule 37 section (f), FRCP Rule 37(f)? How does it impact your organization's electronic record retention policy and how does Accellion's automated policy based file life cycle management tool help you?

-----

Unless you are a litigation lawyer or legal/IT consultant, you probably aren't aware that new rules governing the use of electronic records in the federal courts went into effect in December of 2006. Specifically, I am talking about Federal Rules of Civil Procedure - Rule 37 section (f), or FRCP Rule 37(f) if you are in the know, which addresses the issue of record retention.

But, before going any further, I do want to give the formal disclaimer: This posting is not to be considered legal advice, and you should seek competent legal counsel for your specific situation.

OK, with that out of the way, let’s get to the heart of the matter. The FRCP are long and detailed, but the one we are most interested in for today is Rule 37(f), which states:

(f) Electronically Stored Information
Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.

Don’t you just love legalese?! If your eyes, like mine, glazed over while reading the statement above, have a look at the Companies unprepared to comply with new electronic discovery rules article in Network World, which summarizes the issue nicely from an IT perspective.

What it comes down to is the need to preserve your electronic records, which includes email. How you preserve the records, and for how long, is up to you to decide. What the court is looking for is the fact that your organization has a consistent policy and a routine procedure for keeping and deleting electronic records. In other words, you can’t start to shred electronic records when it looks like you are headed to court like the infamous incident with Enron records at the now defunct Arthur Andersen.

Given that Accellion customers often use secure file transfer appliances as a complement to email attachments, the natural question is what the impact on the retention of attachments is, given the new procedures.

The first thing that you want to think about is what constitutes an electronic record. Is it just the text of an email message? Does it include the attachment? How about the audit trail that tells you who did what, and when? There's no definitive answer, so it's up to your company to set the definition. And, whatever you call a record, the onus is on you to be consistent in the way you define it and treat it.

If you decide to store your attachments as part of your electronic record, Accellion's automated policy-based file life-cycle management control can help. On one extreme, you can decide to keep a file on an SFTA for 10 years. Alternatively, I have heard cases where the retention policy is now moving toward no more than two weeks. Whatever the period, it is a simple setting in the Accellion SFTA. In other words, by using the automated file life-cycle tool for all the users, you are, by default, handling your files in a routine way, which satisfies the needs of FRCP Rule 37(f).
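The retention mechanics this page describes, in the self-destruct post above (a global default, a sender override, and an administrator ceiling that no override can exceed) and in the routine-operation point made here, come down to one small policy rule plus a scheduled sweep. The following is an added example of that rule; it is not Accellion's code and does not claim to match the appliance's settings. The record fields, the 30-day default, the 365-day ceiling, the sample uploads and in particular the legal_hold flag (the usual way a routine deletion job is made to stop once litigation is anticipated, which this page does not describe as an appliance feature) are all assumptions constructed for the example.

```python
"""Policy-based file lifecycle: global default, sender override, administrator ceiling.

Added example illustrating the retention mechanics described on this page; it is
not Accellion's code. Field names, the legal_hold flag and the sample records are
assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class RetentionPolicy:
    default_days: int   # applied when the sender does not choose a lifetime
    max_days: int       # administrator's ceiling; no sender override may exceed it

    def effective_days(self, requested_days: Optional[int]) -> int:
        """Clamp the sender's request to the administrator's ceiling.

        A request of less than one day is rejected rather than silently
        rounded, so a typo cannot make a file vanish before it is downloaded.
        """
        if requested_days is None:
            return min(self.default_days, self.max_days)
        if requested_days < 1:
            raise ValueError("retention must be at least one day")
        return min(requested_days, self.max_days)


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    uploaded_at: datetime
    requested_days: Optional[int] = None  # sender override, if any
    legal_hold: bool = False              # assumed flag: suspends routine deletion

    def expires_at(self, policy: RetentionPolicy) -> datetime:
        return self.uploaded_at + timedelta(days=policy.effective_days(self.requested_days))


def sweep(files: List[StoredFile], policy: RetentionPolicy, now: datetime) -> List[str]:
    """Return the ids of files whose lifetime has elapsed and that are not on hold.

    Running this on a schedule is what makes deletion routine: every file is
    judged by the same rule, and the decision can be logged per file.
    """
    expired = []
    for f in files:
        if f.legal_hold:
            continue  # on hold: left alone no matter what the clock says
        if f.expires_at(policy) <= now:
            expired.append(f.file_id)
    return expired


# Constructed sample: four uploads on 1 January 2007 under a 30-day default and a 1-year ceiling.
DEFAULT_POLICY = RetentionPolicy(default_days=30, max_days=365)
_T0 = datetime(2007, 1, 1, tzinfo=timezone.utc)
SAMPLE_FILES = [
    StoredFile("A", _T0),                                     # no override: 30 days
    StoredFile("B", _T0, requested_days=1),                   # sender wants it gone tomorrow
    StoredFile("C", _T0, requested_days=3650),                # asks for 10 years: capped at 365
    StoredFile("D", _T0, requested_days=1, legal_hold=True),  # would expire, but is on hold
]


def demo(now_iso: str) -> List[str]:
    """Run the sweep against the sample records at the given UTC date (YYYY-MM-DD)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return sweep(SAMPLE_FILES, DEFAULT_POLICY, now)


if __name__ == "__main__":
    for day in ("2007-01-01", "2007-01-02", "2007-02-15", "2008-01-01"):
        print(day, demo(day))
```

The point of the ceiling is that the sender's request is clamped, not rejected: the 10-year request on file C quietly becomes one year, which is exactly the behaviour you want from a control that has to be applied uniformly to every file to count as routine operation.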

Because the new FRCP Rule 37(f) went into effect a few weeks ago, now is a good time to give serious thought to your retention policies. And, with the automated file life-cycle tool, Accellion SFTA provides a platform tool for an organization to create compliant processes without hiring a new army of administrators to meet the needs of the regulation.

ACA Guy

Wednesday, December 27, 2006

What customers are saying about Accellion SFTA and a Happy 2007

Summary: What is driving the demand for Accellion secure file transfer appliance? What are the experiences for users and IT once SFTA is installed? These are snippets of what customers have told us.


-----

Secure File Transfer is a universal need for all industries and organizational sizes. So, as you get ready for 2007, check if any of these typical customer comments ring true and consider if there should be an Accellion SFTA on your 2007 to-get list.

(Okay. Okay. I admit it. ACA Guy's handler is out on vacation. So, I have turned to customers for content. As always, names have been withheld to protect the not always innocent.)


***

Ouch! We have to fix this.

A few weeks ago an employee set up an FTP account for company X. People at X turned around and gave a whole bunch of people outside of X access to the FTP account unbeknownst to us. As we were exchanging data and information through that FTP account, unauthorized people were getting confidential and competitive data that they shouldn’t have seen.

Global Advertising Agency


***

Because secure file transfer is important for our clients

We have many high profile clients and securing file transfer in a way that our attorneys can easily use is important for all transactions.

Global Law Firm


***

See the Gain (usage) Without the Pain (support calls)

I initially handed out access to a few people who were regularly sending 60MB PPT files and refusing to use anything other than email. Demand for access grew virally as new users heard about and asked for this new tool.

What closed the deal for me is that as user count "takes off", the user support hotline remains dormant.

Medical Research Foundation


***

Get your own SFTA!

[SFTA] is being used by ALL sorts of people - documentation, clinical, marketing and sales, field engineers. I am getting constant calls from people who want to have access to the system immediately.

While I will probably give access to other divisions on a limited basis, this box is for our division and they'll have to buy their own.

Medical Device Company


***

Happy Users = Happy IT

I used to get lots of complaints about ad hoc large file transfer from doctors. But, since its [Accellion SFTA] installation, I have gotten zero complaints.

Healthcare Institution


***

And, regardless of where you are on the secure file transfer readiness scale, the Best Wishes for a Joyful and Successful 2007 from the entire Accellion team.

ACA Guy

Wednesday, December 20, 2006

Using Exchange/Outlook and Domino/Notes with Accellion Secure File Transfer Appliance

Summary: Offered as an integrated plug-in for Exchange/Outlook and Domino/Notes, Accellion SFTA allows users to send files of any size without leaving the comfort of email. What does this mean for the IT Support Ticket count?

-----

Maybe you are like me. The very first thing and the very last thing I do in the office involves starting and closing my email client application.

And, between these two points, just about everything I do has an email component - requesting additional information, explaining the latest proposal, following up with people on their action items, and sending files as attachments.

The good news about a ubiquitous tool like email is that users, like yours truly, would happily take advantage of features like the ability to send file attachments. Conversely, the bad news is that if you force users to leave their email comfort zone for things like sending large files, say via FTP or CD/DVD, there will be confusion and a lot of IT support calls.

This is why Accellion has taken great care to develop the hooks necessary to integrate with the two most popular email solutions: Microsoft Exchange/Outlook and Lotus Domino/Notes. By using the Accellion email client plug-in, users can access the enterprise secure file transfer solution from within the productivity tool most intimate to the majority of business processes – the email system.

Once the Accellion plug-in has been installed on the email client, Accellion SFTA becomes a smart icon for the end users. (Click here to see an example of how it appears on the end user's email client.) In other words, from a user's perspective, there is no need to exit the email application or start another application to transfer a large file; it's all streamlined. And the easier the process is for the user, the fewer support tickets IT has to resolve.

Beyond the obvious end user process advantage, the email-integrated Accellion SFTA still works in parallel to the email system by offloading file attachments and managing the file life cycle through the policy-based mechanism. Namely, all the features that make IT's life easy are there.

As best as I can tell, Accellion is the only company that offers this kind of Outlook and Lotus Notes email integration for an enterprise secure file transfer solution. And we bring a lot of integration experience to the table. While doing the setup is not a complicated process, it is good to know that Accellion can help you troubleshoot and resolve issues in hours instead of days, weeks, or longer.

What about when a user is out of his office, without access to his email? We’ve got it covered there, too. The secure file transfer appliance can be accessed via the web, so even when access to email is not available, you can still send files to your heart's content.

Sweet!

ACA Guy - YF Juan

Wednesday, December 13, 2006

Supporting Global Multi-Office Secure File Transfer Needs - The Six Factors to Consider

Summary: Accellion has been deploying global multi-office secure file transfer solution for enterprise users for years. How does your need compare to some of our typical deployments? What are the issues to keep in mind when designing a global multi-office secure file transfer framework? Accellion's ACA Guy tells all.

-----

Question: Can the Accellion Courier Secure File Transfer Appliance (SFTA) solution scale to meet large enterprise demands on a global basis?

Answer 1: There are more than 13,000 registered users on a deployment consisting of 40% internal users and 60% external users worldwide for one Accellion customer.

Answer 2: The largest Accellion installation supports over 70 offices around the world with SFTA clusters and satellites as part of the customer's global network.

Answer 3: A global media company regularly exchanges more than one terabyte (1TB or 1,000 GB) of data every month and the usage is still growing.

While setting up an SFTA is just three easy steps away, it is equally true that Accellion SFTA has been designed as an enterprise solution that allows appliances to be linked together to provide a global secure file transfer infrastructure.

Being a highly scalable solution, you can start with one appliance to service your current needs. And, as the usage and company expands, just keep adding to the SFTA network to meet the new demands.

A second advantage is that, since Accellion has customers in North America, Europe, and Asia deploying SFTA on a global enterprise basis, we know as much about how to implement a global multi-office secure file transfer infrastructure as we know about what not to do.

***

So, what are the key considerations for a multi-office secure file transfer architectural framework? There are six.

1. Access Control: How to ensure and automate the process in which only authorized users can access the correct file/data.

2. Security: How to ensure file transfer security both technically, such as file encryption, and business process-wise, such as file tracking.

3. High Availability: How to ensure constant availability in light of potential hardware, location, and connectivity failures.

4. Storage Management: How to ensure efficient file storage to maximize system wide capacity.

5. Right Speed for Users: How to ensure timely file/data delivery without significant capital investment.

6. Ease of Enterprise Integration: How to make the secure file transfer process integrate with existing enterprise usage.

I won't inundate you with the whole eight pages worth of data and analysis. So, click here for the whitepaper on the six factors on how to implement a global multi-office secure file transfer infrastructure [registration required].

Whether your organization needs to support a handful of file transfer users or tens of thousands, Accellion can help you achieve it.

And, the best part of it, none of it has to hurt!

ACA Guy

Wednesday, December 06, 2006

What is the largest file attachment that you can send via Exchange and a few related incidents for the ACA Guy

Summary: Setting attachment size limit is the right thing. But, what is the biggest file that you can send via Exchange theoretically? And, see how ACA Guy sent a 6.5GB folder.

-----

There is no denying that Microsoft Exchange is a highly successful product. With more than 115 million seats (users) worldwide, this email solution has become an integral part of many organizations and it is difficult to fathom how business processes get completed without it today!

(And, in the interests of equal time, the same applies to Lotus Notes and GroupWise users.)

All the same, even a "killer app" like Exchange has its limitations, such as sending large file attachments. Exchange and its related desktop client products, Outlook and Outlook Web Access (OWA), all have limits on the size of files that can be sent and received.

In a prior discussion on MSFT Exchange/Outlook attachment size best practices, it was noted that, out of the box, Exchange 2003 sets the default message size limit at 10MB. Email administrators can adjust these limits higher or lower. Setting higher size limits allows end users to send or receive large files, but these higher limits can result in performance degradation of the overall system. And, from talking with email administrators, setting size limits in the range of 5MB to 10MB seems sufficient for the majority of email users and business processes. Moreover, it helps to control email performance issues which impact the entire organization.

(So, why is ACA Guy so up to snuff on Exchange/Outlook? Many Accellion customers come for SFTA's ability to integrate with Exchange/Outlook so that large file transfer capability becomes a seamless process for their Outlook users. But, that is, as the saying goes, another story for another time.)

Looking at the size limit issue from the other side, for the sake of argument, what is the biggest file that a user can send under the Exchange/Outlook regime? For this, let's turn to the official MSFT Exchange team blog.

In the posting about Controlling attachment size in Exchange Server 2007 Outlook Web Access (OWA), Raj Mukherjee noted there is a default file size limit of 30 MB. Raj also provided instructions for email administrators who want to change that file size limit, and the instructions are, shall we say, non-trivial.

On the question of the hard limit, Raj discussed OWA's 60 minutes time out for file uploads and downloads which cannot be changed even by an email administrator.

So, it kind of got me thinking. Since one hour is a decent chunk of time, if you take the trouble to send a very large file, I cannot think of a worse fate than having the job abruptly terminated mid-session when the clock strikes the 61st minute.

Oh, beyond the self-loathing from the terminated job, did I mention how you would also get the evil eye from all the people whose email comes to a crawl because you attached a large file to an email?

***

Afterthoughts

Never one to shirk from controversies, ACA Guy was drawn into a war of words in the comment section for the Exchange blog posting. It is a shame that "Mr/Ms Anonymous" left the party. Nevertheless, here is a Digg entry if you want to keep the flame alive.

Finally, for the record, ACA Guy's biggest file transfer job was a 6.5GB folder with one click through an Accellion SFTA box.

Just thought you would like to know.

ACA Guy

Wednesday, November 29, 2006

Ideals and Realities - Who is Responsible for Ensuring Security and Compliance for File Transfer?

Summary: How is enterprise file transfer conducted in the trenches? Simply put, not pretty. But, instead of pointing fingers at each other, IT and end users are really looking for the same thing. And, this makes selecting the best solution possible.


-----

In most business processes today, information and data in the form of files are handed off from one person to another for processing and review, either within the organization or to parties outside the organization. This begs the question: when a file is "in motion," who is responsible for its security and ensuring compliance with business policy and government regulations?

The simple and official answer is that both the business user and the IT department have a fiduciary responsibility to ensure that information is protected and handled properly when it is transferred from one person to another (no matter if it is internal or external).

But, if you look closer in the trenches, things do not always work that way.


***
An end user often thinks more in terms of ease of use than security and compliance when it comes to how to get his job done in a way that he can control. Applying this truism to file transfer, this usually means attaching a file to an email, or a distant second choice would be burning a CD/DVD – whatever is the most expedient to meet the needs of the work process. Unfortunately, neither process is very secure. Nor would these processes meet regulatory compliance guidelines.

This does not make the end user a bad person - this simply means that he does not have a tool that meets all his needs, which includes fulfilling the security and compliance requirements.

Because the IT department is responsible, as well as accountable, for providing the tools, guidelines, and training that ensure the security and compliance of the data, it tends to be more aware of the security and compliance issues surrounding business process systems and solutions. On the other hand, while the IT team works hard to manage risks via appropriate security controls and compliance procedures, what can get lost in the process is the "ease of use" requirement. In practice, this often means that the controls and procedures become so cumbersome that they impede adoption of a solution by the end users.

This does not make the IT guy a bad person - this simply means that he does not have a tool that meets all his needs while fulfilling the security and compliance requirements.

Wait! Did I just say that both end users and IT are looking for the same thing!?

Indeed, instead of IT blaming end users for non-compliance of security procedures and end users blaming IT for erecting cumbersome hurdles in getting the job done, what everyone needs is a solution that is easy for the end users and meets all the security and compliance needs as set out by IT.

***

While the specific security and compliance needs differ amongst organizations -- for example HIPAA is of overriding concern for a healthcare practice whereas SOX is what a public firm must follow -- most IT and security people can clearly articulate the key attributes for secure file transfer capabilities as:

• The file is accessible to the sender and the recipient, and no one else in between.
• The file should be encrypted while in motion.
• The file in motion should be checked to see if it has been corrupted by viruses or other malware.
• The file transfer process must record who accessed a file in motion and when, and provide an auditable record of the transaction.
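The four attributes above, written out as an enforceable policy. This is an added illustration, not Accellion's or any vendor's code: a small Python service that releases a file only to its sender or recipient, refuses content whose digest is on a known-bad list (the EICAR anti-virus test string stands in for a real malware scanner), and keeps an HMAC-chained who/when audit log so that a deleted or altered record is detectable. Encryption in transit is assumed to come from the transport (e.g. TLS) and is not modelled; every name, key and sample file is constructed.

```python
"""Policy model for a file 'in motion': sender/recipient-only access,
a malware check before release, and a tamper-evident who/when audit log.
Encryption in transit is left to the transport (TLS) and not modelled.
All names, keys and sample content are constructed for this example."""

from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The EICAR test string is a benign, industry-standard anti-virus test file.
# Its SHA-256 digest forms a constructed blocklist standing in for a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest()}

CHAIN_ANCHOR = b"\x00" * 32  # "previous MAC" before the first audit entry


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    sender: str
    recipient: str
    content: bytes
    sha256: str  # digest taken at submission; re-checked on every download


class FileTransferService:
    """Holds files in motion and enforces the four attributes listed above."""

    def __init__(self, audit_key: bytes):
        self._audit_key = audit_key           # constructed secret for the audit HMAC
        self._transfers: dict[str, Transfer] = {}
        self.audit_log: list[dict] = []
        self._prev_mac = CHAIN_ANCHOR

    @staticmethod
    def _entry_bytes(e: dict) -> bytes:
        # Canonical serialisation of the fields covered by the MAC.
        return f"{e['who']}|{e['action']}|{e['transfer_id']}|{e['when']}|{e['outcome']}".encode()

    def _record(self, who: str, action: str, transfer_id: str, outcome: str) -> None:
        """Append an audit entry whose HMAC covers the previous entry's MAC,
        so removing or editing any record breaks verify_audit_chain()."""
        entry = {"who": who, "action": action, "transfer_id": transfer_id,
                 "when": datetime.now(timezone.utc).isoformat(), "outcome": outcome}
        mac = hmac.new(self._audit_key, self._prev_mac + self._entry_bytes(entry),
                       hashlib.sha256).hexdigest()
        entry["mac"] = mac
        self._prev_mac = bytes.fromhex(mac)
        self.audit_log.append(entry)

    def submit(self, sender: str, recipient: str, content: bytes) -> Optional[str]:
        """Accept a file addressed to one recipient; refuse known-bad content."""
        transfer_id = secrets.token_hex(8)
        digest = hashlib.sha256(content).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            self._record(sender, "submit", transfer_id, "blocked:malware")
            return None
        self._transfers[transfer_id] = Transfer(transfer_id, sender, recipient, content, digest)
        self._record(sender, "submit", transfer_id, "accepted")
        return transfer_id

    def download(self, who: str, transfer_id: str) -> Optional[bytes]:
        """Release the file only to its sender or recipient, and only if intact."""
        t = self._transfers.get(transfer_id)
        if t is None or who not in (t.sender, t.recipient):
            self._record(who, "download", transfer_id, "denied")
            return None
        if hashlib.sha256(t.content).hexdigest() != t.sha256:
            self._record(who, "download", transfer_id, "corrupt")
            return None
        self._record(who, "download", transfer_id, "ok")
        return t.content

    def verify_audit_chain(self) -> bool:
        """Recompute every MAC from the anchor; False if any entry was altered."""
        prev = CHAIN_ANCHOR
        for e in self.audit_log:
            expected = hmac.new(self._audit_key, prev + self._entry_bytes(e),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["mac"]):
                return False
            prev = bytes.fromhex(e["mac"])
        return True
```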

Similarly, what most end users would clearly articulate in terms of the preferred file transfer procedure is to follow a process that is as close to sending email attachments as possible, without all the email attachment problems, of course. Because sending an email attachment is a well understood and accepted process for most end users, an email-like solution would ensure rapid adoption instead of resistance.

So, the conundrum has been solved! The best way to ensure security and compliance in the file transfer process for business needs is to adopt a solution that behaves like email for the end users while transparently running various encryption and auditing capabilities on the backend.

Oh, don't forget to ask for easy to administer and maintain features like automatic user account creation and global file life-cycle policy while you're at it!


***

BTW, did I mention that ease-of-use, security, control, and more, is exactly what an Accellion Courier Secure File Transfer Appliance (SFTA) can do for your IT department and users?

Or, as the IT director of an advertising customer told me recently, he could "feel the love from end users" when he announced the Accellion solution.

Shouldn't you feel that love too?

ACA Guy

Wednesday, November 22, 2006

What FTP access you can get with US$10,000 and other ACA Guy FTP hubris

Summary: "Moral outrage" was the sentiment the otherwise stoic ACA Guy felt when the reporting on an eBay auction for FTP access to a .gov domain surfaced. And, a few other incidents highlighting ACA Guy's FTP hubris quickly followed.

-----

I thought I had seen it all but my jaw dropped when I read the posting about selling FTP access to a .gov domain server.

To quickly recap, there was an auction on eBay for access to "parasitic host" files on a .gov domain with a winning bid of nearly US$10,000.

What is in it for the buyer? You see, in the wild world of SEO/SEM (search engine optimization/search engine marketing), having your information/files addressed in a .gov domain name is like putting your SEO/SEM effort on a super steroid that nobody else can get. And, as a US$10 Billion industry that did not exist just a couple of years ago, there are plenty of SEO/SEM players who will do anything to get that extra edge.

And, this, what I can only presume to be unauthorized, "service" is rendered by sending the seller your files and the seller FTP'ing your files to the destination .gov domain. In other words, a legitimate web server, owned and operated by a government agency, will soon be playing host to unauthorized and unknown files. All because someone left an FTP access that is (I can only hope) unintentionally open.

Like a really good scary story, this is extra spooky precisely because everything makes sense and it could as easily happen to you and me.

ACA Guy's FTP hubris #1: I thought my FTP ghost story was good. But, monetizing unauthorized FTP access is, what can I say, wow!

While we are talking about how human users can behave badly around FTP, here is another one as reported by Computer World. The gist of the story is that an employee uploaded a copy of the Windows 2000 Professional OS onto a public-access FTP server that is frequently used to download software patches and the like. Needless to say, it was not a legal distribution of the copyrighted software. Furthermore, this incident was only discovered because a product marketing person happened to notice the "odd" software image on the server. Let's not even speculate on the potential legal liability for the company.

ACA Guy's FTP hubris #2: I am reminded of that saying about firearms and criminals, and I thought - FTP does not kill, users do.

Looking for more ways to scare yourself on FTP? In the world of viruses and other malware, Panda Labs reported that the top ranking malicious code most frequently detected in October 2006 (and in fact, throughout 2006) is Sdbot.ftp which is a script used by the Sdbot family of worms to download themselves via FTP.

ACA Guy's FTP hubris #3: I thought, erroneously, FTP is relatively secure vis-a-vis email as the most prevalent target of virus and malware.

To be fair, FTP has a long and illustrious history in the world of scripted and machine-to-machine file transfers.

But, given the prospect of somebody making off with US$10,000 in pure profit to insert unauthorized info onto my domain, I would much rather invest $3,500 on an Accellion Secure File Transfer Appliance (SFTA) to have secure control over internal and external file transfer access or, better yet, spend the whole US$10,000 for a beefy SFTA appliance and let your security and compliance officer have a thanksgiving day.

On that note, Happy Thanksgiving to all the gentle readers of ACA Guy based in the U.S. And, a most pleasant rest of the week for everyone else.

ACA Guy

Wednesday, November 15, 2006

Secure File Transfer for Architecture, Engineering and Construction Users

Summary: Architecture, Engineering and Construction (AEC) firms are increasingly looking to Accellion SFTA as a solution that allows end users to easily and securely send large files and folders without requiring IT intervention.

-----

To state the obvious, enterprise users need to send and receive large files to and from people both inside and outside the organization. As transferring large files among work colleagues becomes de rigueur for many business processes, proactive IT teams have abandoned their FTP servers and added a secure file transfer appliance to make sure their users have the right tools to get those critical business files to the right person, at the right time, securely.

Since this is a Horizontal Business Process Improvement Opportunity, at Accellion, we have found that many industries have a clearly articulated need for solutions like SFTA. The legal industry, as well as healthcare, are two industries I have previously highlighted in this blog.

Architecture, Engineering and Construction, otherwise known as AEC, is another industry where we are seeing a surging demand for a solution that lets end users easily and securely transfer large files and folders. Given the nature of AEC, most of the work is collaborative across organizational and geographic boundaries, and they have some pretty hefty files to send around.

For instance, take a civil engineering firm that is designing a freeway overpass. This firm would produce a series of CAD (computer-aided design) drawings for the construction firm that is going to build the bridge. Because industrial CAD files can easily get to the range of hundreds of megabytes in size, this isn’t something you can simply email from one person to another. (Not without getting the evil eye from the email administrator and your fellow co-workers because you just completely choked the email system, anyway.) So, traditionally, this transfer is done either by an FTP server, which usually requires IT intervention, or by overnight delivery service of a CD/DVD, which is costly in transit time.

So, when AEC companies like Bigge Crane & Rigging Company find a solution like Accellion SFTA that allows end users to operate within the familiar email interface while sending large files and folders of any size without impacting the email server, it is a Eureka moment.

Or, as somebody has not so delicately put it, size matters. (When it comes to large files, that is.)

ACA Guy

Wednesday, November 08, 2006

3 Easy Steps to Secure File Transfer Nirvana - a.k.a. why IT and users love appliance solutions

Summary: Like the humble toaster, a dedicated appliance solution like the Accellion Secure File Transfer Appliance can be installed and deployed in three simple steps that allow IT and users to get on with their lives.
-----

I enjoy all aspects of culinary arts. I can regale you about the Atlantic spiny lobster in Spain as discussed on eGullet or the results of the Dim Sum Civil War in the San Francisco bay area instigated by ChowHounds and I have been known to take three months to prepare a dish (duck confit, in case you are wondering).

But, truth be told, the tool that I use most frequently in the kitchen is the humble toaster. Just press down on the handle and, by the time the table is set, crunchy and golden toast is ready.

I’m convinced that most people prefer simple appliances that do exactly what you need them to do, with practically no setup and intervention. Just press and watch it work.

It’s the same in the IT world. Technology buyers prefer solutions that do exactly what you expect them to do - requiring minimum setup and as little on-going IT intervention as possible.

End users, they want the technical equivalent of a toaster too, because they want to get a job done without getting a second degree in IT support.

In this light, it is only appropriate that the "A" in Accellion's SFTA stands for Appliance (as in Secure File Transfer Appliance). Unlike FTP/SFTP servers or email attachments that require extensive initial setup and vigilant on-going monitoring, you plug in an SFTA and it works.

Toaster for IT Administrators

To prove that I'm not overstating the easy plug-and-play nature of this appliance, I want to share the gist of the installation guide that I got from the Accellion Field Support team. Or, as I like to think, these instructions are the "three steps to secure file transfer nirvana for IT administrators":

Step 1: Pre-installation
- Configure your firewall to allow access to and from the appliance.

Step 2: Physical installation
- Rack mount the server and connect the cables (monitor, keyboard, Ethernet, and power)

Step 3: Configuration
- Specify network settings (host name, IP/subnet mask, DNS, and gateway)
- Choose a notification email address

All told, these instructions should take a prepared IT professional less than half an hour to have an SFTA up and running. When was the last time you had a complete IT solution available to all users in that short amount of time?

Toaster for End Users

For an end user to send a large dataset:

a) Select the recipient’s email address
b) Select file/folder(s) to send
c) Add a personal note if desired
d) Press 'Send'

No complicated steps. No long URL strings to copy/paste. No extra settings to worry about. As Dr. John Halamka, CIO of Harvard Medical School, said, "[SFTA] is exceptional because the numerous emails about ad hoc large file transfer have vanished since its installation."

End users like SFTA for their secure file transfer needs. Sort of like making toast with a toaster.

ACA Guy

Wednesday, November 01, 2006

What Network World and Gartner are saying about Secure File Transfer

Summary: What a difference two years make. What leading publications and analyst firms, such as Network World and Gartner, are saying about secure file transfer and its expanding applications.
-----

Like most information technology vendors, I have my ambivalence about industry analysts. For example, how can anyone not clearly see that Accellion Secure File Transfer Appliance is the best thing since sliced bread? Honestly. On the other hand, it is gratifying to see analyst reports on market growth and feature diversification matching up with experiences on the ground.

In a 2005 Network World review: Learn to love e-mail attachments again, Linda Musthaler, an IT industry analyst, outlined the concerns on "large e-mail attachments several megabytes in size often fail to make it to the intended recipients" and "[FTP], too, has its shortcomings, including lack of security, burdensome administration, lack of document versioning and tracking, and non-compliance with government regulations for certain documents."

Bingo.

When Accellion first rolled out the Courier Secure File Transfer Appliance SFTA solution in late 2004, it was an uphill battle to convince people that SFTA is not only a better technical solution but would make both the end users and the IT support personnel happy.

The typical objection we would hear was that FTP/SFTP and email attachments, while not perfect, were serviceable solutions that both end users and IT departments are willing to put up with.

While we worked with early adopters to overcome these objections, we also began to hear murmurs on the increasing number of FTP/SFTP and email infrastructures that were buckling under the growing volume of information exchanged. Slowly but surely, across industries and business functions, both IT professionals and end users were coming to the realization that secure file transfer is a core business process that cannot be ignored.

Gartner’s 2006 report Replacing FTP With Managed File Transfer: Not All MFT Suites Are Equal states that "Gartner previously defined the MFT suite market as a combination of internal and external technology that enables users to manage all aspects of file transfer. Increasingly, however, we've noticed that there are multiple, disparate deployment scenarios with regard to MFT suites."

Bingo. Bingo.

Instead of a monolithic and FTP-centric view where only machines need to exchange large files, the market place has embraced and demanded secure file transfer solutions that are user-centric. In other words, machine-to-machine file transfer has become a sub-segment to a much larger market where users need the ability to securely communicate and collaborate with external partners and organizations on an ad-hoc basis with files of any size.

As a result, the marketplace for MFT solutions deepens and widens to include additional processes and usage behaviors, and we are seeing a surge from proactive IT departments inquiring about the Accellion SFTA solution. This is chiefly driven by the desire to treat secure file transfer as a horizontal business process improvement opportunity. Similarly, instead of us educating the buyers about FTP/SFTP and email attachment issues, we are hearing from them on how FTP means Failure To Protect and what kind of strange maneuvers on Microsoft Exchange/Outlook Attachment Size they no longer wish to engage in.

Equally important, this need is not confined to a niche industry or function. Many knowledge workers in disparate fields -- ranging from hospitals, research institutions, law firms, to advertising agencies -- are now wondering aloud how they ever lived without Accellion SFTA at their fingertips.

Back at the ranch, Accellion has grown its SFTA customer base from single digit to triple digits in the space of six quarters! In many ways, this feels like we have just passed the early adopter stage and are now on the cusp of an emerging solution that is about to go mainstream for every user and IT professional.

But, more importantly, Accellion pledges to continue to make file transfer easy and secure for end users and IT alike. It’s our belief that the easier we make it, the more it will be used, and the more productive it will make people. And isn’t that the main reason why anyone installs new technology in the first place?

ACA Guy

Wednesday, October 25, 2006

Comparing the costs of FTP/SFTP, Email, and SFTA for Secure File Transfer Needs

Summary: Why "industry standard" is often wrong, 20 years ago and today. And, a closer examination of the comparative costs of Accellion SFTA, FTP/SFTP, and Email for file transfer needs.
-----

We all know how to make "apple to apple" comparisons. But, the reality is that "apple to orange" comparisons are far more common in the business world. I guess that's what makes our jobs more interesting. If all of our choices were "apple to apple," the decision process would get pretty obvious.

Why am I going off on a seemingly "fruitful" tangent? You see, I was having a chin-wag with a respected IT veteran and was told of the time when she was tasked to recommend whether her employer should go with leasing a word processing solution on a Wang Labs mini-computer and terminals vs purchasing and installing PCs with word processing software and connecting them by LAN.

(I realize that this may seem like an obvious decision today. However, 20 years ago, when PCs were considered marginally smarter than a dumb terminal and everyone you would meet on a professional basis considered the Wang Labs solution as the industry standard for enterprise word processing, the decision was anything but.)

The point is, it’s often difficult to do a direct comparison of two things because features and costs often do not line up one-for-one. On the other hand, her instinct that the PCs' capabilities were equally or more important than cost was right on. The LAN would usher in a new era of business process enablement where engineers were more productive because they could process their own documents whenever and however they wanted. And, instead of typing letters and files, secretaries could move into higher level roles (e.g. administrative assistants) and add more value to business processes new and old.

And, naturally, this recommendation launched our heroine toward the better and brighter future that eventually led to our chitchat as related above.

Fast forward 20 years and compare FTP/SFTP or email attachment to a secure file transfer appliance from Accellion. IT teams are coming to Accellion for SFTA because, even though FTP/SFTP is a free utility on most server operating systems and email attachment is a standard capability of the email system that has already been paid for, SFTA is a Horizontal Business Process Improvement Opportunity. It's just like how installing PC and LAN can give you so much more than the "industry standard" word processing solution could 20 years ago.

How about the costs? SFTA is not free, so how does its cost measure up against the "business process improvement opportunity"?

The costs of an SFTA include:
    * The purchase price of the appliance(s) for your organization
    * The annual maintenance agreement, which covers updates and support
    * The IT department’s implementation time, which is about an hour
    * Eliminating an overwhelming majority of support requests on secure file transfer needs

In dollar terms, there is a one-time purchase cost followed by the cost of less than one (<1) headcount for an experienced IT person going forward, because support and maintenance are largely automated and do NOT increase as the organization ramps up its SFTA usage.

The costs of FTP include:

    * The purchase of hardware for a dedicated FTP server and the time to set up the software to run FTP
    * The on-going time for administering FTP services, such as adding and deleting users, maintaining files, managing directories
    * User training and support as FTP is notorious for being user unfriendly.

In dollar terms, there is a one-time hardware purchase and software setup cost followed by one headcount for an experienced FTP administrator. And, as usage ramps up, a proportional increase in FTP support staff will be needed. And, in extreme cases where the end users have tight deadlines, such as law firms and other professional service firms, the FTP support staff need to be available 24/7.

The costs of Email attachments include:
    * The cost of increased storage capacity for the email system to process and store large attachment files
    * User time spent clearing out or archiving email messages when storage limits are hit
    * Monitoring and contingency procedures when a user inevitably decides to send a 50MB file to 20 recipients (and creates a 1GB surge on the email server with a single click)
    * The nights and weekends spent recovering from crashed email servers when that 1GB surge was not caught in time

In dollar terms, the hardware cost is often hidden as part of the overall email upgrade. However, the headcount cost for email administrators and IT support will increase as usage spreads through the organization, partly to monitor and prevent those attachment surges. And, you would expect to add more email administrators after the first email crash.

As you can plainly see, and please pardon the "buzz word", SFTA provides a Scalable secure file transfer process whose per-user cost falls as users adopt it. Whereas the traditional FTP/SFTP and email attachment processes are Not Scalable and require more care and feeding as more users come on-line.

So, the question is not unlike what our heroine faced 20 years ago. Do you go with the accepted "industry standards" of FTP/SFTP and email attachments for the file transfer process, or go with SFTA, which has been proven in the field to lower the cost of the same transaction while making the whole organization more productive?

ACA Guy

Wednesday, October 18, 2006

Horizontal Business Process Improvement Opportunity: Complement the Email Infrastructure with Secure File Transfer Appliance

Summary: A horizontal business process improvement opportunity cuts across departments and functions. If done correctly, such as implementing a secure file transfer appliance in support of the enterprise email infrastructure, you can realize and sustain the benefits quickly.

-----

CIO Insight just released some results of a "Research study on business process improvement (BPI)." There were basically two main findings:

Finding 1: Improving business processes is the top priority for many IT executives, especially at small and midsize companies.

Finding 2: Although process improvement is a priority, the pace of change is moderate.

Why is BPI so important? Here is what CIO Insight writes on the topic: One of the most important lessons from the last 25 years of business computing is that you can't throw technology at a problem and expect it to go away, or fling a system at an opportunity and expect the dollars to rain down.

Other than nodding in agreement, I think it is important to note that business process improvement opportunities come in two flavors. There is the vertical process that involves a specific set of data and people, e.g. inventory control for just-in-time production. Then, there are the horizontal processes that are less visible but no less vital for an organization's everyday operation -- processes such as sending large files securely; for example, engineers send blueprints, marketers send collateral, sales people send product quotes, finance people send consolidated accounts, and so on.

While the horizontal processes are less visible, the CIO Insight article observation applies equally -- that throwing money and technology at them does not solve anything. Thoughtful implementation of a solution that makes sense from the end users' perspective is what will drive the success of a technical solution for a horizontal process.

The good thing about the horizontal process improvement solution, however, is that it is easier to realize and sustain its benefits because it usually does not involve significant re-engineering of the existing processes in a manner that causes resistance from users.

For instance, exchanging information with people inside and outside is a (horizontal) business process common to most departments. In the early days, we did this by physically sending and receiving memos, letters and printed documents. The process to send something could take days. If we wanted to improve productivity (i.e., reduce the time involved), we paid extra money to use a courier service to speed up delivery.

Then, the horizontal business process solution, email, came along. We address our communication to one or more people, include the information we want them to have, and send it along its way. Only now the bits travel at the speed of electrons instead of the speed of the mail carrier. Email is so entrenched in virtually every business and every department today that we can’t imagine doing without it even though it has not been in wide use for more than two decades.

So, what is the next horizontal business process improvement opportunity? Put simply, what is the most common complaint about email for both IT and end users? I’m talking about email attachments.

Email systems were not architected to send large files; rather, these systems were designed for sending short messages that are just a few kilobytes in size. As a result, none of the major email systems in use today were developed with the notion of attaching large files (i.e., those that are 5 megabytes or larger) in mind.

Yet business processes have evolved from the days of simple text in email to sending ever-larger files and documents as part of routine email communication. Contracts, proposals, drawings, photographs, blueprints, and so on. They are all a critical part of the business process today.

Given the acrobatic moves required of end users and IT to send large files securely as attachments for the daily business needs, I would submit to you that this is as much of a horizontal business process improvement opportunity as email was back then. Does this mean that there is a miracle email system re-architected to handle large attachments? Unfortunately, no. Like most successful legacy systems, email vendors have too large of an install base to risk making that kind of departure.

Fortunately, secure file transfer appliance is available today. It offloads the large attachments from the email system, and still allows the business users to use the beloved email as a normal business process. As discussed in No Pain is Gain - What email focused VAR partners are doing for email size limits, there is no need to change how people work, how work is organized, and how work flows that often pose as obstacles in realizing the benefits of a business process improvement opportunity as argued by CIO Insight.

Don't take my word for it. What do the IT teams and users from BIDMC (a teaching hospital affiliated with Harvard Medical School), Foley & Lardner (a US law firm with 1,000+ attorneys), and Millward Brown (a global leader in market research) have in common? They all recognized that sending large files securely is a core business process and none of their highly trained (a.k.a. demanding) users want a compromised solution that forces them to deviate from getting their job done.

Come to think of it, you and I deserve no less, too!

ACA Guy

Wednesday, October 11, 2006

Cutting Total Cost of Ownership by 50% with a true Enterprise Plug-n-Play at the expense of good ID-Ten-T stories

Summary: When analyzing the total cost of ownership (TCO), it is important to keep in mind that more than 50% of IT cost and resources are usually devoted to support and maintenance. So, an enterprise "plug-n-play" SFTA appliance that eliminates the bulk of support and maintenance expenditures can do magic to your performance numbers!

-----

When an IT manager thinks about implementing a new solution, he takes into account the cost of the entire life cycle – the total cost of ownership (TCO), in other words. There’s the obvious cost of the purchase price to start, but that cost is often dwarfed by support and maintenance expenditures. What’s more, there are often hidden support overhead costs that the IT department does not consider when calculating the TCO of a solution.

According to a Gartner analysis, these hidden costs – for example, non-technical, non-IS personnel attempting to resolve end user computing problems -- can be as much as 24 percent of the entire IS budget. Furthermore, the cost of new technology is not limited to the IT organization because the same report states that end-user time spent on non-job-related PC activities accounts for more than 40 percent of a PC's total cost and more than 50 percent of IT-related expenses are incurred outside the IS organization.

One classic example of a "waste of time” that costs a company money is user time spent freeing up disk space, such as when his email storage has reached its limit and the person must delete or archive messages to be able to use the application again.

Given the extra costs of support, it’s a wonder that companies choose to install new IT solutions at all!

I mention all of these issues with support costs because just the other day, an Accellion customer – the CIO at a large teaching hospital – said he has virtually no support costs associated with the implementation of the Accellion SFTA solution. Ad hoc secure file transfer of very large files used to be a constant source of complaint from his users, but, with SFTA, his Help Desk gets no calls from end users needing to send large files. With the lessened burden on his organization, this is a true case of saving money by spending money.

If you think this is unusual, I will tell you that we hear the same thing regularly from other Accellion customers. For example, Daniel G. Rhodes, IT Director at the law firm of Foley & Lardner, has implemented SFTA to help lawyers and clients exchange files securely without IT intervention, as outlined in this announcement. (And, we all know how time-pressed and hard-to-please attorneys can be.)

With practically no need for technical support, can it be that the Accellion Secure File Transfer Appliance is the first true enterprise "plug and play" solution?

Our customers tell us that they install the appliances, integrate the interface with their directory services, and away they go! Training requirements are minimal, if any, because the solution's user interface is intuitive. Support for SFTA has almost become a sinecure because end users don't have questions. I suppose the major drawback of deploying an SFTA is the virtual elimination of good ID-Ten-T error war stories!

Sorry.

ACA Guy

Wednesday, October 04, 2006

Secure and Compliant File Transfer = Technology + Human Behavior

Summary: Meeting security and compliance requirements for secure file transfer as a core business process requires both technology and human behavior for its success.

-----

File transfer in the context of security and compliance is hot these days. Vendors, Accellion included, offer technology solutions that address various requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), as discussed in "Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?".

What is often lost in the discussion, however, is a higher-level recognition that file transfer for security and compliance is really a process requirement, and it takes both technology and human behavior to fulfill the mission. In other words, there has to be a holistic approach to providing a technical solution that seamlessly integrates with and supports the organizational flows, so that users will readily accept it.

Typical is this discussion from Dr. Dobb's. Breaking down the security requirements into layers, from Application, SSL, and IPSec down to the Link Layer, is a very robust approach to setting up a secure infrastructure, technically. However, the real questions, in my mind, are what the impact is on the end users and how they would incorporate that infrastructure into their daily business processes; those are what determine the ultimate success of a deployment meant to address security and compliance needs.

One could argue, with some validity, that it is a question of level. The technical details are for the network manager to worry about whereas the CIO/CTO should address the holistic/business process angles.

But, I would submit that this is a short-sighted approach. As we all know, most CIOs/CTOs rely on the recommendations of the IT department in the solution selection process. If the network manager's mindset is narrowly focused on technical protocols like SSL and IPSec, the organization often will get a solution that looks great on paper because of its technical capabilities without really addressing the end users' needs. This type of technically focused selection usually comes back to haunt the IT team in the form of unhappy users and increased IT support needs, since the new process cannot be easily integrated into the users' natural workflow.

In the context of secure file transfer, we often see this type of dichotomy with FTP/SFTP for ad hoc file transfer, where users would rather burn a CD and send it overnight than have to deal with IT support. Alternatively, a close second favorite method for users is to cut down the size of one large file into multiple pieces and send each as an email attachment to be re-assembled by the recipient. If you can think of a way to circumvent the official file transfer method (FTP/SFTP or Email attachment), I probably have heard about it from end users.

I suppose everyone, IT and end users alike, would agree that whatever solution is used, it should be user-friendly. But, politically correct answer aside, I think the real $64 question is why users are circumventing some solutions and wholeheartedly embracing others.

From talking with customers and prospects, it always boils down to this very simple insight for me - users (non-IT people) just want to have a sense of control over their own destiny.

Requesting FTP/SFTP access and waiting for IT to show up around 2:30pm tomorrow is just a drag. On the other hand, if I can burn a CD, I can see the progress bar to know that it will take 15 more minutes to finish. If I send it via FedEx, I can track it to see where it is and get an automated notice when it gets to the destination.

If you think of these two processes rationally, FTP/SFTP probably takes significantly less total time - say 20 minutes over 24 hours to get the job done, whereas burn-n-send probably takes 1-2 hours over 48 hours. But, users are happier with burn-n-send, an inferior solution, because they feel that they are in control.

End users just want to get the job done and move on to the next thing. Rationality has nothing to do with it.

So, are you looking to implement a secure file transfer solution that will meet the organizational security and compliance requirements? Yes, you would still want to meet the technical standards such as encryption and management reports on who sends and receives what. That is the basic requirement. But, what will determine the success of the deployment is a secure file transfer solution that fits easily into the human processes, so that end users will embrace it.

Why? Because, like most users, I always have a 2GB USB thumb drive sitting in my drawer...

ACA Guy

Wednesday, September 27, 2006

FTP (Failure To Protect) and an early Halloween ghost story

Summary: According to Microsoft TechNet, FTP fails to protect the data and files that it transfers. And, find out if your FTP/SFTP servers are haunted too.


-----

When I talk with prospective customers about their current file transfer solutions, FTP (File Transfer Protocol) is a common one, but the insecurity of the service scares them.

As it should.

You don’t need to be an information technology guru to understand the business implications of the shortcomings of FTP as the following passage from Microsoft TechNet describes:

FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid user name and password combination prior to granting access. Be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All credentials are sent across the network in plain text. In other words, all FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server. The risk of plain text credentials is that someone other than the intended users could log on to FTP and download the files you have placed there.

In other words, don’t put anything on your FTP server that you wouldn’t feel comfortable publishing in a press release – that’s how wide open your data can be. This is especially true today, when everything imaginable and unimaginable is being indexed by search engines, as I have noted in FTP (In) Security in the Google Age.

Of course, there are ways to add security to FTP. It generally involves some kind of additional wrapper around the FTP server. It can be an encrypted channel such as a VPN (Virtual Private Network) built on IPSec (Internet Protocol Security). Alternatively, you can utilize some flavor of encryption such as SSL (Secure Sockets Layer) to scramble the traffic.

The problem is that now you’re talking about adding significant complexity and cost, just to be able to transfer files. This level of overhead may have made sense in the old days, when the majority of file transfers were done via scripts and schedulers with minimal human input required. But, given the increasing importance of secure file transfer in the day-to-day business processes of non-IT users for things like multimedia presentations and legal electronic discovery, FTP and SFTP bring unpleasant memories to IT and end users alike.

***


I recently heard this FTP ghost story about a haunted server.

A contract employee was given access to an FTP server where files pertaining to his project were stored. (As a standard IT procedure, the FTP administrator would provision access for any user who showed a valid need, and this contractor proved his need.)

But then the contractor finished the project and left. (Naturally) the FTP administrator didn’t know this and thus didn't de-provision the user. In other words, the contractor still had the ability to view everything on the FTP server. Unbeknownst to everyone within the organization, this contractor paid a few more visits to the FTP server to download files - after all, no one canceled his access to the FTP server.

And, since this is a process issue, even if the server had been running secure FTP (SFTP) instead, the same haunted scenario could still have played out. So, have you ever wondered what kind of unauthorized FTP/SFTP access is happening in your organization? It is more common than you think! A major vendor is selling a tool that claims to detect exactly this type of access, as noted in my posting Much Ado About Tumbleweed and FTP Security.
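The ghost story above is a de-provisioning failure, and it leaves a trail in the server's own transfer log. As an added example (not Accellion's code, and not tied to any real product), the script below joins a constructed wu-ftpd/vsftpd-style xferlog with a constructed contractor roster and reports both downloads made after a contract ended and accounts that are still provisioned past their end date; the roster, usernames, paths and dates are all made up for the illustration.

```python
"""Audit an FTP transfer log for access after a contractor's end date.

Added example, not part of the original post. Inputs are constructed:
a short xferlog excerpt, a contractor roster, and the account list that
is still provisioned on the FTP server.
"""
from datetime import datetime, date
from typing import Dict, List, NamedTuple

# Constructed xferlog lines. Field order (18 tokens): five timestamp
# tokens, transfer-seconds, remote-host, bytes, path, transfer-type,
# special-flag, direction (o=download, i=upload), access-mode, user,
# service, auth-method, auth-user-id, completion-status.
XFERLOG = """\
Mon Aug 28 09:12:44 2006 2 10.0.0.5 204800 /proj/alpha/spec.pdf b _ o r jdoe ftp 0 * c
Thu Sep 14 10:15:32 2006 3 10.0.0.5 1048576 /proj/alpha/report.pdf b _ o r jdoe ftp 0 * c
Fri Sep 15 23:41:07 2006 1 66.1.2.3 5242880 /proj/alpha/budget.xls b _ o r jdoe ftp 0 * c
Fri Sep 15 08:02:11 2006 1 10.0.0.9 4096 /proj/alpha/notes.txt a _ i r asmith ftp 0 * c
"""

# Constructed roster: username -> contract end date (access should end here).
ROSTER: Dict[str, date] = {"jdoe": date(2006, 9, 1), "asmith": date(2006, 12, 31)}

# Constructed list of accounts still present on the FTP server.
PROVISIONED = ["jdoe", "asmith", "ftp"]

# Constructed "today" for the audit run.
AUDIT_DATE = date(2006, 9, 20)


class Transfer(NamedTuple):
    when: datetime
    host: str
    path: str
    direction: str
    user: str


def parse_xferlog(text: str) -> List[Transfer]:
    """Parse xferlog lines; malformed lines are skipped rather than guessed."""
    out = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue
        when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
        out.append(Transfer(when, t[6], t[8], t[11], t[13]))
    return out


def ghost_transfers(transfers: List[Transfer], roster: Dict[str, date]) -> List[Transfer]:
    """Transfers by a roster user on or after that user's contract end date."""
    return [x for x in transfers
            if x.user in roster and x.when.date() >= roster[x.user]]


def stale_accounts(provisioned: List[str], roster: Dict[str, date], today: date) -> List[str]:
    """Accounts still provisioned whose contract end date has already passed."""
    return sorted(u for u in provisioned if u in roster and roster[u] < today)


if __name__ == "__main__":
    transfers = parse_xferlog(XFERLOG)
    for x in ghost_transfers(transfers, ROSTER):
        print(f"GHOST ACCESS {x.when:%Y-%m-%d %H:%M} {x.user} {x.direction} {x.path} from {x.host}")
    for u in stale_accounts(PROVISIONED, ROSTER, AUDIT_DATE):
        print(f"STALE ACCOUNT still provisioned: {u} (ended {ROSTER[u]})")
```

Accounts that appear on the server but not on any roster (the constructed `ftp` account here) deserve the same review, since nobody owns them either.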

So, this could be a fun thing to do to your security officer.

First, tell him about the importance of securing file transfer processes as part of SOX/HIPAA/GLBA compliance - feel free to use my posting Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply? as a cheat sheet.

Then, tell him this FTP/SFTP ghost story.

Booooooo!

And, before the security officer faints, tell him to pay Accellion a visit because Secure File Transfer Appliance SFTA can solve all of these problems and headaches.

ACA Guy

Wednesday, September 20, 2006

Security and Auditability Legislative Mandates: Do Your File Transfer Processes Comply?

Summary: How to secure file transfer processes in the face of government regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA)? Proactive IT shops are looking for these key capabilities offered by Accellion SFTA.


-----

At Accellion, we say "Accellion Courier Secure File Transfer Appliance (SFTA) offers a key component in implementing secure and auditable file transfer processes required for meeting IP security needs and compliance mandates..." Just what does that mean? How will this product help you with your compliance mandates?

Most large enterprises operate under at least one of the legislative mandates for the protection and validation of private information. For instance, under HIPAA (Health Insurance Portability and Accountability Act), healthcare providers must safeguard the privacy of their patients' medical records. Under GLBA (Gramm-Leach-Bliley Act), financial institutions are required to hold consumers' financial information in strict confidence. Under SOX (Sarbanes-Oxley), public companies must prove that they have adequate internal controls over business procedures and financial information.

Though the legislation can get complicated when examined closely, it really boils down to common sense. Borrowing from the good ole' "do unto others" Golden Rule we all learned as children, think of the (secure) file transfer portion of these compliance mandates at their core as the "Golden Rule for Data Handling." In other words, treat other people's private data as you would want to have your own private data treated.

Common sense aside, since nefarious means such as spyware, IP spoofing, and interception of non-secure wireless traffic abound, there are several key capabilities that growing numbers of proactive IT teams are looking for in order to secure email attachments and other file transfer processes while meeting the regulatory compliance requirements for their respective industries. Many of our customers have come to Accellion to fulfill this dual objective with SFTA because of the considerations below.

(Hint: The words in italics relate directly to specifications of the legislative mandates we have been talking about.)

  • Automated download receipt - When a recipient downloads the file, a return receipt is generated to the sender. The recipient cannot turn the return receipt off. Users can review and track files sent and their download status.

  • End-to-end file security - Files are encrypted, uploaded, stored, and downloaded through secure links, and recipients are authenticated, ensuring only the intended recipients can access the file.

  • File management - File life-cycle management is automated: when the prescribed retention period expires, the file is deleted, so the life cycle of files is managed centrally per corporate retention policies. This means neither users nor administrators have to worry about errant sensitive information being left unattended.

  • Directory services authentication - LDAP and Microsoft Active Directory are used for authentication and to minimize setup effort. Allowing users to send large files securely with the same email ID and password significantly improves the process flow.

  • File transfer auditing and tracking - Auditable records from a third party of when recipients download attachments, which can be summarized by individual recipient, file name, time, and date.

The good news is that government mandates have clearly articulated the need for securing business processes -- processes which often include the transfer of data from one hand to another. The better news is that encryption, audit trails, recipient authentication, and secure links, to name a few, are the common sense way to handle files securely. And, the best news is that all of these are standard features in the field-proven Accellion SFTA.

You can read more about how Accellion Courier Secure File Transfer Appliance works for security and compliance here.

ACA Guy

Wednesday, September 13, 2006

Secure File Transfer for Teaching Hospitals and Research Institutions

Summary: Teaching and research hospitals are finding the Accellion secure file transfer solution helps them conduct critical work more efficiently.


-----

Secure transfer of very large files is a universal issue for most organizations. So, in addition to supporting law firms (read Secure File Transfer for Law Firm Attorneys, Counsels, and Clients), Accellion also has a sizable number of installations in teaching/research hospitals throughout the country.

Beyond providing a first-class solution to meet users' needs, we take special pride in supporting these institutions because their Accellion secure file transfer appliances, as part of their everyday workflow, contribute in their own way to improving healthcare and medical research for cancer patients in Boston and children's care in Memphis.

It is a karma thing.

Feel-good sentiment aside, what these organizations need to address is very similar to what most professional organizations that trade in knowledge need -- how to exchange very large amounts of information securely and easily with internal and external users.

Researchers at most of these institutions work on projects that draw on resources and knowledge across a number of organizational boundaries to solve life-and-death questions. A study of avian flu may be conducted in Memphis, but the field experts on H5N1 outbreaks with the most current data are in Asia. Or, a less dramatic, but equally pressing, issue for researchers is the ability to share grant data with collaborators on a timely basis, because financial support from these grants is what makes most of this work possible.

In these scenarios, the problems are myriad:

  1. There may be attachment size limits (within email) so that the sender cannot send the data to the research facility.

  2. A recipient may have an incoming attachment size limit so that the email attachment is rejected.

  3. An external sender may have an attachment size limit preventing the data from coming back.

The traditional answer is to use a flavor of FTP/SFTP for file transfer. But, end users -- typically brilliant Ph.D.'s and medical doctors -- often find the FTP/SFTP interface confusing and cumbersome to use. (Read When it Absolutely, Positively Has To Get There and Back, Right Now.) So, time can be wasted on IT issues instead of the research at hand.

Worse yet, with FTP/SFTP and its common directory structure, there is a real chance of picking up the wrong data files. Imagine spending a whole week conducting analysis on file "09072006-114B" instead of "09072006-114C". Oh, and as we’ve pointed out in Virus, via Email File Attachment, FTP/SFTP, or Website Download, is still a Virus, FTP is insecure and the research dataset may even get infected with a computer virus, rendering it useless.

So, the real solution is a secure file transfer appliance designed to handle very large files that not only complies with various regulations like HIPAA but also allows users from different organizations to easily share the dataset and grant proposals.

Equally important, with Accellion SFTA's self-provisioning capability for external users, researchers are no longer at the mercy of IT administrators as part of their workflow. And, frankly, from what the IT people I have talked with tell me, they too love to get out of the business of setting up FTP/SFTP access for users.

Like my fellow bow-tie collector and Senior Director and Chief Security Officer of Cornell University's Weill Medical College, Dr. Steve Erde, said, "The [Accellion Courier Secure File Transfer] appliance alleviates the concerns associated with file transfers that have troubled our users for many years, and does so in a very cost-effective manner."

Read the announcement on the Cornell WMC deployment.

Find out more about how Cornell University Weill Medical College uses Accellion SFTA by clicking here.

Yes, folks, we’re all about getting the files from "here" to "there" and "back" quickly, securely, and cost-effectively. And if Accellion happens to help in the race to make your life better, it is all in a day's work.

ACA Guy