Secure file transfer applications are becoming the preferred mode for securely exchanging data. What should you consider when buying SFT apps?
By Bill Ho, Biscom
File transfer protocol (FTP) was developed in the early 1970s when security concerns and usability were less important than getting data from one place to another. Most end users were Department of Defense or university researchers exchanging data across a very limited network and user population, where security was less of an issue.
FTP hasn’t changed much in over 40 years. While this is a testament to the original design, today’s world has new concerns and requirements that didn’t exist back then. Security, ease of use for less technical users, and reporting requirements have made FTP a less-than-ideal solution for many organizations. Sending a file requires administration and IT involvement, which makes it a manual, tedious and error-prone process. If FTP is not set up correctly, people may have access to files that were not intended for them.
Like any new system or process introduced into a company’s technology infrastructure, secure file transfer (SFT) applications must work well with existing applications and support integration with legacy applications. They should also adhere to existing security designs, scale from small departments to large or organization-wide deployments, and leverage existing infrastructure when possible, such as virtualized environments, enterprise storage systems and Web components already in place.
When evaluating SFT applications, prospective buyers should look at five main categories: security, architecture, features and ease of use, reporting, and licensing and total cost of ownership.
Because data exiting an organization’s boundaries may contain sensitive or confidential information, locking down this data and ensuring that only the intended, identified recipients actually receive it should be considered critical criteria. A security assessment involves multiple views into a product, including the overall architecture, storage and protection of data, user authentication, permissions and roles, policies that administrators can define, and even how well an application can be supported on the underlying platform and existing security configuration.
Also, testing for and actively protecting against common vulnerabilities such as SQL injection and cross-site scripting are important for any public-facing application.
A solution’s overall architecture and design approach can tell a significant amount about the planning and forethought a vendor has put into its product. Good product developers build for today’s needs, but design in anticipation of tomorrow’s requirements. When reviewing any secure file transfer architecture, note how the vendor addresses encryption, flexibility, scalability, support for extremely large files, network interruptions and policies.
It is also important to consider the ease of integration and extension of existing applications, customizability, performance, user and system administration, platform support and programmatic interfaces (APIs) into the product. Is the application designed logically? Do components fit well with each other? Will the application fit into the existing infrastructure?
SFT Features and Ease of Use
A well-thought-out user interface is critical to the successful and effective adoption of any technology. The less intrusive and overbearing a system, the more likely it will be used. This applies to both internal senders and external recipients.
Important elements in a highly usable interface include clean and uncluttered screens, intuitive controls, thoughtful and meaningful text, and overall consistency in look and feel. This directly affects adoption, and the tools that are easiest to use will most likely receive the most acceptance from end users.
The two major aspects of administering a secure file transfer solution are user management and system configuration. Some user management imperatives to keep in mind are: minimize duplication of information (e.g., multiple user databases), leverage existing identity and access management databases, and automate when possible to have the SFT system run without constant IT intervention. Flexible system configuration and settings enable companies to more closely match and support existing policies and procedures.
Once a secure file transfer solution is in place, reporting becomes an important tool in understanding adoption, utilization, trends and auditing support. Compliance requirements may require report generation to satisfy state and federal regulations or to meet internal usage guidelines and corporate governance. Visibility into user activity and the ability to drill down into actual transactions that occur can help root out non-compliance or help identify processes that may need to be reined in or corrected to meet file sharing restrictions.
SFT Licensing and Total Cost of Ownership
Adding secure file transfer to an organization’s toolbox gives users new options to send sensitive files and data through a secure channel. While this functionality may fill the immediate needs of certain individuals or departments initially, SFT implementations often grow organically.
Ideally, SFT would be accessible to every individual in an organization, but budgetary constraints may limit usage to the most affected individuals and groups. Different licensing approaches exist, but look for the most cost-effective ones without a penalty for growing or scaling the solution as adoption and demand grow. Also, from a financial standpoint, total cost of ownership should be calculated over a number of years to better compare vendor offerings.
Bill Ho brings more than 20 years of Internet and software experience to his position as president at Biscom. He received a BS in Computer Science from Stanford University, an MS in Computer Science from Harvard University and an MBA from MIT Sloan School of Management.