Securing Data-In-Motion


In our June blog I wrote on the topic of Encrypting Data At Rest on the IBM i. I think it is fair to say that there are very robust capabilities available on this operating system to ensure that sensitive data is kept secure – even from those who may have managed to find a way to access the data in the first place.

It is not a great leap of thought for security minded folks, once they have got their head around securing their data at rest, to then ask questions about securing data in motion – that data (files) travelling between their systems, between their employees, and between themselves and their trading partners.

Moving Beyond FTP Scripts


Many of us, particularly those with a technical background, will be familiar with using File Transfer Protocol to move files. It is a simple-to-use tool, particularly for ad hoc transfers, and as such is very widely used by many organisations around the world – whether by issuing command line instructions (e.g. FTP get, etc) directly, or using free FTP desktop tools. It is an approach to file transfer that is, however, fraught with problems.

First off, while initially having your highly talented technical staff create FTP scripts to manage a few ad hoc transfers might be feasible for a while, it generally does not take long before the number of such scripts being created runs into the 10s, and even 100s or more, making the management and tracking of them increasingly difficult and time consuming, and ultimately costing your business a lot more money than it should.

Secondly, FTP is not a secure protocol. Your data, including your FTP user IDs and passwords, is all passed around the network in the clear. This reminds me of a story that a nervous IT manager from a major finance company told me some years back – he had just been visited by a security consultant who had, with just 30 minutes' access inside their office, come back to him with a list of FTP user IDs and passwords and the contents of some of the files that were being passed within the company using FTP. It was a sobering moment for him.
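To make the exposure concrete, the following added example (not code from any MFT product or from the original post) audits FTP client session logs and reports which credential commands were sent before TLS was in place, including the case where the server refuses `AUTH TLS` and the client carries on in cleartext. The `C:`/`S:` log format and the sample sessions are constructed for illustration.

```python
import re

# Constructed client session logs ("C:" = client command, "S:" = server reply).
PLAIN_FTP = """S: 220 ready
C: USER payroll_xfer
S: 331 Password required
C: PASS example-password
S: 230 Logged in"""

EXPLICIT_FTPS = """S: 220 ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER payroll_xfer
S: 331 Password required
C: PASS example-password
S: 230 Logged in"""

# Server refuses TLS and the client silently falls back to cleartext.
FALLBACK = """S: 220 ready
C: AUTH TLS
S: 502 Command not implemented
C: USER payroll_xfer
S: 331 Password required
C: PASS example-password
S: 230 Logged in"""

LINE = re.compile(r"^([CS]):\s*(.*)$")
CREDENTIAL_VERBS = {"USER", "PASS", "ACCT"}

def exposed_credentials(log):
    """Return credential commands sent before TLS was in place (values omitted)."""
    tls_active = auth_pending = False
    exposed = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, text = m.groups()
        if side == "S":
            if auth_pending:
                # 234 is the reply that accepts AUTH (RFC 2228 / RFC 4217).
                tls_active, auth_pending = text.startswith("234"), False
            continue
        verb, _, arg = text.partition(" ")
        if verb.upper() == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
            auth_pending = True
        elif verb.upper() in CREDENTIAL_VERBS and not tls_active:
            exposed.append(verb.upper())
    return exposed

for name, log in [("plain", PLAIN_FTP), ("ftps", EXPLICIT_FTPS), ("fallback", FALLBACK)]:
    print(name, exposed_credentials(log))
```

The fallback session is the one to watch for when migrating scripts from FTP to FTPS: requesting TLS is not enough unless the client is also configured to abort when the server declines it.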

To offload some of the file transfer work to end users, some companies allow their staff to download free desktop FTP solutions. Such tools can be problematic in that they require a lot of human intervention and are error prone (for example, users selecting incorrect files for sending). What is more, such tools have very simple, if any, security features, let alone auditing and reporting capabilities.

Secure Managed File Transfer Solutions

Organisations serious about their file transfer processing should move away from ad hoc FTP scripting and free/cheap PC desktop tools to what are known as Secured Managed File Transfer, or simply Managed File Transfer (MFT), solutions.

In brief, MFT solutions bring all the requirements that you are likely to need for file transfer processing under a single umbrella solution, with no scripting required by the users: automated file selection, data encryption, options for SQL data extraction, file sending and receiving using secure channels, processing of file/data before and after sending, triggers, auditing and reporting, … the list goes on.

The benefits of using an MFT solution are tremendous, and I honestly believe that all IBM i organisations should look into them. The following points highlight some of the ROI that can be delivered by such tools:

1. MFT Solutions save time

With a single-function FTP tool or FTP scripting, the administrator/user alone is responsible for ensuring the success of the transfer. If something goes wrong with the transfer, it is their responsibility, first, to be aware that the transfer has failed and, second, to do something to address the problem (invariably re-establishing the connection and trying the send again). A good MFT solution will automate the entire process of the transfer, including the handling of connection breaks by re-establishing the connection and picking up the transfer again where it left off (thus saving additional time by not having to re-start the transfer from scratch).

Coming back to the case of FTP scripting. As mentioned, it might be a fine idea for a small number of file transfers, but once you get into the 10s or 100s, the management of it all becomes problematic. The situation is further compounded when the staff who created the scripts leave the organisation and it becomes the responsibility of someone new to figure out the mess of these unmanaged scripts (that are possibly sitting undocumented on different servers or PCs). An MFT solution overcomes these problems by centralising all file transfer activities into one location. Such an approach provides significantly greater visibility and, therefore, improved efficiencies in the management of all the organisation’s file transfers.


2. Cost Effective Security

In this day and age, organisations should not allow for the transfer of unsecured files. This should be the case whether data is moving between companies, organisations, or offices, or within offices – remember, some of the biggest security risks come from internal staff (the recent Capital One breach being a case in point) so proper measures need to be put in place to guard against this. As mentioned, if you are using FTP at the moment then you are very exposed and need to move to more secure protocols such as SFTP, FTPS, AS2, and HTTPS. In many cases SFTP will be your go-to protocol, but whichever you use will often be dependent upon compliance requirements or the dictates of your trading partners. A comprehensive MFT solution will provide you with all the protocols that you are likely to need, and will also shield you from the complexity of implementing them.

Furthermore, a proper MFT solution will enable role-based controls that limit access to functionality and servers according to job requirements, and will provide appropriate levels of auditing and reporting on who is doing what.


3. Clustering

As your file transfer needs become more numerous, complex, and critical, you are going to become more concerned with ensuring the reliability (that is, the uptime) of the systems running such processing. This is another weak point of FTP scripting and free/cheap PC-based FTP tools. A complete MFT solution will provide clustering capabilities, and allow for the provision of a distributed environment for handling file transfer services for the enterprise. Two significant advantages which clustering offers are greater high availability (with true “active-active” support) and load balancing by allowing workloads to be distributed across multiple systems.


4. Automation & Productivity

MFT solutions speed up the entire process of putting in place file transfer processes. They do this in a number of ways. Firstly, they remove the need to manually write scripts (and to know the scripting code). In addition to this, they provide tools to build workflows around your file transfers – thus automating the end-to-end processing required. In a basic file transfer example, you may simply want to monitor a directory for the creation of a file by the core application, then trigger the transfer of that file via SFTP to a trading partner. However, an MFT solution can provide far more sophisticated processing than that – for example, receiving an encrypted file (an order, for example) from a trading partner, decrypting it, extracting the data, loading the data into a staging file, and triggering a function/application in an ERP, banking, or other application to process the order (or whatever the file contained).

Not only will a comprehensive MFT solution enable you to build an entire workflow “project” around such step-by-step processes in a quick and efficient fashion, once it is set up it will enable you to automate the entire process, improving productivity by by-passing steps that are currently handled with some degree of human intervention.

And, of course, automation can be further enhanced in a number of ways by the use of triggers, or by your core applications being able to make calls to kick off the MFT projects, or vice versa.


5. Compliance, Auditing, Reporting, and Alerting

How did I get this far into this blog before touching on this topic? Maybe sometimes you simply need to save the best wine until the end? I am not going to bang the drum on compliance and auditing. If you have got this far into reading this blog, then you are very likely serious enough about security and compliance to appreciate the importance of this area.

Needless to say, perhaps one of the biggest advantages of a solid MFT solution will be its tracking and recording of file transfer activity, and the resultant alerting and reporting capabilities from that data. Such solutions will be able to alert senders and recipients of files as to the success or failure of their transactions (via emails, text messages, etc) – something especially important when dealing with time-critical secure transfers. Then of course, the collection of audit logs enables you to meet your internal and external auditing and compliance requirements. … And there is significant ROI in that alone!

Secure MFT and the IBM Power i


You may ask “well, what has this really got to do with the IBM i?” That is a valid question – file transfer is more concerned with networks, LANs, WANs, and the internet and not really restricted to any platform per se, and they should be able to communicate with any server. However, file transfers have to be triggered from a server and, while there are a number of MFT solutions available in the market, there is only one (to my knowledge) that is capable of being deployed to the IBM i platform. While this solution, produced by one of Joule Tech’s partner companies, can also be deployed to Windows, AIX, UNIX, LINUX, and Mac OS, for organisations that use the IBM i, the option to deploy it to this secure and robust operating system should be of significant interest.

In addition to some of the standard MFT capabilities mentioned above, the solution we carry includes additional attractive features, including:

    • Security for email and attachments (including the handling of very large files)
    • More secure, corporate focused, alternatives to file sharing apps like Dropbox
    • File transfer acceleration protocol capabilities to speed up the sending of large files

Want More Information On Securing Data-In-Motion?

There is far more to MFT solutions than I have been able to articulate in this short blog. If you have not already, then it is an area that you should explore further. Do contact us using the form below and we’d be delighted to email, call, or meet with you to discuss further.