If you’re looking for a managed file transfer (MFT) solution, the number of options may be overwhelming. You want a vendor with mature technology, but you also need to be confident that the vendor you select is nimble and responsive to evolving security standards and new functionality requirements.
With the vast number of options available, it’s important to assure that you clearly understand the solution offerings, architecture and pricing.
Here are five things that you need to explore to ensure your MFT vendor doesn’t deliver a solution that results in:
1. Dangerous gaps in data encryption
Most vendors use Pretty Good Privacy (PGP) encryption to protect your files. The encryption process starts by sending a file to your server via a secure protocol. Then, it saves the original version—an unencrypted version of the file. In a second step, it creates a PGP-encrypted copy. This process leaves the unencrypted file for thousands of processor cycles. Once the encrypted file is created, the original file is marked as deleted, but the file image may still exist on the server.
Look for an MFT vendor who offers streaming PGP encryption. This process encrypts and writes the file in one step, ensuring that your data is never exposed.
2. Outdated architecture that doesn’t scale
Current computing architecture is 64-bit, but it may be an incorrect assumption that all server software is implemented as a native 64-bit application. While a solution may be 64-bit compliant, it is still designed as a 32-bit application.
This can create memory utilization problems that can degrade performance. A 32-bit application can realistically store about 2-3GB of information in memory at one time before it has to start swapping information to disk. 64-bit Windows can handle over 1 billion GB of information in memory. Running a 32-bit application on 64-bit Windows means the application can still only leverage 2-3GB of that 1 billion GB that Windows makes available. An application that is not native 64-bit creates a bottleneck that can limit the number of connections to the server, as well as the server performance.
Another archite
ctural consideration is clustering and failover configurations. This should also be fully explored to assure that the solution can grow without the addition of WAN file services applications or the resource-intensive process of replicating files across servers. Clustered servers should be able to access permissions from an Active Directory or LDAP authentication located anywhere on your network. Additionally, databases and document stores should be a single repository that can be accessed by all MFT servers in a cluster – even if the servers are in different geographic locations.
3. Rapidly accelerating costs
“Banding” is applied by some vendors as a method of increasing solution costs as you increase the number of users. There’s no additional functionality – just higher costs as you roll out the solution to more people. For example, a reverse proxy can be more than double the price due to more user connections. Clarify pricing around numbers of users and connections. Ideally, choose a vendor that doesn’t use banding to create increased costs for higher numbers of users or connections.
MFT pricing structures are often modular. This is great for implementations that require certain MFT solution capabilities and not others. It is important to understand what is included in the base MFT server and which add-on modules are required in order to meet your needs.
It is also important to understand the ongoing costs of technical support and product maintenance. Keeping your software up to date is one of the most important things that you can do to assure the security and performance of your solution. Your vendor should assure that these costs are controlled, so that you can easily and accurately budget for important updates and access to technical support.
4. Limited protection for your weakest link — your users
According to research from Ponemon Institute, insiders (i.e., employees) cause 67 percent of security incidents.
Most of these users don’t have malicious intent. They may expose your network when they open malware or visit a corrupt web page.
Assure that automated malware scanning is a standard feature of your chosen MFT solution. Uploaded files can go into quarantine until they are appropriately scanned. Endpoint protection should also be available to ensure that users don’t inadvertently introduce viruses or malware to your server.
Finally, users can be the weak points in access to your MFT server due to weak passwords. Your solution should offer complex password policies to assure that users create strong passwords that are not susceptible to password guessing attacks.
5. Antiquated security standards
Security standards are rapidly evolving and it’s important to understand your MFT vendor’s commitment to timely implementation of new standards. For example, secure file transfer is accomplished using a combination of hashing algorithms and encryption cyphers to secure and encrypt the data. As new hashing standards and encryption cyphers are developed, and existing standards are deprecated, it’s important for MFT vendors to be ready to implement the newest standards to guard against man-in-the-middle attacks or other exposure of data in transit. Vendors that currently use SHA-1 hashing are using a deprecated standard, while vendors using SHA-3 hashing algorithms are using the most recently approved standards of the NSA.
In addition, adding security technologies such as two-factor authentication (2FA) will make user access more secure. There are numerous types of 2FA, and your MFT vendor should be aware of existing and emerging technologies for 2FA. There should be a clear roadmap for the implementation of emerging 2FA and other security standards.
Make sure that your MFT vendor provides full disclosure about security and architecture. And make sure that you fully understand packaging and pricing – both for your initial purchase and ongoing operations. It’s up to you to know the right questions to ask.