Moving large files to external parties is a tricky task for which there are no clear best practices. Mechanisms can be built internally, or we can shop the field for a solution. Identifying the best solution starts with identifying the requirements.
In my post last month on Secure File Exchange, many TechRepublic members came back with a mixed bag of opinions on the topic. TechRepublic members flhtc and darksidegeek outline how they have invested time and effort into crafting a homegrown solution of sorts based on scripting, front-end interfaces, and URL obfuscation. While they will definitely get points for software purchase cost control, there are questions of how well these services will scale and how friendly the interface is for users who are not IT pros. Smaller shops may be able to craft solutions that work well for the occasional large file transfer. On the other hand, if a large enterprise has a Web development team available internally, this type of solution could be built to a high standard of quality instead of being a collection of scripts copied and pasted off of the Internet. Also in the post, TechRepublic member Jason_Mcc sums up my perspective well. Quoting Jason:
There is no shortage of tools or various ways of accomplishing this task, if your users are sufficiently capable or you are just doing it yourself.
My point is that the technology is available. Most solutions, large or small, will involve an SSL-encrypted session or an enhanced FTP service like SFTP. But the root problem is management of these services. My stance is that I am a fan of self-service for all skill levels. So, for the marketing employee who needs to get a 2 GB compressed file to the advertisement agency every day for the next few weeks as new company commercials are edited and produced, relying on IT for each one-off transfer can get old very quickly.
Various IT operations will have a wide range of secure file transfer requirements. Topics such as file types, restricted content, bandwidth usage, cost, access control, delegation, storage requirements, backup requirements, and other factors are a starting point for determining the best way to approach a solution. Smaller shops may be able to stand up a small Web server with externally facing access and manage one-at-a-time large transfers.
Larger enterprises will spend more time identifying the requirements and management policies so that the solution becomes a user-friendly tool. That is important, because if the mechanism is not user friendly, users will find another way to transfer content. This can include costly or insecure mechanisms.
What, then, is the nirvana of large, secure file transfer? It would be a service that meets the following requirements:
- Is easy to use for non-IT employees as a tool that is part of their job
- No involvement of IT, except for installation, upgrades, and policy definition
- Is easily accessible for external parties through an invitation from an authorized internal person
- Has robust logging of transfer and access of content
- Active Directory integration
- Application and storage both hosted internally
- Policy and delegation for management
- Compliance requirements maintained
Ideally, IT would use a solution that would be internally administered and provided like other "commodity" items such as e-mail and Web access. The requirements listed above are my short list for a secure file exchange implementation.
In my initial research, I had pointed out four commercial solutions that can meet this need. I am inclined to look first at the Accellion Managed File Transfer for an enterprise solution. Remember that everyone's needs may vary, and the use case for large, external file transfer may vary widely from organization to organization. What have you done to identify your requirements for secure file transfer? Share your comments below on what you have learned along the way.