A Tough Road

John Wilson, Director of Solution Enablement – FSI, Axway

“In recent times, regulatory pressures have grown dramatically. With the Financial Services Modernization Act, or, as it’s more commonly known, Gramm–Leach–Bliley, and the more recent Dodd–Frank Act, stricter rules are being enforced on the industry. A major focus has been around the area of risk management. As part of these new acts, new visions are being created, specifically to monitor risk and enforce safeguards for data. It’s going to be adding a lot more oversight to this area. As a recent whitepaper by JWG highlights, the minimalistic approach to risk architecture that many financial institutions have taken so far is not even enough to cover current regulations.”

It Must Come with Enabling Tools: A commentary on the Bloomberg BusinessWeek article “The Age of Data Privacy”

Taher Elgamal, CSO, Axway


It’s Not Enough to Be Compliant

Axway CSO Taher Elgamal comments on CNET’s Q&A with Bob Russo, general manager of the PCI Security Standards Council.

Three Words to Say to C-Level Management About Complete MFT Data Security (Pt. 1)

by Shawn Ryan
VP Technology Marketing & Chief Architect

Cost, risk and brand.

In other times, the first on the list in terms of drivers is obvious: revenue. But now, three words at the top of mind are cost, risk and brand.

First, cost. Cost and benefits associated with consolidation are essential drivers to surviving and thriving. In any organization, various one-off solutions handle file transfers. Various solutions stay nailed down and in place just because they are there. They arrive when a project demands a fast solution where one does not exist. They arrive due to mergers and acquisitions. They arrive because “files” were not thought to be strategic, because “files” have not had the sizzle, and thus “files” are neither the focus of SOA projects nor the focus of technology that could bring them into a services oriented approach. But times are different, and with files representing eighty-plus percent of an organization’s data, it’s time to gain control. Various one-off solutions are costly to an organization and filled with security flaws, just as Swiss cheese is filled with holes.

By focusing managed file transfer and transmissions through a single service oriented framework, MFT consolidates the overhead of one-off services and reduces costs—a concern of all C-level management.  While cost creates a convincing argument for complete MFT data security, unified governance across the different types of interaction patterns that comprise managed file transfer brings in security and controls and is simply the best way to go.

The second point: risk. More specifically: governance, risk and compliance. GRC. Cybercrime is a trillion-dollar industry. That alone should be enough to wake C-level management up and seriously consider data security. Add compliance mandates to that, breach notification laws with safe harbors for encrypted data, and now encryption mandates like HITECH and the Massachusetts state laws coming online, and a response is not only wise, it’s mandatory. Massachusetts 201 CMR 17, like California SB1386, is a precedent-setting mandate. It states that any data containing personally identifiable information of a resident of Massachusetts must be encrypted. A challenge like this is a formidable one that your company must not take lightly.

Third, brand. Closely paired with the topic of risk, but it deserves a front-row seat in the discussion. Data is the lifeblood of your business. Anytime you have a breach, your company makes headlines for a terrible reason, thanks to the 45-plus states that have notification laws in place. What do you want to be known for? You must protect your brand.

Complete MFT data security is essential. The only answer is to look for a complete solution that can cover all interaction patterns. Sure, start where you feel the most risk, but stop to be sure you will address the risk strategically, and have a plan to cover the entire spectrum of interaction patterns. Sure, cybercrime is on the rise, but internal jobs account for eighty-plus percent of publicized breaches. Are you just going to cover B2B? Human interactions? Portal-based? You must cover them all.

But which interaction patterns demand complete MFT data security?

(To be continued.)

A Different Kind of Immunization

by Ruby Raley
Director, Healthcare Solutions

Have you heard about ARRA and the HITECH Act?

A little background. The HITECH Act is a 400-page piece of legislation and part of the American Recovery and Reinvestment Act (ARRA), and its purpose is to provide grants, incentives and penalties to improve the healthcare infrastructure within doctor’s offices, hospitals, and state and federal agencies.

The government hopes to foster the adoption of e-medical records and e-health records (eMR and eHR) with this act, and they plan to pay doctors and hospitals a certain amount for the next three to five years to foster that adoption. Then, after that period, the government will impose penalties or reduced Medicare payments if doctors and hospitals don’t have the technology necessary to comply.

So what does this mean to doctors and hospitals?

Imagine a hospital with subcontractor doctors. All their anesthesiologists are in a group practice, and, in fact, a number of specialists are in group practices. The hospital also has doctors that work directly for them as employees and don’t work outside the hospital. It has relationships with labs and other satellite clinics. It has relationships with family providers all around town. It has relationships with certain payers, like insurance companies.

How is this hospital going to actually accommodate all of these providers who now get to decide which vendor they’re going to select for eMR and eHR? How is this hospital going to satisfy HIPAA privacy protection requirements? After all, the government enhanced the requirements for HIPAA privacy protection because they felt that if people didn’t believe that their data, their personal private data, was safe, they wouldn’t support doctors sharing it with others through an electronic system.

This sentiment is easy to understand. If you went to a doctor, gave your social security number, disclosed the fact that your family has a history of cancer, and then realized that that information was going to become public information, that that information could stop you from getting future medical coverage or that that information could be used to steal your identity, you would be outraged.

The government got this. They decided that they had to put more pressure on HIPAA, which ushered in new rules.

The new rules demand that data must be encrypted whenever it’s moving, and that data at rest must be encrypted or destroyed.

Which brings us to where we’re at today.

To accommodate these new rules, doctors and hospitals need the right tools to protect patient data, to safely move data from one vendor of eMR to another vendor of eHR, and to enable themselves to work with and submit data to any of the state-supported portals (i.e., Health Information Exchanges). Doctors and hospitals must solve interoperability, privacy, compliance, and protection problems, have their infrastructure assessed, and determine what they need to satisfy these new demands.

Anything short of that will, very soon, put doctors and hospitals at risk of the aforementioned imposed penalties or reduced Medicare payments, and what was once a non-issue for medical practitioners will become an extraordinarily critical issue. As an industry well acquainted with the importance of immunization, healthcare should understand that the sting of a data privacy vaccination is necessary to prevent serious harm in eHR exchange in the years ahead.

(Photo by robertdx: http://www.flickr.com/photos/robertdx/ / CC BY 2.0)

The Next Frontier in Content Filtering: Large Files

by Willy Leichter
Director, Product & Solutions Marketing

While many people bristle at the idea of their web surfing being filtered, IT needs to have some control over what’s coming in and going out through the corporate firewall. Which brings us to what is often an IT black hole: FTP.


It’s pretty well established that corporate email should have some types of content filters. Everybody uses them for inbound spam, and despite those who cry “Big Brother!”, there are many important (and legal) reasons that organizations need control over outbound content. For example, if your company deals with credit cards or social security numbers, you have an obligation to make sure they are not casually, or accidentally, sent unencrypted or to the wrong recipients.

Most organizations also have a legal responsibility to prevent harassment claims by keeping employees from surfing inappropriate or dangerous websites. While many people bristle at the idea of their web surfing being filtered, IT needs to have some control over what’s coming in and going out through the corporate firewall.

Which brings us to what is often an IT black hole: FTP. Many organizations allow completely unmonitored FTP, and quite frankly, those organizations don’t know what’s going on with the files leaving their networks, since even legitimate traffic can be a conduit for sensitive information or malware.

For instance, large files are regularly sent for business purposes between banks and partners with lots of personally identifiable information, and often banks will send more information than necessary. When going through FTP or other file transfer protocols, there is typically no visibility into file content.

My company was involved with a project with one of the largest banks in the world, and they were specifically concerned about PCI compliance. They needed to make sure that credit card numbers or social security numbers were not included as part of large file transfers. But, more importantly, they absolutely did not want traffic to be stopped if there was a possible violation. With all these security issues, stopping traffic, a move security purists are hasty to advocate, even for the most righteous of reasons, will make heads roll.

To solve this we developed a system to strip out specific, personally identifiable information from files, on the fly, based on policy rules, without stopping the entire file transfer process. While this type of filtering has become an accepted best practice for email, applying this technology to file transfers is groundbreaking.
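The post describes a filter that strips personally identifiable information out of files in flight, driven by policy rules, without halting the transfer. The following is an added illustration of that idea in Python; it is not Axway’s code and the patterns, the policy structure, the sample records and the `filter_stream`, `mask_card` and `run_sample` names are all assumptions made for this example. Two design points matter for a practitioner: the transfer never blocks (every input line yields exactly one output line, and hits go to an audit log instead of stopping the stream), and candidate card numbers are confirmed with a Luhn check so that order numbers and other digit runs are not mangled.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Candidate patterns (assumed for this example): 13-16 digit runs with optional
# space/dash separators for payment card numbers, NNN-NN-NNNN for US SSNs.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: cuts false positives such as order or account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match: "re.Match") -> Optional[str]:
    """Return a masked PAN keeping the last four digits, or None if not a real PAN."""
    digits = re.sub(r"[ -]", "", match.group(0))
    if not luhn_ok(digits):
        return None  # looks like a card number but fails Luhn: leave it alone
    return "X" * (len(digits) - 4) + digits[-4:]


@dataclass
class Policy:
    # "redact" rewrites the field in flight; "log" records the hit but passes it through.
    card: str = "redact"
    ssn: str = "redact"


@dataclass
class AuditRecord:
    line_no: int
    kind: str
    action: str


def filter_stream(lines: Iterable[str], policy: Policy,
                  audit: List[AuditRecord]) -> Iterator[str]:
    """Yield each line with PII handled per policy. The stream is never stopped;
    findings are appended to the audit list for later review."""
    for n, line in enumerate(lines, 1):
        def on_card(m: "re.Match") -> str:
            masked = mask_card(m)
            if masked is None:
                return m.group(0)
            audit.append(AuditRecord(n, "card", policy.card))
            return masked if policy.card == "redact" else m.group(0)

        def on_ssn(m: "re.Match") -> str:
            audit.append(AuditRecord(n, "ssn", policy.ssn))
            return "XXX-XX-" + m.group(0)[-4:] if policy.ssn == "redact" else m.group(0)

        line = CARD_RE.sub(on_card, line)
        line = SSN_RE.sub(on_ssn, line)
        yield line


# Constructed sample records; 4111 1111 1111 1111 is the standard Luhn-valid test PAN,
# the second "card" and the order number are digit runs that fail Luhn.
SAMPLE = [
    "id=1001,name=A. Customer,card=4111 1111 1111 1111,ssn=078-05-1120\n",
    "id=1002,name=B. Customer,card=1234 5678 9012 3456,ssn=none\n",
    "id=1003,note=order 9876543210123 shipped\n",
]


def run_sample(policy: Policy) -> Tuple[List[str], List[AuditRecord]]:
    """Run the filter over the constructed sample and return output plus audit log."""
    audit: List[AuditRecord] = []
    out = list(filter_stream(SAMPLE, policy, audit))
    return out, audit


if __name__ == "__main__":
    lines, log = run_sample(Policy())
    for l in lines:
        print(l, end="")
    for rec in log:
        print(f"line {rec.line_no}: {rec.kind} -> {rec.action}")
```

In a real deployment the same `filter_stream` would sit between the inbound socket and the outbound file handle so that the partner sees an unbroken transfer, while the audit records feed the compliance report; a `Policy(card="log", ssn="log")` configuration is the monitoring-only mode you would run first to measure false positives before enabling redaction.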

The next time you consider content filters and whether your company is using them in the most efficient, holistic manner, ask yourself: are the filters just looking at the subject lines and bodies of emails, are they simply comparing a URL to a blacklist and making a quick decision? Or are they taking everything into account—the content of the attachments to the emails and the data within the files being transferred? Whatever solution you choose, it must be practical, keep business flowing, and protect you against liability.

(Photo by thebadastronomer: http://www.flickr.com/photos/badastronomy/ / CC BY-SA 2.0)

There’s More to Life Than Saving Money

by Antoine Rizk
VP, B2B Program, Product and Solutions Marketing

New requirements constantly emerge for additional standards that are not yet supported (e.g., new networks, protocols, formats, etc.). Infrastructures that are too rigid simply break like the tall oak in the wind and need to be replaced.


Back in December 2008, a leading analyst predicted that, due to the then-burgeoning, now-stabilizing financial crisis, the major business case for many application and infrastructure initiatives was going to align with cost reduction.

And they were right. Nearly every customer I’ve spoken to corroborates the analyst’s prediction. But I submit that there’s more to life than saving money, even in lean times like these. So what, you may wonder, are those things, those compelling drivers for B2B/MFT projects besides getting things done on the cheap?

Five stand out to me.

  • Compliance: You must have the right auditing and logging information to comply with industrial, financial or legal obligations. In a way, you might see this as a continuation of the saving-money school of thought. After all, preventing fines and lawsuits is a money-saving activity, right? But there is a vast difference between spending too much on something and any amount on nothing, which is never an easy circumstance to accept.
  • Business Growth: Business growth often drives architecture refreshes, and rightly so: when the existing solution cannot efficiently handle the demands of the business, when the business has outgrown its architecture to the point that no amount of ingenuity or reorganization can accommodate it, that architecture can no longer cope with the demands of the trading partner community.
  • Business Risk and Loss of Data: When your current processes lack the control you need for guaranteed, once-only delivery, the result is a story of misfortune: missed SLAs, multiple payments made, orders lost, etc. And all of this directly impacts the bottom line.
  • Personnel Rollover: Developers of legacy, home-grown FTP solutions, like long-gone inhabitants of ancient civilizations, move on to new opportunities, and in their wake they leave behind little or no documentation on the tools and mission-critical data that their successors need in order to keep operations running smoothly.
  • Expanding Requirements: New requirements constantly emerge for additional standards that are not yet supported (e.g., new networks, protocols, formats, etc.). Infrastructures that are too rigid simply break like the tall oak in the wind and need to be replaced.

In my view, none of the above drivers are compelling enough in their own right to bring about a new infrastructure initiative without thorough proof of accompanying TCO reduction and ROI. This truth cannot be stressed enough.

Fortunately, reducing TCO can be done in many different ways. Consolidation, however, is by far the approach that brings the most value. B2B/MFT consolidation can be achieved by replacing multiple legacy and home-grown solutions with a single solution that is solid enough to maintain and even enhance performance, and covers all the required formats and protocols for the exchanges.

Consolidation can cover a variety of business cases:

  • Replacing on-premise FTP/home-grown file transfer infrastructure with a managed file transfer solution
  • Replacing an on-premise product with a managed file transfer solution
  • Replacing several on-premise multi-enterprise/B2B gateways with a single B2Bi platform
  • Replacing a VAN with an on-premise B2Bi solution
  • Replacing on-premise B2B gateway(s) with a B2Bi on-demand solution

Or any combination of the above.

Finally, there is the ever-important ROI. Three ways consolidation brings you ROI include:

  • Reducing your IT costs: This includes personnel, planning, organization, acquisition, implementation, delivery and support, as well as monitoring/evaluation costs.
  • Reducing your business costs: This includes costs due to an error or a delay in message/file delivery, downtime hours, fees and penalties per missed SLA, audits, losing customers and data breach penalties.
  • Increasing your business value: This includes incremental revenues due to getting new products to market faster, being easy to do business with, reliable delivery and non-repudiation, increased customer satisfaction and loyalty, and being able to add new partners to your network.

When you increase business value, you increase your revenues and quickly bring better services to market. Your suppliers and customers can deal with you easily, and that brings about customer fidelity, satisfaction, loyalty and a host of other benefits too numerous to explore here. It’s easy and vitally important to take measures to save money, no doubt about it, but it’s the truly savvy business people who remember the essential nature of nourishing and flourishing business value, and it’s those business people who will, years from now, look for new ways to save money while their long-gone competitors fondly remember the business they were once in.

(Photo by zenera: http://www.flickr.com/photos/zenera/ / CC BY-SA 2.0)