In a previous blog post I looked at the Three Main Benefits of Cloud MFT and discussed how organizations looking to move their Managed File Transfer solution to the cloud could realize some major advantages in terms of deployment speed, flexibility, scalability and pricing. However, that doesn’t mean Cloud MFT is without some potential drawbacks. If you’re planning on taking advantage of a Software-as-a-Service MFT solution you need to consider several key features to ensure you’re getting something that will meet all your requirements. While evaluating Cloud MFT offerings, keep these in mind:
- Reliability and Uptime – taking everything off your network is worse than a waste of time if you aren’t always able to access it. Ensure any potential vendor has an SLA guaranteeing at least 99% availability – preferably higher. MOVEit Cloud guarantees 99.9% uptime outside of planned maintenance, and that's what you should be looking for. Part of that uptime requirement is also a high level of redundancy. If one of their servers goes down, you need to know for sure that your data isn’t going down with it.
- Security – it doesn’t matter how available that service is if your data isn’t secure. If your data isn’t fully public, you absolutely need to be looking for a Cloud MFT solution that supports these basic capabilities:
  - Encryption in transit and at rest – look for FIPS 140-2 validated encryption. And note that the word ‘validated’ is essential! Some vendors may claim to be ‘compliant’ (and they might very well be), but they haven't actually gone to the people at the Federal Information Processing Standards to have them validate the solution for certain.
  - Access Control – you want full control over user access and permissions as well as centralized user authentication, and maybe even single sign-on via SAML 2.0 integration to IdP or IAM systems. Support for Multi-Factor Authentication can provide even more security.
  - Integrity Checking – you need to know that all transferred files came out the same as they went in.
  - Anti-Virus – an up-to-date virus scan can prevent corruption of your entire system.
  - Intrusion Detection – it doesn’t help to find out your files have been compromised after the fact. You need to know your vendor has penetration tested the entire system and can identify unauthorized access immediately.
  - Audit trails – you also need to know what authorized users have been doing, so a complete audit trail of all activities is a must.
- Compliance – you’re trusting a third party to handle your sensitive data and you need to know that they are compliant with the industry standards and regulations you require. That could be HIPAA, PCI, or it could be GDPR, which can be particularly challenging. Note that GDPR requires data to be stored within the confines of the EU, meaning that if you're going to be doing business with EU citizens and transferring their personally identifiable information, both you and your third-party MFT provider need to have your data centers in the EU.
- Reporting – robust reporting, logging and retention capabilities are absolutely essential. Look for usage reports on bandwidth and storage, bill-back support for tracking usage consumed by user groups so you can allocate costs internally, and online audit log retention. Don’t forget the capability to export expired audit logs automatically into a format that you can store them in.
This isn’t an exhaustive list – there are likely going to be other considerations depending upon your organization, your users, your business requirements and your data. But it’s essential to have a basic set of requirements in mind when assessing your options for Cloud MFT. Remember that this is just a starting point when it comes to asking questions of your cloud provider.