Kyle Parris
Director of Product Management
nuBridges

We’re seeing Managed File Transfer (MFT) solutions being embraced by savvy global enterprises that recognize the business value of investing in what is increasingly being viewed as an infrastructure requirement. Today’s extended enterprise needs to share information internally across departments, divisions and acquisitions. It also needs to share information externally with customers, suppliers, business partners and with online collaborative communities.

These enterprises are telling us that the new generation of MFT solutions is providing numerous benefits on both sides of the business partner equation – supply and demand. For example, MFT is providing them with an opportunity to speed business cycles, improve responsiveness to market conditions and remove barriers to doing business electronically on a global scale.

Let’s look at some specific benefits:

• Real-time business partner collaboration and business application integration
• System-to-system and person-to-person file transfers
• Visibility into all file transfers
• Integration of critical back-end business applications with file transfers
• Best practices in governance, risk management and compliance
• Real-time issue/problem detection, resulting in speedy resolutions and avoidance of supply chain disruptions
• Timely decision making, reporting and analytics

We’d really like to hear about the benefits your enterprise is reaping from MFT.

You’ll want to read next week’s nuBlog, where we’ll tell you about several real-world examples of how extended enterprises are translating these benefits into bottom-line business results.

Until next week,

Kyle

Kyle Parris
Director of Product Management
nuBridges

The answers to this question can be as varied as the global enterprises that are investing in managed file transfer (MFT) solutions.  But what we’ve found over the last six months in researching the market and speaking with dozens of global enterprises that are planning to replace a jumble of file transfer solutions with MFT, is that the answers can be grouped into three broad categories:

√   “We’ve outgrown our current solution(s).” In asking for specific examples, we found a number of trends:

• We are starting to move too many files, or files are becoming too large to transfer quickly, reliably and securely
• As our business expands, we need to collaborate with more business partners; each requesting a different protocol, or encryption method
• Our current solution doesn’t track or monitor file movements, so it doesn’t help at audit time
• We need scheduled, event-triggered and ad hoc file transfer capabilities that our point solution just doesn’t offer
• We have multiple platforms, but our current solution only supports <enter your favorite platform here>
• We need to integrate ERP applications into our file transfer solution, but our current solution doesn’t handle this

√  “The costs of managing and supporting multiple file transfer applications are staggering.”  Common themes were that enterprises are incurring major costs due to:

• Keeping the administrative and support teams trained on multiple solutions
• Lack of economies of scale in licensing and maintenance costs
• File transfer workflow inefficiencies resulting in wasted time, expense and errors associated with manual file transfers

√ “The risks associated with lack of control over file transfers keeps me up at night.” What we learned is that enterprises are equally concerned about data breaches, non-compliance with applicable regulations and laws and loss of critical business documents.

All three seem to be top of mind with the folks we’ve been talking with recently.

How about you? Are you considering a move to the new generation in managed file transfer? If so, please let our readers know what’s driving your decision making.

Until next week,

Kyle

Gary Palgon
Vice President, Product Management
nuBridges

Onsite in Las Vegas – The Payment Card Industry’s Security Standards Council (PCI SSC) is on a 24-month cycle of reviewing and editing the PCI Data Security Standard (PCI DSS).  Version 1.2 was issued in October 2008 and the next major release is expected around the same time in 2010.  While last years’ theme seemed to be around “Compliance does not equal security” and “Network Segmentation”, this year’s theme was very much about submitting feedback on the current standard and reviewing new technologies for reducing the scope (and burden) for initial and ongoing PCI DSS compliance.

Pricewaterhouse Coopers (PwC) was contracted by the PCI SSC to “look at technologies out there that have the potential to reduce scope for PCI DSS” and PwC presented their preliminary findings at the meeting this week.  They interviewed more than 160 individuals from 125 companies across 10 countries and evaluated 12 technologies. They narrowed their focus down to four, which they drilled into to understand the impact of implementation and affect in reducing scope of the PCI DSS audit: end-to-end encryption, magnetic stripe imaging, tokenization and virtual terminals. The report will be forthcoming; however, it serves as “feedback” to the PCI SSC as they review the standard and recommendations in the coming year(s).

As funny as it sounds, one “aha!” from the meeting was “What is considered cardholder data?”  Believe it or not there was no easy answer.  The Scoping Special Interest Group (SIG) will take that under review in the coming year. 

And finally, the annual meeting is a time where many people express the difficulty in understanding, implementing and changing the standards.  Much of that was put into perspective when former Congressman Tom Davis explained how the U.S. government works to create laws!  He was the co-author of the Federal Information Security Management Act (FISMA), so standards are near and dear to his heart.  I have to remind myself when I submit questions to the PCI SSC and months go by without an answer that it could be worse – I could be in politics!

Until next time,

Gary

Gary Palgon
Vice President, Product Management
nuBridges

While you can attend a conference any week or weekend throughout the year, most of us can’t afford the time away from the office, even when we’re on the vendor side of the business equation like I am.  And given summer is a time when many people travel, it turns out that March through June and September through December are prime times for the “conference tours.”  Surely not as glorious as a “band tour,” but exciting nonetheless.  For me it’s an opportunity to meet customers, prospects, business partners and other people I’ve connected with during the year who I may have or have never met.  And for them, the same – an opportunity to put a face with the name.

First up is the Payment Card Industry’s Security Standards Council (PCI SSC) Community Meeting which will be held September 22nd - 24th in Las Vegas.  This is the third one, with the previous ones having been held in Toronto and Orlando.  The surroundings will surely be better than the prior cities (no offense to them – heck, I have to visit them during other conferences in the coming months too) and I would expect a bigger crowd than ever as each year it has grown since it started in 2007.

There’s always some interesting topics, discussions and debates (and this year we’ll add gambling to that).  Last year there was a focus on the quality of Qualified Security Auditors (QSAs) and network segmentation while this year all indications are there will be lots of discussion about virtualization, PCI scope, tokenization, end-to-end encryption, and chip and pin.

If you’re planning on being there, drop me an email at gpalgon AT nubridges DOT com.  I’d love to meet or catch up with you.

Gary

Gary Palgon
Vice President, Product Management
nuBridges

That just may be the tip of the iceberg as the details of this latest cybercrime unravel.

On Tuesday, Albert Gonzalez and two others were indicted on charges of stealing more than 130 million payment card numbers, the largest hacking and identity theft case ever prosecuted in the U.S. Ironically, he is accused of breaching several retailer’s networks, which were already compliant with the Payment Card Industry’s Data Security Standard (PCI DSS) – a set of comprehensive requirements put into place in 2006 by American Express, MasterCard, Visa and other credit card companies to force businesses to better protect credit and debit card information from thefts like those committed by Gonzalez and other hackers over the years. Then, yesterday, Radisson reported that some of the computers at several hotels were breached between November 2008 and May 2009, possibly exposing guest information and credit card numbers.

This is BIG, but it’s only the latest in a long series of avoidable data breaches. Cybercriminals are opportunists. They steal information from wherever it’s easiest to reach. In the last couple of years they’ve methodically climbed the technology stack. In this case, Gonzalez and his band of global thieves started at the top breaching the web application interface and then went deep down to gather the internal credit card data in transit, the latter a problem that has yet to be enforced by the PCI DSS as a requirement.

Regardless of all of the ways that criminals get into systems to access data, the only sure method of protecting it is to actually ensure that the data is always encrypted, whether at rest or in transit.  And there are methods to do this including encryption, key management and tokenization which you’ve probably read in articles that I’ve published recently or presented.  http://www.nubridges.com/presscenter/articles-2009.php

Until next time,
Gary