Does Managed File Transfer Make You Compliant?

The Transfer Files Podcast Season 2 Episode 1

The Transfer Files Podcast is back for Season 2, bringing even more expert insights, real-world experiences, and thought-provoking conversations on managed file transfer (MFT), AI, cybersecurity, and the evolving threats shaping today's security landscape. This season also features a line-up of special guests who will share their expertise and perspectives from across the industry.

In the first episode, James and Steph unpack what compliance looks like in practice, why so many organisations mistakenly assume they're compliant, and where managed file transfer fits into the wider security and governance picture. From healthcare and financial services to defence and other highly regulated sectors, they explore the unique compliance challenges organisations face, as well as the critical role that visibility, reporting, and Zero Trust principles play in protecting sensitive data.

Watch the full episode below. And if you're new to the podcast, or simply want to revisit previous discussions -you can also catch up on every episode from Season 1, all available to watch in one place.

 

 

Implement a Zero Trust Strategy across your Organisation 

Learn how to put Zero Trust principles into practice with the Zero Trust Approach for Data Transfer whitepaper featured in this episode. You can also explore the Maturity Model for Managed File Transfer Guide to assess your current capabilities and identify opportunities to enhance your file transfer strategy. 

 

Episode Transcript

A common misconception in the world of file transfer is that by simply using secure protocols like SFTP or implementing a managed file transfer solution means automatic compliance. In today's episode of The Transfer Files, I'm sitting down with James Lewis to discuss what compliance means in practice and how MFT plays a part in a much bigger picture, especially when it comes to different industries with very different requirements. Enjoy the episode.

James, how are you?

I'm very good, Steph. And you?

Good. I'm very well. Very well, thank you. I am glad to be back in the studio. We have had a...

Makeover.

A makeover.

Looks lovely.

For this season. Yeah. I'm excited.

Looks like a next directory.

We're going to be saying that to all our guests that come on.

Yes. I'll have to be careful not to wear anything too beige. No. Morph into the background.

Oh, good. I'm glad you're good. I'm excited for all of the episodes that we have to come.

Indeed.

And all of the guests that we have to come.

We've got some amazing guests.

We do indeed.

We do.

But today it's just you and I. And I thought we could talk a little bit about compliance. It comes a lot. It comes up a lot, I think.

It's a dry topic, isn't it?

We're going to make it really interesting.

Right. I'll do my best.

And something I mentioned in the intro was that personally I feel that there is that misconception out there that by just having an MFT solution means you've ticked a box, you're compliant, when actual reality is there's more to it than that. But firstly, why do organisations maybe think that? Do you feel that they think that too?

Let's start with what compliance is. And there's various types of compliance, I guess. So what we're not talking about here is we're not talking about compliance within an organisation. So you're not compliant with an internal operational process, for example, or service level agreement that you might need for a client. What we're talking about here is compliance with industry regulations, so compliance such as ISO, PCI DSS, DORA, ITAR, all these lovely acronyms, not acronyms, but well, yeah, I guess they are acronyms, aren't they? That proliferates the IT world. Why do people feel they're compliant when they've bought something? It could be a number of different things. It could be that they have, they've looked at the vendor's website and they see that buying a particular product X gives them a tick in a box for PCI compliance, for example. And simply by putting something in, they think that box is ticked. But MFT is just an enabler fundamentally. And unless it is configured to a particular organisation's requirement specific to the compliance regulations and mandates that exist inside their industry, then it really is just a piece of software. And furthermore, I think that one of the sort of bigger challenges is that certainly in larger organisations, there'll be an IT function and the responsibility will sit with IT to deliver a lot of this, certainly from a technology standpoint. There may also be, and quite often with the larger organisations, a compliance function, which we'll look at internal compliance, but also be aware of and lead on external compliance, that compliance that affects and impacts that organisation in that industry. So one of the key things there is making sure that the compliance function works alongside and hand in hand with the IT function to ensure that a piece of software isn't just a piece of software, it's actually there to do a particular job.

Yeah. So how does that look? So managed file transfer alone doesn't make you... compliant. It's, as you say, the way you set it up. What sort of things do you then, what role does it play? How do you need to configure it in order to be compliant? Is that a valid question?

Yes and no. So, I mean, an MFT piece of software is a bit like a toolbox. It's got lots of things in it that you can enable, disable, use, make use of. if you so wish. So it really depends upon the type of compliance that affects your industry. And it may well be that there's multiple types of compliance. It's really, MFT is one of those tools that can make an organisation or certainly enable an organisation to be compliant. And without it, you're probably going to struggle more often than not if you're in a regulated industry or an industry that has compliance around it. One of the ways which I talk about an organisation, one of our customers, is that no organisations these days are an island. They all have the requirement to do business with other organisations, otherwise they fundamentally wouldn't exist. So they have suppliers and they have customers. So they'll have a supply chain. within that supply chain, each of those individual organisations probably has their own set of compliance standards. It may well be that they all within one industry and they all have a similar set of compliance regulations. So to answer your question, I think to be compliant, it's not as simple as, you know, just installing the software and getting away with it, or heading off with it. It's a case of trying to make sure that it's configured in a particular way.

Yeah. And how important is something like visibility and reporting when it comes to auditing and compliance?

Visibility and reporting is probably one of the key features of MFT, which will help with compliance, but it's not the only feature, obviously, within the software. Visibility and reporting can also, or the MFT tool, certainly from the point of view of visibility and reporting, can interact with a variety of other tools that an organisation has in place that will enable the organisation to extend that visibility and reporting. We're talking about some of the tools that we sell, such as the activity monitor, the BAM solution from Accolm. There are systems that we can integrate with. There's analysis reporting tools. So there's a lot of different things that we can interact with as well to enhance that posture.

Yeah. And how easy is it to show that you are compliant?

It's so some compliance is one of those things that is largely process, is about processes and documenting processes and making sure that you've adhered to those processes because the process has been written in such a way to ensure you remain within compliance. So the software, the configuration of the software can be easily accessed to see whether you've followed the process that's been set. But once again, you know, the the data from within these systems can be automatically ported into a variety of different systems to aid with that visibility too.

And moving on to industries, which you've briefly mentioned industries, and it's safe to say that compliance isn't a one-size-fits-all necessarily. Pro2col work with a number of industries, we've seen our fair share of everything from healthcare, finance, government. They're all sort of subject to different compliance legislations. Starting with healthcare, for example, I understand they've got HIPAA in the US, which is all about protecting patient data, very, very sensitive data. And then in the UK, you've got the likes of GDPR. With that level of scrutiny and sensitivity when it comes to their data, how important is MFT to those organisations and what role is it playing and helping them meet compliance?

So how important is it? I would argue very important. So you look at the type of data that we're talking about here. Well, and in fact, there's two ways of answering this question. So if you look at PHI, personal healthcare information, then as it's called, largely in the States under HIPAA, that information is probably about as sensitive as you can get. I know we're going to come on to a different industry sector in a minute, which also has extremely sensitive data. But when it comes to the sensitivity of data, then healthcare data is pretty much there as the number one. How organisations handle that data within the healthcare sector, specifically in the United States, is is extremely highly regulated, more so than it is really here in the UK. And then what you find is things like the HIPAA and HITEC, which are both US compliance and regulatory sort of frameworks, flow through to the UK, but aren't necessarily mandated. So they do have very sort of strict requirements about how data is handled and the the process whereby an organisation needs to go through a review and an audit of what it is that it does and what controls it needs to put in place from a compliance perspective, then in theory what tools that organisation should use to ensure the safety and security of that very sensitive data. That aside, because that's really the majority of the personally identifiable data or the PHI data, but a healthcare organisation is much the same as every other organisation we deal with. They all have an HR function. They all have a marketing function. They all have legal functions and finance functions. They all move highly sensitive data around. So there are those almost business as usual processes that exist inside organisations. Then we find that sort of a subset or a different side to the coin that is the what that business does within that industry that needs to secure a different type of data. And then that's sort of where the compliance and regulations sit. So when it comes to things that you'd want to put in place and features, I guess, that are appropriate within an MFT solution, it's the standard stuff. So it's the securing of the data in transit, securing the data at rest. are really focusing in on sort of role-based access control. So who can get access to the data? Where is it stored and why is it stored there and for how long? Those sorts of things.

So I was going to say actually then, if we move on to the financial services, it's largely the same in terms of how they need to meet compliance. They're just sharing different data. You've got in the finance industry, you've got standards like PCI DSS, you've got SOX, more recently you've got DORA. So yeah, it was is it sort of, they need MFT to do virtually the same thing, it's just they're sharing a different kind of sensitive data around?

Yeah, so the health, sorry, the financial services sector has been really at the forefront, I guess, or financial services in general banking, has been at the forefront of a file transfer pretty much since its inception. And they're still sitting on a lot of older, one might argue, legacy systems that they're working with. They do have more compliance mandates and regulations for their industry, and rightly so. The breaching of a healthcare organisation may be bad for the individuals whose healthcare data has been breached. You breach a bank, and then a certain section of the economy might fail. So the impact is somewhat bigger. Therefore, I think realistically the regulations and the compliance need to be tighter. So that's why you see things like PCI DSS and DORA in place. PCI DSS looking specifically at a set of regulations around organisations. It's not just the banking sector. This applies to anybody that's transacting effectively, financial transactions. The PCI DSS piece is fundamental to the whole of the business that operates within that industry as well. So it's not just that it affects the data that is for financial transactions at that point. It's a whole framework for the organisation. And DORA's an interesting one in so much that it is really looking at the resilience of those organisations. So I think the financial services industry and banking are very, very aware that there's a lot of focus on them from the point of view of organisations wanting to get access to them, to their systems, to their data, to the money. And DORA specifically, and paraphrasing it an awful lot, is there to look at the resiliency of the organisations in that industry so that if something was to happen, then the industry is as well structured as well managed and is they considered the availability of their systems as much as possible. So they, shouldn't in theory fall over. So rightly regulated and with strong compliance in that sector. Fundamentally though, same sort of things as we're talking about with healthcare in terms of the features that are important. We've got to be in securing the data in transit. We've got to be really careful about who has access to that data as well. Regardless really of industry sector, the features and functionality is much the same from one business to the next. And really, we've a model, we've talked about zero trust in the past. This is really a model that should be adopted by all organisations from the point of view of the hacking and breaches is certainly on the rise. We would recommend this approach to any business in any sector to help them to achieve the compliance that they need to achieve.

Yeah, I feel like retail itself has come under a lot of fire recently with breaches and not necessarily there for their file transfer, but I know retail, you might not necessarily think it's a highly regulated space, but actually there's a lot goes on behind the scenes of retail. Another industry I've noticed we are starting to see more of is the sort of military and defence industry. And I know a couple of customers have come to the team around ITAR compliant file transfer. And I just wondered if you had much knowledge on ITAR compliance file transfer or, yeah. What you could share about that?

Yeah, you're right. ITAR is becoming more and more prevalent for us. We have a number of customers in the defence sector that have to adhere to ITAR. So ITAR is a US standard. It stands for the International Trafficking Arms Regulations. And really, we're talking about another type of very sensitive information here and a very sensitive industry. So again, there's no surprise that there are some very stringent compliance and mandates for this particular industry sector. Driven out of the US, as a lot of the compliance regulations are, but this one very much does flow down through international organisations, whereas HIPAA, not so much so, not necessarily adopted internationally. ITAR is adopted internationally for defence organisations. It places a lot more stringent controls on processes, on people, on data sovereignty. You'll see specific to what we do, obviously, from an MFT or either as on-premises or SaaS solutions or hosted solutions. The data residence is a really important thing for ITAR. So you now have, if you look at the big three hosting providers, they all have ITAR compliant hosting infrastructure. So that's something that is hugely important. Not a lot of people necessarily know, but the defence sector and those sort of critical infrastructure organisations don't necessarily always move the data over the internet either. They have their own private managed networks for moving data. So that then helps to achieve compliance by them not being exposed to a lot of different I guess attack vectors would be a good way of looking at it. Other things, I was looking at this just this morning because ITAR is not something I read about every day, but verification process. So if I'm a bank, maybe not necessarily the best example, but let's say I'm in retail and I'm wanting to exchange data with a trading partner or supplier, the likelihood is I'll know who that supplier is as an organisation and I'll get their credentials to be able to exchange data with them. ITAR is very much different in terms of there's a strict verification process for organisations. So you wouldn't necessarily be building out trading partners on a platform straight away with just details that have been emailed over the internet, something of that nature. And naturally, there is a greater degree of sensitivity and within that particular industry sector. And as a consequence, things don't move particularly quickly either. This is not a case of I need to be able to get exchanging data very quickly between two organisations. This is I need to be uber sensitive and secure, one because of a regulatory approach to it, and two, because of the sensitivity of what it is, we need to make sure that every single box is ticked and double ticked and triple ticked.

Yeah. So do you think organisations need to consider who they choose as their solution provider when it comes to their compliance requirements?

It depends. We do love, love. It depends. Depends what sort of file transfers we're talking about. So slightly going off piste here, sort of a subset of MFT is that person to person file sharing. There are some great products out there that really hone in on the compliance capabilities. So if I'm wanting to send a sensitive piece of data to you, obviously it doesn't want to go as an e-mail attachment, but it's an e-mail, an attachment offloading process that's data sits securely and then you're accessing it via the secure platform and you're tracking and auditing and login, all that sort of good stuff. And there's features that make their way into those platforms that are very specific to particular compliance frameworks, should we say. So you can very much, so you're wanting to select a platform for that particular type of sending in an ad hoc fashion data around, there are some great platforms for that. Some of them have got compliance modules and compliance centres, and they really hone in on that. When it comes to choosing an MFT solution, the way I typically, an analogy I use when I'm talking about MFT solutions is they're all like cars. They've all got four wheels, unless you're driving a Reliant, I guess, but that's going off on a tangent. They've all got four wheels. They've all got a windshield or a windscreen. They've all got rear views. They all roughly do the same thing. I will suggest that it's the nuances, the slightest details is the reason why you're choosing a particular platform. I guess the same by extension, the same is true with regards to compliance. So does the product in itself address compliance? Yes and no. I mean, there are features in some of them that allude to the fact that they help with compliance, but fundamentally, if they're securing the data exchanges and reporting on it and all the other good things that we know they do, then they sort of tick the box to sort of become a part of that compliance process for the organisation. But really, I think as part of that selection process, the organisation, so the customer the end user who is looking to buy one of these solutions probably needs to look a little bit deeper. So is the software vendor, are they compliant with whatever regulations might be required for software vendors? So for example, if it's a hosted solution, SOC 2 and all sorts of SaaS different compliance regulations that are absolutely mandated. And if we go back to ITAR, there are products that are specifically hosted certainly in the US, FedRAMP environments like an ITAR compliant environment, a hosting environment. So there's lots of different ways in which you can look at the selection of a product depending upon what compliance is appropriate for you as an organisation, but also have a look at the compliance that the software vendor is following as well. Are they just developing the software and put it out to the marketplace or are they are they sort of taking their own advice and becoming as compliant as they possibly can be, where it's appropriate, of course.

That's a good point. Do you feel that there's anywhere organisations fall short when they when it comes to compliance and where they think they need to get and they might not be?

I think there's organisations have a false sense of security that they're compliant in a lot of a lot of instances. I think it's a compliance is a it's a massive can of worms. Lots of different avenues we could go down with it. But fundamentally, if the solution is deployed in as secure a manner as possible, then you are pretty much doing as much as you can to be compliant in pretty much any industry and under any compliance and regulatory framework. And to that, then I've come back to with a point that I made a bit earlier, our zero trust model or the zero trust model, any zero trust model to MFT is probably the approach to take. The way it's deployed and configured, who has access to it, both externally and internally, what happens with the data. None of these things are necessarily new for MFT, but maybe organisations that are running MFT solutions might have might have deployed a solution and not necessarily given it the scrutiny that it might well need. So I'd potentially suggest that they go back and fully scrutinise what it is they have in place and look at it from a zero trust perspective and also another shameless plug, get them to look at our maturity model as well. So certainly if you're in a financial services organisation, you're thinking about DORA and resilience, then if you think about maturity, you don't have a single server. You've got to have multiple instances for a high availability and those sorts of good things.

I feel like you've kind of just checked off my last question to you, which was going to be someone listening, wondering whether they may have gaps in their own setup, what should they do first? But I think you've plugged that quite nicely.

I might have done a little bit of a plug there. Yeah, so yeah.

Anything else to add to that or?

Probably not, no. I mean, it's a complicated topic. It's not the most interesting of topics either.

What are you talking about?

Compliance.

No, it's been it's been really helpful and you're breaking it down and the industries. I think will be incredibly useful. So yeah, thank you, James. As always, very big thank you.

You're welcome. Thank you, Steph.

And a very big thank you to our listeners. As I say, if you are sat there thinking you may have gaps in your own systems and want to talk it through, please use the contact details in the show notes below. As always, please like and subscribe and we shall see you in the next episode.