IBM Software
Cross-industry
Smarter Commerce

Deliver data and value for lower costs with a managed file transfer (MFT) centre of excellence (COE)

By Daniel Sweeney, MFT product and industry specialist, IBM Software Group

Contents
Why organisations need a managed file transfer center of excellence
Defining a MFT COE
Benefits to the organisation
Roles and responsibilities
How to get started
Best practices
How the IBM® Smarter Commerce approach can help

Why organisations need a MFT COE

Many organisations have embraced MFT as a way to gain control and oversight over a wide array of file transfer activities. By deploying MFT products, these organisations have remediated the inherent risk of File Transfer Protocol (FTP) transactions, tightened the security of the data they move and implemented tools for monitoring service level agreements (SLAs) to help ensure oversight of critical file transfer processes.

While these are all important considerations when deploying MFT, something is still missing. Clear strategic direction, organisational standards and, most important, the organisational ownership of the MFT technical and operational practice within the enterprise are critical to addressing business needs.

The problem is that most organisations across nearly all industries do not use a standardised approach for implementing MFT capabilities as part of a strategic enterprise architecture. Without enterprise leadership, a strategy and an architectural approach, companies often develop multiple in-house solutions or purchase numerous vendor solutions aligned to a specific platform or business unit. Each of these point solutions adds to the overall total cost of ownership (TCO) and the complexity of file transfers within the organisation. Deploying multiple MFT solutions further complicates data movement, security, visibility, governance, auditability and management.

Organisations that find these issues and challenges problematic can pursue innovative business initiatives such as the IBM Smarter Commerce approach, which puts the customer at the centre of business with a focus on optimising the entire commerce process cycle, including buying, marketing, selling and servicing. By adopting a customer-centric model, companies can align internal processes to allow their organisations to more effectively connect and collaborate, conduct commerce and create a differentiated customer experience across their value chain. A key foundation of this strategy is a MFT architecture managed by a COE. A MFT COE can provide organisations with reliable and security-rich data movement capabilities and the process oversight necessary to synchronise entire value chains and provide faster, more-predictable business outcomes.

While most business managers understand that a variety of systems and processes must be integrated to build a product, clear transactions and deliver services, they may be unaware of how file transfer actually supports their business. MFT may not initially seem core to business operations, but today's continually increasing need for reliable and security-rich movement of data makes MFT critical to business success.

This paper provides a strategic, customer-centric approach to managing your organisation's file transfer infrastructure via the re-alignment of file transfer technology and support organisations into a MFT COE. It offers guidance on establishing a MFT COE to help enable your organisation to:
• Rationalise investments in MFT products
• Establish an architectural approach to delivering capabilities in a standard way
• Establish operational processes and procedures to optimise service delivery and support.

Defining a MFT COE

A MFT COE offers companies the opportunity to take their current fragmented MFT approach and consolidate accountability and responsibility for file transfer solutions, operational support processes and procedures under a single organisation. The MFT COE includes a COE owner who is accountable for all aspects of the products and services delivered, including:
• Aligning the current and future needs of supported business lines
• Managing a team responsible for establishing a technical enterprise architecture and strategy and rationalising product investments against them
• Managing an operational support team responsible for day-to-day operations of the services offered
• Optimising processes and procedures to help ensure the highest quality of service (QoS).

Under the leadership and management of a MFT COE, organisations can gain the ability to:
• Rationalise vendors' products and in-house solutions
• Consolidate duplicate infrastructures
• Consolidate or reorganise technical and operational support teams
• Establish standards across the enterprise to optimise investments and ongoing expenses related to MFT.

The MFT COE is responsible for ensuring that service quality and data security meet or exceed the needs of the business lines. It also maintains a MFT COE technology road map so that services provided are continually enhanced to align with the requirements of business lines.

Establishing standards for the organisation is also an important responsibility of the MFT COE. These include standards for infrastructure, products, visibility tools and transmission templates that empower the business application development teams to create file transfers on their own in a self-service model.
The self-service model helps reduce development and support bottlenecks that could otherwise occur in the MFT COE and alleviates the need to hire additional IT staff to support expanded usage of the infrastructure.

A key goal for any company looking to establish a MFT COE should be to provide a resilient and scalable infrastructure, visibility tools and improved processes around the support and provisioning of file transfer services. Aligning accountability and responsibility to a MFT COE enables organisations to consolidate governance and visibility of file transfer activity. This empowers the MFT COE team to:
• Maintain a good understanding of external customer onboarding and file transfer requirements
• Develop a strong knowledge of business line requirements and activities
• Implement both a business-oriented and technology-oriented approach
• Present a single face to the value chain community for cross-product and business line business-to-business (B2B) requirements.

A MFT COE helps enable the enterprise to address MFT business requirements related to capabilities, flexibility, security, auditability, service quality and visibility, and using this focused, strategic approach can help lower overall costs. By establishing best practices and processes to comply with security policies driven by the chief information security officer, regulators and auditors, a MFT COE can also help protect brands from ever-increasing security threats.

Benefits to the organisation

Organisations that establish a MFT COE are taking a more strategic and architectural approach for rationalising and deploying MFT technology throughout their enterprise. This rationalisation and architectural approach leads to improved governance, auditability and security of data throughout the enterprise and across its value chain of customers, partners, suppliers and federal and state agencies.
By taking a customer-centric approach to MFT COE activities, businesses can help ensure that FTP, priorities and SLAs are aligned with the value chain processes they support. Using a framework can also facilitate compliance with industry and regulatory mandates as well as other internal security and compliance policies that govern the data being exchanged.

Establishing a MFT COE can result in a number of strategic benefits, including improved operational efficiencies, reduced total cost of ownership (TCO), improved straight-through processing (STP), synchronisation of critical business processes and improved time to revenue through quicker customer onboarding. Additional benefits can include the following:
• Improved perimeter and data security
• Increased internal and external file transfer process visibility
• Higher service quality and reliability
• Improved process efficiencies through consolidation and standardisation
• Better organisational alignment of file transfer services and resources
• Faster time to market for new customers
• Enabled systems consolidation.

In addition to the benefits noted above, companies should realise improvements in the business processes they support. Reduced file transfer failures and improved reliability and visibility over file transfer activity play key roles in improving the synchronisation of processes and supporting data that are critical to the value chain of the business.

Roles and responsibilities

The MFT COE operating model is often developed using the IT Infrastructure Library* (ITIL*) framework of best practices. The ITIL framework is one of the most widely adopted approaches for IT service management in the world. It provides a practical, no-nonsense framework to help businesses identify, plan, deliver and support IT services.

Typically in large organisations, one department is not solely responsible for all aspects of the services offered through the MFT COE.
Such organisations are segmented by functional areas, such as hardware, networking, database, software engineering and operations. Resources from within these organisations need to be assigned to the MFT COE and focused on performing the tasks necessary to support it. In smaller organisations, multiple roles can be managed within a single team and in some cases a single person may have multiple roles.

The key role in the operating model is the MFT COE service (product) manager. This role has overall responsibility for the vision of the MFT COE, services offered, budgets, service quality and ensuring that the technology road map is developed and delivered. The service manager works with the business to help make certain that SLAs are in place and that the service is addressing business needs.

The responsibilities for the MFT COE service manager are as follows:
• Aligning the services offered with business requirements and priorities
  - Understanding the customer-centric business drivers the organisation is focused on
  - Helping ensure that MFT COE processes and priorities align with these drivers
  - Realigning priorities as the enterprise works to optimise execution across the value chain
• Managing the quality and value of the services offered
  - Overseeing communication and internal marketing of service offerings to existing and potential lines of business (LOB)
  - Establishing and monitoring service procurement, provisioning and billing and reporting processes
  - Establishing and monitoring SLAs between the MFT COE and business lines and their customers
  - Managing the overall cost of the service or the TCO
  - Benchmarking the service internally and externally
  - Reviewing sourcing and supply strategies and performance management of external vendors
• Overseeing overall quality of the services offered
  - Establishing operating level agreements (OLAs) for change management and support with internal service providers that deliver MFT COE capabilities (hardware or OS platform, network, database services)
  - Monitoring, benchmarking and optimising service quality
  - Developing metrics to measure each aspect of the service delivery chain
• Recovering the costs of the service from the LOB of the MFT COE
  - Establishing and monitoring processes to help ensure the maintenance of accurate inventory data
  - Establishing and monitoring processes to help ensure timely and accurate submission of chargeback data
  - Establishing and monitoring processes to handle and resolve customer chargeback questions
• Managing the costs and pricing of the services offered
  - Determining service cost through the aggregate of operational, engineering and research and development costs associated with the service road map and business line requirements
  - Identifying and prioritising service investments and business cases in line with the service strategy
  - Identifying sponsorship and aligning service directions with specific business line requirements
  - Managing service cost recovery using the organisation's chargeback process (if this is performed) and working with the business lines to understand the most efficient use of the services
  - Identifying cost saving and ongoing efficiency programs in the deployment of the service
• Driving and evolving the service road map
  - Aligning service with current and future needs of the business and its customers
  - Working with vendors and partners to integrate technology changes in alignment with the road map
  - Maintaining industry awareness for deployment of new services
  - Introducing or retiring services within the service portfolio.

The service manager develops an OLA with MFT operations and managed file product engineering, hardware support teams and database support teams. The OLA helps ensure that funding and headcount are set, operating practices are established and delivery metrics are in place to track resource utilisation (both people and technology) and SLA compliance metrics.

In many organisations, some or all of the file transfer infrastructure has been outsourced to reduce costs and improve operational efficiencies. The service manager role manages these vendor relationships, costs and service quality issues on behalf of the enterprise and, where possible, rationalises the service providers and seeks opportunities to consolidate vendors to reduce spending for outsourced services. For outsourced operations, the service manager needs to work with the outsourcer to help ensure that it has prioritised file transfer activity based on the established customer-centric focus or else run the risk of undermining efforts to synchronise information flows across the value chain.

The MFT COE service desk or help desk is often used as the point of contact for new service requests and problems and provides tracking information for both. The service desk also helps streamline demand and problem management processes, particularly when support provisioning and problem management technology do not already exist. The MFT COE service desk functions should be expanded to support all LOB because this helps position the company to begin standardising processes and procedures that support internal and external file transfers. A special service desk hotline can be established to field calls and is particularly helpful for external customers' ease and speed of issue resolution.

The success of a MFT COE depends on a number of roles and responsibilities:
• Service (product) management:
  - Manages the overall services offered
  - Creates and maintains budgets
  - Structures pricing and chargebacks
  - Creates the service road map
  - Helps ensure service
• Service help desk:
  - Provides Level 1 service support for internal and external users
  - Receives requests for services
  - Facilitates client testing
  - Acts as catch and dispatch for problems
  - Manages demand
• Operations:
  - Provides Level 2 support
  - Helps ensure the continuous operation of services and helps resolve escalating issues
  - Enters new setups and change requests
• Product engineering:
  - Provides Level 3 support
  - Delivers quality technology solutions to the service
  - Delivers in accordance with the service product road map.

How to get started

Now that you have defined what a MFT COE is, the services it offers and its role in the organisation, how do you sell it to the rest of the organisation? Resistance to a MFT COE sometimes comes from stakeholders reluctant to lose control and ownership of their file transfer activities, related budgets and headcounts or perhaps from LOB entities faced with absorbing charges for the file transfer services they consume. Taking a customer-centric approach to your MFT COE strategy allows your organisation to align file transfer activities and resources around a common goal, providing the file integration components in a standard, cost-effective manner that supports value chain processing requirements.

Organisationally, a good place to establish the MFT COE is within middleware technology services. These services typically have an established support model for interacting with the business because of their role in the organisation and their relationships with business staff and application developers.
In many organisations, some file transfer services are part of the network services organisation, but with the introduction of Internet connectivity and its increasing use for file transfer activity, this alignment may no longer be ideal.

When establishing a MFT COE, it is important to leverage information gathered from your current MFT approach. Who has ownership for existing file transfer activities, where in the organisation do they reside and what are the costs associated with providing the services? Also, it is important not to overlook the hidden costs associated with file transfer activities such as developer-written scripts for monitoring, retry and data validation. These items may be buried in departmental staffing budgets but under closer analysis are directly related to providing file transfer services. It is important to have a solid grasp of these costs and the implications to the organisation as you build a compelling business case for a MFT COE.

Leveraging the ITIL service management framework can provide industry credibility to help sell the approach. The business case has to be sold not only to senior management but also to rank-and-file staff whose job roles and responsibilities might be realigned under the MFT COE organisation. Because of this, it is critical to document the financial, organisational and customer service benefits a MFT COE approach offers.

Many companies embark on a MFT COE initiative as part of their IT modernisation and consolidation projects. Aligning this initiative to the organisation's business strategy is an effective way of gaining management visibility and helping ensure that a MFT strategy is aligned with the current and future needs of the business. By adopting a smarter commerce strategy, which puts the customer at the centre of the business, organisations can align customer-centric business objectives with the solution necessary to deliver them.
The alignment of the MFT COE to those high-level business initiatives can aid in defining the business value of the initiative and help secure funding.

Below are some investigatory questions to answer as you begin the process of identifying the current solutions within the enterprise and their associated costs.
• What file transfer solution does your application rely on?
  - What software vendor?
  - Where is the software installed and running?
    ° How many servers?
    ° Are the servers running the current operating system level?
    ° Is the installed software in compliance with licence agreements?
    ° When licence keys expire, do you provide notifications on expiry?
  - Is data encryption in place?
  - How active are the servers in terms of number of file transfers per hour and per day?
• What historical data needs to be preserved, how much and for how long?
• How do you keep tabs on the overall health of the environment?
  - Are servers up or down?
  - Are product licences about to expire?
  - How many file transfer processes are running on the servers?
  - Do you run a daily report on server activities or other information?
  - Do you have failover configured? Is it required?
  - Do you have disaster recovery configured? Is it required?
• What are you monitoring regarding data transfers?
  - Success and failure?
  - Did the transfer happen?
  - Did it happen on time?
  - Did it make it to the target destination?
  - Did it make it to the target destination on time?
  - Did it take too much or too little time whenever it ran?
  - How many transfers are failing?
• Overall, what actions do you take for the questions listed above?
  - Send email to individuals or a distribution list
  - Send Simple Network Management Protocol (SNMP) trap
  - Run a program
  - Send a command to a server
• Do you limit the data users can view and manage?
• How many staff members support the solution?
  - What are the support hours?
  - How long does it take to set up a new transfer?
  - How long does it take to remediate problems?
  - How many outages occur per month? Per year?

Best practices

The creation of a MFT COE offers an opportunity to establish best practices for MFT. With a MFT COE, you have a team dedicated to providing best-in-class MFT capabilities to the organisation. As the enterprise experts, the MFT COE team is versed on available technology and how to effectively and efficiently deploy it to satisfy business needs while providing a highly secure, operationally efficient and cost-effective infrastructure.

As you work to establish best practices for your MFT COE, the following list provides a good starting point for key considerations:

Intra enterprise MFT (internal)
• Common reliable transport protocol
• Centralised monitoring
• Event-based centralised audit logging
• Process automation
• Business line self-service
• Documented, standardised solutions
• Checkpoint recovery
• Centralised management
• Encrypted data
• Encrypted file system and transmission channel
• Eliminated risk associated with FTP.

Multienterprise MFT (external)
• Trading partner management
• Hardened security for demilitarised zone (DMZ) deployment
• B2B governance and security
• Broad range of B2B and transport protocol support
• User interface for configuration and transaction viewing
• Interface for trading partner transaction viewing
• Improved delivery with automatic resend.

Monitoring and management
• Proactive monitoring
• Management by exception
• Performance shown against SLA commitments
• Comprehensive visibility of file transfer activity
• Event-based notifications.

Perimeter security
• Use a DMZ-based proxy
• Use session breaks to prevent direct connections between the Internet and internal servers
• Establish a session from the DMZ to a trusted zone only after a partner user is properly authenticated
• Store no data, files or user credentials in the DMZ
• Require no inbound holes in the firewall
• Have no web services or user interface ports open in the DMZ
• Traverse from less trusted to more trusted
• Use protocol inspection, command filtering and blocking of common URL exploits.

Data protection
• No data written or stored in the DMZ
• Controls to help ensure data integrity
• Strong encryption options
• Support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Added protection by interfacing with hardware security modules (HSMs) to store cryptographic keys.

Authentication
• Authenticate users in the DMZ rather than in the trusted zone
• Manage users centrally in external user repositories such as a Microsoft* Active Directory database
• Verify users with multifactor authentication using "something you know" and "something you have" questions
• Reduce support costs using a login portal for single sign-on and self-service password management
• Install role-based access.

Business alignment
• Synchronise file transfer activity with the value chain processes they support
• Identify and prioritise those processes most critical to your customer-centric operational focus
• Use SLAs to monitor end-to-end (E2E) value chain performance, not just process-to-process movement.

How the IBM Smarter Commerce approach can help

Migrating from a fragmented MFT approach to a MFT COE presents organisations with organisational and technological challenges. IBM offers a comprehensive portfolio of products that help enable the application of the MFT COE best practices outlined above. Our offerings provide MFT architecture to more reliably move data internally and externally in a security-rich manner, monitor the health of your file transfer environment, help the business adhere to customer SLAs and provide best practices security capabilities in the DMZ.

As an industry leader in MFT, IBM has extensive experience helping companies strategically deploy their MFT solutions and create MFT COEs.
By adopting an IBM Smarter Commerce approach, which places customers at the centre of your business strategy, the business and the MFT COE align together with a common set of objectives, optimising execution throughout your value chain. IBM's product and industry specialists can help your organisation assess its current approach to file transfer and provide guidance for establishing a MFT COE.

IBM offers an industry-aligned technical and business value assessment focused on MFT. This assessment is a collaborative engagement between your organisation and IBM to evaluate your current file transfer infrastructure as well as your operational practices and to provide actionable recommendations plus return on investment (ROI) analysis. The assessment considers your extended value chain of partners, suppliers and customers as well as movement of file-based data both internally and externally.

Contact IBM to assist your organisation in establishing a MFT COE. By doing so, you can enable your business to rationalise its investments in MFT products, build a standardised architectural approach to delivering capabilities and establish operational processes and procedures to optimise service delivery and support throughout your business value chain. The IBM Smarter Commerce strategy can help you deliver data, business value and a lower TCO related to your MFT infrastructure.

For more information

To learn more about establishing a MFT COE and the IBM Smarter Commerce strategy, contact your IBM sales representative or Business Partner, or visit: ibm.com/software/commerce/managed-file-transfer/

IBM United Kingdom Limited
PO Box 41, North Harbour
Portsmouth, Hampshire, P06 1AU
United Kingdom

IBM Ireland Limited
Oldbrook House
24-32 Pembroke Road
Dublin 4

IBM Ireland registered in Ireland under company number 16226

IBM, the IBM logo, ibm.com and Smarter Commerce are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

ITIL is a registered trademark, and a registered community trademark of The Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark Office.

Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or both.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

© Copyright IBM Corporation 2012

ZZW03116-GBEN-00