The Imperative for Effective Data Flow Governance in Response to Data Security, Risk Mitigation, and Compliance Requirements

Understanding how managed file transfer and API management support changes in integration strategy

An Ovum white paper sponsored by Axway


Page 1: The Imperative for Effective Data Flow Governance in ...images.itnewsinfo.com/commun/genform/recompense/... · The Imperative for Effective Data Flow Governance in Response to Data



Executive summary

Catalyst

The complex interplay of data security and compliance requirements coupled with the need to drive business agility while containing IT costs is forcing enterprises to rethink their integration strategy. While the disciplines of ‘integration’ and ‘data security and governance’ have remained isolated for a long time, enterprises can no longer afford infrastructure and governance silos that increase exposure to security and compliance risk and reduce adaptability to new business and operating models.

Ovum view

The size and volume of files which enterprises are exchanging internally and with customers and trading partners continues to increase at a rapid rate. In addition to file transfers, enterprises are increasingly exposing sensitive data via messaging platforms and APIs to external parties. At the same time, the proliferation of insecure and ad hoc approaches to file transfer, such as file transfer protocol (FTP)-based and personal file sync and share (FSS) solutions, has significantly increased the business risk associated with data breaches and non-compliance with regulatory mandates.

There have been many changes in regulatory compliance mandates over the last decade, including the introduction of new data security regulations. These changes call for a rigorous review of existing enterprise security, governance, and compliance frameworks and policies. In particular, new compliance mandates require proper documentation of business processes and greater control over internal and external file transfers.

Business users have a tendency to circumvent IT policies to safeguard their interests and working style, which place more importance on easy and flexible access to enterprise information assets. IT continues to face the dilemma of how to govern file transfers while meeting ease-of-use and mobility requirements of the modern workplace.

In order to meet the diverse requirements of internal users, trading partners, customers, and data security and regulatory compliance, IT should focus on a shift to a comprehensive managed file transfer (MFT) solution. This represents a far better option than maintaining and managing several ‘islands’ of file transfer and integration infrastructure. In particular, a comprehensive MFT solution will allow file transfers to and from a range of endpoints, including simple object access protocol (SOAP) services and file-based interfaces, as well as across application-to-application (A2A), B2B, and cloud integration scenarios. Moreover, it will simplify integration with existing security systems and governance processes, thereby enabling IT to effectively govern data flow across internal and external file transfers (including ad hoc transfers).

A ‘central governance’ layer over the various components of the existing middleware stack is essential for ensuring data security and governance across integration flows which connect a range of applications, services, users/devices, and trading partners/customers. What enterprises need is a unified approach to the enforcement and management of data security and governance policies within, at, and beyond the edge of the enterprise. With a range of solutions being used for managing identities of individual users, services/applications, and devices, ‘identity federation’ becomes of paramount importance. In this context, API management will provide a “brokerage” layer for identity federation across the various identity and access management (IAM) suites, registries/repositories, and other identity solutions, and offer a centralized policy enforcement point.


Methodology

This white paper was sponsored by Axway and includes results from an extensive primary research survey comprising responses of 450 senior IT decision makers (150 each from North America, Asia-Pacific, and Europe, Middle East and Africa) with significant influence over integration initiatives and an understanding of enterprise IT security governance, risk management, and compliance strategy. The views expressed in this white paper are based on Ovum’s ongoing research into the middleware market, which takes into account the opinions of industry consortiums, integration practitioners, and enterprise and solution architects.

Key messages

- FTP and other traditional and ad hoc approaches to file transfer expose enterprises to the risk of data breaches and non-compliance with regulatory mandates. With IT under pressure to deliver new capabilities under strict budget and time constraints, the prospect of maintaining infrastructure and resources to keep traditional file transfer solutions up and running is difficult to sustain.

- A comprehensive MFT solution is essential for meeting increasingly complex data security and governance requirements as well as stringent regulatory compliance mandates. In addition to securing and governing file transfers across internal and external integrations, a comprehensive MFT solution will allow governance of file transfers across email solutions, collaboration tools, and enterprise file sync and share (EFSS) solutions.

- A comprehensive MFT solution simplifies community management to allow rapid onboarding of new customers and partners, and enables real-time monitoring of business and technical key performance indicators (KPIs).

- IT should develop a strategy to consolidate file transfer infrastructure and processes to reduce infrastructure footprint and maintenance and support costs. A comprehensive MFT solution will provide the flexibility required for meeting new business requirements, which would otherwise require significant custom development effort.

- There is a growing need to shift from ‘governance silos’ to a ‘central governance’ layer offering a common view of data flow to all stakeholders, both at a business process level and a technical level, across the various processes, applications, communities, and users/devices involved in application and B2B/MFT-based integration. This layer will allow IT to centrally manage user identities and access rights, and provide a single point of enforcement for security and governance policies.

- It is time that IT thought about using a suitable combination of MFT, B2B integration, and API management solutions for enabling, securing, and governing interactions at and beyond the edge of the enterprise.


Key survey results

- On average, 32% of business-critical processes involve file transfers and about 4% of FTP-based file transfers fail. This indicates that at least 1.3% of business-critical processes involving FTP-based file transfers will suffer failures.

- The average total cost of a data loss/breach incident is $350 per breached record (or $3 million, on an overall basis).

- About a quarter of survey respondents revealed that their organization failed a security audit in the last 3 years. Furthermore, 17% indicated ‘no confidence’ in passing a compliance audit with the existing file transfer solutions.

- While 38% of respondent enterprises have already implemented an API program, an additional 19% plan to implement an API program in the next year. This figure is expected to increase by another 40% over the next 2 to 3 years.

- While for 58% of respondent enterprises data security, privacy, and governance is an integral element of integration strategy, an even greater share of respondents (71%) revealed a disconnect between integration strategy and data security and governance frameworks and policies.

- About a third of the respondent enterprises are using both on-premise and software-as-a-service (SaaS)-based file transfer solutions. However, there is little inclination to shift towards a “cloud-only” model for delivery of file transfer capabilities, with only 11% relying on SaaS-based file transfer solutions for all of their file transfer needs.

- A large section of respondent enterprises (56%) are using discrete solutions for on-premise application integration, B2B integration, and cloud integration. Moreover, 46% of survey respondents agreed that existing enterprise service bus (ESB)/service-oriented architecture (SOA) infrastructure offers less flexibility and is difficult to maintain.

Traditional and ad hoc approaches to file transfer are inadequate to govern data flows

FTP servers do not offer the requisite security and reliability and are difficult to maintain

FTP is one of the most widely used and arguably the least secure of the various approaches to file transfer. The survey results depicted in Figure 1 show that there is little difference (just 2%) in the number of respondent enterprises using email solutions and FTP servers for file transfers. Indeed, FTP has long been used as the primary means to point-to-point file transfers and continues to enjoy a strong foothold in the enterprise user segment.

FTP is non-transactional in nature and does not provide support for handling network errors. In cases of large file transfers, a lack of quality-of-service (QoS) mechanisms and inability to resume interrupted file transfers often lead to major delays and transfer failures.


Figure 1: Different approaches/solutions used for file transfer

Source: Ovum

The survey results in Figure 2 reveal that on average 4% of FTP-based file transfers fail. Interestingly, 21% of the respondent enterprises reported a failure rate in excess of 6%, while for another 24% of respondents the failure rate was in the range of 4 to 6%. Another interesting observation is that on average about 32% of business-critical processes involve file transfers. The survey results, when extrapolated, indicate that at least 1.3% of business-critical processes involving FTP-based file transfers will suffer failures. From a financial standpoint, these failures will lead to major business disruptions and will have a significant impact on the bottom line.

Figure 2: Failure rate of FTP-based file transfers

Source: Ovum


As there is no mechanism for encryption of data in motion, data security and privacy is a major concern with FTP-based file transfers. With user names and passwords sent as plain text over FTP, there is little protection against interception and hacking attempts. Moreover, enterprises need complex scripts and additional infrastructure to establish a security layer to overcome the limitations of FTP. Furthermore, the cost associated with regular maintenance can be quite high. As FTP on its own can support only manual file transfer processes, enterprises will incur additional costs for automation and integration with business processes.

For ad hoc file transfers, the process of setting up an FTP server and the installation and configuration of client software can be quite painstaking. FTP systems do not provide the necessary data management capabilities and it is common to see data residing on servers once file transfer is complete. This could lead to data breaches and unauthorized access from both internal and external users.

Another limitation of FTP is the lack of tracking and reporting capabilities. With FTP, users struggle to ascertain data integrity and identify whether a file transfer process is successful or not. Moreover, with very limited information on and visibility into end-to-end file movement and user access, enterprises will struggle to enforce governance policies and meet auditing requirements.
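The three gaps described above (no way to resume an interrupted transfer, no end-to-end integrity check, and no record of whether a transfer succeeded) are exactly what a managed transfer layer supplies. The following is an illustration added for this page, not code from the Ovum paper or from Axway: a transfer loop that resumes from the receiver's reported offset, compares SHA-256 digests on both ends, and returns an audit record per transfer. The FlakyLink class, the chunk size and the audit-record fields are constructed for the example.

```python
# Added example for this page (not code from the Ovum paper or from Axway).
# It models the three properties the FTP discussion says are missing: resuming an
# interrupted transfer from the receiver's offset, verifying integrity end to end,
# and recording an audit entry for every transfer. FlakyLink, CHUNK and the record
# fields are constructed for the illustration.
import hashlib
import json
import time

CHUNK = 1024  # bytes per send; constructed value


class FlakyLink:
    """Constructed stand-in for an unreliable channel plus the receiving endpoint.

    The first `failures` sends that would push the receiver past `fail_at` bytes
    raise ConnectionError; when `tamper` is set, the very first byte stored is
    flipped so the integrity check has something to catch.
    """

    def __init__(self, fail_at: int, failures: int = 1, tamper: bool = False):
        self.fail_at = fail_at
        self.failures = failures
        self.tamper = tamper
        self.store = bytearray()  # bytes the receiver has persisted so far

    def offset(self) -> int:
        """Receiver reports how much it already holds: the resume point."""
        return len(self.store)

    def send(self, chunk: bytes) -> None:
        if self.failures and len(self.store) + len(chunk) > self.fail_at:
            self.failures -= 1
            raise ConnectionError("link dropped mid-transfer")
        if self.tamper and not self.store:
            chunk = bytes([chunk[0] ^ 0x01]) + chunk[1:]
        self.store.extend(chunk)


def managed_transfer(user: str, name: str, data: bytes, link: FlakyLink,
                     max_attempts: int = 3) -> dict:
    """Send `data` over `link`, resuming after each failure instead of restarting,
    then compare digests end to end and return the audit record for the transfer."""
    expected = hashlib.sha256(data).hexdigest()
    attempts = 0
    while attempts < max_attempts:
        attempts += 1
        start = link.offset()  # resume from what the receiver already has
        try:
            for pos in range(start, len(data), CHUNK):
                link.send(data[pos:pos + CHUNK])
            break  # all bytes sent
        except ConnectionError:
            continue  # the next attempt picks up at the new offset
    received = hashlib.sha256(bytes(link.store)).hexdigest()
    if link.offset() != len(data):
        status = "failed"     # gave up before the transfer completed
    elif received != expected:
        status = "corrupt"    # complete length, but the content differs
    else:
        status = "verified"
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "user": user,
        "file": name,
        "bytes": len(data),
        "sha256": expected,
        "attempts": attempts,
        "status": status,
    }


if __name__ == "__main__":
    payload = b"x" * 10_000  # constructed sample file content
    for label, link in [
        ("one drop, then resume", FlakyLink(fail_at=3_000)),
        ("tampered in transit", FlakyLink(fail_at=10**9, failures=0, tamper=True)),
        ("link never recovers", FlakyLink(fail_at=3_000, failures=5)),
    ]:
        print(label, json.dumps(managed_transfer("alice", "payroll.csv", payload, link)))
```

The audit record is the part that matters for the governance argument in this section: a "failed" or "corrupt" outcome is as visible as a "verified" one, so the failure rates discussed under Figure 2 can actually be measured rather than estimated.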

Email solutions are inadequate for large file transfers and offer limited security and visibility

Email remains the most widely used medium for file transfer. While this is easy to understand, given the widespread availability and ease-of-use of email solutions, nevertheless, there are limitations and drawbacks that cannot be ignored. Firstly, email solutions do not support transfers beyond a certain file size and attempts to increase the size limit often result in network bottlenecks, storage bloat, and increased backup time. Secondly, data security and governance is a key challenge with email solutions, as IT has limited visibility into and control over the information shared via email, and it is difficult to enforce policies that help ensure encryption of sensitive information.

Personal file sync and share solutions lack enterprise-grade security and governance

Cloud-based personal FSS solutions, such as Dropbox, Google Drive, Hightail, and SugarSync are increasingly being used by employees in the workplace. In fact, in 17% of the enterprises surveyed (Figure 1), the use of personal FSS solutions is beyond the control of IT. Such practices pose significant risk to enterprise IT security governance, risk management, and compliance.

While personal FSS solutions do offer simplified mobile access capabilities, a key requirement for enterprise mobility, they lack the requisite IT security and administrative controls. Moreover, integration between personal FSS solutions and existing enterprise IT security systems can be a difficult proposition.

As IT has little or no control over and insight into the potential locations where information shared via personal FSS solutions can be stored, and who has access to this information, there is practically no protection against data theft/siphoning.


Homegrown file transfer solutions are a liability and vulnerable to data security and compliance threats

The survey results reveal that despite the increasing adoption of relatively new file transfer solutions, homegrown file transfer solutions are still being used in over a quarter of the respondent enterprises. While the initial costs associated with homegrown file transfer solutions, which are proprietary or FTP/secure shell (SSH)-based file exchange solutions, might be reasonable, the subsequent maintenance and development costs can be onerous.

As homegrown file transfer solutions were developed for specific use cases, significant additional development effort is often required for adding new capabilities necessary to meet a different set of requirements. At a time when IT is hard pressed to “do more with less” and use developers for more-strategic and higher value initiatives, the need for additional development effort for maintaining the relevance of homegrown file transfer solutions is more or less a burden.

Another issue with homegrown file transfer solutions can be the lack of reporting and auditing capabilities. Without these capabilities, enterprises will struggle to compile data on the identity of the users initiating file transfers/interacting with files and the type of information transferred, and set up alerts/notifications for any potential disruptions. These limitations expose enterprises to the risk of non-compliance with regulatory mandates. Moreover, homegrown file transfer solutions often fail to provide sophisticated encryption and authentication mechanisms safeguarding sensitive data against unauthorized access at various stages of the file transfer process.

Stringent regulatory compliance mandates and the ever-increasing data security and privacy risks call for a comprehensive file transfer solution

Regulatory compliance mandates require transparent audit trails and a high level of visibility into and control over the flow of sensitive information

The Sarbanes-Oxley Act of 2002 (SOX) calls for robust mechanisms for user authentication and access control, data encryption, and data integrity in order to control the flow of sensitive financial data. In addition, enterprises need to provide proper documentation of these processes and policies to comply with the requirements of a SOX audit. Another case in point is the payment card industry data security standard (PCI DSS), applicable to every enterprise that handles payment card data. One of the key requirements of PCI DSS is the secure processing, transmission, and storage of payment card data. This requires strong access control mechanisms and regular monitoring of access to network resources and cardholder information.

Several other industry and government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Foreign Account Tax Compliance Act (FATCA), Gramm-Leach-Bliley Act, Basel III Accord, and Solvency II Directive have stringent data security, privacy, and governance requirements, which cannot be met by FTP and other traditional and ad hoc approaches to file transfer. In particular, enterprises will need comprehensive and transparent audit trails to comply with these industry and government regulations and gain better visibility into the enforcement of data security and privacy policies.

The survey results in Figure 3 indicate that there is a large gap between the requirements of industry and government regulations and the data security and governance capabilities offered by the existing file transfer infrastructure in enterprises. With data/file encryption at rest, defining and enforcing security policies, IAM, viruses/spyware/malware, and data/file encryption in motion being the top 5 concerns, it is clear that enterprises will struggle to meet regulatory compliance requirements with the existing file transfer solutions.

Figure 3: Main data security- and privacy-related concerns with file transfers

Source: Ovum

These requirements can only be met by a comprehensive file transfer solution that helps ensure security and privacy of mission-critical data, as well as offering realtime visibility, monitoring, and reporting at technical and business levels for governing the flow of data, within and outside the enterprise. Moreover, there is a need for good visibility into data flow at a business process level, which extends beyond a technical view of file transfers.

Tackling internal and external security threats is a top priority for IT management

Figure 4 shows that business continuity/disaster recovery, protecting against cyber threats, managing insider threat, compliance monitoring, security incident and event management, data loss prevention (DLP), and service-level agreement (SLA) compliance figure amongst the top priorities for C-level respondents to the survey. While effective security and governance of file transfers will play an important role in achieving these objectives, it is especially critical for managing insider threat, DLP, and SLA compliance.


Figure 4: Top priorities for CIOs/CISOs/CROs

Source: Ovum

In recent times, data misuse by employees has emerged as a major reason for data breaches, though in many cases, it is due to a lack of awareness of information security and privacy policies. The case of file transfers is no different. Unless IT puts in place the essential data security and governance infrastructure and policies, insider threat from the unauthorized access and sharing of sensitive information will be difficult to contain.

With employees using personal FSS solutions and other ad hoc approaches to file transfer, and doing so via a range of access channels (including mobile devices), data security and governance becomes a major challenge. With the implementation of “bring your own device” (BYOD) policies, enterprises are allowing employees to bring a range of devices, operating systems, and applications into the workplace. In most enterprises, BYOD initiatives extend beyond access to basic resources and information, such as email, calendar, and contacts. IT continues to be under pressure to safeguard sensitive data against unauthorized access and to keep track of file movement, within and outside the enterprise.

Another compelling insight from the survey (Figure 5) was that only 11% of the respondent enterprises rely on SaaS-based file transfer solutions for all of their file transfer needs. Moreover, while nearly one-third of the enterprises currently only using on-premise file transfer solution(s) are inclined to shift to a SaaS model over the next 12 to 18 months, an even greater share of respondent enterprises (42%) are still evaluating the associated data security and privacy implications.


Figure 5: Usage split between on-premise and SaaS-based file transfer solutions

Source: Ovum

It is clear that while the adoption of SaaS-based file transfer solutions continues to grow, most enterprises are not inclined to shift towards a “cloud-only” model for the delivery of file transfer capabilities. Nevertheless, 35% of respondent enterprises are using both on-premise and SaaS-based file transfer solutions.

Ovum forecasts that the global spend on cloud-based integration platforms will grow at a compound annual growth rate (CAGR) of 24.3% between 2013 and 2018, reaching $3.7 billion by the end of 2018. A significant share of this spend will be accounted for by B2B integration services delivered via the cloud (including MFT-as-a-service). In contrast, the global spend on traditional B2B integration middleware is expected to grow at a CAGR of 6% over the same period. This can be attributed to enterprises’ inclination to shift to an integration approach capable of delivering faster time-to-value, while ensuring the requisite scalability and performance at a lower total cost of ownership (TCO).

A comprehensive MFT solution reduces business risk and IT costs, and drives greater business agility

A comprehensive MFT solution alleviates the risk posed by internal and external security threats and helps enterprises to comply with regulatory mandates and customer SLAs

As indicated by the survey results in Figure 6, most enterprises use a mix of file transfer approaches, without any provision for centralized governance over internal and external data flow. With such a fragmented file transfer infrastructure, comprehensive and transparent audit trails become a difficult proposition. As IT has limited visibility into the use of insecure means of file transfer, the risk of data loss/theft and non-compliance looms large over internal and external file transfers. Indeed, the survey results (Figure 6) specify a lack of reliability, non-compliance with data security and privacy regulations, and a lack of end-to-end visibility and monitoring as the top 3 concerns with the features and capabilities of existing file transfer solutions.

Figure 6: Main concerns with the features and capabilities of existing file transfer solutions

Source: Ovum

Analysis of the survey results indicates that the average total cost of a data loss/breach incident is $350 per breached record (or $3 million, on an overall basis). From a holistic perspective, there are consequences that are difficult to quantify, especially during the initial stages. These consequences can range from a high customer attrition rate and damage to brand image, to litigations and fines, and potentially a major impact on the share value.

Interestingly, 23% of the survey respondents revealed that their organization failed a security audit in the last 3 years. Moreover, 17% indicated that they have ‘no confidence’ in passing a compliance audit with their existing file transfer solutions. Given the sensitive nature of the associated questions, it can be argued that these are conservative figures and do not necessarily reflect the extent of risk enterprises face due to the lack of a suitable file transfer solution.

Key features and capabilities of a comprehensive MFT solution

While the initial adoption of MFT was driven by the need for a suitable alternative to FTP, its role has become more strategic and enterprises frequently use MFT solutions as part of a range of integration initiatives, including with SOA and A2A (application-to-application), B2B, and cloud integration. In addition to securing and governing file transfers across internal and external integrations, a comprehensive MFT solution also allows governance of file transfers across email solutions, collaboration tools, and EFSS solutions. Key features and capabilities of a comprehensive MFT solution include:

- Support for a wide range of open standards and protocols, and off-the-shelf integration with common middleware platforms and security products (IAM suites)

- Integration with existing applications via APIs


- Rapid configuration of integration flows based on business requirements and abstraction from technical implementation at the middleware layer

- B2B integration:

  - multi-enterprise process automation

  - dynamic routing based on content, context, and trading partner role

  - integration of business applications with B2B transactions and processes

- Support for mobile access and ad hoc file transfer/EFSS-type scenarios

- Community management: rapid onboarding of new customers and partners, and governance of interactions with trading partners

- End-to-end visibility and monitoring: dashboards for the real-time monitoring of file transfers, B2B integrations, and KPIs

- Reporting and auditing: compilation and reporting of information on file transfers, user interaction, and business processes

- A governance layer enabling:

  - policy definition, management, and enforcement

  - SLA management via a dashboard offering data flow analytics and reporting

  - support for error resolution

  - runtime and design time definition of interactions between different parties

  - guaranteed delivery, even with limited or no control over users/devices and/or underlying infrastructure

  - management of user identities and access rights

  - audit trails
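The governance layer in the list above combines three of its items in one place: policies are defined centrally, every transfer request is checked against them using the identity and access rights asserted for the user, and each decision is written to the audit trail. The following is an illustration added for this page, not code from the Ovum paper or from Axway, of such a single enforcement point. The policy names, role names, partner list, destination taxonomy and classification labels are all constructed for the example.

```python
# Added example for this page (not code from the Ovum paper or from Axway).
# A toy central policy enforcement point: policies are defined as data, every
# transfer request passes through one enforce() call, and each decision comes back
# as an audit record. Role names, partner list, destination kinds and
# classification labels are constructed for the illustration.
import json
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TransferRequest:
    user: str
    roles: FrozenSet[str]   # roles as asserted by the identity provider
    dest_kind: str          # "internal", "partner" or "external" (constructed taxonomy)
    dest: str               # share name, partner id or external service
    classification: str     # "public", "internal" or "confidential"
    encrypted: bool         # whether the channel encrypts data in motion


ONBOARDED_PARTNERS = {"acme", "globex"}  # constructed community list

# Policy definition: (name, predicate). A predicate returns True when the request complies.
Policy = Tuple[str, Callable[[TransferRequest], bool]]
POLICIES: List[Policy] = [
    ("governed-channel-only",
     lambda r: r.dest_kind != "external"),
    ("partner-onboarded",
     lambda r: r.dest_kind != "partner" or r.dest in ONBOARDED_PARTNERS),
    ("encrypt-confidential",
     lambda r: r.classification != "confidential" or r.encrypted),
    ("confidential-needs-owner-role",
     lambda r: r.dest_kind == "internal"
     or r.classification != "confidential"
     or "data-owner" in r.roles),
]


def enforce(req: TransferRequest) -> dict:
    """Single enforcement point: evaluate every policy, deny if any is violated,
    and return the audit record for the decision, naming the violated policies."""
    violated = [name for name, complies in POLICIES if not complies(req)]
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "user": req.user,
        "dest": f"{req.dest_kind}:{req.dest}",
        "classification": req.classification,
        "decision": "deny" if violated else "allow",
        "violations": violated,
    }


def enforce_all(reqs: List[TransferRequest]) -> List[dict]:
    """Run every request through the same enforcement point, in order."""
    return [enforce(r) for r in reqs]


# Constructed sample requests covering each policy once.
SAMPLE_REQUESTS = [
    TransferRequest("alice", frozenset({"employee"}), "internal", "hr-share", "confidential", True),
    TransferRequest("bob", frozenset({"employee"}), "partner", "acme", "confidential", True),
    TransferRequest("carol", frozenset({"employee", "data-owner"}), "partner", "acme", "confidential", False),
    TransferRequest("dave", frozenset({"employee"}), "external", "personal-fss", "internal", True),
    TransferRequest("erin", frozenset({"employee"}), "partner", "initech", "public", True),
]


if __name__ == "__main__":
    for record in enforce_all(SAMPLE_REQUESTS):
        print(json.dumps(record))
```

Keeping policies as data rather than as scattered conditionals is what makes the "single point of enforcement" meaningful: adding a rule changes one list, and the audit record shows which named rule blocked a transfer, which is the evidence an auditor asks for.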

As per the survey results in Figure 7, increased reliability and uptime, improved responsiveness to business change, auditing and regulatory compliance, and easier collaboration with partners and customers are regarded as the top 4 benefits of a comprehensive MFT solution.

Figure 7: Benefits of a comprehensive MFT solution

Source: Ovum


A comprehensive MFT solution will not create another ‘island’ of infrastructure, which further widens the gap between the existing integration platforms and security and governance frameworks and policies. Rather, it simplifies integration with different components of the existing middleware stack and security infrastructure, and offers greater visibility and end-to-end monitoring to secure and govern data flow, both within and outside the enterprise.

A shift to MFT will help in reducing operating costs

MFT allows enterprises to shift from disparate file transfer solutions that are difficult to manage and maintain, and require extensive custom development for accommodating new business requirements. At a time when IT is under pressure to deliver new capabilities under strict budget and time constraints, the prospect of maintaining infrastructure and resources to keep traditional file transfer solutions up and running is difficult to sustain.

A comprehensive MFT solution will eliminate the need for point-to-point connectivity for file transfers across application-to-application (A2A), B2B, and cloud integrations, thereby reducing the costs associated with the maintenance of different file transfer platforms. Moreover, a suitable MFT solution will offer the flexibility required for meeting new requirements, which would otherwise require significant custom development effort.

Figure 7 shows that about three-quarters of the survey respondents agreed with the premise that MFT as a shared service helps reduce costs. A similar share of respondents selected ‘reduced development and troubleshooting effort and costs’ as a key benefit of MFT. It is easy to understand that consolidation of file transfer infrastructure and processes will reduce IT footprint and maintenance and support costs.

MFT simplifies community management and increases responsiveness to business change

A comprehensive MFT solution allows rapid onboarding of partners and customers, including automation of the various enrollment processes, such as subscription, registration, provisioning, and testing. It will allow for the customization and management of onboarding workflow and trading partner profile via automated communications and approvals, and provide reporting and administration features for community management, including SLA reporting.

A comprehensive MFT solution supports file transfers to and from a range of endpoints, including FTP and B2B endpoints and web services, and helps ensure flexibility in addressing customer requests. It will support both event-driven and schedule-based file processing, depending upon business requirements.

Developing the business case for a comprehensive MFT solution

As is the case with any strategic IT initiative, securing funding for an infrastructure transformation project is no easy task. In the case of a shift to MFT, IT will need to develop a strong business case as to how this initiative would add business value. Figure 8 shows that budget constraints, organizational change management issues, and concerns around ease of use are the three major factors hindering MFT adoption. Interestingly, the survey takes into account the opinion of IT leaders who are already aware of the limitations of FTP.


Figure 8: Factors hindering MFT adoption

Source: Ovum

There will always be some inertia involved in any initiative intended to change the way that IT tools are used, more so from the perspective of organizational change management. Then there is the “ease of use” factor, which adds to this inertia, especially as business users are well conversant with ad hoc approaches to file transfer and may not have a good understanding of the strategic role of MFT. It is therefore important that IT demonstrates (ideally via a proof-of-concept) how a comprehensive MFT solution extends file transfer and governance capabilities to A2A, B2B, and cloud integrations, as well as supporting ad hoc file transfer to meet ease of use and mobility requirements, while mitigating the risk posed by internal and external security threats.

IT should conduct a business value assessment, preferably with the support of a suitable MFT vendor, to assess the current state (an “as-is” state analysis) of file transfer infrastructure and processes, identify inefficiencies and bottlenecks, and develop a “to-be” state design and technical requirements specification. This assessment should also take into account the views of business and IT leaders, including line-of-business (LOB) and process owners/leaders. Thereafter, a clear specification of the gaps between the “as-is” and “to-be” states should be developed. The business case should focus on factors/indicators directly related to the potential business value that could be realized with a shift to a comprehensive MFT solution. Indicators include:

• Comparison between TCO for the existing file transfer solution and an MFT solution.
• Reduction in development and maintenance costs.
• The business risk associated with data breaches and non-compliance with regulatory mandates.
• Impact of non-compliance with customer SLAs.
• Ability to handle large volumes of file transfers, while ensuring guaranteed delivery and data integrity.
• Rapid onboarding of customers and partners.
• Increase in customer satisfaction.
• Long-term viability of an MFT solution and its strategic fit with the enterprise integration strategy.
• Greater agility in meeting new business requirements.
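The “guaranteed delivery and data integrity” indicator is the one a reviewer of the business case will ask to see evidenced, because it is exactly what a plain FTP drop folder cannot give: an aborted session leaves a partial file that looks complete to a poller, and a stale or altered file of the same name is indistinguishable from a good one. The check that an MFT platform performs for you is a manifest comparison on the receiving side. The block below is an added example written for this paper, not code from Ovum or from any MFT product; the manifest layout (file name, declared size, SHA-256), the sample batch and the failure cases are all constructed for the illustration.

```python
"""Delivery and integrity verification for a batch of transferred files.

Added example, not code from the Ovum paper or from any MFT product. The
manifest layout (file name, declared size, SHA-256) and the sample files on
both sides of the transfer are constructed for this illustration.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sender-side batch: file name -> bytes.
SENT = {
    "orders_20150301.csv": b"order_id,sku,qty\n1001,AB-7,3\n1002,CD-2,1\n",
    "invoices_20150301.xml": b'<invoices><invoice id="9" total="120.00"/></invoices>',
    "rates.json": b'{"USD":1.0,"EUR":0.92}',
    "manifest_only.txt": b"listed in the manifest but never delivered",
}

# Constructed receiver-side view of the same batch after a flaky session.
RECEIVED = {
    "orders_20150301.csv": SENT["orders_20150301.csv"][:-10],   # connection dropped mid-file
    "invoices_20150301.xml": SENT["invoices_20150301.xml"],     # intact
    "rates.json": b'{"USD":1.0,"EUR":0.29}',                    # same length, altered content
    "stray.tmp": b"\x00\x00",                                   # not part of the batch
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Sender side: declare size and SHA-256 for every file before sending."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def verify_delivery(manifest: Dict[str, Tuple[int, str]],
                    received: Dict[str, bytes]) -> Dict[str, str]:
    """Receiver side: classify every manifest entry and every received file.

    ok         size and digest both match the manifest
    missing    listed in the manifest, never arrived
    truncated  fewer bytes than declared (an aborted FTP session leaves a
               partial file that a size-agnostic poller would happily process)
    corrupt    size matches but content does not (bit flip, tampering, or a
               stale file of the same name), or more bytes than declared
    unexpected present on the receiving side but absent from the manifest
    """
    report: Dict[str, str] = {}
    for name, (expected_size, expected_digest) in manifest.items():
        data = received.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) < expected_size:
            report[name] = "truncated"
        elif len(data) != expected_size:
            report[name] = "corrupt"
        else:
            digest = hashlib.sha256(data).hexdigest()
            # compare_digest does not short-circuit on the first differing
            # byte; cheap insurance when the manifest comes from a remote peer
            report[name] = "ok" if hmac.compare_digest(digest, expected_digest) else "corrupt"
    for name in received:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def delivery_complete(report: Dict[str, str]) -> bool:
    """Guaranteed delivery: every manifest entry is 'ok' and nothing extra landed."""
    return all(status == "ok" for status in report.values())


if __name__ == "__main__":
    result = verify_delivery(build_manifest(SENT), RECEIVED)
    for name, status in sorted(result.items()):
        print(f"{status:10s} {name}")
    print("batch accepted" if delivery_complete(result) else "batch rejected")
```

The ordering of the checks matters: size is compared before the digest so that a truncated file is reported as such rather than as generic corruption, which tells the operator to retry the transfer rather than to escalate. Files that arrive without a manifest entry are flagged instead of ignored, since an attacker or a misconfigured partner dropping extra content into an inbound folder is itself a policy event.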


Governing the flow of data: Data security and governance should be integral to enterprise integration strategy

Complex data security, governance, and compliance requirements are forcing enterprises to rethink their integration strategy

As per the survey results in Figure 9, the need for a 360-degree view of customer engagement and relationships, the need to reduce the cost of integration, security and governance of integrations involving on-premise and cloud-based applications, and more stringent compliance requirements figure amongst the top four factors driving enterprises to rethink their integration strategy. With the rapid proliferation of SaaS and mobile applications, there is a great need for integration with enterprise applications and data sources. In such scenarios, an often-neglected aspect is the governance of integration flows exposing mission-critical data to the cloud and to mobile platforms.

According to the Ovum ICT Enterprise Insights survey of 4,722 IT decision-makers from across the globe, around 38% of respondent organizations plan to invest in integration infrastructure modernization projects, with 15% interested in investing in new integration solutions, while the remaining 23% are interested in major infrastructure transformation. On top of this, 32% of the respondent organizations are planning to invest in small-scale integration infrastructure upgrades. The survey results show that return on investment (ROI) and price/expenditure are the most important criteria in the selection of integration solutions.

Figure 9: Factors driving a rethink of integration strategy

Source: Ovum


Figure 10 interestingly shows that 56% of the respondent enterprises from our survey are using discrete solutions for on-premise application integration, B2B integration, and cloud integration. There are two facets to the complexities associated with such a fragmented integration infrastructure. The first one relates to the complexity of managing and maintaining a heterogeneous middleware stack combining solutions offered by different vendors and developed under disparate standards. The second facet relates to the complexity arising from discrete approaches to security, management, and the monitoring of interactions between different applications, systems, and business processes.

Figure 10: The ‘current state’ of enterprises’ integration infrastructure

Source: Ovum

Moreover, 69% of the respondent enterprises indicated that there is some level of integration between existing application and B2B integration infrastructure. This is along expected lines as complex orchestration use cases, such as the extension of B2B integration (including via MFT) to on-premise and cloud integration scenarios, are no longer uncommon. However, a more cohesive approach is required for securing and governing data flows across a wide range of applications/services, environments, and business processes.

API management is central to the integration infrastructure required for supporting complex and multi-faceted integration and governance needs

Enterprises are looking for alternatives to traditional integration approaches to meet pressing integration requirements at a lower cost and within a reasonable time. For example, enterprises are not inclined to wait for weeks for the integration of a SaaS application, which they can start using in a much shorter time. Indeed, 46% of respondent enterprises agreed that existing ESB/SOA infrastructure offers less flexibility and is difficult to maintain.

There are several use cases where an API gateway will be a good fit from the perspective of service/message transformation and securing and governing data flow across on-premise, B2B, cloud, and mobile integrations. A suitable API gateway can function as a security gateway supporting a wide range of security protocols, IAM suites, and standards across different access channels and integration scenarios. Enterprises can use an API gateway as an integrated policy enforcement point for access control, performance and QoS, compliance and audit, and data security- and privacy-related policies. An API gateway will enable the transformation of existing services, such as simple object access protocol (SOAP) and extensible markup language (XML) over hypertext transfer protocol (HTTP) services, into REST APIs/services to simplify these interactions.

APIs in their various guises facilitate the externalization of the enterprise and open up new revenue streams, simplifying the integration of digital sales, marketing, commerce, branding, and other channels into established business processes and models. Lightweight and developer-friendly representational state transfer (REST) APIs have emerged as the primary enabler for integration between different applications and services. In the case of B2B e-commerce, APIs serve as a secure means for exposing mission-critical data to business partners. APIs also simplify the implementation of enterprise mobility initiatives and are one of the key enablers of the “Internet of Things” (IoT) phenomenon.

As per the survey results, while 38% of respondent enterprises have already implemented an API program, an additional 19% plan to implement an API program in the next year. Moreover, an additional 40% plan to implement an API program over the next 2 to 3 years. Interestingly, the survey results indicate that enterprise API initiatives are largely driven by business motivations, such as better engagement and collaboration with partners/customers, and branding, marketing and sales initiatives conducted via mobile and social channels. However, unless IT puts in place the necessary security, governance, and performance-management framework, the real business value of API initiatives will be difficult to achieve. The survey results reveal that 16% of respondent enterprises do not have a strategy for securing and governing the use of enterprise assets (applications, services, and data) exposed via APIs to external parties. Moreover, only 7% of respondents believe that existing data security and governance frameworks will be adequate for this purpose.

API management provides the requisite governance, performance management, and security framework to help ensure that enterprise API initiatives deliver positive business outcomes. Building on the service/message transformation and data security and governance capabilities provided by an API gateway, API management offers analytics and monitoring, as well as simplifying developer community management and engagement.

Given the diversity of access channels and user profiles within the digital ecosystem, security considerations extend far beyond access control and management. API management will allow security administrators to exercise fine-grained control over mission-critical data that is exposed to external parties and ensure data privacy and secure transmission over different interfaces.
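The two preceding passages describe the gateway as a single policy enforcement point that decides access and also shapes what data leaves the enterprise. What that looks like in practice is a fixed evaluation order (transport, authentication, authorization, then data policy), failing closed at the first unmet check before the backend is ever called, followed by field-level filtering of the response according to who is asking. The block below is an added example written for this paper, not code from Ovum or from Axway's API gateway; the consumer registry, scope names, route policy, upstream customer record and audit record layout are all constructed for the illustration.

```python
"""An API gateway acting as the policy enforcement point for an external-facing API.

Added example, not code from the Ovum paper or from Axway's API gateway.
The consumer registry, scope names, route policy, upstream customer record
and audit record layout are all constructed for this illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Consumer:
    client_id: str
    scopes: FrozenSet[str]


# Constructed consumer registry; a real gateway resolves this from the IAM suite.
CONSUMERS: Dict[str, Consumer] = {
    "hr-portal": Consumer("hr-portal", frozenset({"customers:read", "customers:pii"})),
    "acme-logistics": Consumer("acme-logistics", frozenset({"customers:read"})),
    "unknown-bot": Consumer("unknown-bot", frozenset()),
}

# Constructed route policy: the scope the route requires, fields that are
# dropped for consumers without customers:pii, and fields that are masked
# rather than dropped so a partner can still correlate records.
ROUTE_POLICY = {
    "/customers/{id}": {
        "scope": "customers:read",
        "drop_without_pii": {"national_id"},
        "mask_without_pii": {"email", "phone"},
    },
}

# Constructed upstream record and a call counter, so it can be shown that
# the backend is never touched when the gateway denies the request.
UPSTREAM_RECORD = {"id": "C-42", "name": "Dana Example", "email": "dana@example.com",
                   "phone": "+1-555-0100", "national_id": "123-45-6789", "tier": "gold"}
UPSTREAM_CALLS = {"n": 0}


def fetch_customer() -> dict:
    UPSTREAM_CALLS["n"] += 1
    return dict(UPSTREAM_RECORD)   # copy: filtering must never mutate backend state


AUDIT_LOG: List[dict] = []


def mask(value: str) -> str:
    """Stable token that lets a partner correlate records without seeing the value."""
    return "***" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def enforce(client_id: str, route: str, scheme: str = "https",
            upstream: Callable[[], dict] = fetch_customer) -> dict:
    """Evaluate transport, authentication, authorization and data policies in
    that order, fail closed at the first unmet one, then filter the response."""
    consumer = CONSUMERS.get(client_id)
    policy = ROUTE_POLICY.get(route)
    redacted: List[str] = []
    if scheme != "https":
        status, reason, body = 403, "tls_required", None
    elif consumer is None:
        status, reason, body = 401, "unknown_client", None
    elif policy is None:
        status, reason, body = 404, "no_such_route", None
    elif policy["scope"] not in consumer.scopes:
        status, reason, body = 403, "missing_scope:" + policy["scope"], None
    else:
        body = upstream()
        if "customers:pii" not in consumer.scopes:
            for field_name in policy["drop_without_pii"]:
                if body.pop(field_name, None) is not None:
                    redacted.append(field_name)
            for field_name in policy["mask_without_pii"]:
                if field_name in body:
                    body[field_name] = mask(body[field_name])
                    redacted.append(field_name)
        status, reason = 200, "allowed"
    # One audit record per decision, allowed or not, with what was withheld.
    AUDIT_LOG.append({"client_id": client_id, "route": route, "scheme": scheme,
                      "status": status, "reason": reason, "redacted": sorted(redacted)})
    return {"status": status, "reason": reason, "body": body}


if __name__ == "__main__":
    for client in ("hr-portal", "acme-logistics", "unknown-bot", "nobody"):
        print(client, enforce(client, "/customers/{id}"))
    print(enforce("hr-portal", "/customers/{id}", scheme="http"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points carry over to any real gateway: the upstream call sits inside the final branch so that a denied request generates an audit record but no backend traffic, and the audit entry records which fields were withheld, which is the evidence a compliance reviewer needs that the data policy, not just the access policy, was applied.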

Enterprises should focus on developing and implementing a holistic data security and governance strategy

The prevailing disconnect between enterprise integration strategy and data security and governance frameworks and policies makes governance of data flow across various applications, partners/customers, environments, and devices difficult to achieve. While in 58% of respondent enterprises (Figure 11) data security, privacy, and governance is an integral element of integration strategy, an even greater share of respondents (71%) revealed a disconnect between integration strategy and data security and governance frameworks and policies. This is easy to understand - even though key stakeholders may agree on certain security and governance frameworks, it is an entirely different proposition to implement the same across the enterprise and outside the firewall.


Figure 11: The level of disconnect between integration and data security and governance strategies

Source: Ovum

One of the reasons behind this disconnect is the disparity in how the “edge” of the enterprise is defined. With integration flows extending beyond the firewall, and to cloud environments and external devices, systems, and users, the traditional definitions of the “edge” are increasingly losing relevance. This results in the enforcement of different security and governance policies across integration flows within and outside the edge of the enterprise.

Another layer of complexity is added by the disparity in the identities of the various users, devices, and services involved in application and B2B integrations. For example, in many enterprises, individual users have corporate and social identities, service identities are tied to registries/repositories, and device and application identities (including contextual identities) are managed via a range of solutions. Identity federation is one of the most critical requirements for a unified approach to the enforcement and management of data security and governance policies within, at, and beyond the edge of the enterprise. API management will provide a “brokerage” layer for identity federation across the various IAM suites, registries/repositories, and other identity solutions, and offer a centralized policy enforcement point.

Enterprises should refrain from a LOB-driven procurement of file transfer solutions to ensure a strategic fit with existing data security and governance frameworks and policies. It is common to see LOBs using disparate file transfer solutions, without assessing the associated data security and compliance risk.

Enterprise architects and integration competency center (ICC)/integration center of excellence (COE) directors should focus on developing a composite governance layer across the different components of the existing middleware stack. A central governance layer offering a single view of data flow across the various processes, applications, communities, and users/devices involved in application and B2B/MFT-based integration is essential for meeting increasingly complex data security and governance requirements. This will ensure that there are no ‘governance silos’, which hinder the implementation of enterprise-wide data security and governance policies. In particular, IT should use this governance layer to centrally manage user identities and access rights, and as a single point of enforcement for security policies.


Conclusion

Complex data security and governance requirements as well as stringent regulatory compliance mandates have rendered the traditional approach to file transfer obsolete. While ad hoc approaches to file transfer (such as personal FSS solutions) continue to thrive, IT leaders increasingly recognize the need to eliminate the use of insecure means for internal and external file transfers. IT continues to struggle to keep traditional file transfer solutions up and running, as there is an unrelenting focus on higher value and more strategic initiatives. However, IT leaders have no option but to mitigate the business risk posed by internal and external security threats. A good start could be made by deploying a comprehensive MFT solution.

A comprehensive MFT solution will provide off-the-shelf integration with common middleware platforms and security products and end-to-end visibility into and monitoring of file transfers. In the context of multi-enterprise process automation (B2B integration), it will help to ensure the rapid onboarding of new customers and partners, as well as governing interactions with trading partners. Nevertheless, the true value of an MFT solution lies in its data security, governance, and auditing capabilities.

In particular, a comprehensive MFT solution will provide business and IT users with good visibility into internal and external data flows, and simplify the enforcement, management, and monitoring of security and governance policies. For example, insights based on monitoring and analysis of interactions involving file transfers can be used to streamline process automations and improve the efficiency and effectiveness of B2B e-commerce collaborations.

Beyond the integration imperatives, enterprises need to govern the flow of data within, at, and beyond the edge of the enterprise. For enterprise architects and ICC/integration COE directors, there is a clear call for action to devise a strategy for the development of a central governance layer on top of the different components of the existing middleware stack. For this purpose, a suitable combination of MFT, B2B integration, and API management solutions can be used for enabling, securing, and governing interactions at and beyond the edge of the enterprise. API management will be the crucial link to identity federation, besides being a centralized point of enforcement for security and governance policies.

There is also a requirement for data flow analytics to identify bottlenecks, exceptions, and policy violations to streamline process automation and improve QoS. Data flow analytics will allow the monitoring of business and technical KPIs and the creation of automated alerts and action triggers.
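The data flow analytics described here (exceptions and policy violations surfaced from transfer records, technical KPIs per flow, automated alerts) are the part of the governance layer a security operations team actually consumes, and the logic is easy to make concrete. The block below is an added example written for this paper, not code from Ovum or from any MFT product; the one-record-per-line log format, the partner allowlist, the per-flow SLA table and the sample log lines are all constructed for the illustration, and the rules go slightly beyond the text by also catching plaintext protocol use and transfers to unregistered partners, since those are the two violations a consolidation away from ad hoc FTP is meant to eliminate.

```python
"""Data flow analytics over MFT transfer records: policy violations, SLA
breaches and per-flow KPIs from a transfer log.

Added example, not code from the Ovum paper or from any MFT product. The
log line format, partner allowlist, SLA table and sample lines are all
constructed for this illustration.
"""
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Constructed format: an ISO timestamp followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")

ALLOWED_PARTNERS = {"acme", "bravo"}                 # constructed trading-partner registry
SECURE_PROTOCOLS = {"sftp", "ftps", "as2", "https"}  # anything else is plaintext on the wire
SLA_SECONDS = {"payroll_out": 60, "claims_in": 600, "edi_out": 300}  # constructed per-flow SLA

SAMPLE_LOG = """\
2015-03-02T08:15:03Z id=T1001 flow=payroll_out partner=acme proto=sftp size=1048576 dur_s=12 status=ok
2015-03-02T08:20:41Z id=T1002 flow=payroll_out partner=acme proto=ftp size=1048576 dur_s=9 status=ok
2015-03-02T09:02:17Z id=T1003 flow=claims_in partner=unknowncorp proto=sftp size=20480 dur_s=3 status=ok
2015-03-02T09:30:00Z id=T1004 flow=claims_in partner=bravo proto=sftp size=734003200 dur_s=712 status=ok
2015-03-02T10:11:45Z id=T1005 flow=edi_out partner=bravo proto=as2 size=4096 dur_s=2 status=failed
this line is not a transfer record
2015-03-02T10:12:05Z id=T1006 flow=edi_out partner=bravo proto=as2 size=4096 dur_s=2 status=ok
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict, or None when the line is not a well-formed transfer record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    for int_key in ("size", "dur_s"):
        try:
            rec[int_key] = int(rec[int_key])
        except (KeyError, ValueError):
            return None
    return rec


def check_record(rec: dict) -> List[Tuple[str, str]]:
    """Apply every policy rule; a single transfer can raise several alerts."""
    alerts = []
    if rec["proto"].lower() not in SECURE_PROTOCOLS:
        alerts.append(("plaintext_protocol", rec["id"]))
    if rec["partner"] not in ALLOWED_PARTNERS:
        alerts.append(("unknown_partner", rec["id"]))
    limit = SLA_SECONDS.get(rec["flow"])
    if limit is not None and rec["dur_s"] > limit:
        alerts.append(("sla_breach", rec["id"]))
    if rec["status"] != "ok":
        alerts.append(("failed_transfer", rec["id"]))
    return alerts


def analyze(log_text: str) -> dict:
    """Walk the log once, collecting alerts and per-flow KPIs."""
    alerts: List[Tuple[str, str]] = []
    per_flow = defaultdict(lambda: {"transfers": 0, "ok": 0, "bytes": 0})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1   # count and continue: a monitor that dies on one bad line is blind
            continue
        alerts.extend(check_record(rec))
        stats = per_flow[rec["flow"]]
        stats["transfers"] += 1
        stats["ok"] += 1 if rec["status"] == "ok" else 0
        stats["bytes"] += rec["size"]
    kpis = {flow: {**s, "success_rate": s["ok"] / s["transfers"]} for flow, s in per_flow.items()}
    return {"alerts": alerts, "kpis": kpis, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rule, transfer_id in result["alerts"]:
        print(f"ALERT {rule:20s} {transfer_id}")
    for flow, kpi in sorted(result["kpis"].items()):
        print(f"{flow:12s} transfers={kpi['transfers']} "
              f"success_rate={kpi['success_rate']:.2f} bytes={kpi['bytes']}")
    print("unparsed lines:", result["unparsed"])
```

Each alert is a (rule, transfer id) pair rather than a free-text message so that it can drive an action trigger (a ticket, a partner suspension, a retry) without re-parsing. The unparsed-line counter is itself a KPI worth alerting on: a sudden rise usually means a platform upgrade changed the record format and the monitor has silently stopped seeing most of the traffic.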

Appendix

Author

Saurabh Sharma, Senior Analyst, Software

[email protected]

Ovum Consulting

We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum’s consulting team may be able to help you. For more information about Ovum’s consulting capabilities, please contact us directly at [email protected].


Copyright notice and disclaimer

The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited.

Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard - readers assume full responsibility and risk accordingly for their use of such information and content.

Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited.


CONTACT US

www.ovum.com

[email protected]

INTERNATIONAL OFFICES

Beijing

Dubai

Hong Kong

Hyderabad

Johannesburg

London

Melbourne

New York

San Francisco

Sao Paulo

Tokyo