The xEvolve blog.
Migration, audit, and security notes for regulated file transfer.
- Entra SSO for SFTP operations: what auditors want to see
  OIDC federation for MFT consoles, MFA pairing, and SSH key hygiene: the identity story vendor reviews expect in 2026.
- Vendor risk questionnaires for MFT: the questions that stall deals
  Tenant isolation, audit exports, protocol sprawl: the dozen items that block procurement if your evidence pack is thin.
- ISO 27001 evidence for file transfer: A.8 controls that fail audits
  Deletion, DLP boundaries, and per-transfer logging: the Annex A controls that sink surveillance audits on SFTP shares.
- AS2 vs SFTP: how to answer when buyers ask
  Batch folders vs signed MDNs: map each protocol to its use case so RFP answers do not sound interchangeable.
- Cron schedules vs folder watchers: picking the right MFT trigger
  Predictable batch pulls vs event-driven latency: how to choose triggers without duplicate transfers or audit gaps.
- SFTP to cloud migration: the checklist auditors actually ask for
  Identity, encryption, retention, and evidence export: the four buckets every ISO 27001 or DORA review hits when you replace legacy MFT.
- MFT security controls buyers expect in 2026
  Entra SSO, TOTP MFA, per-transfer audit logs, and tenant isolation. What changed since the last vendor questionnaire you filled out.
- Data room vs SFTP share: when each fails compliance
  Ad-hoc SFTP folders leak permissions. Generic data rooms miss protocol adapters. How to pick the pattern for regulated file exchange.
- Your retention policy says 90 days. The SFTP archive has files from 2019.
  A documented 90-day retention policy never made it into the file-transfer lifecycle, so a litigation hold reveals years of regulated files nobody was supposed to still have. Why policy without enforcement is the retention trap that creates discovery risk.
- The acquisition closed before anyone audited how the target moved files
  Post-merger integration uncovers the acquired company's regulated data flowing over undocumented FTPS scripts and a personal Dropbox workaround. Why MFT due diligence is the integration gap that becomes the acquirer's liability.
- You moved SFTP logins to Entra SSO. The service accounts still use static passwords.
  A director proudly reports SSO coverage for human operators, but the automated partner integrations authenticate with shared static credentials that no MFA touches. Why the service-account blind spot undoes your SSO compliance story.
- The auditor gave you a week. Pulling the evidence took three.
  An ISO 27001 surveillance audit requests access reviews, transfer logs, and key-rotation records for file transfer, and a director discovers the evidence is scattered across hosts, scripts, and spreadsheets. Why evidence export readiness is the trap, not the controls themselves.
- The nightly transfer failed silently and the SLA breach surfaced a week later
  A cron-driven SFTP push hit a partner outage, retried zero times, logged nothing actionable, and nobody noticed until the partner reported missing settlement files. Why fire-and-forget scheduling is the operational trap behind missed SLAs.
- Two tenants, one misconfigured directory, and a cross-customer file leak
  A shared file-transfer landing zone that relies on directory permissions alone, with no per-tenant chroot or separate storage, lets one regulated customer glimpse another's filenames. Why 'logically separated' folders are the isolation claim that fails a pen test.
- The partner mandated AS2 with signed MDNs and your stack only does SFTP
  A new enterprise customer's onboarding packet requires AS2 with encrypted payloads and signed MDNs, and your SFTP-only platform stalls the go-live by a quarter. Why protocol breadth is a deal-timeline risk, not a technical detail.
- Your data never left the EU, except for the file-transfer hop that did
  A residency commitment to a regulated buyer holds for storage and compute, then a file-transfer relay routes through a US edge node and breaks the promise. Why directors miss residency violations hiding in the transfer path.
- The audit asked 'who received this file' and the logs couldn't say
  An auditor picks one regulated transaction and asks for the full chain of custody. The scripted SFTP job logged a connection but not the file, the recipient, or the outcome. Why missing per-transfer audit trails fail evidence requests.
- NIS2 turned your file-transfer vendor into your personal liability
  NIS2 makes management bodies accountable for supply-chain cyber risk, and the MFT platform moving your partner data is squarely in scope. Why a director can now be held liable, or temporarily barred from management functions, over a transfer vendor they never reviewed.
- The MFT renewal that tripled because nobody counted the connections
  A legacy MFT license priced per trading-partner connection quietly grew from 20 to 140 partners, and the renewal quote lands at 3x with no negotiating room. Why per-connection pricing is the cost trap finance owners never model.
- Why IT directors fund managed file transfer after the breach, not before
  The budget request for a governed MFT platform gets deferred two cycles, then approved in a week after a Cl0p-style file-transfer breach hits a peer. Why the business case for MFT only lands once the headline risk is concrete.
- Four file-transfer tools, three teams, zero consolidated audit trail
  Finance runs FTPS, the integration team runs AS2, ops has scripted SFTP, and a SaaS connector moves the rest. Why protocol and tool sprawl leaves an IT director unable to answer a single 'who moved that file' question.
- You deleted the data. You just can't prove it. The GDPR trap directors walk into.
  A data-subject erasure request is honored in the application, but the file sat in three SFTP staging directories and a partner's inbound queue. Why 'we deleted it' without deletion proof fails GDPR Article 17 and a DPA audit.
- Why 'we use SFTP' is the answer that lost your team the regulated deal
  A procurement lead's one-line security answer reads as naive to a regulated buyer's vendor-risk team, who wanted per-transfer audit trails, tenant isolation, and protocol options. How a flat protocol claim sinks deals before the demo.
- The SSH key that still works six months after the contractor left
  Offboarding revoked the contractor's Entra account but never touched the authorized_keys file on the SFTP host. Why orphaned SSH keys are the offboarding gap that turns into an unauthorized-access finding nobody can explain.
- The expired AS2 certificate that stopped a supply chain for a weekend
  A self-signed AS2 signing certificate expires at midnight on a Friday, and from that moment your largest retail partner rejects every message you sign with it and returns MDNs reporting failed verification. Why certificate lifecycle, not protocol choice, is the AS2 failure mode that bites operations managers.
- DORA quietly made file transfer a board-level risk. Most directors missed the memo.
  DORA's Register of Information forces financial entities to document every ICT third-party arrangement, including the MFT vendors moving regulated data. Directors who treated file transfer as plumbing now owe the regulator a documented entry that states whether the arrangement supports a critical or important function.
- The shadow SFTP server no director knows about, until the auditor finds it
  A forgotten OpenSSH daemon on a decommissioned VM moves real customer files for two years before an ISO 27001 auditor maps it. Why unmanaged SFTP is the single most common reason directors lose an asset-inventory control.
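Two of the posts above (the silent nightly failure with zero retries, and the audit question 'who received this file' that a connection log cannot answer) describe the same missing piece: one audit record per transfer attempt that names the file, the recipient and the outcome, produced by a job that retries a bounded number of times and raises an alert instead of failing quietly. The example below is added here and is not code from the xEvolve blog or any product it discusses. The partner endpoint is a constructed stand-in that refuses the first N connections; a real job would call an SFTP client in its place. The record field names are our own choice.

```python
"""Bounded retries plus a per-transfer audit record for a scheduled push.

Added example, not code from the xEvolve blog. FlakyPartner is a constructed
stand-in for a partner SFTP endpoint; the audit record layout is assumed.
"""
import hashlib
import json
import time


class TransferError(Exception):
    """Raised by the send callable when a single attempt fails."""


class FlakyPartner:
    """Constructed stand-in: refuses `failures` connections, then accepts."""

    def __init__(self, failures):
        self.failures = failures
        self.received = []

    def send(self, recipient, name, content):
        if self.failures > 0:
            self.failures -= 1
            raise TransferError(f"connection refused by {recipient}")
        self.received.append((name, content))


def run_transfer(job_id, name, content, recipient, send,
                 max_attempts=3, base_delay=1.0,
                 sleep=time.sleep, clock=time.time):
    """Push one file with exponential backoff, at most max_attempts times.

    Returns (delivered, records). Every attempt, success or failure, yields
    one record carrying the file identity (name, size, SHA-256), the
    recipient, the timestamp and the outcome, so the log can answer 'who
    received this file' rather than just 'a connection happened'. When the
    last attempt also fails, that record is flagged alert=True so a monitor
    can page someone instead of the job ending in silence.
    """
    digest = hashlib.sha256(content).hexdigest()
    records = []
    for attempt in range(1, max_attempts + 1):
        record = {
            "job_id": job_id, "attempt": attempt, "file": name,
            "size": len(content), "sha256": digest, "recipient": recipient,
            "ts": clock(), "outcome": None, "error": None, "alert": False,
        }
        try:
            send(recipient, name, content)
            record["outcome"] = "delivered"
        except TransferError as exc:
            record["outcome"] = "failed"
            record["error"] = str(exc)
        records.append(record)
        if record["outcome"] == "delivered":
            return True, records
        if attempt < max_attempts:
            sleep(base_delay * 2 ** (attempt - 1))
    records[-1]["alert"] = True
    return False, records


def to_jsonl(records):
    """Serialise records as JSON lines, one per attempt, for the audit log."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def who_received(jsonl, sha256):
    """Answer the chain-of-custody question from the log alone: every
    (recipient, timestamp) at which a file with this hash was delivered."""
    hits = []
    for line in jsonl.splitlines():
        r = json.loads(line)
        if r["sha256"] == sha256 and r["outcome"] == "delivered":
            hits.append((r["recipient"], r["ts"]))
    return hits


if __name__ == "__main__":
    partner = FlakyPartner(failures=2)
    ok, recs = run_transfer("settle-0421", "settlement.csv", b"a,b\n1,2\n",
                            "sftp.partner.example", partner.send,
                            sleep=lambda s: None)
    print(ok)
    print(to_jsonl(recs))
    print(who_received(to_jsonl(recs), recs[0]["sha256"]))
```

The `sleep` and `clock` parameters exist so the job can be exercised without waiting or depending on wall-clock time; in production the defaults are used. A cron wrapper would write `to_jsonl(records)` to an append-only log and forward any record with `alert` set to whatever pages the on-call engineer.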
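The orphaned-key post above turns on a check that is easy to run but rarely scheduled: read every authorized_keys file on the SFTP host and compare key owners against the identities that are still active. The example below is added here and is not code from the xEvolve blog. It assumes each key's comment field names its owner (the identity that offboarding would revoke), which holds only where keys were provisioned that way; the sample file, the active-identity list and the key blobs (base64 placeholders, not real keys) are constructed. It also flags keys that lack the OpenSSH `restrict` option or a `from=` source pin, since a forgotten key with neither is a full shell for whoever holds the private half.

```python
"""Audit an OpenSSH authorized_keys file for orphaned and unrestricted keys.

Added example, not code from the xEvolve blog. Assumes the comment field of
each key names its owner; sample file and active identities are constructed.
"""
import base64
import hashlib
import shlex

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _blob(label):
    # Placeholder key material; only its base64 shape matters for this audit.
    return base64.b64encode(label.encode()).decode()


# Constructed sample of an SFTP host's authorized_keys file.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: /home/sftp/.ssh/authorized_keys",
    'restrict,from="203.0.113.10",command="internal-sftp" ssh-ed25519 '
    + _blob("partner-acme") + " svc-partner-acme@mft",
    "ssh-ed25519 " + _blob("contractor") + " jdoe@contractor.example",
    "ssh-rsa " + _blob("alice") + " alice@example.com",
])

# Constructed list of identities the directory still considers active.
ACTIVE_IDENTITIES = {"svc-partner-acme@mft", "alice@example.com"}


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the digest)."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line: options, key type, blob, comment.

    Options, when present, precede the key type. shlex handles quoted option
    values such as command="internal-sftp -l INFO"; commas inside a quoted
    value are not special-cased, which does not affect the checks below.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no recognised key type or missing blob: skip
        options = " ".join(tokens[:idx]).split(",") if idx > 0 else []
        yield {
            "options": options,
            "type": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
        }


def audit(text, active):
    """Return a finding per key: who owns it, its fingerprint, and issues
    (orphaned owner, no 'restrict' option, no 'from=' source pin)."""
    findings = []
    for entry in parse_authorized_keys(text):
        owner = entry["comment"].split()[0] if entry["comment"] else "<no comment>"
        opts = entry["options"]
        issues = []
        if owner not in active:
            issues.append("orphaned")
        if "restrict" not in opts:
            issues.append("unrestricted")
        if not any(o.startswith("from=") for o in opts):
            issues.append("no-source-pin")
        findings.append({"owner": owner, "type": entry["type"],
                         "fingerprint": fingerprint(entry["blob"]),
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, ACTIVE_IDENTITIES):
        flag = ", ".join(f["issues"]) or "ok"
        print(f"{f['fingerprint']}  {f['owner']:28s} {flag}")
```

Run against real hosts, the active-identity set would come from the directory export that drives offboarding, and the fingerprint gives you the value to cross-reference with `sshd` auth logs if an orphaned key turns out to have been used.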