Site iconAxway Blog

Zero Trust security model: A modern approach to MFT

Zero Trust security model: A modern approach to MFT

Managed file transfer (MFT) continues to be a mission-critical aspect of a business. But as MFT dynamics change, so does the conversation around security. Teams are facing a once-in-a-generation data breach crisis. MFT is now a top ‘threat vector’ for organizations across regions and industries. This security concern has prompted a switch to a more secure cloud or hybrid file transfer. The biggest takeaway: the Zero Trust security model is the path forward. 

“From stolen or compromised credentials to malicious insider attacks, zero-day vulnerabilities, or cloud misconfigurations, MFT teams across regions and in all industries are facing a once-in-a-generation file data breach crisis,” says Paul Lavery, General Manager of Axway MFT. 

What is Zero Trust?   

Zero Trust is a security principle that no user, system, device, network, or service can be trusted until they verify themselves. All access attempts are treated as hostile unless proper authentication is provided. Authorized users, devices, and applications are given the “least privilege” access, or access only to those parts of the infrastructure that they need to complete specific tasks.   

Think about Zero Trust security in the context of a hotel. Everyone in a hotel has keycards: staff, guests, and even the hotel manager. The keycards only allow access to certain areas of the hotel: guests get access to their rooms and don’t have access to other guests’ rooms; they can access their floor but not other floors; they get access to the gym or the pool, but not the kitchen. Only a keycard can grant access, so if the hotel manager forgets their card at home, they need to go back and get it. 

Zero Trust architecture for managed file transfer combines network security principles with data protection strategies to create comprehensive cybersecurity frameworks. Operating under a principle of “trust no one until they’re verified,” the Zero Trust security model supports the strong security posture that modern enterprises need to operate successfully.  

Zero Trust is a guiding principle that enables secure digital transformation and allows your brand to be open for business. This cybersecurity framework allows you to:  

Assuming everyone is in breach mode, the Zero Trust security framework encourages giving users the most restricted access.  

Zero Trust architectures are a great step in the right direction to allow the business teams to innovate and the technology providers to enable what the business needs. It shouldn’t be any other way. In fact, Zero Trust should be a key skill to help you survive this wave of digital transformation. 

The Zero Trust security model supports modern MFT

Consider all the movement that’s happening in today’s MFT market. More and more businesses are moving to the cloud, with hybrid cloud models being popular. This shift means that MFT is being deployed in various ways.

As Meetesh Patel, Chief Product Officer at Axway, explained in a recent roundtable webinar with me, it also means the MFT footprint is getting bigger, making data breaches more of a beast to tackle.

 

Businesses undoubtedly need to adopt hybrid infrastructures to remain agile and competitive. But as the IT infrastructure becomes more complex and cybersecurity suffers a skills shortage, companies tend to lack visibility into what’s happening within their system — and that’s problematic.  

Industry research from McKinsey shows that “companies with high cloud aspirations don’t always have the right talent or culture to help them navigate complex cloud economics, operating-model changes, and the technical requirements needed to make cloud value a reality.” 

The cloud security statistics show that the number of data breaches is rising. In 2022, 39% of businesses experienced a data breach in the cloud. Now, in 2025, 54% of businesses report an increase in direct attacks to compromise infrastructure, highlighting escalating threats and data security risks.   

Attacks aren’t the only problem. We’ve all figured out a way of sharing a larger file via Dropbox, or at some point, used personal devices for unauthorized file sharing and shadow IT practices. We need to ensure the job gets done. The world we live in almost mandates us to figure out a quick way, and security often forces additional complexity. Who wins or loses in this battle?

From convenience to vulnerability: the case for Zero Trust

Zero Trust has gained prominence precisely because too much trust is what led enterprises to the very situation we now see: giving overly generous access to bypass complex security measures in order to keep up with the speed of business.

Using a personal device, transferring files over Dropbox, whitelisting internal IPs, or giving too many people admin permission levels to resolve error codes quickly gets the job done, and as a result, important security measures have frequently taken a back seat.

IT teams have attempted to put band-aid measures on the problem, masking the severity of the underlying damage.

We blocked and punched holes in firewalls and put a decent-sized perimeter around the datacenter hosting all our apps and services. Of course, this didn’t stop the actors who were already inside the building from causing extensive damage.

Cue the mass emails offering identity protection packages to customers when such incidents happen, affecting the brand value of the business. At the end of the day, businesses aren’t getting adequate quality of service from IT departments to process payments in financial services, fulfill medications in healthcare systems, or run supply chains in manufacturing and retail in a secure, reliable manner. A perfect example of such modern vulnerabilities is the file transfer vendor breaches seen in 2023: public access was being permitted to the admin interface of the solution, which was susceptible to injection attacks. The very fact that hackers were targeting businesses via their software supplier is a perfect example of Zero Trust failures: supply chains are targeted because they are trusted. 

Zero Trust is a reset of fundamentals that says, “we will no longer tolerate holes in policies and controls, and everyone will therefore be considered ‘untrusted’ at all times.”

How can businesses start to tackle Zero Trust security?

While there are clear incentives to adopt the Zero Trust security framework, aspects of it aren’t fully understood.  

In Capterra’s 2022 Zero Trust Survey, 47% of IT professionals reported that their company’s leaders don’t understand Zero Trust security. In 2025, Tailscale reported that 39% of IT, security, and engineering professionals cited leadership or organizational priorities as the reason for delayed security updates. This makes it more difficult to get their buy-in.  

At the same time, there’s a lack of consensus between security and operating teams. When these two teams aren’t aligned, it can lead to incompatible approaches that create further confusion in an already-complex process.  

Adding to this perfect storm, vendors are also still maturing and evolving in the Zero Trust security space. So, while customers are figuring out the best plan of action, many vendors are doing the same. 

Transitioning to a Zero Trust security model is a balancing act. On the one hand, businesses need the flexibility to accommodate unique needs in their MFT infrastructure.   

On the other, businesses need to establish rigid access in other areas to keep critical data safe. How does a solution do both jobs?  

“A lot of organizations are trying to figure out the best approach to using their own tooling connected with external third-party vendor tooling to secure their files or data,” noted Paul Lavery, General Manager of Axway MFT, who also joined us in the recent webinar discussion.  

The truth is that no one solution exists to deliver Zero Trust security. As an MFT, cloud, and hybrid infrastructure provider, Axway is working alongside customers and providers to validate appropriate solutions — and also providing guidance on how to start the Zero Trust security journey. 

5 steps businesses can take to kickstart their Zero Trust security journey  

Information Security expert Dan Hitchcock eerily predicted the current state of our existence:  

“The notion that the data is the asset of greatest interest is certainly not new to the attacker — the data has, ultimately, always been the target of the most successful, prolific, and damaging attacks.”  

“It starts with an important question: What is it that you’re trying to protect?  

It is not the network. It is not the host. It is the data.”

With that understanding as a foundation, security experts recommend these four methodologies and best practices that can help build a Zero Trust security journey: 

Download the checklist: 5 steps you can take to move toward Zero Trust security

What is stopping us from implementing Zero Trust principles to secure MFT?  

We don’t need to put the consumers of our services at risk of gambling away their privacy.  

We can enable that control plane by being ready to shrink the perimeter around the data and resources we are trying to protect. This is akin to asking hotel patrons to swipe their badges every time they are trying to access the gym in the hotel lobby.  

Zero Trust guides IT services and service providers in reducing the attack surface and providing the least privileged access. Fine-grained access controls have always been in place, but linking those with centralized identity management is the hygienic thing to do.  

Zero Trust is not really about trusting nothing. Zero Trust is about verifying everything explicitly. When I access my internal messenger from a new city, the pop-up to re-authorize is a price to pay for the risk of gambling with our customers’ data,  i.e., the context of where the users are coming from, the anomaly detection, and appropriate response to verify explicitly are done seamlessly behind the scenes. If humans are adept at it, why can’t we tokenize the authorization exchanges for our systems-to-systems interactions? 

The human element of the Zero Trust security model  

The learning curve around Zero Trust security is rather significant. It requires cybersecurity training, skills development, and a change in management approach. So it takes time for IT and operations teams to wrap their head around the logistics of it all. If people don’t spend enough time here, that’s where mistakes can occur.  

Architects and security experts are facing the challenge of how to get up to speed, fast. After all, the goal is to disrupt their MFT operations without slowing them down.  

 

While helping make Zero Trust security usable, Axway is also helping to deliver the technical expertise needed to support these initiatives.  

Our Managed File Transfer solution combines the power of a cloud platform or hybrid deployment with the reliability of experts who have 10+ years of experience in the space. We welcome the challenge of helping businesses successfully run their MFT operations in today’s security-driven landscape.  

Frequently asked questions  

What is Zero Trust security, and how does it apply to managed file transfer?  

Zero Trust security framework operates on the principle that no entity should be trusted by default and requires verification for every access request. In MFT systems, this security model treats every file transfer as potentially risky until authentication and authorization are provided. Applying Zero Trust creates systems where users receive only the minimum access necessary for their specific tasks. Rather than relying on network perimeters for protection, Zero Trust creates secure boundaries around the data that is being transferred, making sure that file exchange processes maintain security regardless of location or device used for access.  

How does Zero Trust architecture prevent data breaches in file transfer security?  

Zero Trust prevents file transfer breaches by eliminating the assumption that internal traffic is inherently safe. Instead of allowing users broad access, this architecture requires verification for each file transfer operation. If a breach occurs, Zero Trust architecture limits damage by restricting access to only the specific files and systems that users need, preventing further movement through the rest of the data.  

What are the main challenges to implementing Zero Trust in MFT?  

Balancing security requirements with operational flexibility may seem challenging. Nearly half of IT professionals report that company leaders don’t understand the security model. The introduction of personal mobile devices and cloud services complicates implementation further. The additional challenge is the lack of security specialists and culture to navigate the technical requirements. All of that makes achieving operational changes necessary for Zero Trust deployment difficult.  

What skills and training do IT teams need for Zero Trust MFT deployment?  

Zero Trust deployment requires architects and security specialists with modern competencies. This step will ensure that the system is functioning as intended without disrupting your normal operations. Other people dealing with this system need training in centralized identity management and governance model design. Little to no preparation time and training may compromise both security effectiveness and operational efficiency.  

What are the costs and ROI considerations for Zero Trust MFT implementation?  

Implementing Zero Trust architecture may require immediate implementation costs to prevent potential expenses from data breaches and compliance violations. The complexity of setting up and maintaining Zero Trust file transfer systems can drive the costs higher than anticipated. However, the ROI becomes apparent through reduced risk of security incidents and improved operational reliability that eliminates the need for manual work associated with legacy security systems. Besides, the pay-as-you-go subscription models that can help implement the Zero Trust approach provide predictable expenditures and scaling flexibility.  


Watch this webinar to learn more about the value of adopting a Zero Trust security model.

Exit mobile version