Mediaocean limits the SFTP Allowed IP list to a maximum of 5 IPs (5 each for NA and EMEA where appropriate) to protect the organization's data. If the SFTP data stores are open to the public internet, it is easier for hackers and terminated users who have the login info to compromise the data. Adding IPs also means overhead and performance impact.
The limit keeps client data as secure as it would be via VPN and keeps overhead reasonable while limiting the direct connections to the organization and MO. If the organization wants to share its data with other parties, it needs to do so from its host site, not by allowing vendors access to MO. MO does not have data protection agreements with third parties except those participating in Connect.
It is therefore best practice and our MO policy to limit the number of allowed IPs to 5. Any adjustment or exception needs to be approved by operations and security leadership. Such a request should come from the BSC (not CX/Support). However, to date, no exceptions have been approved, and many agencies have reduced their legacy allowed lists to meet the requirements.
Here are some alternatives:
- Deliver the file to a server at the client’s organization, which they manage internally (this also means that if they are down, files will not get delivered).
- Work with Product/Dev on a new delivery mechanism that is more self-managed, with security that separates better by agency and by users at the agency.
- Determine with senior management that user access trumps trying to improve security and remove IP restrictions for all agencies.