Posts Categorized Under "ENCRYPTION"

How Does MFT Work?

Compared to using a variety of standalone FTP and SFTP tools and scripts, managed file transfer (MFT) technology allows professionals to streamline how data is transferred. Managed file transfers help organizations send and receive files in their cloud and private networks, create and control workflows, automate file transfers, and centralize management from a single system.

The why behind using an MFT solution makes sense. It reduces costs, improves the quality of your data transmissions, and helps you meet stringent data security compliance requirements. It also simplifies your system-to-system, user-to-system, and user-to-user file transfers—and keeps security at the forefront of everything it does.

The what of an MFT solution is fairly straightforward. Managed file transfer solutions are a type of software that uses industry-standard network protocols and encryption methods to streamline the management of company data. What does “managed” in managed file transfer mean? It refers to how the solution can automate and transfer your data across your organization, network, systems, applications, trading partners, and cloud environments from a single, central interface.

So we know the what and why of MFT solutions, but we haven’t discussed the how of MFT solutions. How do managed file transfers work, and how do they affect you?

Step One: Original File is Sent from the MFT Program or Plugin

Say you need to send a confidential document to someone in a remote office. Maybe it’s a seasonal restaurant menu for another retail location, maybe it’s an audit report for a trading partner, or maybe it’s a financial document for a homeowner. Whatever the scenario, you can send the file to a third party by using an MFT solution.

The file’s journey from you to your recipient can start in many ways. You can:

  • Securely send the file through an MFT email plugin
  • Send it through a web client (access to the MFT solution from a browser)
  • Automatically send it directly through the managed file transfer workflow
  • Place a file in a dedicated folder that the recipient can connect to securely for download

Whatever method you choose to send your file, MFT ensures the data is transferred quickly and securely.

Step Two: Your MFT Solution Encrypts the File

After you send the email, upload the file to your browser, or drop it in a monitored folder, your MFT solution receives the data and secures it in a few different ways. MFT can encrypt your files using FIPS 140-2 compliant AES ciphers or the OpenPGP standard, among others. To protect your file transmissions, MFT can use SFTP, SCP, FTPS, AS2, and HTTPS protocols to encrypt the data you send. And an MFT solution like GoAnywhere MFT allows you to zip compress files before transmission.

Once your data is properly protected, you can also use your MFT solution to schedule file transfers, translate sent and received data to popular formats like Excel, XML, and JSON, update and pull files from monitored folders, and more.

Step Three: Encrypted File is Delivered to the Recipient & Decrypted

When the file leaves the MFT server, it is sent to whatever location you indicated for the recipient, whether that be a designated folder on a server, email address, or so on. The recipient at the remote office can then grab the file, decrypt it, and even translate it as needed.

For peace of mind, MFT solutions often include audit logs that store and track crucial audit information. This helps with PCI DSS and HIPAA compliance, but it also allows you to track the movement and activity of the file that occur once it leaves you, so you never have to wonder if the transfer was successful, if it failed, or whether or not the file was even opened.

If the recipient has a file to send you, they can repeat the process, starting the journey all over again!

Still curious about MFT solutions and if they’re right for your business?
You can learn more about the benefits of an MFT solution in our FREE whitepaper:

Beyond FTP: Securing and Managing File Transfers

Top Takeaways from the 2017 Cybersecurity Trend Report


Do you ever wish you knew how other businesses are dealing with today’s security threats? The 2017 Cybersecurity Trends Report, recently released by Crowd Research Partners, provides insight into the cybersecurity concerns and priorities of organizations across a wide range of industries.

The report is a comprehensive study revealing current cybersecurity trends in threat management, data protection, cloud security, application security, mobile security, security training and certification, managed security, and more. The 2017 report is based on a survey of more than 1,900 cybersecurity professionals across businesses of all sizes, from those with fewer than 10 employees (7 percent of respondents) to those with over 10,000 (26 percent of respondents). Download the full report here or read on for a few top takeaways.

#1 - Everyone is Worried about Cybersecurity

Security threats are a very real and urgent concern for most companies. Over half (54 percent) of cybersecurity professionals anticipate successful cyberattacks on their organization in the next 12 months. And they aren’t taking that threat lightly. 52 percent are boosting their security budget by an average of 21 percent.

Most professionals are not convinced that they are ready for an attack. 62 percent of respondents were moderately confident to not at all confident in their organization’s overall security posture.

#2 - Lack of Budget is Greatest Barrier to Security

While the majority of organizations are increasing their security budget, finances remain one of the top obstacles to stronger security, with 45 percent of respondents citing lack of budget as a barrier that inhibits the organization from defending against cyber threats.

For this reason, it’s essential that companies spend their money on solutions that give them a solid return on investment. Using free tools and apps where an enterprise-class product is needed can cause a company to fall victim to a cyberattack, while purchasing the most expensive tools on the market can leave you with empty pockets and a long list of features you don’t need.

Need to secure and streamline your file transfers? Maximize your investment with the MFT ROI Calculator.

#3 - Internal Threats & Untrained Employees are Biggest Threats

33 percent of cybersecurity professionals are worried about threats coming from within the company. While a malicious employee may hack into sensitive data intentionally, in most cases the more pressing concern is careless or uninformed staff members. A lack of skilled employees tops the list of barriers to both stronger security (45 percent) and to threat management (33 percent).

Whether your insider threats are malicious or careless, solutions with role-based security and auditing are recommended to help mitigate risk of a breach. Role-based security enables organizations to restrict permissions of individual users to only the information and functionality required to do their job, while auditing capabilities provide detailed audit logs of actions taken by each user.

Another top concern is the security of cloud applications, services, and infrastructure. Respondents cited fears including the need to protect against data loss, threats to data privacy, and breaches of confidentiality. To protect sensitive data transferred using a cloud-based solution, experts recommend verifying that the solution provides end-to-end encryption for protecting files at rest and in transit.

#4 - Encryption is Greatest File Transfer Challenge

The number one concern when it comes to transferring files is security, with 59 percent of survey respondents citing encryption of files as a challenge they face. This is a serious shortcoming given that 67 percent of respondents ranked data encryption as the most effective means for protecting against cybersecurity attacks. It’s critical that any organization transferring files implements a secure managed file transfer solution that streamlines the process of providing various types of encryption like SSL, SSH, AES, and OpenPGP.

Unfortunately, the majority of organizations surveyed are still using inadequate solutions. For example, email is still the most common file transfer method for smaller files, even though unsecured email is both vulnerable to cyberattack and difficult to track for auditing.

Over half of professionals surveyed said that they lack the tools to prove compliance related to transfer of sensitive files. The right enterprise file transfer software simplifies compliance by providing the security features required by major industry regulations, the reports an auditor needs to see, and even tools to help you check if your data transfers are meeting standards.

Learn more about what the 2017 Cybersecurity Trends Report means for your file transfers, or read the full report now.

Download the Cybersecurity Trends Report


Still using SHA-1 to secure file transfers? It’s time to say goodbye.

Securing information is rising in importance for organizations worldwide. Using outdated technology is extremely risky, yet many organizations continue to do so because legacy systems don’t allow them to upgrade, because they lack the resources and time to upgrade, or because they are simply unaware of the risk. The commonly used SHA-1 algorithm is a perfect example of an obsolete cryptographic standard that should have been completely phased out long ago. So why are people talking about it today?

With over a decade of warnings about the security vulnerabilities of SHA-1, and deprecation by the National Institute of Standards and Technology (NIST) in 2011, many organizations have since phased out use of this older hash algorithm. For those remaining organizations that haven’t migrated away from SHA-1, Google’s recent public announcement of the first SHA-1 collision should motivate them to abandon this algorithm completely.

Hash algorithms are widely used for a variety of functions including authentication and digital signatures. With file transfers, the algorithm was typically utilized to verify the integrity of sent messages. Using SHA-1, files are compressed into a 160-bit message digest or hash file which is calculated both before and after transmission. On receipt, the two hash values (or signatures) for that transmission are checked to ensure the data has remained intact, as long as both values still match. If the hash values don’t match, the file was likely compromised at some point along the way.

Having two different messages that produce the same hash value should be almost impossible. However, advancements in technology and computational power since the introduction of SHA-1 have exposed its vulnerabilities. With last week’s announcement, Google has proven that systems using SHA-1 can be fooled into thinking a signature is valid when it’s not by producing the same cryptographic hash with two different files. Now that the work is public, this legacy algorithm has been rendered obsolete and insecure.

How does the SHA-1 collision affect file transfers?

If you are still using SHA-1 to verify the integrity of file transfers, you should know that it is no longer considered a safe or secure method. Bottom line, if you still use SHA-1, it should be transitioned to a more secure standard as soon as possible.

If you’re looking to replace SHA-1, an obvious alternative would be SHA-2. The SHA-2 algorithm is a family of hash functions with values of 224, 256, 384 or 512 bits, thus providing stronger security with longer message digests. The more complex algorithms generate more potential hash combinations than were possible with SHA-1, which makes the SHA-2 algorithm extremely difficult to break using today’s technology.
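The before-and-after integrity check described above, moved to SHA-2, can look like the following added example (it is not GoAnywhere code). It assumes the sender publishes a hex digest alongside the file and that digests come only from the SHA-2 family, so the algorithm can be inferred from the digest length; the function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import io

# Hex-digest length -> hashlib name for the SHA-2 sizes the article lists.
SHA2_BY_HEX_LEN = {56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
# Lengths recognised only so they can be refused with a clear reason.
LEGACY_BY_HEX_LEN = {32: "md5", 40: "sha1"}
HEX_DIGITS = set("0123456789abcdef")


def digest_stream(stream, algorithm="sha256", chunk_size=64 * 1024):
    """Hash a binary stream in chunks so large files never sit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_transfer(stream, expected_hex):
    """Check received data against the digest the sender published.

    Returns (ok, reason). The digest must reach the receiver over a channel
    an attacker cannot alter, otherwise file and digest can both be swapped.
    """
    expected = expected_hex.strip().lower()
    if not expected or not set(expected) <= HEX_DIGITS:
        return False, "rejected: digest is not hexadecimal"
    legacy = LEGACY_BY_HEX_LEN.get(len(expected))
    if legacy:
        return False, "rejected: %s digest, require SHA-2" % legacy
    algorithm = SHA2_BY_HEX_LEN.get(len(expected))
    if algorithm is None:
        return False, "rejected: unrecognised digest length"
    actual = digest_stream(stream, algorithm)
    # Constant-time comparison; avoids leaking how many characters matched.
    if hmac.compare_digest(actual, expected):
        return True, "ok: %s match" % algorithm
    return False, "mismatch: %s digest differs" % algorithm


def run_demo():
    """Constructed sample: one payload checked four ways."""
    payload = b"constructed sample: Q3 audit report\n" * 1000
    sent_sha256 = hashlib.sha256(payload).hexdigest()
    sent_sha512 = hashlib.sha512(payload).hexdigest()
    sent_sha1 = hashlib.sha1(payload).hexdigest()  # what a legacy sender emits
    tampered = payload.replace(b"Q3", b"Q4", 1)
    return {
        "intact_sha256": verify_transfer(io.BytesIO(payload), sent_sha256),
        "intact_sha512": verify_transfer(io.BytesIO(payload), sent_sha512),
        "tampered": verify_transfer(io.BytesIO(tampered), sent_sha256),
        "legacy_sha1": verify_transfer(io.BytesIO(payload), sent_sha1),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Refusing the 40-character digest outright, rather than verifying it, is what keeps a partner who still sends SHA-1 from silently downgrading the check.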

GoAnywhere Managed File Transfer and SHA-2

GoAnywhere MFT fully supports the SHA-2 algorithm for secure file transfers over SFTP and FTPS. In addition, GoAnywhere is Drummond Certified for AS2 file transfers and successfully met all requirements for the optional AS2 secure hashing algorithm 2 (SHA-2) tests.


Video: How to Encrypt Files with OpenPGP Studio

Have you ever been asked to email a file that includes personal information like your prescription records, or your banking account information, or even your social security number? Many people share that kind of information over the internet and simply hope that it doesn't get hacked.

Linoma Software, developer of the enterprise solution GoAnywhere Managed File Transfer Suite, has made it much easier to keep this kind of confidential data protected with its recently released desktop encryption tool called GoAnywhere OpenPGP Studio.

This free PC tool is designed for people who occasionally need to share or store sensitive data. OpenPGP Studio lets users encrypt, decrypt, sign and verify files from their PCs or workstations. An integrated key manager allows anyone to quickly create, import, export and manage OpenPGP keys needed to encrypt and decrypt files. Best of all, it's intuitive so even those who claim to be "non-technical" can confidently use OpenPGP Studio.

Here's a video available on YouTube that shows just how easy OpenPGP Studio is to use.

You can download OpenPGP Studio from the GoAnywhere website, and then let us know what you think! If you need a more robust solution that includes automation, check out the GoAnywhere suite of products.


OpenPGP, PGP and GPG: What is the difference?

With privacy capabilities of encryption methods such as PGP (Pretty Good Privacy), data security can be heightened and privacy can be achieved.  There are various approaches, however, and various elements of comparison for each of these acronyms.  This article will explore the differences between PGP, OpenPGP, and GPG (GNU Privacy Guard), offering brief histories of their creations and summaries of their capabilities.

PGP (Pretty Good Privacy)

The company, PGP Inc., owned the rights to the original PGP encryption software.  This software was developed by Phil Zimmermann & Associates, LLC and released in 1991 to ensure the security of files that were posted on pre-internet bulletin boards.  From 1997 until 2010, the software changed hands several times until it was acquired by Symantec Corp., who continues to develop the PGP brand.

PGP encryption uses a combination of encryption methodologies such as hashing, data compression, symmetric-key cryptography and public key cryptography to keep data secure.  This process can be used to encrypt text files, emails, data files, directories and disk partitions.

OpenPGP

Zimmermann, one of the original PGP developers, soon began work on an open-source version of PGP encryption that employed encryption algorithms that had no licensing issues.

In 1997 he submitted an open-source PGP (OpenPGP) standards proposal to the IETF (Internet Engineering Task Force), to allow PGP standards-compliant encryption vendors to provide solutions that were compatible with other OpenPGP-compliant software vendors.   This strategy created an open and competitive environment for PGP encryption tools to thrive.

Today, OpenPGP is a standard of PGP that is open-source for public use, and the term can be used to describe any program that supports the OpenPGP system.

GPG (GNU Privacy Guard)

GnuPG was developed by Werner Koch and released in 1999 as an alternative to what is now Symantec's software suite of encryption tools.  It is available as a free software download, and is based on the OpenPGP standards established by the IETF so that it would be interoperable with Symantec's PGP tools as well as OpenPGP standards. Therefore, GPG can open and decrypt any PGP and OpenPGP standards file.

GPG provides a graphic user interface when integrating into email and program systems such as Linux.  Some software solutions for encryption utilize GPG coding, while others encrypt using command line functions in a menu-based Perl script.

A variety of popular solutions have developed their PGP encryption products following the OpenPGP standards.  Some of these products include GoAnywhere OpenPGP Studio and GoAnywhere Managed File Transfer.

Summary

OpenPGP is the IETF-approved standard that describes encryption technologies that use processes that are interoperable with PGP.  PGP is a proprietary encryption solution, and the rights to its software are owned by Symantec.  GPG is another popular solution that follows the OpenPGP standards to provide an interface for end users to easily encrypt their files.

As the need to encrypt and protect data becomes ever more critical, organizations will continue to develop software based on these three systems.

Start protecting sensitive files today with our Free Open PGP Encryption Software available for download.

Do you have a specific question about PGP, OpenPGP or GPG? Comment below and an encryption specialist will weigh in!


FIPS 140-2 Validation Encryption Module Now Available for GoAnywhere

Linoma Software has partnered with RSA Corporation to make it easier for organizations to do business with the government by adding the FIPS 140-2 Validation Encryption Module to its GoAnywhere suite of managed file transfer products.  Read the press release.

Most companies at one time or another find that they need to transfer or exchange sensitive data files with the government, whether it's the IRS, the SEC, or other state or federal agencies.

Increasingly, more organizations are wanting to become vendors for the government, and for those companies, meeting the federal government's strict data security compliance standards is required before any business relationship can ensue.

That's where the Federal Information Processing Standard (FIPS) 140-2 comes in.  FIPS is a U.S. government computer security standard for the accreditation of cryptographic modules.

In order for a module to receive FIPS 140-2 accreditation, it must undergo a time-consuming and rigorous testing process through a third-party laboratory that's been certified by the National Institute of Standards and Technology (NIST) through its National Voluntary Laboratory Accreditation Program.

Because the FIPS 140-2 accreditation process is so daunting and expensive, only a few vendors have successfully earned the esteemed designation. RSA Corporation is one of these elite vendors.

RSA is a leader in information security and sponsors the popular annual RSA Conference that attracts security professionals from all over the world.  As a premier security organization, they have chosen to partner with Linoma Software to embed their FIPS 140-2 validation encryption module into GoAnywhere Director and GoAnywhere Services.

Once a GoAnywhere customer activates the FIPS 140-2 Compliance Mode, only FIPS 140-2 compliant ciphers (e.g. AES, Triple DES) will be permitted for encryption processes. The RSA security module will be utilized for any SSH and SSL communications in GoAnywhere including SFTP, SCP, FTPS and HTTPS protocols.

For companies exploring the myriad business opportunities available with government at all levels, being prepared by incorporating FIPS 140-2 validation encryption into your data transfer processes is a key step in winning those lucrative government contracts.


Encrypting Files with OpenPGP

When our users send a file over the Internet there are really just a few things that seem important to them at the time:

a)      Is the file complete?

b)      Is it being sent to the right place?

c)      Will it arrive intact? and -- if the data is sensitive --

d)     Will the intended recipient (and only that recipient) be able to use it?

That's where encryption comes in: By scrambling the data using one or more encryption algorithms, the sender of the file can feel confident that the data has been secured.

But what about the file's recipient? Will she/he be able to decode the scrambled file?

Encryption, Decryption, and PGP

For years, PGP has been one of the most widely used technologies for encrypting and decrypting files. PGP stands for "Pretty Good Privacy" and it was developed in the early 1990s by Philip Zimmermann. Today it is considered to be one of the safest cryptographic technologies for signing, encrypting and decrypting texts, e-mails, files, directories and even whole partitions.

How PGP Works

PGP encryption employs a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography. Each step uses one of several supported algorithms. A resulting public key is bound to a user name and/or an e-mail address. Current versions of PGP employ both the original "Web of Trust" authentication method, and the X.509 specification of a hierarchical "Certificate Authority" method to ensure that only the right people can decode the encrypted files.
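The hybrid structure described above is visible in the packet layout of an encrypted OpenPGP message. The following added example (not code from PGP, GnuPG or GoAnywhere) walks the packet headers of a binary, non-armored message as defined in RFC 4880 sections 4.2 and 4.3 and checks for session-key packets followed by a symmetrically encrypted data packet; the function names and the sample bytes are constructed for illustration.

```python
# Packet tags from RFC 4880, section 4.3 (subset relevant to messages).
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    2: "Signature",
    3: "Symmetric-Key Encrypted Session Key",
    4: "One-Pass Signature",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data",
}
SESSION_KEY_TAGS = {1, 3}
ENCRYPTED_DATA_TAGS = {9, 18}


def _new_format_length(data, pos):
    """Decode one new-format length; return (length, octets_used, partial)."""
    first = data[pos]
    if first < 192:
        return first, 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), 5, False
    return 1 << (first & 0x1F), 1, True  # partial body chunk, more follow


def list_packets(data):
    """Walk a binary OpenPGP message; return [(tag, header_format, body_len)]."""
    packets, pos = [], 0
    try:
        while pos < len(data):
            first = data[pos]
            if not first & 0x80:
                raise ValueError("offset %d: bit 7 clear, not a packet" % pos)
            pos += 1
            if first & 0x40:  # new format: tag in bits 5-0
                tag, fmt, body_len = first & 0x3F, "new", 0
                partial = True
                while partial:
                    length, used, partial = _new_format_length(data, pos)
                    pos += used + length
                    body_len += length
            else:  # old format: tag in bits 5-2, length type in bits 1-0
                tag, fmt, ltype = (first >> 2) & 0x0F, "old", first & 0x03
                if ltype == 3:  # indeterminate: body runs to end of input
                    body_len = len(data) - pos
                else:
                    size = (1, 2, 4)[ltype]
                    body_len = int.from_bytes(data[pos:pos + size], "big")
                    pos += size
                pos += body_len
            if pos > len(data):
                raise ValueError("packet with tag %d is truncated" % tag)
            packets.append((tag, fmt, body_len))
    except IndexError:
        raise ValueError("input ends inside a packet header") from None
    return packets


def describe(data):
    """Human-readable packet names, in order of appearance."""
    return [TAG_NAMES.get(t, "tag %d" % t) for t, _, _ in list_packets(data)]


def is_hybrid_encrypted(packets):
    """True if session-key packet(s) precede exactly one encrypted-data packet."""
    tags = [tag for tag, _, _ in packets]
    keys = 0
    while keys < len(tags) and tags[keys] in SESSION_KEY_TAGS:
        keys += 1
    return keys > 0 and len(tags) == keys + 1 and tags[keys] in ENCRYPTED_DATA_TAGS


def sample_message():
    """Constructed bytes, not real ciphertext: packet bodies are zero-filled."""
    pkesk = bytes([0x84, 10]) + bytes(10)            # old format, tag 1
    seipd = bytes([0xD2, 0xC0, 0x08]) + bytes(200)   # new format, tag 18
    return pkesk + seipd


if __name__ == "__main__":
    print(describe(sample_message()))
    print(is_hybrid_encrypted(list_packets(sample_message())))
```

Only the public-key and symmetric layers show at this level; the compressed data, literal data and any signature packets sit inside the encrypted body and appear only after decryption.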

Why are these details important for you to know?

Growing Pains for PGP

PGP has gone through some significant growing pains - including a widely publicized criminal investigation by the U.S. Government. (Don't worry! The Federal investigation was closed in 1996 after Zimmermann published the source code.)

One result of PGP's growing pains has been the fragmentation of PGP: Earlier versions of the technology sometimes cannot decode the more recent versions deployed within various software applications. This PGP versioning problem was exacerbated as the ownership of the PGP technology was handed off from one company to another over the last 20 years.

And yet, because PGP is such a powerful tool for ensuring privacy in data transmission, its use continues to spread far more quickly than other commercially owned encryption technologies.

Fragmentation and the Future of PGP

So how is the industry managing the issue of PGP fragmentation? The answer is the OpenPGP Alliance.

In January 2001, Zimmermann started the OpenPGP Alliance, establishing a Working Group of developers that are seeking the qualification of OpenPGP as an Internet Engineering Task Force (IETF) Internet Standard.

Why is this important to you? By establishing OpenPGP as an Internet Standard, fragmentation of the PGP technology can be charted and - to a large degree - controlled.

This means that the encrypted file destined for your system will be using a documented, standardized encryption technology, OpenPGP, that can be appropriately decrypted. The standardization helps ensure privacy, interoperability between different computing systems, and the charting of a clear path for securely interchanging data.

The OpenPGP Standard and Linoma Software

OpenPGP has now reached the second stage in the IETF's four-step standards process, and is currently seeking draft standard status. (The standards document for OpenPGP is RFC4880.)

Linoma Software uses OpenPGP in its GoAnywhere Director Managed File Transfer solution. Just as importantly, Linoma Software is an active member of the OpenPGP Alliance, contributing to the processes that will ensure that OpenPGP becomes a documented IETF Internet Standard. This will ensure that your investment in Linoma's GoAnywhere managed file transfer software remains current, relevant, and productive.

For more information about OpenPGP and the OpenPGP Alliance, go to http://www.openpgp.org. To better understand how OpenPGP can help your company secure its data transfers, check out Linoma Software's GoAnywhere Director managed file transfer (MFT) solution.


Who is Protecting Your Health Care Records?

Patient Privacy in Jeopardy

How important is a patient's privacy? If your organization is a health care facility, the instinctive answer that comes to mind is "Very important!" After all, a patient's privacy is the basis upon which the doctor/patient relationship is based. Right?

But the real answer, when it comes to patient data, may surprise you. According to a study released by the Ponemon Institute, "patient data is being unknowingly exposed until the patients themselves detect the breach."

The independent study, entitled "Benchmark Study on Patient Privacy and Data Security" and published in November of 2010, examined the privacy and data protection policies of 65 health care organizations, in accordance with the mandated Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH requires health care providers to provide stronger safeguards for patient data and to notify patients when their information has been breached.

Patient Data Protection Not a Priority?

According to the study, seventy percent of hospitals say that protecting patient data is not a top priority. Most at risk is billing information and medical records which are not being protected. More significantly, there is little or no oversight of the data itself, as patients are the first to detect breaches and end up notifying the health care facility themselves.

The study reports that most health care organizations do not have the staff or the technology to adequately protect their patients' information. The majority (67 percent) say that they have fewer than two staff members dedicated to data protection management.

And perhaps because of this lack of resources, sixty percent of organizations in the study had more than two data breaches in the past two years, at a cost of almost $2M per organization. The estimated cost per year to our health care systems is over $6B.

This begs the question: Why?

HITECH Rules Fail to Ensure Protection

HITECH encourages health care organizations to move to Electronic Health Records (EHR) systems to help better secure patient data. And, indeed, the majority of those organizations in the studies (89 percent) said they have either fully implemented or planned soon to fully implement EHR. Yet the HITECH regulations to date do not seem to have diminished security breaches at all, and the Ponemon Institute's study provides a sobering evaluation:

Despite the intent of these rules (HITECH), the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.

Unintentional Actions - The Primary Cause of Breaches

According to the report, the primary causes of data loss or theft were unintentional employee action (52 percent), lost or stolen computing device (41 percent) and third-party mistakes (34 percent).

Indeed, it would seem that - with the use of EHR systems - technologies should be deployed to assist in preventing these unintentional breaches. And while 85 percent believe they do comply with the loose legal privacy requirements of HIPAA, only 10 percent are confident that they are able to protect patient information when used by outsourcers and cloud computing providers. More significantly, only 23 percent of respondents believed they were capable of curtailing physical access to data storage devices and servers.

The study lists 20 commonly used technology methodologies encouraged by HITECH and deployed by these institutions, including firewalls, intrusion prevention systems, monitoring systems, and encryption. The confidence these institutions feel in these technologies is also listed. Firewalls are the top choice for both data breach prevention and compliance with HIPAA. Also popular for accomplishing both are access governance systems and privileged user management. Respondents favor anti-virus and anti-malware for data breach prevention, and for compliance with HIPAA they favor encryption for data at rest.

The Value of Encryption

The study points to the value of encryption technologies - for both compliance purposes and for the prevention of unintended disclosure - and this value is perceived as particularly high by those who participated in the study: 72 percent see it as a necessary technology for compliance, even though only 60 percent are currently deploying it for data breach prevention. This identified need for encryption falls just behind the use of firewalls (78 percent) and the requirements of access governance (73 percent).

Encryption for data-at-rest is one of the key technologies that HITECH specifically identifies: An encrypted file cannot be accidentally examined without the appropriate credentials. In addition, some encryption packages, such as Linoma's Crypto Complete, monitor and record when and by whom data has been examined. These safeguards permit IT security to audit the use of data to ensure that - should an intrusion breach occur - the scope and seriousness of the breach can be assessed quickly and confidently.

So how important is a patient's privacy? We believe it's vitally important. And this report from the Ponemon Institute should make good reading to help your organization come to terms with the growing epidemic of security breaches.

Read how Bristol Hospital utilizes GoAnywhere Director to secure sensitive data.


SQL Field Procedures in IBM i 7.1

Field Encryption on the IBM i just got easier. SQL Field Procedures are a new DB2 feature in version 7.1 that allows a user-specified "exit" program to be called whenever data is read from, inserted into, or updated in a field (column). This is somewhat similar to database column triggers; however there are two distinct advantages:

  1. Field Procedures allow data to be modified on a Read operation, which allows the exit program to automatically decrypt the field value before it is returned to the customer's application.
  2. Field Procedures provide a separate internal space to store the encrypted version of the field value. This allows organizations to encrypt numeric fields such as packed decimal, signed decimal and integer data types without having to store the encrypted values in a separate file.

While IBM provided the hooks into the database with Field Procedures, they rely on 3rd party vendors like us to provide the encryption functions and key management. Linoma worked closely with IBM to test the new Field Procedures and provide feedback to their development team during the early release beta program for 7.1. This also allowed Linoma sufficient time to fully integrate Field Procedures into Crypto Complete for readiness when i 7.1 ships.

We're excited about Field Procedures since it will allow customers to implement column-level encryption on the IBM i without modifying their applications. This is especially important if a customer is running a canned application and/or does not want to modify their source code.