Posts Categorized Under "FTP"

USPS Eliminates FTP, Requires Secure File Transfers via SFTP, AS2 or PDX

Early this year, the United States Postal Service (USPS) announced the elimination of FTP (File Transfer Protocol) from their business practices and policies—a change that strengthens the security of their data transmissions and addresses recent audit findings.

What does this mean for you? The change is still in transition for now, but after August 31, 2017, mailers and shippers will need to send data to the USPS using one of the following secure communication methods: PDX (Parcel Data Exchange), SFTP (Secure File Transfer Protocol), or AS2 (Applicability Statement 2). This applies to SSF, EMM, BPOD, DEXTRO, and ERR files.

Any of these approved methods will work. The USPS lists PDX as preferred, allowing business customers and third-party vendors to use PDX through their web application. But for those who can’t or don’t want to switch to PDX, SFTP or AS2 are just as secure, cost-friendly, and easy to implement.

Are you in the market for a solution that supports SFTP and AS2 protocols? GoAnywhere MFT offers both of these in a managed file transfer solution that’s affordable and intuitive. Connect to Secure FTP servers (including SFTP, FTPS, and SCP) for protected communication, or send AS2 messages with multiple file attachments. However you want to do it, we’ve got you covered.

To see how GoAnywhere MFT can meet these new USPS policies and save your organization money in the process, request a demo.

 


SFTP vs. FTPS: The Key Differences

FTP, SFTP, FTPS, HTTPS, AS2… the many options for transferring files can make it confusing to answer the question that matters—what is the best way to secure your company’s data during transfer? This blog post is an introduction to the differences between the two mainstream secure FTP protocols, SFTP and FTPS, and which is the best choice to protect your file transfers.

Can’t I Just Use FTP?

FTP is a popular file transfer method that has been around longer than the world wide web—and it hasn’t changed much since its invention. Back then, it was usually assumed that internet activity was not malicious, so FTP wasn’t created with features to deal with the kind of cybersecurity threats we now see in the news every day.

FTP exchanges data using two separate channels known as the command channel and data channel.  With FTP, both channels are unencrypted, leaving any data sent over these channels vulnerable to being intercepted and read.

Even if a man-in-the-middle attack is a risk that you are personally willing to take, industry regulations such as PCI DSS, HIPAA, and others, require data transfers to be encrypted. Unfortunately, despite escalating security risks and the high cost of non-compliance, FTP is actually growing in popularity.

We highly recommend you avoid the basic FTP protocol and choose a secure option.

What is FTPS?

In the 1990s concern about internet security was growing, and in response Netscape created the Secure Sockets Layer (SSL, now known as TLS) protocol to protect communications over a network. SSL was applied to FTP to create FTPS. Like FTP, FTPS uses two connections, a command channel and a data channel. You can choose to encrypt both connections or only the data channel.

FTPS authenticates your connection using either a user ID and password, a certificate, or both. When connecting to a trading partner's FTPS server, your FTPS client will first check if the server's certificate is trusted. The certificate is considered trusted if either the certificate was signed by a known certificate authority (CA), or if the certificate was self-signed by your partner and you have a copy of their public certificate in your trusted key store. Your partner may also require that you supply a certificate when you connect to them. If your certificate isn’t signed by a third-party CA, your partner may allow you to self-sign your certificate, sending them the public portion beforehand to load into their trusted key store.

User ID authentication can be used with any combination of certificate and/or password authentication.

What is SFTP?

While FTPS adds a layer to the FTP protocol, SFTP is an entirely different protocol based on the network protocol SSH (Secure Shell) rather than FTP. Unlike both FTP and FTPS, SFTP uses only one connection and encrypts both authentication information and data files being transferred.

SFTP provides two methods for authenticating connections. Like FTP, you can simply use a user ID and password. However, with SFTP these credentials are encrypted, which gives it a major security advantage over FTP. The other authentication method you can use with SFTP is SSH keys. This involves first generating an SSH private key and public key. You then send your SSH public key to your trading partner and they load it onto their server and associate it with your account. When you connect to their SFTP server, your client software will transmit your public key to the server for authentication. If the public key matches your private key, along with any user or password supplied, then the authentication will succeed.

User ID authentication can be used with any combination of key and/or password authentication.
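The key exchange described above depends on the partner registering exactly the public key you sent. The following added example (not from the original post or from GoAnywhere) parses an OpenSSH public key line, computes the SHA256 fingerprint in the form `ssh-keygen -lf` prints so both sides can compare it over a separate channel, and looks up which account a presented key belongs to. The function names, the `ALLOWED_TYPES` policy and the sample keys are assumptions; the keys are constructed filler bytes, not real keys.

```python
import base64
import hashlib
import hmac
import struct

# Assumed local policy for this example: key types accepted from partners.
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key(line: str):
    """Parse '<type> <base64 blob> [comment]' and return (type, blob, comment).

    Assumes no authorized_keys options precede the key type.
    Raises ValueError on malformed or disallowed keys.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type {key_type!r} not allowed by policy")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob names its own algorithm; a mismatch means a damaged or edited line.
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def confirm_partner_key(received_line: str, fingerprint_read_back: str) -> bool:
    """Onboarding check: the key that arrived (e.g. by e-mail) must match the
    fingerprint the partner read back over a separate channel."""
    _, blob, _ = parse_public_key(received_line)
    return hmac.compare_digest(fingerprint(blob).encode(),
                               fingerprint_read_back.encode())


def account_for_key(registered: dict, presented_blob: bytes):
    """Return the account whose registered key equals the presented key.

    A match only selects the account. The SSH server additionally requires a
    signature made with the private key, which is not modelled here.
    """
    for account, line in registered.items():
        _, blob, _ = parse_public_key(line)
        if hmac.compare_digest(blob, presented_blob):
            return account
    return None


def constructed_key_line(seed: int, comment: str) -> str:
    """Build a well-formed ssh-ed25519 line from filler bytes (not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    line = constructed_key_line(7, "acme@example")
    print(fingerprint(parse_public_key(line)[1]))
```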

What is the difference between FTPS and SFTP?

We’ve established that both FTPS and SFTP offer strong protection through authentication options that FTP can’t provide. So why should you choose one over the other?

One major difference between FTPS and SFTP is that FTPS uses multiple port numbers. The first port, for the command channel, is used for authentication and passing commands. However, every time a file transfer request or directory listing request is made, another port number needs to be opened for the data channel. You and your trading partners will therefore have to open a range of ports in your firewalls to allow for FTPS connections, which can be a security risk for your network. SFTP needs only a single port number for all SFTP communications, making it easy to secure.

While both protocols have their benefits, we recommend SFTP thanks to its better usability with firewalls. For an enterprise, it is ideal to have a managed file transfer (MFT) solution that can manage, monitor, and automate file transfers using a variety of protocols, including FTPS and SFTP. MFT is extremely valuable if you have trading partners with different requirements, and it has additional features like detailed audit logs to help you comply with industry regulations.

GoAnywhere is a managed file transfer solution that supports both SFTP and FTPS. Learn more about GoAnywhere MFT.


No Such Thing as a Free File Transfer, Part 2: Cost-effective Security

With new corporate data breaches in the news seemingly every day, it’s no surprise that security is a top concern for IT professionals. However, file transfers are an area where many companies are still vulnerable. Most file transfers still use FTP, a protocol that comes with inherent risks. It’s especially worrisome that, as TechRepublic points out, FTP is actually becoming more popular again. Other common file transfer solutions, like file sharing apps, come with their own security concerns.

This is the second in a series of articles about the ROI of managed file transfer (MFT), the first of which covered time savings. There’s no doubt that data breaches are costly. The 2016 Ponemon Cost of Data Breach Study puts the current cost at $4 million—$158 per record breached. So it’s a no-brainer that a solution to secure your file transfers would bring you a great return on investment.

And yet, when you try to get internal approval for products to help with security, proving the ROI can be difficult. A good security tool is by nature preventative. If you haven’t suffered a breach (or you have and don’t know about it yet), you probably don’t have a way to precisely calculate cost-savings.

Still, your data certainly has value, and you know you have to keep it secure. So how do you know you are protecting your file transfers with the solution that gives you the most bang for your buck? By making sure the software you choose addresses all of the top file transfer security concerns within one solution—no additional purchases or custom scripting required.

A Variety of Secure Protocols

FTP has been proven vulnerable to hacking. For example, 7,000 FTP sites, including an FTP server run by The New York Times, had their credentials circulated in underground forums in 2014. In some cases, hackers used the credentials to upload malicious files.

It’s essential for modern enterprises to turn to more modern and secure file transfer methods, such as:

  • AS2: AS2 generates an "envelope" for the data, allowing it to be sent using digital certifications and encryption.
  • SFTP and FTPS: These secure FTP protocols bring down the risk during data exchange by using a secure channel between computer systems.
  • HTTPS: The secure version of HTTP, HTTPS encrypts communications between browser and website.

Which of these methods your company implements may depend on several factors, like your industry compliance requirements or what your trading partners use. Your requirements may also change over time. That’s why the best investment is a versatile managed file transfer solution that can handle any of these protocols and more.   

Protection against People

When you imagine the security threat to your company, you might conjure up images of hackers working tirelessly to access your systems and use your data for nefarious purposes. The truth is, one of your biggest threats is probably in the office down the hall.

A 2015 study found that internal actors were responsible for 43% of data loss. Half of this is intentional—disgruntled or opportunistic employees, contractors, or suppliers performing deliberate acts of data theft. But half of it is accidental. People like to cut corners, and probably most employees in your company aren’t as concerned about security as you are.

Any file transfer solution with a good ROI has to address the threat coming from within the business.  You want to have role-based security options that limit each user to the servers and the functions of managed file transfer that they absolutely need to use. Detailed audit logs mean you always know who is doing what with the solution.

Ensure Compliance

In many industries, inadequate security practices don’t just put your own corporate data at risk, they can endanger highly sensitive information like credit card numbers and health records. For this reason, a number of regulations exist to protect personal data. A few of the most common are PCI DSS, Sarbanes-Oxley, and HIPAA, but your industry may have others.

A 2011 study found that while the cost of compliance averaged more than $3.5 million, the estimated cost of failing to comply was $9.4 million, showing that a solution that can help you comply with regulations has a clear ROI. In the case of file transfers, your MFT platform should have a number of encryption methods available to protect sensitive data including SSL, SSH, AES, and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine what files are being sent, what time they are sent, and who the sender and receiver are.

Modernization and Scalability

Once you go to the effort of choosing a file transfer solution that will protect your company, convince management of its necessity, and implement the software, the last thing you want to have to do is change it two years down the road because your company is bigger, has more compliance requirements, or has new trading partners.

A managed file transfer platform from an established, reliable software provider will make sure you stay updated with the features necessary to combat current security threats. Furthermore, if your volume of file transfers increases, you won’t need to invest in a new tool to handle the workload.

Bonus: Increased Productivity

If your managed file transfer solution can prevent a data breach, that alone makes it worth the investment. But what if it could increase productivity and reduce errors at the same time? The automation capabilities of managed file transfer software allow you to make a high volume of file transfers without the need for tedious manual work. Streamlining this process—and eliminating the risk of human error—adds to your organization’s bottom line.

Read more about safeguarding company data and limiting risk, or get started with a free trial of managed file transfer.


No Such Thing as a Free File Transfer, Part I: How MFT Saves Time

Every business engages in some kind of information exchange, whether it’s a small retailer attaching an invoice to an email or a hospital sending hundreds of patient records between departments. Some methods of exchanging files, like a basic FTP server or a file sharing app, seem like an inexpensive way to deal with your transfers. In the long run, however, the shortfalls of these tools will likely cost your company significantly more than the investment in a sophisticated managed file transfer (MFT) solution.

A study by the Aberdeen Group found that every file sent “for free” actually has an 80% chance of costing your organization money. In a new series of articles, we’ll break down the reasons why MFT gives your company a better ROI than any other file transfer solution. The first reason we’ll discuss is the time you’ll save with managed file transfer.

We’ve all heard that time is money, and if you’ve ever been the unlucky person manually transferring files by FTP, it’s no stretch of the imagination to think that automated file transfer software would save a bit of time on each exchange. But you probably haven’t even thought of all the ways a rudimentary file transfer tool can waste costly hours. Here are a few:

  1. Dealing with Exceptions

As with any process, your file transfers aren’t always going to go smoothly. While even a basic tool will work most of the time, you’ll inevitably run into the occasional problem which will require you to divert members of your staff away from more important projects to help get the files moving. Aberdeen’s analysis found that those who don’t use MFT have more than twice as many of these errors and exceptions as MFT users. With a single-function file transfer tool, the operator is solely responsible for checking if the transfer succeeded and trying it again if it failed. A good managed file transfer solution has ways of dealing with issues that arise—for example, the software could automatically reconnect and resume the file transfer after a problem occurs with the network.

Moreover, the MFT solution will provide visibility into the status of automated file transfers and let you know if something goes wrong. This allows you to attack the problem immediately and get back to your more strategic initiatives as soon as possible. A basic tool or script may cause you to waste hours just trying to determine what happened to your files.

  2. Upgrades and Modifications

A common solution for moving files is with custom scripts. This seems like an easy option at first. Your company has talented programmers and it’s not too hard to create a homegrown FTP script that gets the job done. The first few times you need a modification or a new feature, that’s not difficult either. But pretty soon your company is transferring thousands of files every day, your homegrown solution is severely lacking in the error-handling, security, and logging capabilities it needs, and updating your mess of sprawling scripts will cost you dearly in expensive programmer hours. Or maybe the original creator of the scripts has left the company and those hours will be spent just trying to figure out how it all works.

Managed file transfer has the features you require as your business needs grow more complex. You can trust that it will continue to be updated when necessary and upgrades won’t require the same technical expertise as creating a homegrown tool does. 

  3. Compliance Requirements and Auditing

Storing and tracking detailed audit information is crucial for staying compliant with PCI DSS, HIPAA, state privacy laws, and other regulations. A managed file transfer solution will store detailed audit records for all file transfer and administrator activity and provide that data in an easily accessible format to authorized users. If you are legally obligated to collect this information, there’s no better time-saver than implementing file transfer software that stores the data automatically.

Furthermore, compliance requirements can always change or new regulations can be put in place. While you may already have a process for complying with current regulations, MFT provides the flexibility to respond to new security requirements without creating too much additional time-consuming work.

  4. Avoiding Downtime

Just one minute of unplanned system downtime costs a company an average of $5,600. Talk about expensive hours! Make sure your file transfers keep running even if a server goes down by implementing MFT software that integrates clustering. This means you have a group of linked servers running concurrently, with each installation of your MFT tool sharing the same set of configurations and trading partner accounts. The servers in the cluster are in constant communication with each other, so if one fails, the remaining systems in the cluster will continue to service the trading partners. With the fast pace of modern business, you can’t afford to let your transactions wait while you take the time to get your systems functioning again.

Every minute that your business isn’t paying employees to fight fires, write custom scripts, or compile audit reports is a minute that can be put towards the work that helps the bottom line.

Interested in learning more about the ROI of Managed File Transfer? Read the next installment in our series: No Such Thing as a Free File Transfer, Part 2: Cost-effective Security.

 

Learn more about the risks of inadequate FTP implementations or get started with a free trial of managed file transfer today. 


Four Modern Alternatives to FTP Explained

Today's data-driven world is demanding, requiring accuracy, speed, integrity and above all -- security. It's a tall order to fill, and in the past, many organizations relied heavily on the legacy FTP protocol to transmit files. But over time, the security of this method has been tested by hackers.

For example, a serious breach occurred at Yale University in 2001, when more than 43,000 user IDs were exposed and all data was carefully harvested from an FTP server. Acer customer details were stolen in a similar fashion the same year. And most recently, 7,000 FTP sites had their credentials circulated in underground forums, including an FTP server run by The New York Times.

Security and file transfers are a significant concern for IT security professionals, but what is the best way to safeguard your company's data?

Leveraging More Secure Options

As many organizations have evolved past traditional FTP, they are opting for modern and secure options for transmitting data, including:

#1 - SFTP

Also known as FTP over SSH, SFTP brings down the risk during data exchange by using a secure channel between computer systems to prevent unauthorized disclosures during transactions. Authentication of an SFTP connection involves a user ID and password, SSH keys, or both. It is also firewall friendly, needing only a single port number to be opened.

#2 - HTTPS

Many sites are gravitating to HTTPS instead of the traditional HTTP, but what are the major differences? For starters, traditional HTTP doesn't encrypt traffic to your browser, which poses a security risk. In contrast, HTTPS provides an added encryption layer using Transport Layer Security (TLS). This creates a secure channel so the integrity of the data is not changed without your knowledge. HTTPS is ideally suited for file transfers where a trading partner requires a simple, browser-based interface for uploading data.

#3 - AS2

This is a popular method for transporting EDI data safely and reliably over the Internet. AS2 generates an "envelope" for the data, allowing it to be sent using digital certifications and encryption. For example, Walmart has become well known for using EDI through AS2 and has played an important role in driving adoption in the retail industry.

#4 - MFT

A method that supports the above options and makes FTP more secure is managed file transfer (MFT). This secure option streamlines the exchange of data between systems, employees and customers. Numerous protocols and encryption standards are supported, and MFT provides extensive security features that meet strict security policies to comply with PCI DSS, HIPAA, GLBA and other regulatory requirements.

MFT solutions provide advanced authentication and data encryption to provide secure and reliable file transfers. You can also track user access and transfer activity through reporting features.

Overall, managed file transfer offers the best option for securely managing the transfer of data quickly and efficiently, with detailed audit trails. It's preventive, rather than reactive, which is what security professionals in today's environment need most.

 



Free FTP Server and Client Helps Businesses Improve Security and Audit File Transfers

GoAnywhere MFT's integrated FTP Server and Client for automating and auditing file transfers is now available as a Free Edition of the enterprise-class Managed File Transfer solution. 

This free FTP software can be installed on a variety of platforms including Windows, Linux, Mac OS, UNIX and IBM i, providing flexibility to organizations of all sizes. GoAnywhere MFT improves FTP security with features like AD authentication, granular folder permissions, password policies to comply with PCI DSS, brute force and DoS attack monitors, and IP blacklists/whitelists.

"Legacy FTP servers are lacking the security controls, user management and detailed audit logs needed to comply with regulations like PCI DSS and HIPAA," says Bob Luebbe, Chief Architect at Linoma Software. "With the free edition, any organization can now take advantage of the comprehensive FTP features in GoAnywhere MFT."

Using the free FTP client from GoAnywhere, organizations can add automation to their file transfers.  The ability to schedule transfers and scan for new or modified files on local or remote systems reduces manual processes and the risk of human error.  This saves time and money while improving productivity through reliable data delivery.

The GoAnywhere FTP server makes it possible to set access controls and generate detailed audit logs on all file transfer activity.  This offers a layer of regulatory and policy compliance to organizations currently using FTP to exchange files with trading partners.

GoAnywhere MFT is an on-premises solution that provides centralized control over data access. There are no upfront costs or renewal fees for this fully scalable FTP solution. GoAnywhere MFT can be easily upgraded to meet the changing needs of any business through the purchase of secure file transfer protocols, integrated Open PGP encryption, advanced workflows and in-depth reporting.

This free software installs in minutes and is available for download from the GoAnywhere website at https://www.goanywhere.com/free-ftp.


GoAnywhere Gets Best Overall Value Scores for Server-to-Server and Ad Hoc Enterprise in Info-Tech Research Group's Study of Managed File Transfer Solutions

Info-Tech Research Group, an IT research and analysis company, has released a report naming Linoma Software's GoAnywhere managed file transfer (MFT) solution as having the highest Value Score of the MFT vendor group in Server-to-Server and Ad Hoc Enterprise use cases.

Info-Tech Research Group defines a Value Score as an index of "each vendor's product offering and business strength relative to its price point. Vendors that score high offer more bang-for-the-buck (e.g., features, usability, stability) than the average vendor, while the inverse is true for those that score lower."

Info-Tech Research Group released the findings in its report entitled, "Select and Implement a Managed File Transfer Solution," which lays out numerous criteria for designating MFT products and evaluating products in that market niche.

In particular, the report makes the point that "FTP is no longer a viable option" for enterprises with high-volume data transfer needs because of such challenges as difficult installation processes, no file delivery guarantee, limited storage-management options, user-training problems, increased risk, limited visibility, and lack of encryption.

Info-Tech Research Group evaluated different MFT software solutions for such attributes as speed, volume (capacity), security/encryption, and compliance with industry standards and governmental mandates. GoAnywhere received the only 100 out of 100 possible points awarded for Server-to-Server and Ad Hoc Enterprise in Info-Tech Research Group's Managed File Transfer Vendor Landscape.

Info-Tech Research Group's Vendor Landscape reports recognize outstanding vendors in the technology marketplace. Assessing vendors by the strength of their offering and their strategy for the enterprise, Info-Tech Research Group's Vendor Landscapes pay tribute to the contribution of exceptional vendors in a particular category.

According to the report, "With enterprise-level controls and rigorous audit logs, GoAnywhere ensures strict security policies and compliance regulations are met, regardless of industry. The product is FIPS 140-2 certified and is compliant with PCI DSS, HIPAA, HITECH, SOX, and GLBA. Its ability to connect and interface with multiple technologies provides a versatile solution in disparate environments. GoAnywhere's reverse proxy restricts which ports are open on your internal network. This is useful for all high security and regulatory environments."

Further details on Info-Tech Research Group's Managed File Transfer Vendor Landscape are available at http://go.linomasoftware.com/infotech2015.


SFTP Server in the DMZ or Private Network

Many organizations have an SFTP server installed where their trading partners can connect to securely upload and download sensitive files.

SFTP Server in the DMZ

Traditionally SFTP Servers have been installed in the DMZ (or public facing) segment of the network since organizations were fearful of opening inbound ports into the Private (internal) network.

Keeping the SFTP Server in the DMZ, however, has posed several problems. The primary issue is that files have to be stored in the DMZ when they are dropped off by partners, or otherwise staged temporarily for pickup. Those staged files have a higher risk of being accessed by hackers since the DMZ is more exposed to the Internet. You could require those staged files to be encrypted with something like Open PGP, but many auditors don't like to see any sensitive files in the DMZ, encrypted or not. Another issue is that you often have to write scripts to copy the files back and forth between the DMZ and private network, which takes programmer effort and can lead to errors.

SFTP Server in the Private Network

To keep sensitive files out of the DMZ, some organizations have moved their SFTP server into the private network.

This approach eliminates the need to write scripts for moving files back and forth. The big downfall of this approach is that ports were traditionally opened into the private network for trading partners to gain access to the SFTP server. These open ports could create a potential risk for attackers to gain access to the private network. In today's security-conscious environment, most IT auditors do not like to see any inbound ports opened into the private network... especially if you are storing sensitive PCI DSS or HIPAA data on those servers.

Gateway in the DMZ while keeping the SFTP Server in the Private Network

An approach that is quickly gaining in popularity is to implement a gateway component in the DMZ. The gateway will serve as an enhanced reverse proxy which does not require inbound ports into the private network.

At startup time, the SFTP server will establish a special control channel with the gateway, which is kept alive continuously. When partners connect to the gateway, it will make requests over the existing control channel to the SFTP server. The SFTP server will then open any data channels needed back through the gateway to service the trading partners. The whole process is transparent to the trading partners. No data is ever stored in the DMZ since it is simply streamed through the gateway.

A gateway in the DMZ therefore solves two major security issues:

  1. No files need to be stored in the DMZ, including user credentials
  2. No inbound ports need to be opened into the Private network

Since a proprietary control channel is used to communicate between the gateway and the SFTP server, you will need to purchase both components from a single vendor. When looking for the right gateway for your organization, make sure it is easy to set up and manage. It is critical that it does not require inbound ports into the private network or require any data to be stored in the DMZ.
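The connection flow described above, sketched as an added example (not from the original post, and not the proprietary protocol of any gateway product): the private server only dials out, first for the control channel and then for each data channel, while the gateway holds both listeners and streams bytes without storing them. The `CTRL`/`OPEN`/`DATA` messages, the function names and the toy "STORED" service standing in for an SFTP session are assumptions, and loopback stands in for both network segments.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback stands in for the DMZ and the private network


def _listener():
    """Listening socket on an ephemeral port. Only the gateway creates these."""
    lsn = socket.socket()
    lsn.bind((HOST, 0))
    lsn.listen(5)
    lsn.settimeout(5)
    return lsn


def _readline(sock):
    """Read one newline-terminated message, byte by byte so nothing is over-read."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf[:-1].decode()


def _read_all(sock):
    """Read until the peer signals end of stream."""
    return b"".join(iter(lambda: sock.recv(4096), b""))


def _pipe(src, dst):
    """Stream src -> dst in memory, then pass the end-of-stream on."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def gateway(partner_lsn, inside_lsn):
    """DMZ side: accepts partners and the private server; writes nothing to disk."""
    control, _ = inside_lsn.accept()
    if _readline(control) != "CTRL":
        raise ConnectionError("first inside connection must be the control channel")
    partner, _ = partner_lsn.accept()
    control.sendall(b"OPEN 1\n")       # ask the private server for a data channel
    data, _ = inside_lsn.accept()      # it arrives as a connection from the inside
    if _readline(data) == "DATA 1":
        upstream = threading.Thread(target=_pipe, args=(partner, data), daemon=True)
        upstream.start()
        _pipe(data, partner)
        upstream.join(5)
    for sock in (partner, data, control):
        sock.close()


def private_server(inside_addr):
    """Private-network side: outbound connections only, never bind() or listen()."""
    control = socket.create_connection(inside_addr)
    control.sendall(b"CTRL\n")
    try:
        while True:
            session_id = _readline(control).split()[1]
            data = socket.create_connection(inside_addr)
            data.sendall(f"DATA {session_id}\n".encode())
            upload = _read_all(data)   # toy service standing in for SFTP
            data.sendall(b"STORED %d bytes\n" % len(upload))
            data.close()
    except ConnectionError:
        pass                           # gateway closed the control channel
    finally:
        control.close()


def run_demo(payload: bytes) -> bytes:
    """One partner session through the gateway; returns the server's reply."""
    partner_lsn, inside_lsn = _listener(), _listener()
    gw = threading.Thread(target=gateway, args=(partner_lsn, inside_lsn), daemon=True)
    srv = threading.Thread(target=private_server,
                           args=(inside_lsn.getsockname(),), daemon=True)
    gw.start()
    srv.start()
    with socket.create_connection(partner_lsn.getsockname(), timeout=5) as partner:
        partner.sendall(payload)
        partner.shutdown(socket.SHUT_WR)
        reply = _read_all(partner)
    gw.join(5)
    srv.join(5)
    partner_lsn.close()
    inside_lsn.close()
    return reply


if __name__ == "__main__":
    print(run_demo(b"constructed sample file\n"))
```

In a real deployment the firewall would permit only the private server's address to reach the gateway's inside listener, and the control channel would be authenticated.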

 

Want to learn more about DMZ Gateways? View this informative whitepaper: DMZ Gateways: Secret Weapons for Data Security.


Why Bother Upgrading Beyond Standard FTP?

Right out of the box, most operating systems come with a built-in File Transfer Protocol (FTP) tool that makes it possible to transfer large files between people, computers and servers. It accomplishes the key goal, which is to deliver the file from one place to another. However, too many organizations' philosophy has been that as long as the files were getting where they needed to go, standard FTP was good enough. That was especially true when they were transferring files internally.

The truth is that FTP alone has never been good enough, because too much information (file data, user names, passwords, etc.) is vulnerable to hackers and it only takes fairly rudimentary hacking skills to steal it. Now with increased pressure to protect sensitive data coming from regulators and consumers, it's urgent that companies implement a more secure file transfer method.

Take a look at this short video to hear Bob Luebbe, Linoma Software's Chief Architect, talk about the dangers of standard FTP.

 

 

At the end of this video, Bob mentions the value of clustering and load balancing to promote high active-active availability. Since this video was produced, we've also added these features to both GoAnywhere Services and GoAnywhere Director.