Software escrow agreements are becoming increasingly common for organizations worldwide. Medium and large enterprises, especially those in retail, energy, and financing, rely on these agreements to provide coverage for the unique source code, files, and other software assets that are critical to a company’s intellectual property.
To prevent loss of this information during sudden downtime, a successful data breach, or natural disaster, organizations create a software escrow agreement with a third-party vendor to protect and back up this data. The third party then takes this data, creates an inventory of everything that’s to be escrowed, and puts the source code and other assets into a vault for maximum protection.
SES is a third-party vendor that provides software escrow agreements, intellectual property protection, and cybersecurity risk management globally. Based in Manchester, UK, SES has spent nearly twenty years providing security to over 2,500 professionals in 40+ countries.
"Dealing with software escrow agreements is our bread and butter," said Tom Sweet, Information Security and Systems Manager at SES. It’s an area of constant growth and adjusting to keep clients happy and source code regularly updated. "We are continually developing and innovating," he continued. Often, they do this "by using tools like GoAnywhere MFT."
For SES, GoAnywhere Managed File Transfer (MFT) has been a well-used and finely-tuned addition to their cybersecurity solutions. With the software in place, they perform nearly 2,000 uploads for clients a day on average—a mix of small and large files—as well as help monthly and quarterly businesses with their source code deposits. "GoAnywhere is well used," Sweet said.
Before GoAnywhere came into the picture, SES used a web gateway, an AWS-backed instance, to receive source code for clients. They also occasionally used old-fashioned file transfer methods: physical disks and SD cards that were tracked, signed for, and had a direct chain of custody that could be followed.
While this mixed process—AWS-backed instance and physical mail—worked at the time, they were still missing the ability to track user and file transfer activity. Having an audit trail was important to the business. When auditing also became a client requirement, SES looked for a way to streamline, structure, encrypt, and audit their exchange of data.
They handled a high volume of file transfers and needed robust security practices for the data they processed and stored every week. It was time to find a centralized solution that could do all of this and meet their trading partner needs.
The tracked-and-signed file transfer processes they used led to an evaluation of GoAnywhere MFT from HelpSystems, a robust and fast-growing product that used similar tactics (tracking, signing, and a clear chain of custody) for sensitive file transfers.
GoAnywhere was a hit. It took Sweet mere days to learn the product. He attended two webinars with GoAnywhere’s General Manager, Bob Luebbe, then jumped in and followed his intuition.
The turnaround had to be quick, but the learning curve was straightforward. They implemented GoAnywhere across their Linux systems and have depended on it ever since for day-to-day file transfers, streamlined encryption, and consistent auditing.
With GoAnywhere fully implemented, SES has been able to make sure all file transfers sent by their clients are encrypted in transit and sent to the right place. SES has also ensured that encryption keys are held separately. These are just two of the strict requirements SES needs to follow for their clients in order to stand out in a sea of escrow and backup service platforms.
"It’s risk versus security," Sweet said. "With HR and payroll data, the risk is high, so the security aspect needs to be high as well."
GoAnywhere’s granular security controls allowed Sweet to make GoAnywhere as safe and security-driven as possible against internal risks and user errors. "I stripped it back to who can do what," he said. Previously shared passwords were locked down. Web users were restricted to only the areas of the product they needed, and file storage was controlled—files could only be stored in the right areas of the network.
Sweet continued, "If someone in a company wanted access to the transfers, or to the systems, they could break the loop to that cycle. So that’s why we vault [client data] and back it up in an encrypted format. We make sure the file transfers are encrypted; that’s key too."
New trading partners and file transfer users can be set up in minutes. "Less than that if I’m rushed," Sweet said. "The quickest ones we’ve had people test: I’ve sent the email saying here’s your username, sent the password out over SMS, and people test the log-in within 10 minutes."
Sweet uses private and public keys to ensure the encryption and validity of the new transfers he creates. When the file transfers are executed, most run, start to finish, in under 30 minutes.
"The main thing we use GoAnywhere for is managing users, auditing the logs, and giving users a secure gateway into our systems that would normally be firewalled," Sweet said. All of this is simple with GoAnywhere, as Sweet believes the product’s biggest strength is its ease of use. Whether he needs to streamline, update, or re-deploy the product across systems and users, the process has been painless.
Automation is another huge benefit of GoAnywhere. SES uses GoAnywhere to do the heavy lifting for SaaS-based clients. These clients transfer large amounts of source code end data that are pushed into a SaaS escrow and captured in real time.
"We help these clients configure a script that connects over SFTP to a GoAnywhere service," Sweet said. "GoAnywhere then audits those transfers." The product securely transfers and audits at the same time, all automatically for nearly 60 clients who need their source code updated on a daily or monthly frequency. This enables SES to automate on Windows and Linux to meet the security requirements of each client.
SES works with a variety of clients every day. Many of these clients have compliance requirements that SES must meet if they want to work with these organizations. To achieve these needs, SES has applied ISO 27001 compliance across all clients to ensure all information sent between SES and other companies is secure.
"ISO 27001 mandates that we create policies, processes, and procedures which we can prove using evidence-based systems," Sweet said. "This says, ‘Okay, by default, you [the client] get all of this [security]. All files will be encrypted, and all second factor messages will be sent out of band so they aren’t sent over the same method of communication, and so on."
Meanwhile, while encryption is the same and applied for everyone, clients can choose if they want to use multi-factor authentication (MFA) with passwords or SSH keys for an extra layer of security. GoAnywhere offers multi-factor authentication methods, including keys and certificates, for increased file protection. SES also uses GoAnywhere to encrypt every backup of escrow data that is then kept in offline vaults.
"This ensures there’s 99.9% availability," Sweet said. "No one thinks escrow is important until it’s too late," he added, so SES provides these offline backups with GoAnywhere’s help to give organizations peace of mind.
One of the biggest justifications for purchasing GoAnywhere was its auditing functionality. Sweet and his team uses these audit logs to see who is connecting to their SFTP servers, what they’re doing on those servers, and how much they’ve done. This level of detail is critical, especially when dealing with sensitive escrow documents, software assets, and source code.
"The log-in and auditing process in GoAnywhere is important for our information security standards. We audit the transfers not just to be able to take them securely, but also to prove who has been on and transferred what and when. The audit trail is important."
If Sweet needs to change something, GoAnywhere makes it easy. Admins can make modifications or adjustments to their processes to keep constant with security requirements. "We can do this with GoAnywhere very easily," he said. "Then we just send out a new host key to our clients."
Right now, SES retrieves files from clients. But in the near future, they hope to roll out GoAnywhere Remote Agents and GoAnywhere Advanced Workflows for customers who want zero involvement in the file transfer process.
With these features enabled, Sweet and his team will be able to pull data from each client when needed without requiring manual work or engagement on their end. "Remote agents and advanced workflows will allow us to go out, talk to, and pull the requests for daily, weekly, or monthly file transfers," Sweet explained.
Tom Sweet has used GoAnywhere for four years. As the main product administrator, he’s always looking for new ways to implement the software, integrate it with other web and cloud services, roll it out as part of security-client processes, and improve the success of GoAnywhere at SES.
"I want to get as much out of the product as I can," Sweet said, reflecting on being the singular admin for GoAnywhere. "The more I push it out, the more we get a better return from our customer experience." And for any organization—SES included—customer satisfaction is top priority.
Thankfully, GoAnywhere’s encryption, automation, and ease of use can help make that happen.
You can learn more about SES by visiting their website.
We're committed to giving you a better way to automate, secure, and streamline your business processes. Schedule a demo with one of our product specialists today to see if GoAnywhere MFT is the right fit for your organization.