MFT 101: Securing, Automating, and Managing File Transfers


Transcript

Michelle: Hello everyone, thank you for joining today's webinar on MFT 101 and how organizations use it to secure sensitive files in transit, centralize administration and automate workflows for better business efficiency. Before we get started, I wanted to let you know, this event is scheduled for one hour. We are recording the event, so if you'd like to re-watch any portions or share it with a friend, you can absolutely do so. We'll email you a link with the recording within 24 hours. If you have any questions throughout the webinar, please submit them through the questions pane in the floating control panel on your screen. We have dedicated team members online to answer questions throughout the presentation. We'll also have a Q&A time at the end of the webinar, so if you'd like to stay on the line for that and submit a question live, you can do that. And lastly, at the end of the webinar, you'll see a quick survey pop up. Please fill that out for us, as it helps us understand how we did and what parts of the presentation were most helpful to you. If you have any questions that aren't answered on today's call, you can enter those there as well, and someone will get back to you. Let's take a look at our agenda for today. We're going to cover the four common file transfer challenges, we'll talk about industry trends you should know, we'll get into what is MFT, anyways? And talk about the top three things to look for in MFT software. Then you'll get a short intro into GoAnywhere MFT, and then we'll have our Q&A section. So today's presenter is Dan Freeman. Dan is a senior solutions consultant at HelpSystems for the GoAnywhere product line. Dan has spent the last 10 years of his career in various security roles, ranging from systems engineer to security officer. As a CISSP, Dan has designed networks, systems, and procedures to ensure regulatory compliance using the NIST Risk Management Framework and HIPAA standards.
Dan, thanks for being with us today, I will let you take it from here.

Dan: Awesome, thank you for the introduction, Michelle. Can you guys hear me okay?

Michelle: Yep, loud and clear.

Dan: All right, and thanks for all that are in attendance today. Now, before we get started, I did want to share with everyone a quick anecdote of what actually happened to me just this past weekend. As you don't know, but I'm about to tell you, I happen to live next to the state penitentiary. Now, this past Saturday, I was walking my dog along the fence line and actually became witness to a prison break. In fact, I saw a man of particularly short stature climb up the fence, and as he jumped down he sneered at me, and I couldn't help but think, "Well, that's a little con descending." Okay, I'll wait for the groans to stop. I think we're ready to go. All right, let's start by talking about some of the challenges we face today when trying to share information between employees, trading partners, and customers. Basically, how are we transferring files? First off, even though the proper tools have been out there for quite a while, unfortunately a lot of IT departments are still using old technology such as FTP, legacy scripts, and PC tools. Which, those are either rogue installs by employees or even decisions made by staff because of the free price tag that goes along with them. And a lot of times the older technology will be kind of a one-function type tool, and we end up using more than one tool to handle the different protocols or mechanisms required by our trading partners and customers. Now this can lead to a real hodgepodge decentralized solution, making management almost impossible. And take FTP. Companies have built FTP scripts in their corporate servers, and unfortunately these scripts can have many downfalls. For instance, a lot of times these scripts can be a bit complicated for the average user, and thus need to be written by programmers or someone spending an awful lot of time on YouTube videos. Now, should it be the former, that can be an expensive resource.
And think about how many scripts you have out there, and the many different servers they're accessing. Now, let's think if one of those servers happens to change their URL or IP username, now you get the luxury of hunting down all those scripts for that one server name's information change, and this can most likely be done by that same programmer, and thus wasting more time and taking away from other priority projects. No bueno. Now, another problem with scripts is that your passwords, potentially stored in the clear, can make them susceptible to attack. Now, on the flip side of these complex scripts, most of the time they can be simplistic in nature and don't have advanced features like auto-retry, error alerting, as well as much-needed auditing capabilities. They don't take into account when transfers fail. So, what happens if the file you're expecting is not there? Or maybe the server you're trying to connect to is not available. Are you getting alerted immediately so that you can stay at the forefront and not be reactive to an upset customer who didn't receive their file? This alone is why a lot of folks are looking for a centralized, secure way to manage file transfers, and maybe one reason why you're sitting here today. Now let's take a look at the issues of PC tools and freeware used by a lot of employees. Most of these tools are usually a manual process, which introduces one of the biggest and most common reasons for data breaches, the human element. Making these tools prone to human error and severe risk for your network.

Now what if the user downloads or uploads the wrong file? What if it contains sensitive information and the user forgot to encrypt the data before sending? What if the particular human is the only one who knows what and when to send these files to be transferred, and then they decide to be gone for the day or get hit by that proverbial bus? Moreover, with PC tools you put sensitive data at a higher risk by downloading from a secure server environment to a non-secure managed local PC or laptop. Not to mention there are often no logs of where the files were sent. This can be a huge problem with auditors, as you can't tell what files are coming or leaving your network. Especially the ones with sensitive information in them. And auditing and accountability is a huge security concern with compliance. Those auditors definitely want to know that you know what is going on with your data at all times. Now, to add to these challenges, a lot of end users are still sending files through unsecured email or cloud services like Box, Dropbox, without any controls or centralized management. So unless you're locking this down, either by DLP content filters or application and web controls, it's very tough to prevent sensitive information from leaving the environment. And even with that in place, there's really no centralized auditing and control. It makes for a very disorganized, and most likely non-compliant system. Now the next few slides, we'll show some statistics from a survey we conducted showing cybersecurity trends and concerns.

Here we're looking at the top five most concerning cybersecurity exploits of 2018. As you can see, unsecure file transfer did make the list. Although that would be the most obvious one in the context of the managed file transfer solution, even number three, weak or stolen passwords, could be because of using insecure protocols like FTP during the transmission, passing those passwords in clear text. And maybe number four was system misconfigurations being caused by manual processes by untrained individuals. Automation of secure protocols and processes could prevent some of these concerns. Now, looking at this slide reminds me of the constant battle between security and convenience. With over 65% claiming difficulty balancing cybersecurity controls with business efficiency shows this battle is still evident. Providing centralized automation could eliminate some of these pain points. Now, couple that with insufficient skills and staffing brings automation to the forefront of these potential solutions. Not to mention that automation can greatly reduce the amount of resources needed to complete tasks, thus reducing costs and chipping away at that number three, or 44% who have budgetary concerns. Here we see a few items that companies would like to implement in the next 12 months. Making the list is encrypting files in transit as well as at rest. Now, one of the items that I used to preach when I was a security and privacy officer, was that if you had a limited budget and weren't quite sure where to start, I always mention encrypting your data in transit and at rest is a great place to start. Now, you may not prevent the breach, but you will show due diligence that the information that was compromised is unusable and most likely will avoid hefty fines. From an access control standpoint, multi-factor authentication, which leads the list here at 33%, should definitely be available in your solutions.
I can't express enough how MFA makes it really tough for someone to crack passwords, or even get those pesky phishing schemes to work. Another cheap and quick way to bolster your security. And of course, being a former security and privacy trainer, it was really nice to see that folks recognize the importance of training end users on security.

Now, they can be your first line of defense and foot soldiers, or as we see probably too often, they can be the open doorway to the next breach. Now, I can't agree more with this next slide. As mentioned before, encrypt your data. We see that number one, at 64%. It seems that most popular cloud providers are making it a point to secure their infrastructure so that customers feel comfortable putting their data and systems up in the cloud. But one thing still remains, while they may be providing the hard candy shell, but once you're past that, you need to make sure that there isn't a nice, soft nougat filling inside. That's, again, not encrypting your data and making that accessible. So, again, want to reiterate one more time, let's encrypt that data. Here, so if we're gonna, so why are we concerned with all the security stuff? I like to think that we're just bein' forthright and moral folks and want to protect data, but I have a feeling these compliance regulations have a lot to do with the money goin' out the door to ensure data security and privacy. As you can see here, almost three out of four folks currently have to comply with some sort of regulation, and with the, I don't want to say lenient, but it's kinda wide open, GDPR settings getting goin', I have a feeling that number may jump up quite a bit. Now, not so much because the company's doin' with European citizens' data, but maybe some copycat blanket privacy laws from other nations tryin' to go international. Who knows? Okay, so what is Managed File Transfer?

A one quick liner can describe it as a solution that allows organizations to control and secure their file transfers through a centralized framework. Now key points are taking all the sharing of information that may have been done using multiple tools, and getting them under one pane of glass for ease of management, as well as centralized control for security and auditing purposes. Now, managed file transfer, or MFT for short, covers all aspects of file transfers within your enterprise and with your trading partners, including batch transfers between systems, as well as ad hoc file transfers between individuals. MFT provides the automation, AKA removing the error-prone human element as much as possible, that you need for your file transfers, protecting that data with strong NIST-approved encryption, while providing the audit trails you need for compliance with strict regulations. So, what to look for in an MFT solution. Well, although there are a lot of attributes and capabilities we could evaluate here, today we'll look at three that we think are pretty important. Number one, being a SysAdmin for about 15 years before coming to HelpSystems, I can't tell you how many times I was part of the shelfware procurement process. It was either a product that one of the managers did some research on and decided it would solve all their issues, without consulting those who would be managing the software, of course. Or maybe a knee-jerk reaction to a compliance regulation. In any case, whatever product you buy needs to be easy to use. Ease of use will facilitate ease of adoption. Not only for your end users, but also for the admins responsible for maintaining it. If your end users don't like the solution, then they tend not to feel vested and go back to their old habits and you have successfully not solved their issues. This puts you back right where you started. Now, the ease of use can also go to the SysAdmin side as well.
Make it easy to set up, manage, and create workflow automation to match what your business needs are without havin' to hire consultants from the vendor slowing things down, using up resources, and frustrating those employees.

The solution must make it easy to set up new transfers in a matter of minutes, not hours or days. Not only your batch system to system transfers, but also those ad hoc transfers that are pretty popular with those one-off situations. Allowing your SysAdmins to preconfigure connection settings so that your users don't have to know what's going on beneath the covers, but can still kick off jobs that need to be processed as a valuable, easy to use asset. Although, also, make sure that your solution is able to interact with other servers, systems, applications, and APIs so it can expand its capabilities to automate and centralize your entire business processes end-to-end. This'll keep management centralized in auditing and all processes funneling through your solution. Now security compliance, kind of a no-brainer nowadays for any application that's part of a system on your network. The product must be able to support all the latest and popular protocols, cipher suites, key exchange algorithms, so that you can accommodate all your trading partners and customers first, but also be able to show your auditors that the software is able to be configured so it is compliant with whatever regulation you adhere to. The product must have centralized control. It should run natively on an internal server, and only be accessed by authorized administrators.

Make sure that you give the solution, make sure that the solution utilizes RBAC, or role-based access controls, so that you can maintain job separation duties and only give rights to the product that are needed depending on the job responsibilities. Again, auditing and accountability, as well as access control are two huge security concerns with auditors. So the product must have centralized audit trails on all transactions as far as file activity, user activity, and system configuration changes. And then of course, error handling and peace of mind. Who doesn't like peace of mind? This goes hand-in-hand with guaranteed delivery. This is very important when dealing with your customers to make sure that your solution is doing it all, is doing all it can from a connection standpoint to make sure the files are delivered. From built-in auto-retries to getting immediate alerts if they fail. So that the appropriate individuals can jump on these situations and alleviate any non-favorable result, especially in the case of maintaining SLAs with some customers. Okay, now let's take a look here, adaptation tool. Take a look a little bit at GoAnywhere and get a nice overview, this is kind of a busy slide, we'll try and keep it quick and then we'll jump more into the product and the live demo here.

As mentioned here, on this side we can access the product from anywhere. As far as getting into the administrative console, we can use a web browser. Any of the popular web browsers, whether Chrome, IE, Firefox, or Opera, you can get in there. Also you can use command line interfaces, we do have free APIs that offer to either connect up to induce some administrative functions or actually use another application to call a project within GoAnywhere. Speaking of projects, that kinda moves over to our workflow automation. And this is kinda where we do a lot of the automated movement and manipulation of files once they come into or tryin' to leave your network. Things like encryption, whether you're doin' local PGP file encryption, decryption, or digital signatures and verification. Compression, as well as maybe some data translation. Sometimes you might get a file of a certain type, a CSV, XML, font file, and maybe you need to translate that to an Excel file, or actually read that and enter it into a database. All those things can be done within here, we'll kinda look at the stuff when we get in the projects. As far as the projects are concerned, what's very important is gonna be these samples of what we call resources.

Now, resources are gonna be ways that we connect up to other servers and services so that we can expand the capabilities of GoAnywhere. Simple things like, maybe we want to connect up to different network shares. To actually monitor a folder location, to grab files, and then SFTP 'em out to a partner. Or vice-versa, it could be a destination directory for files too, when they're comin' in. Cloud services natively connect up to Amazon S3 Buckets, Azure Blob storage, very popular, to maybe offset and do some archiving and chute storage. Databases, another common feature. Connecting up to maybe a customer database. And maybe files aren't quite files yet, you gotta get 'em prepared. So we do a Select statement, pull out information we want, write it to CSV, Excel, flat file, whatever the case may be, and then we PGP encrypt it and send it out the door. And vice-versa, maybe you get files from folks and you need to read that CSV file, and then do some Insert or updating into a customer database. Lots of different resources, and we'll jump in those when we get in the product. Everything, like we mentioned before, is very detailed, audited. Not only from the service, listeners that were listening on the server's side, but also any file activity, web user activity, and any system configuration changes. We do have about 24 different canned reports that you can do on an ad hoc basis, or maybe throw them in a project, put 'em on a schedule basis to send it up to your manager or the IT personnel responsible for that certain section, maybe a C-level staff member, whatever the case may be. And all that auditing and reporting is good, but if you're not getting alerted on certain things immediately, that's where, especially in the case of SLAs, it's nice to have those alerts to stay in the forefront of things in order to be non-reactive and stay in front of some of those issues to get those things out the door to maintain those SLAs. All right, let's go on to the next one here.

Okay, couple more key points here. The multi-platform, GoAnywhere is OS-agnostic. Not being a Java-based application, we don't get our hooks in many of the, or many of the dependencies upon the OS, thus we're able to install on virtually any platform. Windows, Linux, Novell, IBM i, AIX, pretty much any platform we can install GoAnywhere on. The batch and ad hoc, now we're able to do those system to system batch transfers, as well as easily set up those ad hoc transfers via an intuitive web interface, which we'll have a demo here in a second. As mentioned, we have detailed auditing across all service listeners and protocols, file transfers, user activity, as well as system config changes. And one of the big reasons I really like and I think separates ourselves from MFT solutions is our interface, our UI. It's very intuitive and easy to use. Especially when it comes to the workflow automation project, you don't have to be a programmer to build out intuitive, even complex business processes to replace those old scripts. Now, the inbound services, we do have the ability to listen on many different protocols, like FTP, FTPS, SFTP, SCP, AS2, as well as an HTTPS web interface leveraging four different modules, and we'll go over those four modules in a little bit. GoAnywhere can also fulfill the encryption in transit and at rest, and we talked about, kinda one of those big concerns, we wanna make sure that our data is encrypted at all times. With our secure protocols and industry-standard encryption algorithms and cipher suites, we can securely transfer files. And then with our encrypted folders tool, we can target those folders for AES 256-bit encryption at rest. Now helping us along with that, we have a, we have a built-in database key management system. Now this is to maintain encryption via those SSL/TLS certificates, SSH keys, as well as PGP keys. All this with the ability to create straight within the product, or import existing keys for use.
And also on the admin controls, kinda what we talked about, maintaining that least privilege and job separation of duties for your administrative users.

Okay, so let's go ahead and jump into the live demo, let's bounce outta here. Get into here. This here, like we mentioned, this is going to be the web interface. That's successful to the administrative console. It raised that little arrow there. This instance happened to be on a Linux cluster, you'll notice we have the IP address or host name, by default, port 8000. Those things are configurable up to you. Again, I'm gonna be using Chrome throughout this demo, but you can use IE, Firefox, or whatever browser that you want to use. So I'm gonna go ahead and log in here with my admin credentials. So every single administrator, when you log in, the first thing you're gonna notice is you have a dashboard. These are pretty configurable, whether it's from the actual layout from a one couple flavors, a two or a three-pane window, I'm using the three-pane, to the actual gadget that you put on your dashboard. This can be one of 25 different gadgets that you can select from, whether it's disk usage, recently lightpost IP address, quick links, whatever the case may be, you can actually modify each individual gadget, as well, to be as granular or as broad as you want. And you can configure these by moving 'em around, to give it that layout that you want. Point being is, this is your one quick snapshot view of what's going on the system at any given time. Speaking of admins, that's how we're logged in now. And goin' to the admin user role, this is gonna be the 16 different, RBAC roles that we talked about, to maintain that job separation of duty and least privilege. So we're not just throwin' blanket admin like our product admin or, in the case of Windows, say a domain administrator, we are being very granular with what the rights that that person needs to have.

Okay, one of the things that we talked about in that first busy slide is we talked about resources. And resources being how do we connect up to or how can we leverage other servers and services? Now, this expands, I guess, the tentacles of GoAnywhere to be able to leverage those things, to move files and do file manipulation, all within this centralized environment. As you can see here, there's a lot of different resources, we definitely won't go through 'em all. Again, a couple popular ones that people like, the Amazon S3 Buckets, Blob storage. Here we'll look at the database servers. We'll kinda take a peek at this one here. They're a very popular resource to connect up to. So when you're goin' through here, you can just put in below the most popular JDBC 2.0 drivers, so you'll select the driver that is what you're connecting up to, in this case an AS400. The JDBC URL, maybe not the most intuitive thing in the world, so you can always use our wizard or get it from your DBA. But in this case, for the iSeries, we'll just put in the actual IP address, hit Generate URL, and there it is. And hit select there, and it'll populate that in there. And then you'll get a username, password on whatever you want this resource to have rights to, so if you want to use this in a project for writing, updating, inserting, you'll make sure that that user has that type of access. In any case, every single resource has a test button. Now this test button is really nice, it's kind of the sanity check to make sure that everything you put in worked. It's gonna do two things, it's gonna check for network connectivity, and any applicable credentials that have been provided, so getting "Resource Test Successful" is obviously a good sign. So now we've got that resource set up to use further down in that project, and we'll see how that works in a second. Again, a lot of other resources, network share is very popular. Pointing to different locations within your network.
To either pick up or drop off files, or do file monitoring. Another one that we'll look at real quick, and the last one we'll look at, is SSH servers, and--