Now, it is my pleasure to welcome our presenters. First, I'd like to welcome Bob Luebbe. Bob is the chief architect for the Managed File Transfer product line at HelpSystems. He's been in IT for over 30 years and has spent the last decade designing encryption and file transfer solutions. As a certified information security systems professional, Bob also consults with organizations on how to best protect their sensitive data assets and achieve regulatory compliance. Welcome, Bob. Thank you for presenting today.
Next, I would like to welcome Brooke Furry. Brooke is the marketing manager for the Managed File Transfer product line at HelpSystems, and her team helps educate the market about the value of MFT solutions and connects them with solutions that will make their lives easier. Welcome Brooke. Brooke, can you tell us a little bit what you'll be presenting about today?
Cybersecurity Industry Survey Results
Brooke Furry: Yes. Thanks Holger. As a quick intro to today's topic, I just wanted to talk briefly about an industry survey that yielded some results this audience may find interesting as we talk about the topics of security and efficiency. So, I'm guessing many of you joining us today likely either oversee or belong to teams who are responsible for IT security and operations. Earlier this year, HelpSystems launched a survey asking people just like you to tell us about the cybersecurity risks they're facing, and how they're mitigating those risks. We had over 650 IT and security professionals around the world respond, which gave us a good glimpse into what's really going on in organizations right now related to security. And the survey asked about the top concerns and threats organizations face in 2018, as well as protective strategies they're implementing. And I think many of you may resonate with what we found.
Next slide, please. So the survey results revealed first and foremost that 91% of respondents feel their management considers cybersecurity to be anywhere from moderately to extremely important to their organization. Knowing this well, I think we'd all agree on the importance of security, we also know it's unrealistic to expect to complete security projects and goals all at once, even if your management places importance on security initiatives. Security should be an ongoing priority and effort. And today, Bob is going to share some ways to help in secure file transfer areas specifically. We were also surprised to see over a quarter of respondents tell us compliance doesn't apply to them. We did see that the majority of people who answered in this way work in smaller organizations and likely haven't realized a need for compliance yet, potentially because they're audited less frequently.
Regardless, our team at HelpSystems has noticed an upwards trend in compliance requirements for organizations of all sizes who we work with on security services. So, I just call it out as an area to pay attention to and you'll make sure you're determining what regulations and requirements you need to be aware of, regardless of your company size. We also found that 65% of companies struggle to balance strong security with business efficiency. And if this is a challenge for you, and that's why you're on the webinar today, hopefully it's encouraging to know the struggle is real, and others are still working to figure this out too. And I hope today we can help equip you with some practical steps to improve your efficiency and overall productivity.
And finally here, we found that along with ransomware, phishing, weak stolen credentials and system misconfigurations, unsecure file transfers are a top security concern. So, if this resonates with you and it's an area your organization hasn't tackled yet, keep listening and Bob will provide some education on common file transfer challenges many organizations face and best practices you'll want to implement. And as I hand things off to Bob, I just want you to note that like Holger mentioned, if you're interested in seeing the full results from our survey, you can access that PDF in the handouts area of your screen. Okay, Bob, you can take it away.
File Transfer Challenges and Best Practices
Bob Luebbe: All right, great. Well, thanks a lot Brooke and Holger for the introduction. Again, my name is Bob Luebbe with HelpSystems here. I've been working with file transfer technologies for over the last decade. And I'd like to start off with some of the common file transfer challenges that organizations are having today. And then we're going to get into ideas that we have on how you can solve those challenges. And finally, we're going to show you our managed file transfer solution called GoAnywhere towards the end, we're just going to give you a short demonstration on how you can consolidate and control and audit your file transfer.
So, just kind of starting off with one of the most significant challenges is human error. And unfortunately, a lot of organizations still allow their end users to use PC-based tools to transfer files, that could be FTP tools like FileZilla or QFTP or it could be like an email program. And since this is often a manual process, it's very prone to human error and risk. And just as some examples, for instance, maybe the user forgets to send a file at the scheduled time. And this could be an important order or a financial document, which could delay on the sending of the file and affect your relationship with your vendor or your customer.
And the user may accidentally upload or download the wrong file to the trading partner. For instance, maybe they send a pricing list with special discounts to the wrong partner, or what if the file contains sensitive data and the user forgot to encrypt it before they transmitted it. So these are all things that you're susceptible to when you allow your users to manually perform those functions.
And then, I think, another thing that companies need to think about is who is the backup for that user, if they're gone that day on PTO and are they going to follow all the procedures precisely to make sure that file is properly protected and sent to the correct trading partner on the correct day. So these are all risks that you have to deal with when you have to, when you're relying on manual processes to transfer those files.
Secondly, there's a lot of inefficiencies still in organizations with their file transfers. They might be using unsecure technologies like FTP or email to transmit those files. So they try to automate their file transfers. Many have built FTP scripts on their servers to try to automate on those transmissions. But unfortunately, these scripts have many downfalls. Big problem with FTP scripts is that your trading partner's passwords are often stored within those scripts in the clear. So if a hacker was able to get a hold of those scripts, they could easily find out your trading partner's credentials and their server address. And that can make those servers very vulnerable to attacks.
Another problem with FTP scripts is they can only be written by programmers, which we all know are a very expensive resource. And to write the script properly, you really need the programmer to build in things like auto retry on those connections to make sure those scripts are sending out error alerts when there's problems, making sure they're writing out good audit logs. And these are the sorts of things more advanced functionality that can really take a lot of time to code those scripts properly. And every time something changes for that trading partner, let's say they call you up and said they have a new IP address or new credentials to connect up to their server or a different file name, you have to involve a programmer to get involved to make those changes to the script.
And these changes can really add up over time and distract those IT resources from other priority projects. And we've talked to companies that had even hundreds or even thousands of FTP scripts that have really become unmanageable and almost impossible to maintain over time. So, that's a big problem.
Another big problem is the lack of encryption. And so, as I'd mentioned, if you're leaving it up to your end users to do the file transfers themselves, they might jeopardize sensitive data by oftentimes, they have to download it first from a secure corporate server to their less secured PC or laptop, just kind of stage that file before they send it off. And that's going to make that data much more vulnerable to attack. So maybe they have to download an ACH file or a payroll file from the server before they send it to the bank. And let's say after they've been transmitted that file, they may forget to remove that file from their PC or laptop after it's been transmitted. And PCs and laptops are often more vulnerable than back end servers, they just don't have as much security generally on them. So, that can make those systems very vulnerable, and those file sets are not cleaned up properly.
Also, a lot of end users use email to send sensitive files. And maybe they don't realize that an email attachment is not encrypted on, it's going to be in the clear by default, which is going to make it very susceptible to theft. And also, a lot of users are using free file sharing services like Dropbox or other third party kind of cloud services to send files. And this is in essence kind of becomes a shadow IT function in which case the IT group has lost control over those files, there's really no management or audit trails of those files leaving the company, since they're going through those kind of unauthorized cloud sharing file services. So, without having good internal policies for your end users, you're really risking the loss of sensitive files that may be transmitted through one of those unsecure methods.
And then finally, a lot of file transfer mechanisms don't have good error alerts or audit logs to meet compliance requirements. So, when your programmers are building out their FTP scripts or if you have end users using these simple PC file transfer tools, they're not going to be alerted immediately in a lot of cases when transfer fails. And so, unfortunately, you may have to wait for your trading partner to call you to let you know, geez, I did not get my file, please transmit it. And so, that's kind of embarrassing for a company that they have to wait for a trading partner to notify them.
And a lot of these legacy methods and tools just simply do not generate the logs needed to meet modern compliance requirements. And this is becoming a real issue with auditors. Oftentimes, the auditor may ask where are the logs of files leaving your organization? And oftentimes, organizations cannot gather that information. If they can, it's very tedious and can't be pulled together quickly. For instance, can you tell the auditor what files left your network on a given date range or certain time period and by which users? I think a lot of organizations would have problems telling the auditors that. And so, because of these vulnerabilities, it's really become difficult to meet compliance requirements using these older traditional tools and manual processes.
So, what we recommend for secure and efficient file transfers is some kind of multi-part step of bullet items here. First of all, you need to move away from unsecure technologies like standard FTP or email for sending these files. Instead, you should use secure protocols like SFTP or AS2 or FTPS. And there are several available to choose from, but these modern standards have strong authentication and encryption technologies that fully protect the files that are being transmitted over that public network or even within your private networks.
Your files should not only be encrypted in transit when you send them across the internet, but you should also encrypt those files at rest whenever possible. Especially if you're staging those files in your DMZ, which is the public facing portion of your network. It's also good to encrypt those files before you transmit them to your trading partner server because they may not have adequate protections on their server. And so you want to make sure those files are encrypted at rest on their systems before they apply the appropriate keys to decrypt those into their private network.
Also, you should look at using automation wherever possible to remove any kind of manual processes and remove the need for any kind of PC tools. And we've seen companies lock down their firewall, so no FTP is allowed to any other tools except for a single centralized solution that they have in place like an MFT solution. And so more or less when a user tries to FTP a file right from their PC, that would be blocked by the firewall system in place.
When you do these automated processes, you want to make sure that you have immediate alerts when file transfers fail instead of having to wait for your trading partner to tell you that the file is not received. And you should have at least a year's worth of audit trails for your file transfer activity. Now, depending on the regulation, some regulations require a longer duration. But at a minimum, you should have a year's worth of audit activity and you should be able to quickly generate reports on these logs so you can quickly tell by user or by date or time range what files were being sent.
So, how can you do all these things through a single solution? Well, there's a type of product out there called Managed File Transfer that will help you solve all of these challenges, and really control and secure all of your file transfers through a centralized framework. So, MFT covers all file transfers within your enterprise, be it batch or ad hoc between systems or between individuals. So you really can get a handle on all those file transfers within your organization. Besides ad hoc file transfers, it also provides that automation, protecting the data with strong encryption and providing the audit trails you need to comply with strict regulations.
About GoAnywhere Managed File Transfer
So, that kind of gets me into talking a little bit about our product GoAnywhere. So, as I had mentioned, we're going to give a quick demo on GoAnywhere. That's our Managed File Transfer solution within HelpSystems, and it's enterprise ready MFT solution. So I'm just going to kind of step through some of its capabilities. And I'm going to start off with this diagram that shows the, let me just turn on my drawing tool here. This kind of shows the types of connections that we support down below here. So let's kind of start with that.
So, as your organization grows and connects with more customers and vendors and other partners, you'll find that there's a lot of different types of connecting points that you need. So, we continue to add those through GoAnywhere. So just kind of start off with on the left, GoAnywhere can connect up to just about any type of operating system, file system that's out there, including Windows file systems, Linux, IBM, AIX and so on. And you're going to need a lot of different types of file services to support. Now SFTP is going to be probably the most popular secure protocol that you're going to need because a lot of trading partners utilize that. But you may also have requirements for other secure protocols like FTPS, AS2 or HTTPS.
Now we also do support non secure protocols like FTP or email, which you can certainly use for sending non-sensitive files. We continue to add more and more cloud connectors. In GoAnywhere, we have connectors to let you connect up to Amazon S3 buckets, AWS, Azure Blob services, as well as you can just do standard web services through GoAnywhere to push and pull information through let's say JSON or XML documents.
Also, you may need to connect up to back end database systems through GoAnywhere. So we support connections to all the popular databases, including SQL Server, Oracle and MySQL. Also, you can call out back end scripts. So you may have some programs that you may need to still be able to call out either locally or remotely. And those you can pass parameters to those applications and get result sets back. So you can have pre and post logic processing within your file transfer processes.
And then finally, we have what's called Managed File Transfer agents that allow you to install this little piece of software on certain systems that you may need to communicate with. If you really don't have any other means to connect up to those systems, you can use agents to initiate those file transfers and call workflows on those remote systems.
So just kind of starting off at the top here, GoAnywhere will allow you to automate workflows. That can be file transfers or other business processes to send and receive files between those various systems below. As part of the workflow, it can encrypt and decrypt the files. We support several different encryption methodologies like AES and PGP encryption. You can also zip and unzip files using like the zip 2.0 standard or gzip or tar within your file transfers. It can also translate data between different formats. So perhaps you need to do a database extract and convert that data to let's say a CSV file or XML before you distribute that off. So GoAnywhere lets you not only write out to those formats, but it can also read in various formatted files, let's say XML or [inaudible 00:20:22] and parse that out, and import that to, let's say, a database.
Now, once you've set up your workflows, you can run those workflows through our integrated scheduler if you would like. So, we have a very comprehensive scheduler that allows you to run jobs by the minute, by the hour, certain days of the week or days of the month. You can set up custom holiday calendars, have it skip certain days of the year, that might be your corporate holidays or on the day before or after those holidays. Another way to kick off jobs though is through folder monitors. So we can watch folders on various file systems that could be maybe a Windows Server or perhaps you have some files stored on an SFTP site. We can just be constantly monitoring certain folders on those systems. And when certain files appear that meet your criteria, that can kick off a workflow to automatically process them. Maybe you have an outbound EDI document that needs to be sent as soon as it appears in a folder through a trading partner.
Now, we also provide commands and APIs that lets you kick off processes in GoAnywhere from your own application. So, those could be like a Linux script, a shell script or a Windows PowerShell script, or maybe you just want to do a web service call to GoAnywhere to kick off a job as you need to. And those can pass parameters and get result sets back as well.
Now, GoAnywhere can handle not only outbound file transfers, but also inbound as well. So it does have an integrated SFTP server. It also has an integrated FTPS server and an HTTPS server and an AS2 server. So your partners can connect up to you and pick up files and drop them off as needed from their authorized folders. As I mentioned, we can do both ad hoc and batch file transfers. They can synchronize files between various systems. We also have what's called Secure forms in GoAnywhere. So you may want to collect information from your trading partner along with the files. So maybe they need to fill out maybe the state that they're uploading from. Maybe they need to put in some form identity during that process. So that form can be submitted along with the file to the workflow for processing.
We do have an alternative to email called Secure Mail in GoAnywhere, where they can strip the file attachment, and they can then instead send the file as a secure HTTPS link to the recipient. So then the recipient can simply click on the link to retrieve the file from your site. So, it's great for sending out large files or sensitive files because we can instead store that file encrypted on your server and only the intended recipient can click on their link to retrieve that file from your site.
Finally, partner management's included in GoAnywhere. So you may authorize or authenticate your partners against Active Directory or LDAP. Or it can authenticate against our own internal database. And for each trading partner, you can indicate what folders they have authorities to, what IPs they're allowed to log in through. It's a very extensive partner management system.
Now alerts can be sent when any kinds of problems occur in the product. So maybe a file transfer's failed. Now, first of all, we do have built in auto retry, so if it can't connect after the first time, it can continue to try that connection for a period of time. And you can set that threshold on there. But if it continues to fail, you can have it sent out like an email or a text message or syslog message to a system to let it know that it exceeded the attempts and it continued to fail. Of course, all activity is going to be audited in GoAnywhere. That's one of the biggest driving factors for organizations to buy a Managed File Transfer solution like GoAnywhere, is they're going to get complete audit data for all file transfers, inbound and outbound, and you'll be able to generate reports based on that.
And I'll jump into a live demo here real soon. But just a couple more things here. You may want to deploy GoAnywhere to a Windows platform, or you may want to put it to a Linux system. Or perhaps you would like to put it on Amazon AWS or Microsoft Azure, or put it on an IBM system. So GoAnywhere is very flexible in that you can choose where you'd like to deploy the product to. It runs on just about any operating system, any platform, including VMware. And so, you can choose where that should be best deployed based on your environment. As I had mentioned, both batch and ad hoc all file transfer management can be done right through the browser interface. So you do not need to install anything onto your desktop. Just open up your favorite browser, be it Chrome, Firefox, Internet Explorer, Safari, it's up to you. All of your management can be done through the browser interface.
We've talked about inbound services. It also encrypts not only files in transit, but also at rest using AES 256-bit encryption. And if you're in the federal government, we do have FIPS 140-2 compliant ciphers in GoAnywhere. So it can encrypt with just validated ciphers like AES 256-bit encryption, when those files come at rest. And then when the files are then later accessed by an authorized user or application, it can automatically decrypt those files for the authorized user.
We have the built in key management tools to let you work with any kinds of certificates or keys needed in the product. We can import and export those. You can have multiple administrators in the product. Each administrator can have different roles in the system. So you can have some administrators that can maybe set up new jobs and run certain jobs in the system. Others that can maybe only look at audit reports in the system. There's about 15 different layers of security in GoAnywhere that you can pick and choose based on the administrator's role.
So, let me get to some screens here. And what you would do is just point your browser to the IP or the hostname of the server where you've installed GoAnywhere. By default, the port is 8001 for the admin port, but you can change that in the product setup. And then you'll log in with your account. You can, again, authenticate this against your Active Directory domain or against the LDAP server, or you can authenticate against our database. And again, you can have multiple administrators. That helps when you put in the right credentials here. And once you log in, it will take you into the dashboard.
The dashboard is going to tell you real quickly what's going on in the system. It'll give you graphs and charts in detail on file transfer activity. These dashboards can be customized. Each gadget can be rearranged and added or removed. There's about 24 different gadgets to choose from. So it's nice just right at your fingertips, you can quickly see what's going on in the system in regard to the file transfers within your enterprise.
Now, all of your various features that you have access to will be available through these drop down menus along the top. And then for the most popular features, we've created these big buttons, which we call Quick Links to let you set those connections and manage your trading partners quickly.
So, let's just kind of start off with our first quick link, which is called resources. So resources, that shows all the different types of servers that we support. So you can see on the left side of the screen, all the different types that we're talking about that you're going to be able to connect up to. For instance, maybe you need to go out to an SFTP server. So you can go down here to SSH servers, you can see we have several predefined. So all the connections are stored in our central database that you can add new connections to, you can edit connections, remove those, and share those amongst other administrators.
Now, for each connection, let's open one of these up. So, depending on the connection, you may have different properties. For like the SFTP server, you can see we need to specify the IP port user. You can specify key for that connection. Like in this case, it'd be an SSH key. You can put in advanced properties for that connection, like here, I told it to retry up to three times every 10 seconds. That's going to give you that auto retry. You can set which encryption ciphers to use on the connection, or you can just go with the defaults. You can even put in contact information. So if you're having troubles connecting to that server, you'll know who to call or email to let them know that there's an issue.
So that's just the properties for an SFTP site. One thing that's really nice here is you can quickly test the connection, just click the test button here. And it'll make sure that you've set up everything properly. And it will actually authenticate that connection, make sure you got the right credentials. And then it's going to give you a result sent back letting you know if there's any problems connecting to that server. So in this case, I had a problem, and so then I could fix it and, let's get out of here. In this case, maybe you just put in the credentials wrong, and you can put in the right credentials, and then retest it. Let's get out of this.
So that's setting up your SFTP connections. Maybe you want to connect out to a database server. So, for instance, let's just go down here. Here's a SQL Server box I wanted to connect up to. So you just choose the driver from the list, we ship drivers for all the popular database systems. And then you can put in a type to your hostname, and then you'll be able to run embedded SQL within your workflows to interact with those servers. Perhaps you have some data sitting up on Amazon. So you could set up an S3 bucket connection. We're just going to need to know the key ID and the secret access key to connect up to that S3 bucket. And then we'll be able to access files on that S3 bucket just like you would any other network server.
You can also set up connections to HTTPS servers, mailboxes. You can set connections to web services, like maybe you want to go out to a REST server. You can put in its URL, how you're going to authenticate against it. So again, you're just predefining those connections to the system. Now once you've set up your connections, then you can start setting up what we call projects. So projects, think of them as a workflow or a script, and you can organize them into folders and subfolders.
I'm in a folder right now called examples, and here's all the various projects I've set up. Now, again, these could be projects that do just file transfers or it could do additional things like calling out your back end scripts or zipping up the files and other processing. In fact, let's look at this particular project here. And the project designer is going to just give you a quick outline of what's going to happen in the project. So, at the top, that's the name of the project. So you can call it whatever you'd like. And then if you look on this query, you can see that we're going to run an SQL statement to pull some data out of a database.
Now we do ship a database SQL wizard that you can click on here to quickly select columns and tables and build out your statements quickly. And then after that point, we told it to build an Excel file from that data. Now, if you want to build a different type of file, you got a lot of different options here on the left side of the screen. So maybe instead, we want to write out to CSV, you could just drag that into your outline, and that data can go out to a CSV file instead of an Excel file.
But on this Excel file, we're going to build a file with this name. We're going to write out the sheet. You can even format each individual column. For column eight, we're going to use this pattern to show any leading [inaudible 00:33:27]. And then after we encrypt our, created the Excel file, we're going to encrypt it with PGP. So I tell it to give it the same name but with a PGP extension, and to use this PGP key to encrypt it. If you don't know the key to use, you can just, the browse button, browse your trading partners keys, and then you can select that from the list to encrypt the file.
And after we've encrypted it, we tell it to connect up to this production SFTP server. If there's any problems, we told it to call this error module down below which is going to send an email, let's just jump down to there, it's going to send an email out to this person, let them know the transfer failed and we're going to include the error message there.
But on the SFTP connection, we're going to send that PGP file that we created in the prior step onto this inbound folder. And we told it to use the current timestamp to prefix the file. So you would just define the steps to perform in your outline, there's about 100 different tasks to choose from on the left side of the screen. Let me just kind of open some of those up. So here's all of our various cloud connectors you can choose from on the left side of the screen. And these are something that we're really adding more and more cloud connectors over time. And in fact, we allow customers and partners to build the cloud connectors as well and implement those within GoAnywhere.
You can also see all the different compression tasks we have, database tasks. You're going to get, of course your readers and writers for various formatted files, email tasks. You're going to be able to copy, move, delete files. All of our different file transfer tasks. Like here, I've opened up SFTP, you can see all the different actions you can perform. We got tasks to let you run your own native commands within a job. And so on PGP tasks. So there's a lot of tasks that you can add to your project.
Now, once you've built your project, you can run it by just hitting the execute button. And it's going to run this project from top to bottom. So it's executing the project now. When it's done, you can then view the job log. So we're just going to let that run through a quick. The job log is going to keep track of all steps that were performed within the job. And so, let's just go ahead and drill down into the log here. And so, we're going to go into the audit logs and I'm going to show you an example.
So here's a log here that was just generated. And so, every job's going to get a unique job number assigned to it, what we call a job number. And then it's going to tell you all the steps that are performed. So like here's where, if you looked where I've highlighted, we ran an SQL statement, select some data from a database. We then wrote out to an Excel file at this step. We then zipped the file up or you could have encrypted it instead. And then we did an SFTP task to upload that file to the SFTP server.
These logs are going to stay on the system as long as you would like. Go into the log area, you can filter those by date range. You got a lot of other filters, you can filter by user, by job name. Once you see any log generated, you can always click on it to drill down into it here. You can export the logs and generate reports on that as needed.
Now, if you're just interested in a certain file name, you can go to the audit log here and you can say, well, geez, I just know the particular file I'm interested in. For instance, you could specify that here and select here, maybe I know the files employees. And I could apply that and it'll find any occurrence of the file with employees in it. And no matter what [inaudible 00:37:36] is deleted, uploaded, downloaded, it's going to show the activity here.
That's just one example of a workflow. You can also create your own projects just by clicking the create button here. Just give it a quick name, maybe you just want to send a file to ABC Company. Put that in here. And then I'll take you into kind of a blank canvas here, in which case, I just want to do an SFTP to that partner, so I just do a put. I just drag that up there. I can choose my SFTP server I want to put to. I just choose it from the list. And then on my put statement, I can choose one or more files. Maybe I just want to send a single file. And so you can just select that, you can choose the destination on that server. And then you got your transfer defined. And now if you want to save that, you hit the save button, and now you got that project which you can run whatever you'd like.
Now, if you'd like to run that to the scheduler, you go under the workflows and go into the scheduler function. And this will show all the scheduled jobs that are set to run. I'll just show you an existing scheduled job here. Select here's a zip scheduled entry. So that's the name of the project it's going to run. You can tell it what user to run it under. You can then choose to schedule. In this case, I want to run it hourly. I can also have automatically keep trying the job if there's any kinds of problems. And then scheduler can also automatically email you if there's any issues here.
Another way to run a job is through a folder monitor. So let's just jump over to that. So here, we're watching this folder called outbound for any files created or modified with an EDI extension. That finds files that meet that criteria, we can then automatically run whatever project is defined here. In this case, we're going to run this bank transfer. Now, you can also run projects from, as I mentioned, from the command line or through our APIs, and those come at no additional charge, so you can kick off these jobs that you need to. And you can pass in parameters to the projects to override file names and other criteria.
That's on the batch side. Let's flip over to the ad hoc side and we got about five minutes left in the live demo. So I'm going to jump over here. So, we also have a web client for ad hoc file transfers. Now you can have your own corporate logo here. And then users can log in with their AD credentials. Or you can authenticate against our database. You can also let them create their own account in the system, and in which case, they can go through an approval process where they won't be able to log in until your administrator approves them in the system.
I'm going to go ahead and log in with the system with this account. That will then take me into the authorized folders for that user. We call them secure folders. Once they come into those folders, they can then upload, download from those folders and so on as they need to. And they can also work with their secure mailing system. So they may have some secure email that they've created, or maybe they want to send out a secure email to someone else here. They can also go through the Secure Forms, in which case, maybe they need to submit some information along with their files. Like here, we're going to ask them for an email address and the required signature. And then they can then attach files here to upload those to the system.
So secure folders are going to make it real simple to do quick file uploads and downloads as needed. Now, if I flip back over here to the administrator side, let's jump back in to the audit log reports. This is going to show you all that activity that's secured on the system. So let's go into the file transfer activity, let's run that here. This is going to show you for our date range, what that activity is. And so, it's going to open up that report for us. So I can see during this time range, about 7AM is where we're getting the bulk of our file transfers. So you can show by hour of day or by day of week or day of month, where most of your workload's going on within the system.
We also have what's called a PCI security settings audit report. And that's going to analyze all the security settings in GoAnywhere to make sure you've configured all the settings properly. This is just a demo system, but it's going to show you how many systems passed or how many features passed the security settings, how many failed and how many warnings. So, before you go live with GoAnywhere, you'll want to make sure that most everything is passed in the system. And we're going to show you what PCI sections each little security settings deal with.
Now, as I mentioned, you can install GoAnywhere on really any system that you'd like. It doesn't matter what platform you deploy to. We do offer a free 30 day trial of GoAnywhere, so you can actually download it right from our website, which is goanywhere.com and try it out for yourself.
And Brooke, I think you wanted to mention something.
Brooke: I did. Yeah. Thanks, Bob. Before we wrap up with some time to take your questions, just to help you think through features you are looking for requirements you might have and any considerations you need to consider when researching MFT solutions. We put together a secure Managed File Transfer buyer's guide. And as Holger mentioned at the top of the call, it's available in your handouts section to download. We've had a lot of people tell us this is a helpful resource. So we like to share it.
And as Bob mentioned, we have a free 30 day trial on our website, and the URL is on the screen. So, go there if you're interested and get started. And then if you have any questions that we aren't able to answer in this Q&A time, feel free to email us. Our emails are on the screen and you can also call us at the numbers above. So I believe Holger is going to transition us into some Q&A time. Holger, do you have any questions coming in from the audience?
Holger: Thank you, Brooke. And thank you, Bob, for a great presentation. Yeah, let's tackle some of the live audience questions that are coming in from our webinar audience. All right, let's see. Bob, the first question here, what are the benefits of SFTP over FTPS? And what is the difference? Bob?
Bob: Okay. That's a good question. We do get asked that a lot. And it's kind of confusing because they just put the S on the front versus at the end for SFTP versus FTPS. But they are two totally different secure FTP protocols. SFTP is using an SSH tunnel to send the file, where FTPS uses SSL or TLS to secure that transmission.
So, let's start with SFTP. SFTP is really the most popular secure FTP protocol being used today. And I think the main reason for that, well, there's a couple main reasons, it was built into Linux and Unix operating systems so a lot of people are familiar with it. Also, SFTP uses a single port, which is Port 22 by default. And so, it makes it a lot easier to pass that to the firewall. So let's say you need to connect up to a trading partner, you only need to open up Port 22 and now you're going to make that connection to your trading partner. So that's where that's really become popular.
Where with FTPS, that's going to require more ports. Normally you'll have a control port, let's say Port 21 or 990, depending on if it's an implicit or explicit FTPS. But you're going to have that initial port plus [inaudible 00:46:11] open up a range of ports for the data. So they might use, let's say, Port 990 for let's say the commands and the authentication. But then they may request another port for each file that gets transmitted or each directory listing and so on.
So you're going to have a lot more ports that you have to open up with FTPS. That's why we traditionally see FTPS being used more for internal communications between systems like mainframes, and then SFTP being used more for exchanging files with external partners over the internet.
Holger: Very good, thank you.
Bob: That's a good question.
Holger: Exactly. Before I move to the next question, there's a couple of requests coming in for folks who wanted to write down and the details were on the previous slides. Let's switch back to so that-
Holger: Perfect. Bob, the next question, should we use a crypto key to authenticate secure FTP connections in addition to a user and password?
Bob: Okay, that's a good question. I would highly recommend using this second form of authentication like a key certificate in addition to the user password. As you know, users and passwords are human generated in most cases. Therefore, they're vulnerable to attacks through like dictionary or brute force attacks. So by having a second piece of identification like an SSH key, an SSH key being used for an SFTP connection, or you can use X.509 certificate to authenticate an FTPS connection. Those two additional forms will make the authentication much more secure. And there's really easy ways to generate keys and certificates today. In fact, we have it built in to GoAnywhere to work with those keys quickly. If your trading partner generates a key, you can load that into our products so you can authenticate their key when you make that connection. So, I would definitely recommend a key on top of the user and a password.
Holger: Yeah, that makes perfect sense. How can we stop end users from sending files from their PCs using FTP tools like FileZilla?
Bob: Okay. That's good. There's a couple ways you can do it. One is you can take away their admin controls on their PC so they can't load FTP tools on their system like FileZilla and other tools to send out files. Secondly, you can set up firewall rules. So, only a centralized, like an MFT solution can send files over Port 22 for SFTP or Port 21 for FTP. So that way, if the user is able to load an FTP tool and they try to connect in through your firewall, that activity would be blocked. So that's the two most popular ways to do it.
You also may want to look into blocking that free file transfer sharing software like Dropbox and other cloud services that they can use to kind of circumvent the more controlled processes. And then again, that kind of gets back to, once you've blocked that, you need to give them an alternative to send those files, and that's where a Managed File Transfer solution comes into play, where you can preconfigure those file transfers for them, and then you can still give them an interface, like we have a user interface in GoAnywhere where they can just log in and still run those transfers when they need to, if they all need to be automated by your client to get that control and audit in those file transfers that you wouldn't get from their PCs.
Holger: Very good. Thank you, Bob.
Bob: That's a good question.
Holger: I think we have time for one more question. Is there a problem with keeping our FTP server and files in the DMZ?
Bob: Yup, that's a good question. So, traditionally, companies have installed their FTP servers in their DMZ area. That's kind of the public facing portion of your network. And the reason why they did that is because they're afraid of hackers maybe getting access to their internal private network. And so they set up this kind of secondary network with their FTP server.
Now the problem with that though, is now that you have that FTP server sitting on your DMZ, now you got to stage files out there for your partners. So you got to put files out in your DMZ that your partners need to pick up. You need to also, your partners when also they do their uploads, those files will land in your DMZ before you can move them up into the internal network. Well, while those files are sitting in your DMZ, that makes them more vulnerable to hackers. So you could potentially have a hacker get into your DMZ since it's much more accessible than your private network and access those files.
And even though the files may be encrypted, they're still on, a lot of auditors still don't like to see any kinds of sensitive files sitting out in that DMZ area. So, what you should look to do is move your FTP services or secure FTP services into your private network. Now, the fear of that for a lot of companies is they don't want to open up inbound ports to their private network. So what you can do is you can put what's called a gateway out in your DMZ. And we have a gateway for GoAnywhere. And that gateway will be used as a reverse proxy.
So any connections that come in to your network will first hit the gateway. The gateway will then reverse proxy that connection into the FTP server that's been sitting in the private network. And that control channel will actually be open from the private network to the DMZ at start up time, so you don't have to open up any inbound ports to your private network.
So you really get the best of both worlds. You don't have to open up any inbound ports into your private network, and you don't have to stage any files in your DMZ area. So that keeps your auditors happy.
Holger: Excellent. Thank you, Bob.
Holger: All right, we are at the finish line for today's session. And as we're closing this webinar, I would like to thank everybody for joining us. I hope you enjoyed today's presentation. Bob and Brooke, many thanks to you for sharing your insights on how to improve security and efficiency for file transfers. Thank you both.
Bob: All right, thank you.
Brooke: Thank you.
Holger: Now, this concludes today's session. I hope we will see all of you again at one of our future webinars. Thanks, everyone.