How to Prevent Data Breaches with GoAnywhere

Brooke: Hello everyone. Thank you so much for joining today's event on How to Prevent Data Breaches with GoAnywhere. In the next 60 minutes or so, we'll talk about the cold hard reality of data breaches and then the better news of how managed file transfer can help prevent them. We'll send you a copy of the recording after the event if you'd like to rewatch anything and as we go, if you have questions, please submit them through your control panel in the questions pane. If we don't get to your questions and we have time at the end, we'll try to get to them live otherwise, we'll make sure to follow up after the presentation. I am joined today by my co-host, Dan Freeman. Hey Dan, are you all set?

Dan: I think I am.

Brooke: Great, so to give everyone a quick introduction to Dan, if you haven't been on his webinars before, Dan has spent the last 10 years of his career in various security roles ranging from systems engineer to security officer and he currently serves as Senior Solutions Consultant at HelpSystems for the GoAnywhere product line. Let's take a quick look at our agenda for today's webinar. We're going to talk about the risk of data breaches, including some interesting statistics around the cost of data breaches to today's organizations. We'll discuss how managed file transfer can help. We'll show you our GoAnywhere solution in action and we'll finish with a quick Q&A session if time permits. All right, Dan, I'll let you take it from here.

Dan: All right, I appreciate it Brooke, and thanks for everyone for taking the time out to sit on this webinar, taking a peek at how managed file transfer and GoAnywhere specifically can help prevent your systems from being hacked. Now, having said that, GoAnywhere will most likely just be a segment of probably your entire network and systems, but we can provide you with the latest encryption ciphers and algorithms to safely transfer and store your data. Now before we get started, I do have three disclaimers. If you happen to sit on the, Think Like a Hacker webinar a few weeks back, the first couple minutes or slides will be a little bit of a recap. Number two, for those existing GoAnywhere customers, there'll be a little bit of a GoAnywhere one-on-one basics so we can get those that are not familiar with GoAnywhere some context as to what we're doing. The third disclaimer is, the joke I'm about to tell you is pretty bad.

The Risk of Data Breach

In other news, did you guys hear about the latest big cyber attack? If the government is on high alert looking for them, unfortunately, they don't know exactly where he or she went, they just know that they ran somewhere. Okay, I'll wait until the laughter starts here and we get jumped in. All right, let's get jumping into why we're here. Let's talk about some of the ways that GoAnywhere can help in preventing those data breaches. As we all know, data breaches are bad, from financial loss, potential secrets being leaked, customer data compromised, basically everything leading up to tarnish reputations and can be very, very resource intensive and consuming to get everything back the way it was. How do we avoid this potential disaster? Well, as mentioned earlier, I don't have the comprehensive answer and neither does GoAnywhere, but we can definitely show you a few areas where GoAnywhere can assist.

Let's first take a look at some stats on 2018 as related to the breaches and their costs. Now for the next few slides, I'll use both the Verizon DBIR or Data Breach Investigative Report from 2018 as well as the cost analysis report conducted by the Ponemon Institute. The first one here, there weren't a ton of high-profile breaches as there were in recent years. A couple years ago, Equifax, last year you had Yahoo and Facebook had some fairly large breaches, but this is going to be just a kind of a breakdown of what happened here. You'll notice at least from the per capita standpoint this last year, 2018, was just a smidge, $7 more per incident than last year, but you'll see over the last five years they've been right around the 145 ish rate per, per incident.

By country or region, the United States shines above the rest, unfortunately. That's probably not a good thing as the highest per capita cost per breach at $233 per record and then you have CA and Germany respectively below that and then Turkey, India, Brazil, much lower per capita costs at 105, 68 and 67 per record. Assuming I think the obvious things are going to be the amount of target vectors that each country might have, that's probably going to be a lot of things and maybe other things, maybe not as good security, whatever the case may be. This next one here, we're going to look at the per capita cost by industry.

The first one on the left, if you can see that, the bottom left graph there is going through the frequency of samples by industry. I don't think it's a huge surprise probably to most folks, but financial services getting hit the most with services and industrial manufacturing behind that, but then the other one that point out way down the list, like the fifth one from the bottom is healthcare. Only reason why I point that one out is if you look at the next graph over to the right, if you look at the actual cost per record by industry, healthcare far and away blows everybody away as far as how much per record those breaches are costing those companies.

Financial, a little bit behind them but the reason why financial I think in health in comparison as when we look at these certain types of things with the health industry, you've got your protected health information versus maybe financial data, credit card information, account number. With those types of information, financial data, users can pretty much just put it on hold, suspend, change their credit card, cancel, things like that. That's a one and done or a very, very time limited basis. With PHI, you really obviously can't change who you are, some of those things. Things like healthcare industry or healthcare premiums being so high, it can be very lucrative to get individuals healthcare information to maybe start accounts and do payments on their information.

Also, maybe to the fact that maybe you don't want things to get out in the open so there could be blackmailing going on for different individuals. Point is, the shelf life for financial data, very, very short whereas the shelf life for healthcare information can be very, very long. One stat I saw last year on the black-market, financial data, my credit card information could be right around a dollar per record, whereas if you start adding PHI, it starts somewhere around $20 per record so it definitely can be more lucrative and that's why I think you're seeing that.

Here's some of the cybersecurity statistics by costs. The black items, going to the right, are going to be how you can save money. The blue ones, going left, are going to be your cost additions. I'm not going to point through all of these, but your incident response team, extensive use of encryption, we'll definitely talk about encryption more often, your business continuity management involvement, employee training, but basically the three of the top four are human involvement of some sorts. Will point on the one down there, extensive use of DLP or your Data Loss Prevention appliances? Again, those are going to be things that you can do to save you and again, by those dollar amounts per record, how much.

Now you look at the bottom and you talk about compliance failures where we can talk about how we have built in security auditing reports that can look at your current configuration and point it against, well, we're gong to point it against kind of a PCI DSS type standard but it'll look to see how you have go anywhere currently configured, where you're lacking, where you're failing, give you mitigation steps, and then obviously map it to a PCI DSS security setting. We can take a look at that when we jump in there.

Keep on rolling here. The root causes for a lot of these breaches. The one to me that stands out is that 27%, that human error, I think this really gets to the point on how MFT in general and GoAnywhere can help you, hopefully, try to eliminate that as much as possible through that workflow automation, things that we'll talk about. System glitches, again, you can do it from a configuration settings, I think those reports to tell you where you're at, can help you with that. Then malicious or criminal attack and we'll look at breakdown of that 48%, but a lot of it is sometimes insider misuse. In that case, we can do a lot of auditing and access control to help mitigate some of those as well.

Some of the key findings, I guess from the 2018, you had a 6% increase in total costs, 4% on capita and 2.2 as far as the number of records that were breached in 2018 as compared to 2017. Average breach, 3.8 million so not really complete chump change, at least for a lot of organizations. Again, the hacker and insider threat. It's not just outside users, it can be malicious insiders comprised of almost half of all the breaches. This next bullet point we didn't really touch on in the previous slides, but the meantime to identify usually those breaches is 197 days in 2018 and if you just sit back and think about that for a second, that's a long time. That's a really long time for folks to be sitting on your network, doing network probing discovery to really pull and infiltrate data out of your network without you even knowing.

Mean Time To Contain what you do find in about 69 days again, a long time for you to get those fixes mitigated. Then both Mean Time To Identify and Contain were highest for malicious criminal attacks versus human error. I think that's kind of common sense. If it's a malicious or criminal attack, most of the time it's going to be somebody having to find that, whether or not you have proper defenses in place whereas human error, we'd like to think most humans have a moral compass and they actually know when they did an error and they will actually tell it. That's probably part of the reason why those are a little bit shorter on the identifying and contain, because they probably know what they did.

There's a couple other ones, that third party involvement, if you think of Target when they had their HVAC contractors, how they actually got hacked way back a few years ago. Anytime you have third party involvement it's going to cost an increase because you have to deal with somebody else. Same thing for cloud migration. There's usually a lot of IT folks in action there to help identify what resources that we need to deal with, so that can be another tough one to deal with. That gives you that maybe shock factor on what we're looking at as far as how breaches can affect your organization and some of those, especially from the bottom-line standpoint. What are we actually doing from the bottom-line?

How Can Managed File Transfer Help?

Let's look at how managed file transfer can help. On this one we've got, we'll say four pillars of a generic idea of where MFT can help prevent data breaches. I do actually want to take a second to make sure you read that title there, How MFT Helps Prevent Data Breaches. One thing I've noticed in our industry and other industries as well that is a little misleading I think, is when vendors will say that their product is something compliant or can make you something compliant. That's pretty tough to swallow from out of the box. Usually, those programs or those software solutions, especially like ours, we give you those cipher suites and algorithms and key exchange methods to configure the product to make that application compliant as far as whether it's PCI, whether it's NIST compliance, whether it's Bismuth, Hippo, whatever the case may be but you've got to realize two things.

One, it's how you configure. We give you the tools to configure properly. Two, usually, this application is only going to be a part of your entire system that's under scope. That's maybe just a quick FYI when I definitely mention how we can help you prevent data breaches. I don't want to be misleading like I see a lot of folks' do every once in a while. Having said that, encryption. There's going to be two things I'm going to say. If you don't remember anything from this webinar, because I know it's going to be a lot going on, this is one of them. Encryption have an easier way and a really good way to cover a lot of how breaches happen. We need to make sure that we're encrypting our data both in transit and at rest, whether it's server to server, user to system, person to person, whatever the case may be, we definitely want to make sure that we are encrypting our data.

Alerting, alerting is great and we'll talk about auditing in a second here, but then your auditing log files, all those things are great but if nobody's paying attention to them, if nobody's getting alerted on them, they can almost be a moot point and you're maybe just checking boxes for your auditor at that point. Alerting, whether it's the files that you're trying to send out, they fail, whether it's just system alerts, your service going offline, admin alerts, the account gets disabled and it's tied to an SLA. You definitely want to be on the forefront of things like that to make sure that these actually go through and we'll talk about more triggered alerting as well.

The automation piece, this is where you try to eliminate that 27% that we just looked at of data breaches caused by human error. If we can eliminate the human processes as well as manual processes as much as we can and make it automated, then we can hopefully eliminate some of those human error and get rid of that, again, that 27%. Audit and access. If you guys are a part of any compliance regulation, you'll know that auditing and accountability as well as access control are usually two very, very important security families that need to be addressed for pretty much any chance of securing your systems.

You definitely want to have insight in what users are doing, when they're doing it, what files are changing, when they're doing, et cetera. Also, have good tight access control for at least privilege and allow only what's needed per user. On that note, that's the second one I want you to remember, if nothing else. If you have, for your access controls, I highly recommend multifactor or two factor authentications. It really makes it difficult for hackers to get into your credentials if you have some form of two step verification. On that note, bad joke number two, what's the hardest step in a hacker's career? Two step verification. I'm sure you guys got that one. Anyhow, we'll keep on moving.

All right, so encryption in depth here. We'll look at on the move. This is obviously applying encryption for in transfer. We will have the latest cipher suites and protocols as defined by NIST to make sure that we are FIPs 140-2 compliant or at least have the capability of configuring it that way. These are going to be things like your HTTPS channels, your SFTP, FTPS, whether you use a certificate, TLS encryption, SSAS technology, we can have the means for you to have that ability to transfer those files securely. At rest, we definitely want to have an ability to provide to you if you don't have your own, say, disk level encryption or stores that has actually encrypted at rest.

We have a few ways to do that, whether we're going to do our encrypted folders, whether we're going to leverage PGP file level encryptions for those files to be encrypted at rest. Also, going to have lots of different modules and we'll look at them here in a little bit like your Secure Mail, Secure Forms, your GoDrive, any passwords. All of those can be encrypted with the master encryption key, which again, we'll mention in a second, leveraging AES 256-bit encryption for those files at rest. Now, how do we manage those keys? This is going to be managed by a database driven key management system for your three keys, your certificates, your SSH and PGP keys. Again, we'll jump into that.

The master encryption keys, like we mentioned, those have always been available. Just recently, a couple of versions ago, we added it to where you can rotate the keys. There's nothing you can do from a management or configuration of the actual keys themselves. You just have the ability to add new keys so that you can rotate them say every year, every two years. A lot of times that is another compliance regulation that you met, that you actually rotate some of your master encryption keys. Alerting. We have things like system alerts like we mentioned. We can look at system events. If you have, the servers actually goes on, you have a cluster, one of them goes out of the... one of the nodes go out of the cluster and you have a gateway in front of it. The gateway goes offline. They can't communicate. You can get email or SMS alert on those types of things.

Things like your thresholds. We talk about certificate protection on certain protocols or PGP file auto encryption. Those individual keys can have a threshold of say, "Hey, these are going to expire in 30 days. Someone needs to be notified." Triggered events. We'll go through a few of those as well as examples, but these are going to be based off of web user activity for those who are not GoAnywhere customers, web users, think of those as the folks that you're creating to log in to GoAnywhere to leverage whatever service you're offering, whether it's SFTP, the web client, FTPS, FTP, some of our proprietary protocols, the actions that they're doing, whether they're uploading successfully, their account gets disabled, they downloaded something successfully, the upload failed, things like that where we can actually trigger an action, whether it's calling a project, whether it's doing some simple file movement, executing native commands or simply sending an email to let people know.

The project logic. We'll talk about a little bit. We won't go in depth too much on projects, but that's going to be where you're doing your automation. At a very high level, think of it as kind of traditional scripting. If you have a script that's grabbing a file and it's FTP in and out the door to somebody, if something fails in there, usually in scripts you don't have retry logic, you don't have notifications within your projects. Now we can actually put some of that error logic in there to where maybe we do try some retries or we just send an email notification to the person responsible for that product to let them know that this actually failed or was successful, either one.

Then built-in alerts, we'll look at the schedulers and monitors. On schedules, they have built-in alerts to see if the project that was called that was successful or not and monitor same type of thing. We'll talk a little bit more of those. A little sneak peak, this is... I'll definitely mention ones that are not out today, but our latest stable release 604 does not have SLAs but that is going to be coming out in our release here very, very soon in 6.1. I won't dive too much into that. I'll just give you a little teaser on a couple of things that are coming. Automation projects, kind of touching on that real quick, but just your way to create some sort of business function by selecting action items to build out whatever kind of data manipulation or movement that you want to do, and we'll look at a couple.

Schedulers, again, pretty much straight forward as far as the scheduler is concerned. There is a repeat option in there. It's kind of a built-in retries upon success, failure or even conditional logic, looking at certain variables and what their values are depending upon what they are, you kick the schedule off or you don't. Monitors are going to be file system monitoring, kind of what it says. You're going to be looking at certain folders for certain types of files, certain event types to then grab, make a file list and pass it to a project for further processing. Triggers, I won't talk much on that because we'll go through a few examples but again, that's going to be off web user activity.

Then the API down at the bottom, we do have GoAnywhere Command lets, they're free out on our site that you can download that can use command line interface to basically call projects. That's going to be one of the ones, there's a lot of web user management you can do and a lot of project management you can do from those. You can also use web services. We have another web services guide out there as well that you can leverage SOAP or REST from maybe a custom application to call different project or do anything within the GoAnywhere Command lets that you want to do just using SOAP or REST protocols

Audit and access. We do have administrative role-based access. This can help maintain that job separation duties, least privilege and another teaser we'll look at is we do have, we just added the custom role in the 6.1 beta, that isn't out yet, but it's coming. I'll show you a little teaser on that when we get in the product. Multifactor authentication. Again, this is that point number two, if you don't remember anything from this. We got point number one is encryption, two is multifactor authentication. We have for both web and admin users a lot of different MFA options and we'll look at those on the service listeners.

The built-in accounts disabled just came out in 6.0 so the current release has this. When you first install the product, we are now disabling the built-in root and admin accounts. You will be forced to create an actual admin account upon login. Detailed logging, again, we're going to be looking at all the service listeners, protocols, admin user, usage, web user activities, anything from the files that are going in and out of GoAnywhere, we'll look at all of those as well. Then Syslog options, kind of threw that down there because you do have the ability, maybe you don't want to use GoAnywhere as your central place to look at log files or get alerted on. You can pass all those logs that you're getting in from GoAnywhere out to a Syslog server.

This is the one on one basis I warn the current GoAnywhere customers about. We're just going to run through this very, very quickly. We just want to give a general overview of what's going on with GoAnywhere. As you may or may not have kind of figured out, we can act as both the inbound and outbound side of things. If you want to be an FTP, a FTPS, SFTP, HTTPS web client, you can act as that type of server. We can also do outbound connections where you're actually doing the file initiation, whether it's data translation or movement. That's going to be done by workflow automation and I'm just going to jump down here to point out these are going to be what we call resources and resources are GoAnywhere's way of acting as the client. So this is us reaching out, putting in connection information, reaching out to other servers and services, whether it's other FTP servers, whether it's network shares on your network for origination or destination locations or places where you're doing file monitors, connecting out to Amazon S3 buckets or Azure Blob services or any other web services.

Database is very common. Maybe you want to dip into a backend customer database because it's files aren't files yet, haven't been prepared. You can do a select statement, pull out what the information you want put into CSV, flat file, whatever the case may be, Excel file, put it into a certain directory, kick off a project to PGP encrypted and then SFTP and out the door. Point is, and we'll look at some of the other ones in here, this is how we act as the client to connect out to other resources to further expand the capabilities of GoAnywhere. We'll, again, we'll look at the workflow automation as what we call projects, some encryption methods and a few of these other items here.

The audit logging, again, lots of detailed audit logs. We'll jump in there when we look at the jumping into the product as well. With those detailed audit logs though, we can generate different reports. I think there's 25 currently canned reports that you can just generate ad hoc or put them into a project on a scheduler to send to your C-level staff or help desk or whoever needs to see them, but you'll have access obviously, to the backend database and if your DVAs want to do some customer reports, they can do so. Then of course, pointing on our alerts, I know we talked briefly about them and we'll look at them when we jump in, but that's obviously going to be hand in hand with those detailed audit logs so that we can send out appropriate alerts to certain folks so that we can stay on the forefront of a lot of these potential issues that we might have.

Okay, let's go on. I've just got, I think one more slide and then we'll get rolling here. This especially, this is going to be on the DMZ side. Let me get a different color here. There we go. This here and what we're looking at is the GoAnywhere gateway. This is, for the most part going to be installing a service. It is going to be a broker from the outside whether it's your customers, trading partners, whoever it is, or just external web users, coming back into your internal network where MFT is going to be installed. Say you've got SFTP on 422 that you're listening on back here in MFT and you've got all kinds of different network locations that they have as far as what you're giving them access to when they log in. Similar to if they log in via when SAP they get a folder structure that you've defined. Where these are, who knows. It could be an Amazon S3 bucket, it could be just a network share. We don't know.

Point is, this gateway is going to be in front of that and what it's going to do is it's going to proxy those connections with two key elements. No files or credentials are ever going to be staged within this DMZ, so gets away from that traditional FTP type server in the DMZ where you're staging files out there, potentially the pickup. This is just going to stream that information through here. Second thing is, and probably most importantly from a security perspective, no inbound ports are needed to be open on this backend firewall back to your private network. The way that's done, very, very quickly, we open up an egress control channel port, so that's going to be a port outbound going into that gateway and it's going to say, “Hey gateway, here's your IP port mappings.”

Basically, your proxy information so that when someone does come in, we'll say it's on SFTP, they'll come into the gateway. It's going to use that pre-existing channel to go back to MFT and say, “Hey, I've got Tom here, he's coming in at 22, here's his username, password, SSH key, whatever.” If everything checks out, we're going to open up a separate, and this is going to be a data channel that's going to go out and broker that initial connection. Now that we have data flowing back and forth, seamlessly, all being streamed through here, and most importantly we did not have to open up port 22 here. That can be a really nice addition, especially if you're on the server side of things and people are actually logging into GoAnywhere on your site.

Live GoAnywhere Demo

All right, let me get back to my pointer here. Let's jump into the demo so let's exit out of here. All right, first thing we're going to look at, let's look at one of the authentication methods. This is... I want to make sure I'm on the right box, local hosts. What you'll notice too here as well when you do install it, it is a web-based console for the administrative console. You don't have to download a client or anything like that. Another quick step back tidbit, it is a Java based application. Really don't get any hooks into the OS, no dependencies so no matter where you install this, whether it's Linux, AIX, Novell, IBM i, Windows, it'll look the same, just like you're seeing here, I'm going to go ahead and log in with the right account, with my login or admin credentials and first thing you're going to notice is, I use the username password and I've also got this one time or TOTP password that I'm doing.

Now, what you guys aren't seeing is me on my phone right now. I'm particularly using the Google authenticator. Let's go, make sure I pick the right one here, and it gives you that TOTP. That's that one time based, one-time password. You can use Microsoft's app, Duo, anything that does those TOTP, I just happen to be using Google authenticator. That's one way that we can do some multifactor authentication and this is from the administrative standpoint so that's a good thing. First things first, I'm going to jump in here again, just a quick overview on certain things here. We do have two different types of user roles. We've got administrative user roles and that's going to be the folks that are logging into what you're seeing here to do administration. Makes sense. Configure web users, set up your service listeners, create projects, anything from a configuration standpoint.

Within here, as the product stands now, the first, the stable release, we have 16 different RBAC roles. There are a couple in here. This is the beta version I'm running so I just want to make sure I'm clear on that. There is a web user device manager added, an SLA manager, which is great, but I think what's really cool is they added this ad role. This is coming out in the beta version too where now you can get very, very granular. So for example, we had a web user manager and if you were part of that role you could do anything with web users. Now, if you wanted to limit that to maybe some of your help desk staff, now we can go in and they call them the subject, I won't get too in depth on that.

But basically, what I'm going to do is choose what's the actual function that I want to do. Well, I want to deal with web users. If I'm dealing with the subject web users, what can I do there? Now, if I was in the web user manager role, I would have all these, but maybe I just want this person or these administrators to be able to create and edit web users. I don't want them to be able to delete them, change passwords, export or anything like that. Point is, you can get very granular and it's not just one subject. You can mix and match subjects. You can add another subject to go to a different subject over here and get very, very granular with what those specific admin users can do. I think this is a huge game changer. We've had a lot of customers asking for specifics like this for the admin user roles so this is going to be pretty cool. Again, this is in the beta, that's not out yet, but it will be coming very, very soon. I think that's a really cool addition to this model.

The second type of users is going to be your web users. Web users are going to be those folks that you're creating to log into GoAnywhere to leverage again, whatever service you're offering, whether it's a SFTP, the HTTPS web client, FTPS, FTP, go fast agents, a couple of proprietary protocols, that's totally up to you. Now, if we jump into the web users. Just a couple key things to look at. Log in methods. There's going to be a default GoAnywhere or we're going to have the GoAnywhere credentials stored in our database. They're going to be a half shot, five 12 or if you add log in methods and that's basically connecting to some sort of directory service, whether it's Generic LDAP, IBM Tivoli, Windows Active Directory is probably the most common one, point being, is you can have a different way of managing or having different login methods for the users.

On a security standpoint, no matter what service you give them, now you can decide what their actual authentication is, whether it's username, password, whether it's going to be a certificate and all the listeners except for SFTP, which is going to use a public key either or maybe you want to do some form of dual authentication. Now in the HTTPS web listener, there's also going to be an option for hooking up to a radius server should you have one, whether it's RSA, Duo, Google or whatever the case may be, as long as it's using radius, you can do a TOTP just like you saw on the administrative users when I first logged in. You can do it from the HTTPS web client. This last one is also a beta option. It's not in the current model. For those current GoAnywhere users, you're probably not seeing this because this will be on the beta, but that's going to be our own TOTP type of option where it'll send either an email or an SMS message, the password to you.

Just like any, if you were, say an SFTP server, you need to decide when they do log in, they authenticate, what do they have access to. This is where you can be very, very granular and locking them in to what they can actually see. You're going to define virtual folders so that's what they'll actually see when they log in. Then where they're physically going, that's completely up to you. You on the backend decide where they're going. The permissions, this is going to be very, very important from a security perspective, what can they actually do in this physical location that I gave them? You can get very granular on what they can actually do, and then you can also do disc quotas to make sure that people aren't blowing things up.

You can also do IP filters from a security perspective for individual users. There's also one at the global level. We'll take a peek at in a second, but if you know that this user, you want them to only log in when they're at work and you know that external IP, then you can definitely turn that on, and I would suggest doing a white list, which is going to deny everybody but only the ones you explicitly define. This will prevent users from going to like a Starbucks or something like a public free WIFI that has no password to it. You can hopefully, do your best to ensure that they're at least connecting up to you on a secured network.

Time limits. If you know accounts are going to expire, maybe you have 90-day contractors or whatever the case may be, you can expire them on a certain date so you don't have to worry about it. Time of day, I think is pretty straight forward. Day of the week, pretty straightforward. Disabled account with no activity. A lot of regulations require this, so maybe you want to do it after 30 days of no activity, 60, 90, whatever you want to do so it'll automatically disable those accounts.

One thing I skipped here was the features tab. This is going to show you the different protocols that you want to give to certain users so whether it's SFTP, the web client, FTPs, whatever the case may be, you decide on what they have access to. This horizontal check box list here is all dependent upon the HTTPS web point, which we'll take a look at it a little bit and there's four different modules which we'll dive into in just a second. But speaking of those web listeners, let's go into the service manager and this is going to be where you configure GoAnywhere to be on the service side of things, so things like, and I'll just dip into two of them. Your HTTPS web client, whether you want to, there's a couple things from a security perspective that are turned off by default, allowing browsers to save login credentials. As you know, that can probably store credentials and clear text in a local machine, which is someone got access to your local machine. That could be a bad thing.

Assessing ID in URLs and embedding with an eye frames kind of gets to your click jacking and hijacking sessions so by default, we, as a security option do not have those checks but for convenience perspectives, we allow people to configure. The HTTP strict transport security, this from an application standpoint, we'll make sure that the certificates are valid and it will not let you override it, and then a content security policy makes sure that you're only allowing certain content from domains that you define to actually populate. There is a single, SAML single sign on so if you do have an identity provider that you want to use for your logins, you can do single SAML single sign on.

Then from the HTTPS tab here you can do some file level filtering. You can obviously, not allow EXCs, whatever the case may be. On the listener standpoint, pretty straightforward. On the SSL tab, you do have enabled SSL protocols. This is going to address the poodle attack from a few years ago. Maybe you just only want allow TLS 1.2 to because you're a PCI compliant company and I believe as of now they only allow TLS 1.2. That will from a server perspective require clients connecting up to you to only use those protocols and then your cipher suites, and this gets pretty granular, so probably your security team would cipher or siphon through these to pick the ones that you want to accept and then of course the certificate, which we'll talk about in a second, that you apply to make it an actual HTTPS listener.

On the SFTP, this is a little bit more, I think straight forward. You still have the filter options as far as upload restrictions. You have your log in failures and log in failure delay before they actually get disabled. You're Diffie-Hellman exchange sizes, you can make it whatever you want minimum to be and again, similar to the HTTPS, you have cipher suites here. One of the things that we do have if you're not sure about the cipher suites and maybe you need to be FIPS 140-2 compliant, you can do that as well. There is a FIUPS 140-2 compliant module. It's just a radio button to turn on and off. What it is doing in a very high-level general sense is it's taking away the different algorithms or cipher suites that are not missed in FIS 140-2 compliant, so basically your Blowfish, Triple DES. I think only your AES ciphers would be actually allowed.

Similar to down here, Your key exchange algorithms only your 512, 256 are going to be actually allowed. That's a way that from a system, programmatically standpoint, you can have the system take away certain algorithms that are not NIST approved or FIPS 140-2 compliant. Okay. Let me give you another quick overview. We're just going to talk about resources very quickly. We're going to leverage an Amazon S3 buckets so you can define an Amazon S3 bucket. This is the one we're going to use. If you're familiar with AWS and Esri buckets, you'll have this information so you just plop it in there. Every resource you define, you can have a test button which is going to connect for the network connectivity as well as any credentials applicable.

Database servers, like I mentioned, pretty common, whether you want to query to pull information out or if you get information you can insert it or update it into your database. SSA servers, another one, whether you're connecting out to different SSA servers, most likely SFTP servers, and another one that's nice too from a security perspective is looking at those DLP data loss prevention devices. GoAnywhere doesn't have them natively. That's why we have it as a resource, so if you have a clear Swift or a Symantec or whatever the case may be, if it's ICAP compatible, we can add that as a resource. Once we define those resources, we'll just jump into projects really quick. I'm just going to just grab a random one.

Well, actually let me jump back out here. Also, from a security perspective on the folders, you can always choose the permissions that each administrator has, so not only can you custom RBAC roles, but even at the folder level here, kind of like NTFS permissions if you're a Windows person, you can get very, very granular on what those actual admins can do. Let me jump into a project just to give you a quick overview. This project designer windows where you're going to build out your business function, so kind of like the scripting, just a graphical way to put together a certain task to build out that business function.

The component library is all your different action items. The project outline, once you do grab an item, you can just drag it into the project outline. That's going to build out your step-by-step tasks. It looks like this one's monitoring email box for emails that come in with that email address and then we're taking the Excel attachment off of it and grabbing a couple of columns out of it and then doing a insert into a SQL database and I know I flew through that, but I want to get through a few other things but just to get you an idea of what I mean when I talk about projects, because we'll do a couple examples.

This being just your attribute window, once you do select a task, you need to define a few things and then we'll have some variables available to us depending upon if they're user defined, they're just system variables like we have here. They were actually passed into the project that runtime, different things that we can do. I know that was a quick overview, but just want you to get an idea, at least a little perspective what we're going to talk about in a second. All those keys that we talked about, how do we manage those whether they're SSL certificates, whether they're SSH keys? This is going to be on our RKMS. This is a database driven key management system that can manage your certificates, SSH keys and PGP keys. For instance, let's say... and you can do these from cradle to grave, if you don't have any SSH keys, you don't have any PGP keys or certificates, you can create them right here.

From a certificate standpoint, we'll just put in whatever, we'll choose the algorithm. Most people have a certificate in mind or they have a wildcard certificate. This is my domain.com. As you may or may not know the common name, if you're applying this to an HTTPS listener, this is very, very important. It needs to match whatever the host name is going to be to get to that. All this other stuff really doesn't matter. The subject, alternate names. Again, I don't know how familiar you guys are with this, but you need to make sure that you add that common name, security.mydomain.com, so that you don't get that, say a missing error when they actually go there.

Point is, you can create your certificates right here. Now granted this is self signed cert, so nobody's going to trust it publicly, but you can do your generate certificate signing request right here. Take this. GoDaddy, Verisign, whoever use, past it in their site, pay them a little bit of money, of course. They'll give you a CA reply, which then you can come right back in here, import the CA reply and now you have a trusted signed certificate that you can go put on your HTTPS listener, what we just looked at. The other ones we won't go through in detail too much because I think the SSH keys and PGP keys are pretty straightforward. It's a public and private key pair and you can apply them to your SFTP server and the SSH keys perspective or you can use public keys to do encryption to send files to somebody or you can use a public private key pair for your decryption and digital signatures.

So different things that we can do with the KMS there. The master encryption key, we talked about real quick. Here's where by default you won't see any master encryption keys, it comes shipped with the product but once you start adding or rotating encryption keys, which I'm not going to do here, you'll start seeing them here. It'll tell you which one's current and obviously if you create a new one, that old one you don't have the option to delete because we're still going to need those old ones to decrypt files that were encrypted using that when it was actually the current one. But again, this is mainly for a rotation of keys. This is going to be used for encrypted folders, GoDrive, Secure Mail packages, Secure Forms, passwords, a lot of those things. This will leverage AES 256-bit encryption.

All right, so looking at, and again we'll look at an example of like encrypted folders. This is a way that we have give you the ability to encrypt data at rest by picking out a specific physical location and encrypting all the contents that go into there. One caveat is, it has to go through a GoAnywhere authorized user for encryption and decryption. I can't go to this physical location via Windows Explorer and throw a file in there and expect it to be encrypted because GoAnywhere won't know about it, so it will still be in plain text and vice versa. You have to go through a going over process to actually decrypt files in this folder.

All right. Moving along and I apologize for flying through, I just got a few things to cover. From the alerting standpoint very, very important, I'll skip some of the, I think straightforward ones that go into our service, Java memory, hitting a certain threshold. Obviously, being a Java based app, we're going to be very dependent upon Java memory, but two of them that I hold dear because I've been burnt by this before, many, many, many years ago when certificates are going to expire, that's nice to get an alert so that you don't have your Outlook Web Access or anything tied to Exchange certificate expiring because that's a bad thing. PGP keys as well. You don't want your folks to be able to not encrypt or decrypt files depending upon your partners and who you are having encrypting or decrypting VAPGP and then a couple of other ones, gateway services going offline, clustering going in, one of the clusters dropping out. You can get notifications on those.

If we look at, I think a good one to look at is triggers. Triggers, again are going to be those ways for web users, any kind of activity they're doing and I'll give a couple examples. Account disabled. So this is going to say, what's my condition? I'm going to say, hey, if anything, any service that they come in, I don't care what service it is, I don't care what user it is, I just know if an account gets disabled, I want to send an email to and it looks like it's going to me and it's going to use a couple of variables so it should say D. Freeman when I log in here was disabled at a certain time.

Let's go to the web client really quickly and let's use the... oh, I think it was disabled, actually what I called it and let's give ourselves a couple bad passwords and it should be set to three. Let's go back to our site here. Let's go to our users and web users and disabled. Okay, it's disabled. Now, let's look at my email notification to make sure that trigger worked. Let's pull that over and here... okay, there's our email that just came in, 10:46 and yep, it just says disabled, account disabled. Well, that was the name of the user and that was probably a bad choice on my part. Account was just disabled at, and it gives me the timestamp. That's a good way to stay in the forefront and things like that, especially if you have SLAs tied to these users. That's definitely important.

We've also had people using things like using the upload or download successful. As you noticed, if I go back into the triggers, there's about 35 different triggers that you can trigger off of. I'm just going to choose three of them. Just some common examples that I see, but we had someone wanting to know that, hey, we want users to log in once. Once they download a file successfully, I want them... their account to be disabled because they're done. That's all they needed. We can use a download successful trigger to do just that. The condition, we don't care who it is at this point. The action, we're going to call a project and it's going to call this one time disabled user and we're going to leverage a couple of variables. Username and file are going to be just arbitrary, whatever you decide to call them, their values on triggers is you're going to get certain different variables, there's tons of different things to choose from. I'm just going to choose the username and the actual file name.

Now if I go to that project, which I know we talked very, very little about, but if somebody downloads a file successfully, that trigger will get triggered and this will be called this project, which I'm going to be leveraging a SOAP server, which is pointing back to our APIs are going where we command our APIs, specifically the update web user API, which has username, which I'm going to fill in that variable that I'm passing in as well as the enable then I'm going to make that false and then send an email. Let's try that one. Let's go back to our web client and let's log in as that one time and so this one-time user comes in, I download a file, there we go. It goes successfully.

Let's go back to our interface here. Let's go to that user and now he's disabled so that worked and we'll look at that actual... it says job log here or nope, my email, sorry. Here we go. There's the email that I got one time, which is the user variable was just disabled after successfully downloading and there's that test.text. I just passed it in the actual file name and those are variables that you can use on those triggers to pass into things like this, like an email. The last one is kind of our most popular trigger as far as notifying is going to be on upload successful. This one here, it looks like it's anybody, it's specifically the D. Freeman user and I'm going to just send an email and again, leverage maybe just one variable here and I'm actually going to attach the file that I upload. Let's go back here. Let's log out and let's log in as D. Freeman.

That's not right and let's just go ahead and upload a file. Let's just grab this testing CSV sounds good. We're going to upload this testing CSV so now let's go back to our email and if Office 365 is prompt, we should get another email here, maybe or unless it went to junk. Oh, why is it doing that at 10:50. Okay, yeah, 10:50. That's when it just came. I'm not sure why it went to the junk. In any case, you'll see there. Actually you won't see the... let me move that to the inbox because you won't see the attachment if it's in junk and where did that go? Oh there it is. There we go. It says, test message body, D. Freeman was the user, variable I passed and this is the actual file that I pass as an attachment to the email. Again, some nice triggered events to really keep you on your toes and stay in the forefront of certain actions that happen.

Let's look at another one... I realize the time here, but let's look at another one from a monitor standpoint. Let's say especially from an automation standpoint, so we've got... seen people have... maybe they have their medical review nurses and they're doing review and then when they get done, they need to send that file to provider A or in this case customer A. A lot of times they're letting the users do the PGP encryption or the SFTP transfer or something along the lines. In this case, we can just say, hey, we're going to have a folder structure out there. When things need to go to customer A, B, provider A, whoever, you don't need to worry about any of that stuff, you just dump the file in there. Now, from GoAnywhere standpoint, I'm going to have a folder monitor that's saying grab CSV files. I'm looking in customer A, whether a file exists, it has to be a CSV file. I'm going to call this PGPs and SFTPs out the door and I'm going to pass whatever files I grab, whether it's one, 10 or a hundred as this file's parameter to that project.

Let's look at that project real quick and monitors, there you go, PGP and SFTP. What it's going to do is the first step, it's going to PGP encrypted. There's that file is variable. It's going to get passed in. I'm going to use customer A's public key. Now, you would have had to import the public key at some point, and then I'm going to SFTP it to partner A's site. This is actually just going to a S3 bucket under customer A folder. Here's my customer A folder where it should end up so let's go to that monitor and let's go and activate it and this is pulling every 15 seconds, so hopefully, this doesn't take very long.

Again, this could be nice for just telling your customers, hey, or your co-workers or staff, just dump the files in there. You don't worry about encryption, you don't worry about sending it to them, just dump them in there. They're going to take care of the rest. If we keep refreshing this bucket, there we go. There came our sample and testing PGP files. I'm going to go ahead and disable this while I'm here and now those actually got not only PGP encrypted before they left, but they went over the SFTP protocol to the right person so that's good, another good way. Now, instead of humans putting the files in the folders, maybe an application, maybe a database does it automatically depending upon what the query is or the application steps are that can dump the file into the certain folder and go ahead and tick it off that way.

Looking at the time here, let's look at, from a reporting and audit log standpoint, now we've done quite a few changes just during this 50 minute session here. Everything from an administrative standpoint, so you're going to see, I logged in as GoAnywhere. You're going to see a few things, the grab CSV file monitor, looks like I changed it from status active to inactive. Yeah, those are a couple of things we just changed. Here's where we created that certificate, that random goofy certificate. Point is, it's going to give you all the different things that the administrative users are doing. We won't touch on this because that's not in the product yet, that's coming in our beta release here in a few weeks.

Service logs, it's going to be individual service logs that you can look at. We did a couple of things via HTTPS, back, D. Freeman logged in, it looks like he uploaded a file successfully and you can hit the Spyglass to see what it was, what the physical path was, but you can also see that project kicked off a trigger as well and that's what this is emulating. So then you click on that and see what the actual trigger was, was it successful? What did it actually do? Or you can go to the trigger logs as well.

Completed jobs, that's going to be very, very important. Every single project that gets run is going to have a unique project ID and then you can go in here and it'll just be a text depiction of everything that happened. Then we mentioned everything from a file perspective going in and out. You're going to see, looks like I deleted here a couple of files, the sample and test PGP file that went out to my Amazon S3 bucket but all those things are going to get audited as well.

With that, looking at the time, one of the other... I didn't get to the HTTPS web client features as far as Secure folders, GoDrive mail or Secure Forms, I won't touch on all these. One of the ones I thought was kind of neat actually is going to be... given maybe your employees or even publicly accessible or you can do it via SOAP or REST for custom applications and actually it's on this one. You can have people log into your web client interface and maybe do... have some search criteria to allow them to do some querying on a backend database.

Obviously, you don't want to give them access to the database or they probably won't know how to do the select statements anyway. This is a super simple form. All I'm giving you is one parameter, but you can see you give it as many parameters as you want to pass back to a project, which I know we went over, that can do some SQL queries for you and then spit back maybe a PDF file. When I hit submit, what's going on in the background is it's taking this one parameter as a minimum salary, it's calling a project that's doing a SQL query and it's just pulling the information from the wages directory or wages column, where's greater than 90,000 and it's going to spit back a file to me.

Point being is, this is one of the locations as well, not only are you giving this information over HTTPS, but this file right here is actually stored in a location, AES 256-bit encryption using that master encryption key that we talked about earlier. Same thing with Secure Mail and GoDrive, the default locations, this is going to be a packages directory, this is going to be a GoDrive directory. Those directories on your internal network are going to be AES-256 bit encrypted at REST, meaning I couldn't as a Windows' admin or whatever system you put it on, I can't even go back and browse those directories. I have to be an authorized user or recipient of any of these types of file exchanges. With that, Brooke, I'll pass it back to you because I just saw the time there so I definitely want to pass that on back to you here.

Brooke: Sounds good. Can you hear me okay?

Dan: I can.

Q&A

Brooke: Okay, great. Before we take a question or two, just wanted to make sure everyone knew, a survey will pop up after the webinar ends. We love your feedback, we read all your comments and if you have any questions that we don't answer today, you can fill those in there and we'll get back to you. I also just want to mention really quick, if you liked this intro into GoAnywhere or want to see any more features specifically in action, you can request a custom demo. We'll do a one on one with you and answer any additional questions and go through things. That URL is on the screen where you can do that and then our contact information as well. With just a couple minutes left Dan, we did get some good questions.

I'll read you one, it's a little bit long but here we go. We have clients that connect to our GoAnywhere portal, using MFA for these clients will not be scalable. Our internal users that connect to our portal have access to all client folders and data. Is it possible to require MFA for internal web users but still allow username and password for external client web users?

Dan: Yeah, so you can do that when we went through that, you can turn on MFA in general, like TOTP is something that you actually have to turn on from a system standpoint but each individual web user, you can do one offs, you can decide what their authentication type is. Two, one thing we didn't talk about is, we also have web user templates and web user groups, which if you're managing the directory service, it's kind of the same thing, web user template, just giving somebody a baseline of configuration items, web user groups going further to give you different things within there. You can do it obviously, at the individual level or kind of via template level. Yes, you can do it for some people and not others.

Brooke: Great. Another question. Will we need our own SMS client to handle upgrades in 6.1 in reference to OTPs and such?

Dan: SMS? Yes. You have to have your own SMS service. We are not an SMS service nor an SMTP so yeah, you have to either leverage whatever your mail server is for SMTP and whatever SMS service that you have for texting. Yes.

Brooke: Then the last one here, what about the ability to bulk update web user settings for IP filter time limits and such? Also, is there a way to know which template a web user was created with or applying updates to those users upon update to the template itself?

Dan: Three questions, I think. Yes, you can do the bulk, I guess uploading for or permission setting via the templates for web user activity, whether you're creating them from scratch because when you hit scratch or hit the web user within GoAnywhere, the first thing that's going to prompt you is what template do you want to use. If you're doing it via LDAP, each login method is required to tie into a template so you can do it that way.

The third question, if you apply a template to somebody after the fact it will... oh, I'm sorry, let me take that back. If you change a template that somebody has already been applied to after the fact that they've been created, they will not get those updates. I don't know if that was what you asked, but that's kind of how I read it. The second one, Brooke can you read the second because I think there was something in the middle that I forgot.

Brooke: Yeah. Is there a way to know which template a web user was created with?

Dan: Oh, that is a good question. I think you can view the actual web user, if I can jump in that real quick. I don't know if this was created by a template or not. I don't think this one was, I think this was manually created but I believe if you go to the view menu and I flew through that real quick. Yeah, none of these are created by templates, but if you go to view and pan all the way down, it should tell you the groups. Obviously, the forms, you can tell the forms and the template that was actually used to create this.

Brooke: All right. Great.

Dan: I might have to check on that, but I'm pretty positive that there... unfortunately, I don't have any example in this box.

Brooke: Great. Sounds good. Well, we are out of time so that's all the questions we'll get to, but feel free to put more questions in that post webinar survey if you have them, we'll get back to you guys. Just want to thank you so much for joining. Thank you, Dan, for the great presentation and we hope everybody has a really great day.

Dan: Awesome. Thanks guys.