Meeting GDPR Compliance with GoAnywhere MFT

Donnie: Ladies and gentlemen, welcome to the HelpSystems webinar Meeting the GDPR Requirements With GoAnywhere MFT. Can I personally thank each and every one of you for taking time out of your busy schedules to join us today?

About the Presenters

My name is Donnie MacColl. I'm the Director of Technical Service here in North EMEA. I'm based in the UK, and I look after the technical sales team and some of the development teams over here in North EMEA.

So why am I talking to you about GDPR? As company, we need to make sure that we are GDPR compliant ourselves. So I'm responsible for making sure that happens, and I'm also in a great position to be able to offer you some amazing HelpSystems solutions to help you along the GDPR compliance journey as well.

It's also a great privilege to be joined by Dan Freeman. Dan Freeman is a senior solutions consultant here at HelpSystems. He spent the last 10 years of his career in various security roles ranging from system engineer to security officer. He's extremely well qualified. He's a CISSP. Dan has built networks, built and designed networks. He's designed systems and procedures to ensure regulatory compliance using the NIST Risk Management Framework, HIPAA Standards amongst others. And you'll be hearing him talk to you and also do a live demo of one of the solutions that we have here at HelpSystems to help you along your journey to the GDPR compliance. So you'll be hearing from Dan in about 15 or 20 minutes time.

So today's agenda, quite a lot to cover. Probably about 45 or 50 minutes or so. There is an introduction now, which I've just introduced to this. I'll be talking about the GDPR, the General Data Protection Regulation, what it is, why it's come about. I'll give you some hints and tips about how you can prepare for it. There's not long left. It comes into effect on May the 25th of this year. I'll also mention the implications of noncompliance. I'm going to give you a hint, it's a huge fine. So there's great incentive for companies worldwide to make sure they do comply with the GDPR.

Then I'll be handing the reins over to Dan Freeman, who'll talk to you about managed file transfer and what it is and also how it ties in with managed file transfer and the GDPR compliance, and the benefits of using managed file transfer, not just for GDPR compliance but for other aspects for new business as well.

Now, we do have a Q&A session, so you'll see the Q&A button where you can ask questions during the presentation from [inaudible 00:05:01]. Any questions you ask we'll endeavor to answer them either during the presentation, but I do assure you and promise you that any questions that you do ask will be personally answered by us after the event if we haven't had time to answer them during the event.

Introduction: What is the GDPR, Why Does it Matter, and How to Prepare

So the General Data Protection Regulation, what is it? Why does it matter? And how do you prepare for it? Now, I mentioned, or I'll talk about 15, 20 minutes. So I'm going to be telling you about 20 years worth of changes that have occurred, have ended up with us having the GDPR come into effect on May the 25th, and I'm going to tell you that 20 year's worth in about 20 minutes. So I'll talk rather quickly if I may.

The new General Data Protection Regulation is effective from May the 25th, 2018. Now, what I mean is effective it's here now. It's been here for almost two years. When it comes into effect it will be enforceable. So it's here now, people should be compliant with it. Certainly some companies are. Some companies are yet to start, which is quite frightening. But from May the 25th it will be enforceable.

It's a regulation that succeeds the Data Protection Directive and the Data Protection Act that we have here in Noumea. The Data Protection Directive came in in 1995, the Data Protection Act in 1998. So it's been 20 years plus in it's making.

Now, there's been a real need for a new regulation to come into effect over here. It's surely to do, and you need to think about this in the forefront of your mind, securing personal data. Anywhere you've got personal data on any of your systems or if you've shared personal data that you've gathered with anybody else such as a third party supplier or a cloud provider or CRM, Salesforce for example, you need to ensure that that data is secured.

Now, if you can imagine 20 years ago, the types of data, personal data that we held and where it was held, very different than it is now. I didn't, for example, walk about with what is effectively a computer in my hand at all times. So changes were very much needed.

The difference between the existing Data Protection Act and the directive is the directive is, here's a set of rules that the government and various other governing bodies have put forward and said, "This is some rules that you should follow. Here's the direction you need to take. Be sure that personal data is secure." Very good to them. Who wouldn't want their personal data secured? The negative is it's a direction you can take. So it's open to interpretation. That means there's no commonality. It means that each country, each member of the EU has applied their own directive, taken the direction and applied it almost however they like, which has lead to some anomalies and also meant that personal data isn't as secure as it should be. So it's been long time in it's coming. It's now required.

The regulation, when they say it's regulation, read law. It's a law. Because it's a law, there's rules set down you have to follow. Because it's a law you can break it, because you can break it there's consequences. The consequences are severe fines and penalties that I'll come onto in a moment. There's less than three months to go, and on our last count, when I did a talk with a number of our partners and direct clients, 11% of the companies in Europe, and also outside of Europe, would be fully compliant. Then that means there's a lot companies that need to do something about it rapidly, and that's why we've got Dan on the line later, to give you one of the examples where we can help you ensure that the personal data is secured.

What Is the GDPR?

So what is the GDPR? As I mentioned, it's to ensure that the EU citizens, or subjects, it's people, it's you and me, if you reside in the European Union, it's a new law to make sure that your personal data is secured. So it also rules how data is transferred between other EU member states, and also between other EU and non EU locations. Let me give you an example, so I'm based here in the UK and I work for HelpSystems, and our headquarters are in Minneapolis. All my personnel files and my personal data, and my payroll data is handled in the US. Does that mean that the HelpSystems has to comply with the GDPR? Yes it does, because although they're based in the US, and my data in the US, I'm not, I'm in the EU. So the full force of the GDPR applies to the HelpSystems of the company. And that means if any of you do any dealings whatsoever, with anybody who resides in the EU, and you may look at their personal data, or store their personal data, it applies to you as well.

The GDPR also governs what happens if access to personal data is breached. Now a breach, people think somebody's hacked in and stolen the data. It's not just that. It could be unintentional by an employee who's got proper access to your data, and the breach is not just accessing data, it's also the unlawful destruction, or changing of the data as well.

So you need to have technological measures in place, i.e. GoAnywhere, MFT is one of them that can help you there to make sure the data is fully secured, so it can't be tampered with. If it is changed, you have an audit trail, you've got to make sure that personal data is absolutely secure. If you don't you'll get fined. Sounds a bit harsh, doesn't it? Don't shoot the messenger.

Who Does the GDPR Apply To?

So who does it apply to? I've touched on this already. It applies to any controller, or processor, established in the EU that processes your personal data. It doesn't apply to me then because I'm not in the EU, unfortunately it does.

It also applies to any non EU controller or processor, offering goods and services that use data subjects. Now one of the tests, if you like, or test cases that we've looked at, is a US based company, with US based web service, and they are targeting, i.e. they have a website that can offer goods and services to citizens in Poland, a member of the EU. That means that company has to fully comply with the rules of the GDPR.

It also applies to any non EU controller process in monitoring the behavior, typically government bodies. Now I just want to touch very quickly on the controller and processor, because this has changed. At the moment, under the data protection act, a controller is a company, or a person who controls how data is accessed, and how it is protected as well. So they need to ensure that the existing rules are applied. That doesn't change, apart from the new rules that apply in the GDPR are much harder to apply, and make sure they're controlled.

A process is anybody that processes data. Now that could be somebody that you've passed it on to. It could be a [inaudible 00:11:50] as mentioned Salesforce for example, it may be that you have your data backed up to a cloud provider. That cloud provider is also a processor.

The way the rules are changed now is on the existing Data Protection Act, in the events of data breach, the controller can be personally held liable, and can be fined lots of money in a court of law. After May the 25th so can the processor. So that means if you do anything with any data, on any subject who's residing in the EU, just processing it, come May the 25th you are jointly liable for making sure that data is secure. Even if you are just storing it. Even if you're the cloud provider hosting the data, you don't do anything with it. You're jointly liable. It means you're opening yourself up to a fine. So it's well worth making sure you have controls in place to protect yourself.

Preparing for the GDPR

Within the GDPR there's really two parts. Again we talked about personal data. There's consent or a lawful basis for using that data in the first place. You must be able to prove that you have a lawful basis, consensus, typical ones to use that. So really that falls under the marketing regime, broadly speaking. The other bit is to make sure that if you are doing anything with personal data, including just hosting it, that it's secure, because the persons data that you're holding, has a number of rights, eight rights in fact, that they can exercise at any point in time. Now some of these rights they can exercise now, the difference being, after May the 25th, they can still exercise those rights, but they come with added emphasis. It means it's harder to enforce.

So the right to be informed, people have that now. At the first point of contact with your company, whether that's a telephone call, or whether it's a touch on the website, registering on the website, that person has the right to be informed what you're doing with their data. Now, that could be a cookie policy, or a privacy policy, so you'll probably have them, pretty certain you'll have them now. You'll need to update them. I have not found a company yet who's being GDPR compliant, unless they've already started purposely along the project to be GDPR compliant.

So in your privacy policy, you need to specify what data, bear in mind that's the first point of contact, what personal data you're going to be storing? What you're going to do with it? Who you're going to share it with? How are you going to process it? How long are you going to keep it for? That's right, how long are you going to keep it for?

Because at the moment you probably gather personal data, and keep it forever. Why wouldn't you? There's no law says you can't. That law comes in and you have to say how long you're going to keep it for. If you tell them how long you're going to keep it for, then you have to destroy it after that, if there's no contract or legal basis to keep it, or if they withdraw consent.

The second one's right to access. So at the moment I could say to any company or even as an employee, I could ask my employer say, "Can I have a copy, can I have access to all the personal data you hold on me?" Do you have a policy and procedure to do that? Maybe, maybe you haven't. After May the 25th this may happen. I think it will happen more often than not, that people will say, "Right, I want to see what personal data you hold on me."

To do that you need to know where it is in the first place. So you need to go to a data mapping exercise to identify where all that personal data is. You need to make sure it's secure as well, and you need to provide, on request, free of charge, you can charge for it at the moment, free of charge, a copy of all the data that you hold on me as a person. And any supplemented data you may have shared with anybody else as well.

Tying in to that is a right for [inaudible 00:15:22]. So if I believe that the data you hold on me is incorrect, at the moment I can ask you to change that, and you can say to me "Prove it. Prove it's wrong and I'll change it for you."

After May 25th it changes in my favor. You have to prove it's wrong, or you have to change it. I would recommend you change it. Now, leading up to this one, the right to erasure, or the right to be forgotten is how I prefer to call it. If there is no contractual or legal reason, or I withdraw consent, I can ask you to forget about me. I can say, "I no longer have any dealings with you. I want you to erase all the personal data you hold on me," and you have to do that. You have to prove you've done it. So again, it goes back to the right access. You need to know where it is. You need to make sure that the data that you erased is all the personal data you hold of me. If you shared with anybody, you have to have GDPR contracts in place to make sure that the people hosting the data also know not only how to keep it secure, but when you request for it to be removed, they have to remove it. That's going to be quite a hard one to implement.

The restriction of processing, not so bad. As long as you know that the data is, I can say to you, "Please can you not process my data anymore." Now that can be because, typically, I think there's something wrong with it. It's not too bad, it won't happen too often. So if I think there's something wrong with it, I say, "Don't use my data. Don't delete it. Don't do anything with it, just stop using it. Also, anybody you shared that with like should they not use either."

Slightly more tricky one. Data portability. Bit like the right to access. I can say, "Show me what you've got." With the data portability, I can say, "Provide it to me, all that data in an easily portable format." So what the GDPR specifies and I smile because it's such a strict rule, but then this seems quite an easy way of doing it. As long as you know it isn't the first place. The GDPF specifies, this could be a CSV file or an Excel spreadsheet. That's that portable format.

However, it does also imply that there'll be pushing for it to be an electronic way of transferring data costs as well. So the idea for that might be if I've applied for perhaps a loan on the house or a car or perhaps an insurance policy. I provide all the data to a company. It's my data is personal data. I've given them to them free of charge and freely given it to them because I want to. I could say to them, "Can you please provide it to me in a portable format. Ideally, please pass it on to these companies as they can go through the same process." Now, the other added complication there is if you do that as a company, you may also need to have a policy procedure that will enable you to receive that data coming in.

The right to object to processing. If I say to you, "I know you've got the data, I want you to stop processing it." It's not restriction. I object to you processing it or I consent to direct marketing. So I don't want you to send me. You have to comply immediately if it's to do with direct email, direct marketing. Or I could say I don't want you to profile me, I don't want you to take my information and send me other information based on the profiling exercise.

The example I like to give is I can walk around the supermarket and I can use my scanner or I can buy items and in the supermarket they know that Tony likes to buy cheese and beer and bread. So send me money off coupons for those items. I can object to that. I say you can't do that. And they're not allowed to do that. They have to have the process in place not to do that. The right to not be subject to the tool to make decision making. I think it's rare that many companies will have to comply with it. And what I mean by that is they wouldn't be affected by it too much.

And the example I've given this is let's now I went to LinkedIn and applied for a job, which I'd never do because I'd never leave HelpSystems. But if I applied for a job, a new position, I could put in all my details and it could be a program, computer program, that decides whether I get put forward to the next round, or my resume goes forward. I could say, "I don't want that to happen. I want to give my opinion to a person, in the my point of view, I want to explain to human being." So really this is not the, it's to say, "I don't want to be automated. I want to give my point of view across."

You still say no, it doesn't matter as long as you have a process in place to do that. So there's a number of rules and rights have been through very quickly and it literally comes down to making sure that you know the data is making sure it's secured. Because if you tell don't there'll be some massive fines. And making sure you have policies and processes in place to make sure that you can comply with those rights.

There's a lot of information there, not a lot of time. So what can you do? Here's a few steps. You need to do this as soon as you possibly can. Identify what data you use and what you don't. So if you don't need it, get rid of it. Have a clear out. Have a house clearing exercise, where any data that you've gathered over the years you don't need, get rid of it. The less data you hold, the less data you have to secure. And that's where, for example, GoAnywhere MFT comes in. Making sure that if you have good data, if you're transfer in anywhere internally, externally, or whatever you like, you can make sure it's very, very secure and can't be tampered with along the way.

Step two, create a GDPR responsibility framework. Organizational and technological. Organizational, make sure people within your company know they have to comply with the GDPR. And if you need to know what that is in the first place we can help you with that. Technologically make sure your processes, procedures and when to say technologically read software solutions in place to secure that data. That's the most important aspect of the GDPR personal data. If you can prevent access to it, in the event of a data breach, if you can assure that it's been totally, totally secured, it will certainly help you not be subject to massive fines.

Make sure you have policy procedures in place to not only react to the [eight 00:21:10] rights that people may call upon for you to do. Including what might have been forgotten, just to remind you of that, if you hadn't forgotten already. That's a really onerous one to comply with. And make sure, this is extremely important, and again this GoAnywhere MFT comes in, that you have an audit trail to prove what you've done. It's extremely important. One of the areas that you have to really struggle with here is with the eight rights, you have to identify that the person asking for it is who they say they are in the first place. Dan can help you with that.

Step full. Embrace the GDPR, make it part of your processes and decisions. Privacy by design. This is thinking about this all the time. You can't become GDPR compliant and then stop. It's not a destination. It's an ongoing continuous process. Make sure that everything you do, whether it's upgrading an ERP system, whether it's making a change to a program, whether it's onboarding a new person, make sure that all the time you think, "Does this affect anybody's personal data?" If it does, make sure that you know how to make sure it's secure.

Step five, have a process to prepare for a data breach. Baring in mind that it's not just exposed to our data, it could be changing it. It could be anything at all. Make sure you've got process that if there's a data breach, or suspected data breach, you know who to contact. You know what to do. You know how to put process close to time, preventing the data breach getting any worse, and then preventing your massive fine happening.

Implications and Non-Compliance

This is the fines. Now I'm going to give you an example, I just want you to digest that. 10 million euros or 2% of your total worldwide turnover or doubled. The example I'm going to give you is a bank in the UK, a very well known bank in the UK that had a data breach. They had lots of controls in place, not enough. Had a data breach, they were fined £400,000, happened last year. They were fined £400,000. The maximum fine that could have been fined by the information commissioner's office in the UK is £500,000. If that same data breach in exactly the same circumstance has happened after may the 25th they'd be fined £1.9 billion for exactly the same data breach. The reason they were fined was they did have technological processes in place, but not enough. Transfers to data is one of them, encryption's another one. You've got to make sure the data's secure.

If you don't have consent, as I mentioned, to use the data, you get fined £20 million or 4% of your total turnover. Anyway, like I say, lots of information, 20 years worth of information in 20 minutes. So any questions you have, feel free to ask them on Q and A. Feel free to send them into account manager and Dan or myself will get back to you.

Talking of Dan, I'm going to be quiet now and I'm going to pass the reins over to Dan so he can talk to you and explain and give you a live demo on the GoAnywhere MFT. Over to you Dan.

Dan: All right. Thanks Donnie. Can you hear me? Just quick sound check.

Donnie: Yes, you sound good.

Dan: Okay, sounds good. And thanks for all for joining as well. When talking about the GDPR, any regulation for that matter, PCI, HIPAA, a multitude of privacy laws by country, anything that deals with protecting sensitive information, whether PII, PHI or anything deemed needing protection, you quickly realize that it is a significant undertaking and effort from top to bottom within an organization. You will need technical, administrative and managerial controls as well as organizational policies to enforce and ensure you are compliant. So it's almost exhausting just talking about it. So what is Managed File Transfer and how does GoAnywhere MFT fit into the GDPR picture? Well, let's take a quick step back and look at a fundamental problem, if you will, at why we seem to continue to have data breaches and the need for all these regulations.

Well, to quote Alexander Pope's essay on criticism, to err is human. Yep, that's right. We seem to have the technology to properly protect data, but leave it up to us, the humans to leave that door wide open. I believe this is where the terms ID 10 T error and BT KAC or otherwise known as between the keyboard and chair errors originated. Not to worry. This is where technology mixed with a lot of automation can definitely help. An in steps managed file transfer solutions.

What is MFT?

So what is Manage File Transfer? From a high level perspective, it's that black box that can reach out to and leverage countless servers and services from simple network shares, FTP servers, cloud storage, mailboxes, databases, and much more. Also listen to or initiate file movement or manipulation in a secure manner. That was a mouthful, but if we look at it from a transfer perspective, we can leverage industry standard network protocols to move files in a secure and compliant way.

Whether using SSH keys for SFTP connections or the latest TLS encryption for FTPS or HTTPS type protocols. There are multitude of ways to securely transfer your sensitive information. Now that takes care of the in motion, but what about the when and where those files land? We need to make sure that we're able to handle the end to end encryption and automate the all-important at rest requirement. Often forgotten about. A managed file solutions can automate that sensitive data to sit on a hardware encrypted sand for instance, or even provide a software solution built in to not only allow authorized users or processes to decrypt them. Basically Managed File Transfer Solutions should handle all the transfer of your data across your organization, network, systems and other environments with ease and better yet in a secured and automated fashion.

Now in further steps, GoAnywhere. And this is to satisfy all our affirmations, concerns and capabilities, of course. Now I realize this is a pretty busy slide but I'll try and pull out the main concepts and move on as we'll cover this in the demo. On the left there, how do we manage GoAnywhere? It's as simple as choosing your preferred browser and connecting it to the installed host IP or name and providing your admin credentials. From there you can configure, GoAnywhere to act as both client and server. Now GoAnywhere, can listen around the clock on secure protocols like HTTPS, FTPs, SFTP or maybe act as the client and initiate the file movement or manipulation. This is done by defining what we call resources. Some are listed there in the clear blue box at the bottom of the slide. Now remember the black box description that we can reach out and leverage other servers and services capabilities?

Well, that's what's going on here with resources. Now for instance, savings monitor a folder that resides in a partner's SFTP server for a particular file and then take that file and update my customer database. For this simple example, we would add that SFTP server as a resource to be available for monitoring as well as add your customer database as a resource for the proper sequel insert or perhaps update statement. This small example gives a quick view into how GoAnywhere can not only move but manipulate data in a secure and automated fashion. Finally, as with every data protection regulation, we need to take care of the audit and accountability security family. With robust auditing of all file transactions, user activity, security logs, as well as administrative activity, you can be sure and feel confident answering any questions any would-be auditor may ask. Alongside with the detailed auditing, we can generate reports either ad hoc or on a scheduled basis and send to the appropriate personnel for review.

Now detailed auditing is great, but coupling that with automated alerts makes for a powerful, secure, and compliant tool. From system alerts to knowing when a file has been dropped off or downloaded or maybe just when a certificate or PGP is about to expire. I mean who hasn't been on the wrong side of a certificate expiring? Yep, definitely not a good experience.

MFT and GDPR Compliance

Now that we've briefly to find the black boxes GoAnywhere, let's take a look at some of the specific regulatory articles throughout the GDPR and how GoAnywhere can help with that compliance. One key point to mention, and you may have come to this conclusion already, is that there's not one technology or product solution that'll make your system GDPR compliant. It is going to take many tools, policies, procedures, and especially executive staff support to get there, but GoAnywhere can be that Swiss Army Knife in the toolbox.

GoAnywhere does have the capability to secure your sensitive data, transmute transmissions using the latest security standards for encryption. Whether in transit, TLS, 1.2 with Shaw 5-12 RSA signature algorithms, it's a 40 96 bit keys leveraging open SSH or six secure shell public key formats for your SFTP transmissions and or authentication. Now let's not forget about the at rest requirement. GoAnywhere can configure targeted encrypted folders to leverage NIST approved AES 256-bit encryption. We also have the capability to automatically encrypt or decrypt as well as provide integrity via digital signatures and verification for the use of PGP keys.

Built into some of the secure protocols, they will have integrity checks upon upload and download, but we also have provided check some tasks using MD5, SHA1, all the way up to SHA512 algorithms. Within our automated tools. All the secure activity will be audited and available simply via the audit logs and completed jobs in a web based administrative console or maybe scheduling out reports to be run and delivered to the appropriate staff.

As it is on this slide, we pointed out a few articles and how GoAnywhere can help mitigate or address requirements. For article 5-1, GoAnywhere provides the appropriate security algorithms, cipher suites, key exchange methods to meet the needs of processing personal data from end to end. For example, going back to that earlier example, we could be monitoring a fall on a partner SFTP server. When it arrives, we could first PGP encrypt the file using our public PGP key and then send it via the SFTP protocol. For article seven and eight could be used leveraging GoAnywhere secure forms, for instance. We're going to show a quick example of this in the demo, but basically this is we're able to create web-based forms asking for information and when the client hits submit, all the fields are assigned a variable and pass back to a project performed for the processing. Articles 15 and 20 I think we've talked about in the secure protocols available for secure file transfer if requested.

And finally, article 25 which is a little open for interpretation, but again, with all the capabilities to allow secure file transfer from end to end, GoAnywhere definitely can help prove to auditors you're providing that reasonable level of data protection. Here's a few more articles for consideration. Check the boxes. Article 30, GoAnywhere covers by maintaining records or processing activities by its robust and detailed file audit logs. What's nice about the audit logs is that they're segregated by type meaning for each service listener, there's a separate log as well as for file activity, administrative use, triggers, completed jobs and more. There's also a general search across all logs using some advanced conditions that supplies a Google-type response list of length. Now, Article 32, and there's another one of those wide open interpretation rules, being a member of the PCI DSS Security Council, we keep up-to-date with the industry standard protocols, algorithms, cipher suite, key exchange algorithms, et cetera, to give you the tools to maintain compliance.

In fact, we have a built in report called the security settings audit report that goes through the 76 different applicable security settings throughout GoAnywhere, and we'll let you know whether you pass or fail. If fail, we will give you those mitigation steps to fix the reported failure exactly how to do it within the product. Although this is not specific to GDPR, risk-based approach to security is a common practice across most data protection regulations.

Finally, article 39 talks about each organization employing a data protection officer. GoAnywhere does provide 16 administrative RBAC roles for job separation of duties and lease privilege. Now, this employee could be assigned probably the auditor RBAC role thing GoAnywhere to be able to view audit logs and such.

The Benefits of Using MFT

Here is just a quick recap of the benefits as one of the tools in your arsenal to help maintain compliance within the GDPR. We got industry standard encryption technologies to make sure that you're protecting your sensitive information in transit, as well as at rest. Leverage secure HTTPS to build out web-based forms for folks to securely enter in information, whether to update a customer database, data validation or simply sign a consent form, which we'll show an example of. Whatever the case, each secure form submission will be audited for potential review and recording. 16 specific RBAC roles for admin users to easily ensure job separation of duties and lease privilege. Robust and detailed audit logs to know what's going on with your data at all times and go on in all sides of database-driven key management system to create, import and manage all of your SSH and PGP keys, as well as SSL certificate.

Now, this is essential for automated transfers using secure protocols, as well as automating the PGP encryption/decryption, as well as digital signature and verification process.

Now, this last slide shows a way that we can accomplish the overall reasonable data protection and due diligence. Now, anytime that you're allowing folks initiate file transfers, a file transfer processed by logging into your SFTP, FTPs or maybe the HTTPS web client, you need to be diligent in protecting your sensitive information. Now, traditionally, we would see the FTP type flavor server sit out in the DMZ. This could leave for potential sensitive information being stored out in the DMZ.

Now, with GoAnywhere Gateway's proprietary relationship with GoAnywhere MFT, we allow the Gateway to act as a reverse and for proxy allowing for no storage of information, as well as not having to open up any inbound ports to your private network.

Now, quickly, we'll illustrate how this actually works. So, basically upon startup, everything is configured on the internal MFT environment here within the private network. IoT starts up a control channel to give the Gateway all its IP, port mappings, basically all traverse proxies. So, you're going to have to open up an egress port that's going inbound into the DMZ.

So, again, egress not coming in. So, it's going to give its proxy information here. So, this service here, when we're coming in, will say a customer's coming in over SFTP on port 22. It comes in through your external firewall. It then added to your Gateway. Gateway sees that information come in. The way that it's going to do its authentication checks is it's going to use that preexisting, again, outbound channel to go back into your private network and say, "Hey, I've got John Smith here. He's coming on 22. Here's his credentials," whether it's a username, password or SSH key. If everything checks out, we're going to open up a separate channel, a data channel that's going to go ahead and glue that or broker that connection.

So, again, no files ever stays in that DMZ, no security credentials, no sensitive information, never stays here, just stream through the Gateway, and probably most importantly, no inbound ports are needed to be opened from the DMZ into your private network. All right.

Live Demonstration

Let's go ahead and get out of here, and let's share my screen and jump into the product here. Okay. So, what we have here is what we talked about in just at the beginning or that busy slide. This is how we're managing GoAnywhere. This is going to be from an administrative or web-based interface. I'm going to be using Chrome throughout this webinar here, but you can use whatever flavor you like, Internet Explorer, Safari, Firefox, whatever the case may be. Whatever instance it's installed on, by default port 8,000 is going to be how we're leveraging or accessing the admin console. I'm going to go ahead and log in with my administrative account.

When you first log in, each administrator is going to have a dashboard. Now, this is derived from that detailed auditing and logging. So, we have about 25 different gadgets that you can choose from depending upon what you want to look at when you first log in, whether it's file transfer summaries, recently blacklisted IP address, job statistics, whatever the case may be. You can customize the look and feel, the layout, and you can even customize each individual gadget. Maybe you want to look at certain days or go by hour, whatever the case may be. Whatever you want to see, it gives you a nice quick snapshot of what's going on the system at any given time.

One of the common features, underlying features of GoAnywhere is the users, and we've got two different types of users. One is going to be the administrative users and that's what you're going to see me for the most part in the administrative console. We'll jump out to the web client and look at a web user, but for the most part, we'll be in the admin console, and this is where we're configuring, installing, doing all our changes within the product.

As I mentioned, we do have 16 RBAC roles, and for the data protection officer that is going to be required, most likely will probably be part of the auditor role, so that he can get in there and take a look and see what's going on. If any breaches, he can at least see how and what things happen, but he doesn't have the ability to change anything.

Now, getting back to the web users, these are going to be the users that you create to leverage the servers and the services that you're offering through GoAnywhere. Now, as we mentioned quickly the FTPs SFTP, HTTPS, there's a couple of other listeners that we have available to us here, and we'll go through a few of these on the HTTPS web client. All these on the vertical column are all the different services there. We'll definitely look at secure forms and maybe secure mail if we have a chance, but these are going to be things that you can individually give rights to each individual web user.

So, speaking of the service aside, let's go to the service manager. Don't save that there. This is going to get to all your service listeners that you are listening on as far as being a server. Now, you're seeing a duplicate because this is actually an active-active cluster in this demo environment, but let's take a peek at, say, the SFTP service here.

So, you'll see here a couple maybe access controls here. login failure delay, maximum login failures. This will help prevent brute force attacks. Here's your Diffie-Hellman key exchange sizes configurable up to 8192, and then your cipher suites and algorithms that you can allow or at least force the clients to support that connect up to your SFTP server in this case, whether it's your exchange key algorithms and your compression algorithms. The host keys, this is going to be your way of identifying your organization, or basically proving that you are who you say you are. Each individual key will have a thumbprint or fingerprint associated to that. These keys are going to come from your system key vault, which we'll talk about here in just a little bit. But again, we'll kind of go through, and once you actually create the keys or import existing keys, you will hit the dropdown, select the key that you want, and we both support RSA as well as DSA keys.

Let's look at the HTTPS real quick. And for this one here, choose the port that you want to listen on. And more importantly, we do want to make this SSL enabled. We'll choose our protocol, and then more specifically what versions that we are actually going to require that client to support to connect up to our HTTPS Web Client.

For now, we're allowing TLS version 1.0, 1.1 and 1.2. But as things like PCI DSS, I believe their latest version, they're, in a few months, they're going to require TLS 1.2 only. Now, you can also choose your enabled cipher suites. And this will get probably more to your security officer to dive into exactly what all of these are and what are actually acceptable for your HTTPS connection. And then the actual certificate that we're slapping on there to make this an HTTPS listener.

Now for that certificate, as well as that SSH key on the SFTP server, that's where we go over to our key management system, and we'll go into our system key vault. Here is where we can manage our certificates. Whether you're importing a certificate, which we see a lot of folks do, maybe they'll have a wildcard certificate they just want to slap on this listener, or if they don't have a certificate, you can do an add certificate and go through the options here and create your own certificate key pair.

Once that certificate key pair is created, you can actually right from here do a generate CSR, copy that, go up to your internet trusted provider, give it to them, they'll give you a CA reply. You will take that file and come right back to this exact same spot and import it right here. And now you have an actually internet-trusted signed certificate.

Same thing with the SSH keys, whether you're importing a public and private key, or adding a key pair as we see here, as we did, either way, you can add them or just import them to make them available for your SFTP listeners.

Now for PGP keys, this is going to be more for on the automated decryption and encryption, as well as digital signature and verification process. That's going to be part of the key vaults that you create. But in any case, this is very, very similar to the SSH keys. You can either import keys that you have existing, or for your public trading partners that are requiring you to PGP encrypt to send to them, they will send you their public PGP keys. This is where you'll import them or you can add the key pair for your own PGP keys to distribute your public key out to your partner, so that their PGP encrypting file is sending them to you. In any case, that's where we can do that here.

Now, this is going to take care of all our transmission mediums, so our SFTP, HTTPS, FTPs type transmission. But, we also talked about that encryption at rest, which within a project and the automation, we can just point those files to maybe a encrypted, hardware encrypted SAM.

But we also offer what was called encrypted folders. Now what's in here, this is where we can target an actual folder on your network that GoAnywhere has access to. So this is going to use unique GoAnywhere MFT built in AES 256-bit encryption keys to encrypt this data. So the only way that you can encrypt and decrypt this data is by using an authorized GoAnywhere user or process. The one way that you can make sure that you have that end-to-end encryption.

Okay, so let's go to the web client side. We kind of talked very briefly about a secure form and maybe it's just something you want the people to log into, a website to fill out a consent form. So I'm going to go to our HTTPS listener and this is what we set up here and this is our certificate. It's the portal.[Inaudible].com. And I've got rights, my D. Freeman account has rights to the HTTPS service as well as the other modules within there. One being the secure forms, secure mail, my Go drive as well as secure folders.

So as soon as we get logged in here, we'll build to go to the secure form and do a quick test. So we'll go to secure forms and we'll just go down to the consent form here. And this here is just kind of giving us a little disclaimer on what we're doing by placing a check in the verification box, "You're appearing to, we may share this data," blah, blah, blah. Again, obviously you can put in what you want there. So let's put it in Tommy test. Let me see if I can spell and that sounds good.

Let's say we forgot there. We should have some logic to say, "Hey, by the way, yep, I noticed you did not click on the consent check box. Please resubmit." So I'll say, "Oops, my bad. Let's go ahead and click on that, submit." And we got a message back saying, "Congratulations, you successfully submitted your consent form." Now, we have other options too to even kick back maybe a copy of the consent form back to them or other messages, but you kind of get the idea here.

Let's flip back to the actual administrative console. So I'm back on the admin side. And we'll kind of look at how we audit these things and how we can see what actually was going on. Let's go out to completed jobs and we'll see 1242, so we just did this one. Let's take a look at this job ID.

So this is where again, now there is five different fields, first name, last name, social security number, the checkbox as well as the email address. Those are getting overwritten here with those variables that we talked about. And then we're actually executing this project consent form and we'll take a quick peek at that. And we go ahead and we do the SQL task execute statement.

Now we're doing our SQL task of doing an insert and we're inserting these values into my database. And then sending an email saying, "Hey, everything was successful," so I should have an email in here. That came through. [inaudible 00:46:36]. Oh, actually, no, I did not. I don't have an email task in this one. I think that's in the next project here in just a second.

But anyway, if we go back here and look at what's going on underneath the covers, oh yeah, I don't have an email one in this, all this is doing when we actually hit the submit button is the first thing it's going to do is to see, hey, did they actually hit the checkbox to say, yep, I'm consenting? If it's false, that's where we got that response saying, "Hey, we notice you didn't submit. Please resubmit that and we're exiting the project." If they do, then we're going to call the database server. Now, this database server here, this dropdown list is filled by the resources that we've defined earlier and we'll take a look at that real quick here in a second.

We'll select the actual database. And then the query, we're just inserting into a table and the values, which are the variables that you've defined in your secure form, and that secure form, "Congratulations," blah, blah, blah. That's a simple way that you can gather information, insert into a database and pull that stuff over. So if I actually look at my database, we should have Tommy test in here. I just want to execute that. And if you can see it, it's kind of small there, Tommy test helps systems one and his last four digits of his [soc 00:07:55]. So that's a simple project. This is a quick way to get some feedback from customers, then actually updates your customer database. All right, let's also go to logs and audit logs. Another way to quickly look at what just happened, we can go to the HTTPS logs here and we can see that we submitted the form.

Well, first off we didn't submit it. We failed because we didn't check the box, but the second go around, it was successful. You can take a peek at that, where did it come from, the user command, all that good stuff. So a couple of different ways. Within the audit logs, like we mentioned, we kind of divvy them out by every individual service as well as some triggers, completed jobs, all file activity, all administrative use. All the administrators that are assigned to this instance, whatever changes they're making, when they're changing it, what changes they're making, who made those changes, all those things are getting logged.

Then what we mentioned on the global search here, you can do some contains, equals, begins with or maybe just a search term, and we can put in consent. That should pull up exactly the stuff that we just did just a second ago and that Google type link set up. All right, real quick, I'm going to jump over to the resources just to give you an idea of where those resources came from in that project that we just looked at. Here's where you one time define them. This is that black box and leveraging and spreading its wings out to other servers and services so that we can leverage them to make that automated file movement and manipulation. The database servers is as simple as this one here. You select the actual JDBC driver, which mine was my sequel.

If you don't know the URL, either your DVA can give it to you or you can come here to the wizard and build it out yourself. It's not too tough here, but you just put in whatever your IP address is and then database name. You hit generate URL, and it would pop it right in there. I'm going to go ahead and cancel that one and then a username and password. Always have a test button within your resources. This gives you that sanity check to make sure that that resource is actually functioning properly.

Same thing with that SFTP server, which is what we're going to look at here in just a second. This here, you're just going to build out the SFTP server by what they're giving you, host name, port, username, password if applicable, or maybe you have an SSH key for authentication. Once you do that, you can hit your test button there. See if that works. I don't see a pass or something if that's going to work or not. When this goes through, the test button is basically testing for network connectivity and then any username or SSH key, whatever's applicable to make sure that it can actually connect. Once you do get that resource test successful, then you can leverage it in those drop down lists within those automated projects.

We'll try and get out of here. Nothing like live troubleshooting here. All right. Let me just jump right back out of here. Jump back in there. Okay. All right. For the last project here, we'll go through. Just go through a quick project to show you that example that we talked about by PGP encrypting files and then SFTPing them on an automated basis. We can go to our projects and add basically a PGP encrypt task. For here, this one, we're just taking an individual file, explicitly taking this PDF file. I'm going to PGP encrypt it using this help system test key. Now, where'd this key come from? It's coming from that key vault that we looked at earlier. This would be something where the partners sent you the public key initially, and you would import it into the PGP key, whatever key vault that is, that's up to you.

Here we're just going to select that help systems test key. Then instead of actually putting it into an output file or directory, since I've got another task after there, I'm going to actually put it into an output file variable or just kind of a placeholder so I can leverage that. You'll notice these get created automatically. In my SFTP task, now, this dropdown list as we looked at earlier, this is getting populated by the resources that we defined earlier. You select the actual SFTP server that you want to send to and in the put file, the source, is going to be the output from that PGP task. You can just drag and drop that right in there. Then your destination file, you can see, you can do on-the-fly name changing if you wanted to. You can leverage system variables, maybe the timestamp, you just want to pin or pre pin pen, but you can definitely do that.

Then this is the one where it's actually sending an email saying, "Hey, everything's good to go," and off on our way. So if we view that quick job long, not to go through it in detail, but just see you're adding the public key to the file, you're encrypting it. We're opening up that SFTP connection and we're uploading the file. It was successful. Then we're going to go ahead and send that email out showing that that was successful. So hopefully... There we go. This is the one. Going over, successfully delivered that actual file.

But, in another words, another way that you can do this... Instead of it just being an explicit single file, we've got this input files variable. There's a couple of ways that you can kick off projects just aside from interactively or on a scheduled basis. We do have what's called monitors, and monitors are going to be basically monitoring a certain folder, the file system for certain events to happen, whether it's a file created, modified, deleted, or if a file just exists using wildcard or even regular expression. Key point is you're going to decide how often it's going to check that folder and when you do get a hit, whether it's one, five, 10 a hundred different files, it's going to go ahead and create a file list or files variable by default and then kick off a project. So getting back to that project that we were just on, instead of the actual PGP encrypt input file being a specific file, we could actually pass in the variable files that is being built by that monitor.

Again, however many files it is, it's going to PGP encrypt them and then SFTP them amount to whoever you want to. Another item which didn't GoAnywhere... And then we're getting close on time here... is triggers. When we talk about web user activity, those users that are logging into your system to do file uploads, downloads, you want to know what they're doing. A very popular trigger is going to be the upload successful or upload failed. This is going to mean if you want to know when a file is uploaded successfully from partner A, let's go ahead and move it to this directory or rename the file or maybe just simply send an email or maybe execute a native command that you have on that actual system. Or probably your most flexible option is calling a project and a project is where we just were, where we can build out a number of different functions to do whatever it is you want to do in an automated fashion.

But not just file movement. Things like login failed or IP address blacklisted or things like account disabled. Maybe you have SLAs with certain partners and their web user accounts, you need to make sure that they don't get disabled because you're expecting file deliveries every single day. You definitely want to stay on the forefront of that or be notified if an account like that or maybe it's just a C-level staff member you just want to keep happy. There's a lot of different ways that you can be automatically notified by all kinds of web user activity. The last thing I'll show you here real quick... I mentioned it through there... was that security settings audit report.

This is just going through and taking a peek. You can run this ad hoc like I'm going to do right now, or you can put this with a nice scheduled basis and have this sent out to somebody. But this is going to go through in about 76 different applicable security settings within the GoAnywhere product, and it's going to tell you whether you pass or fail. Now if you fail, it's going to give you those mitigation steps and tell you exactly how to fix it within GoAnywhere and then match it right now currently just to PCI DSS.

Again, all these regulations, they kind of overlap. A lot of the security settings are very, very common. So this is a good spot check to see how you are, at least from a GoAnywhere perspective.

So I think as you can see, GoAnywhere can definitely be that Swiss army knife in your compliance toolbox and it comes with data protection and the GDPR. That's all I had for the demo. Let me jump back here, see if we had any questions.

Q&A

Donnie: Thank you very much for that. Just looking at the time. Just a couple of questions that will allow us on the site, and there'll be other questions we'll answer personally. And also any other questions that come in, please do to pass onto your account manager and we will answer them personally after the event.

Anyway, first one, on the GDPR made me smile. Is there any good news for the GDPR? Yeah, there's some great things. So certainly as a person making sure our personal data is secure, that's really good news. But, I think the question really is, is there any good news for companies who have to make sure the data is secure? One of the areas that it's quite pertinent to this particular presentation is at the moment when you transfer any personal data intercompany or into other member states, you have to get permission every time you do a data transfer. Under the GDPR, if you have a proven audit-able methods such as GoAnywhere MFT, once you have a proven method to do that, you need to do that once and then you can do all your data transfers without having to get permission every single time you do one.

So putting in a small amount of effort to user solutions such as GoAnywhere MFT will save you lots of time in the future. And then one question I do have for you, Dan, scalability of solutions. So the example was we are a multinational company. We have offices with 10 people in, we have offices with over a thousand people in. How does this solution scale?

Dan: Yeah, that's a great question. The actual scalability can be either vertical or horizontal depending upon the use case. Adding clusters as you saw within the demo, we had a active active two node cluster. Adding the actual systems to a cluster is a very, very simple product. Not to get too in depth but the product is a Java based application, sits on top of the OS, doesn't really get its hooks in the OS, not dependent upon the operating system. That's why we are a cross platform system. You can put it on Windows, Linux, IBM i, Novell AIX.

The point being is upgrades and actually adding systems or systems to a cluster is a very, very straightforward and very non-intrusive, easy process. So it's very easy to... From an architecture standpoint, as well as from a resource, especially if you're in a virtual environment... to add actual resources to the machines.

Donnie: Well that's great. Thanks very much for that Dan. So I think that we'll wrap up now. I think we'll just take the time to thank everybody for attending. Thank you all for staying the duration. And as I mentioned before, any questions at all, do you just get in touch with us and we will answer each and every one of them personally. So thanks very much and thank you Dan very much for the excellent demo and the information as well. Have a great day everybody. Bye bye.

Dan: Bye.