
Open PGP keys under attack: Does this affect your MFT solution?


PGP is the industry standard for securing communications and a common feature of MFT. But it’s recently been at the centre of hacking fears. This guest blog post from Coviant Software CEO Greg Hoffer will alleviate any concerns relating to your Managed File Transfer (MFT) solution.

It was bound to happen one day: the OpenPGP Standard Key Server implementation has fallen victim to attack. The Pretty Good Privacy (PGP) Keyserver system allows anyone to affix changes (“attestations”) to a given key, and these never, ever get deleted. As a result, malicious attackers can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy for some software to use. This is a clear security issue leading to a “denial of service” attack, rendering that public key unusable for encrypting information.

So how does this affect your MFT solution? It has no negative impact at all. I have never experienced any customer that uses a KeyServer for OpenPGP key distribution. When creating a transaction to move files between an MFT customer and an external customer, partner, supplier, or vendor, it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. Thus, since those public keys are not put onto a public Key Server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.

Let’s all use this situation as a reminder to be very untrusting when dealing with the security of sensitive data, and not provide an infrastructure that allows anonymous, unregulated edits to information that is vital to secure communications.

Greg Hoffer

CEO, Coviant Software

Your MFT solution is a critical part of your infrastructure, with many business processes depending on it. Without regular maintenance and training, you are risking security and efficiency, and ultimately not getting the best value from your solution.

Our health check service reviews the performance of your software, checking your configuration, version, clean-up rules and more. Our technical consultants will produce and present a report advising on risks we have identified and remedial actions.

Call 0333 123 1240 or contact us online to book a health check today.

Managed File Transfer Buyers Guide

Researching Managed File Transfer? Download our independent Buyer’s Guide


​We know it’s difficult to research and select new software, especially one as fundamental as Managed File Transfer. It underpins your security, efficiency, cloud strategy and digital transformation. None of these are areas where you can take risks.

That’s why we created the Managed File Transfer Buyer’s Guide. It helps you mitigate these risks, so you can confidently select the right solution for your business requirements.

Why did we create the Managed File Transfer Buyer’s Guide?

There are three main reasons we wrote this: To save you time, to save you money and because our independence and expertise means we are best placed to advise.

 

  • To save you time and money

    Managed File Transfer is a big investment. Whether you’re buying for the first time or replacing an outdated solution, you don’t want to make an expensive mistake.
    There are over forty vendors on the marketplace, each pushing their product. Of course they will tell you it is right for your business. But perhaps Managed File Transfer isn’t right for you after all? Or maybe there’s a product that will deliver your requirements better and for a cheaper price?
    To research every product thoroughly will take a lot of time and resource. We have distilled the essential information into this guide, so you can understand whether you need MFT, which business problems MFT can address and how, plus advice for the different stages of your project.

  • Other Buyer’s Guides aren’t up to much

    There’s no-one else who can create a truly independent Buyer’s Guide with our level of expertise. They are either written by vendors trying to push their product, or by businesses without our level of experience.
    Pro2col deal solely with MFT and have done for over 15 years. Each of our senior technical consultants has over nine years’ experience. We are thought leaders in the industry, assisting vendors with product research and development, and are providers and developers of the only vendor-independent training programme: The Certified File Transfer Professional (CFTP).
    Our technical expertise is sought the world-over by businesses and vendors alike. Access this expertise for free now.

What does the Managed File Transfer Buyer’s Guide include?

  • Explanation of MFT and whether you have a current or future business need.
  • A series of common business problems MFT solves, including automation, security and visibility.
  • Which MFT features or modules address which requirement?
  • Use cases explaining how different industries use MFT.
  • Advice for the different stages of an MFT project.
  • Access to more downloadable resources to help you through each stage of your product.

Digital transformation? Start by consolidating your data transfers


Starting your digital transformation is a daunting prospect. It is no secret that success is hard to achieve; researchers at the likes of MIT have proved it! Yet there is a simple starting point, which will get your project off on the right track. We recommend reviewing your data transfer processes and systems first. They tend to underpin most – if not all – of your operational processes, so you will quickly see opportunities to consolidate systems, whilst getting a great overview of what is in scope.

Your review should include, but not be limited to, the following:

  • Existing FTP / SFTP servers;
  • Managed File Transfer solution;
  • Home grown solutions, particularly unmanaged scripts;
  • Ad hoc employee file sharing.

If you already have an MFT solution, we almost guarantee you will spot opportunities to consolidate many of these disparate systems and processes. And if you don’t have one, you will quickly start to see the benefit. There’s the immediate cost savings, plus many more opportunities for efficiencies in the long run. You will also benefit from increased security and visibility, with MFT providing a ‘single pane of glass’ view across all your incoming and outgoing file transfers, plus integration with other security tools such as AV and DLP.

MFT’s data integration capabilities allow you to extend the life of legacy systems, whilst integrating with new cloud-based applications. You keep your options open for future expansion, whilst facilitating the immediate benefits of digital transformation.

Here are the five top ways this technology will drive your digital transformation:

  • Empower employees with an accessible working environment;
  • Gain visibility of all data within and beyond the organisation, enabling data-driven decision making and easier governance;
  • Digitise your processes, including system-to-system, system-to-person, person-to-system and between people. This frees up time for employees to spend on value-add or mission critical work, whilst improving security;
  • You can select the best possible technology for each requirement then integrate between systems using APIs, rather than compromising on a product because it offers the out-of-the-box connectivity you need. You can also easily integrate new technologies as they become available;
  • Capitalise on the benefits of a cloud-based infrastructure, moving files to and from the cloud securely and integrating with applications to deliver onward business processes.

More on MFT and Digital Transformation

You can find out more about this technology in our White Paper, Enablers of Digital Transformation: MFT & Data Integration. You will get a clear understanding of the role Managed File Transfer plays in delivering all aspects of your data strategy, improving operational processes and security by integrating business applications.


Personal data transfers across international borders: What changes with Brexit?


There’s a lot of uncertainty about how and when the UK will leave the EU. This blog and downloadable guide help businesses prepare for handling personal data in the event of a no deal.

Businesses moving personal data in or out of the UK currently do so under the EU’s General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. The GDPR offers harmonised data protection rules, and regulates data transfers from the EU to the rest of the world.

If the UK leaves the EU without agreeing arrangements for data protection – ie: in a no deal Brexit – there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it. However when organisations transfer data into the UK, there are some changes you need to be aware of.

We’ve been in contact with the Department for Business, Energy and Industrial Strategy and have produced a downloadable guide to help businesses prepare in the event of a no deal exit from the EU. The key points are summarised below.

Regardless of whether your business is affected, we would strongly urge you to review how you transfer personal data. Nearly one year on from when the GDPR came into force, there are still many businesses out there emailing personal data, using consumer grade transfer tools and other processes that risk a compliance breach.

Summary

  • The same stringent regulation will remain in place to protect UK residents’ personal data being transferred to the countries either within the European Economic Area (EEA) or beyond.
  • Organisations based in the EEA can transfer data to the UK, as long as they make alternative safeguards in line with GDPR.
  • Organisations elsewhere in the world will need to comply with their own data protection regulations in order to transfer data to the UK. Arrangements are being made with countries who have an EU adequacy agreement (deemed adequate), but if countries don’t deem the UK adequate by the time we leave the EU they will need to make use of alternative mechanisms in their own law in order to continue to transfer personal data to the UK.
  • There are specific recommendations for UK businesses providing goods or services in the EU/EEA but without a presence in an EU Member State, or with headquarters in the UK but with operations in the EU and processing personal data across EU/EEA borders.

For more information, download the resource – Data protection guidelines for businesses in a no-deal exit from the EU – from the Pro2col resource portal.

 

If you have any questions about how to transfer personal data, our experts can help you. Get in touch now to arrange a call. We have been providing secure data transfer solutions to businesses for over 15 years, transforming their infrastructure, increasing productivity, collaboration, data security and streamlining processes.


Will ADLP improve the security of my file transfers?


Is it possible to stop users from accidentally leaking personal or sensitive information, or to prevent malware being sent from a trusted partner, without completely disrupting the business processes?

Adaptive Data Loss Prevention (ADLP) adds an additional layer of security to your MFT solution, detecting sensitive data, then carrying out a range of complex onward actions.

“ADLP can detect and modify the data, rather than just blocking the whole file,” explained Clearswift’s Pre-Sales Engineer Steve Jeffery, whose product integrates with Managed File Transfer solutions to scan data entering or leaving the business in automated workflows and ad hoc person-to-person file sharing.

“The Clearswift SECURE ICAP Gateway (SIG) integrates with the MFT ICAP interface to enable the content inspection. This detects certain data from key words or patterns – such as credit card numbers, personally identifiable data, healthcare details, or a more complex examination for Intellectual Property. The results of the inspection are then passed back to the MFT workflow, which will determine what happens next.”

Steve Jeffery, Pre-Sales Engineer at Clearswift

Onward actions might include:

  • Returning the file to the original sender;
  • Quarantining the file and sending an email alert so it can be manually reviewed;
  • Redacting data, eg: replacing digits in credit card data with XXXX.

“It works in reverse too for unwanted data acquisition,” explained Steve. “We worked with a hotel to reject incoming credit card data, which customers sometimes emailed in. The technology detected the data, returned it with the data redacted, and directed the customer to a secure payment portal.”

Some other use cases include:

  • Removing metadata in a document history. This is particularly useful for ad hoc person-to-person transfers, where a document has been updated multiple times. An updated proposal for a new customer, for example, may still contain data relating to a previous customer in the document history;
  • The anti-malware component will remove macros in a document, which can contain malicious code.

Integrating your MFT with Adaptive Data Loss Prevention technology will secure the entire flow of data in and out of your business. It does this without halting business operations when something is detected. It supports compliance with the GDPR and other requirements.

Not all MFT products support this integration. If you would like to discuss whether yours does, please get in touch. You can contact us via the web form, or call 0333 123 1240.


PGP encryption


To PGP or not to PGP? That is the question several customers have asked us recently. This blog post summarises everything you need to know about PGP encryption, so you can make an informed decision about whether it is right for you.

PGP stands for ‘Pretty Good Privacy’. It uses asymmetric encryption, which means it uses public and private keys to encrypt and then decrypt cipher text. It requires more work than symmetric encryption, which uses a shared key, but is generally considered better security.

PGP provides end-to-end encryption, integrity checking and authentication. It is commonly used for encrypting and decrypting texts, files, directories and whole disk partitions.

 

PGP Encryption: How does it work?

Asymmetric encryption uses two different keys to encrypt and decrypt each file, then two more keys to sign and verify each file. Both parties – sender and recipient – need to exchange their public keys before any transfer can take place.

The sender encrypts the file using the recipient’s public key. The recipient decrypts the file using their private key.

For integrity checking – to make sure the content hasn’t been tampered with – the sender uses their private key to ‘sign’ the encrypted file. For authentication – to check the sender is the sender you think it is – the recipient uses the sender’s public key to verify/validate the sender.

 

PGP and your file transfer solution

PGP Clients will manage the encryption/decryption automatically and are often implemented in FTP servers or as email client add-ons to secure the communication. The exchange of the public keys, however, will always be a manual process.

Any security is only as strong as its weakest point. Security-conscious organisations will usually physically exchange keys via a courier service, and set keys to expire (this is a bit like a password which expires and needs to be reset by the security team). But – as you will have gathered – the process of exchanging keys is time consuming. Most applications provide advance notice about expiring keys, so administrators can plan for the exchange to take place in advance.

Some applications allow you to create sub-keys with pre-configured expiry dates, so that you can plan ahead and have several years of automatic key replacement, avoiding potential outages. We know of some Managed File Transfer solutions that manage this process very effectively.

 

When to use PGP

PGP provides encryption at rest or can be used to protect a file at a particular stage in an otherwise non-encrypted workflow.

Let’s look at a recent example we discussed with a customer who had a PGP requirement for an accounts process. They needed to put files into a specific folder, where they would be PGP encrypted, then moved to another folder to be collected by the bank. This would by-pass a charge that the bank would otherwise make for the processes.

This requirement was driven by the fact that the bank used PGP, and the business needed to comply in order to save money.

The advantages of PGP:

  • Security is the big plus. PGP is generally considered more secure than symmetric encryption.
  • Even if the channel transmitting the files becomes compromised, the private keys and files remain safe. Similarly, they are safe if the channel used to share public keys is compromised.
  • Signing files is a built-in procedure, automatically authenticating the sender’s identity.

 

Disadvantages:

  • End users need to exchange keys and use their encryption technology correctly. They often accidentally send their PRIVATE keys to each other.
  • Slower performance than symmetric encryption.
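
Two failure modes on this page, private keys sent by mistake (above) and the attestation flooding described in the keyserver post, can both be caught before a partner's key file is imported. The following is an added example, not code from Pro2col or any MFT product: it walks the OpenPGP packet headers of a binary key file and refuses it if it holds secret-key packets or more signature packets than a locally chosen limit. The names `vet_key_file` and `sample_packet` and the `MAX_SIGNATURES` value are assumptions made for illustration.

```python
import struct
from collections import Counter

SIGNATURE, SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY = 2, 5, 6, 7
MAX_SIGNATURES = 100  # assumed local policy threshold, not a GnuPG limit


def packet_tags(data: bytes):
    """Yield the tag of every packet in a binary (de-armored) OpenPGP key."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"byte {pos} is not an OpenPGP packet header")
        try:
            if first & 0x40:  # new-format header: 6-bit tag, variable length
                tag, o1 = first & 0x3F, data[pos + 1]
                if o1 < 192:
                    length, pos = o1, pos + 2
                elif o1 < 224:
                    length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
                elif o1 == 255:
                    length, pos = struct.unpack_from(">I", data, pos + 2)[0], pos + 6
                else:  # partial lengths are only allowed for data packets
                    raise ValueError("partial body length in a key file")
            else:  # old-format header: 4-bit tag, 2-bit length type
                tag, size = (first >> 2) & 0x0F, (1, 2, 4, None)[first & 0x03]
                if size is None:
                    raise ValueError("indeterminate length in a key file")
                length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
                pos += 1 + size
        except (IndexError, struct.error):
            raise ValueError("truncated packet header") from None
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        pos += length
        yield tag


def vet_key_file(data: bytes, max_signatures: int = MAX_SIGNATURES) -> list:
    """Return reasons to refuse a partner's key file; an empty list means accept."""
    counts = Counter(packet_tags(data))
    problems = []
    if counts[SECRET_KEY] or counts[SECRET_SUBKEY]:
        problems.append("contains private key material")
    if not counts[PUBLIC_KEY]:
        problems.append("no public key packet")
    if counts[SIGNATURE] > max_signatures:
        problems.append(f"{counts[SIGNATURE]} signatures (limit {max_signatures})")
    return problems


def sample_packet(tag: int, body: bytes = b"\x00" * 8) -> bytes:
    """Constructed test packet: new-format header around a dummy body."""
    return bytes([0xC0 | tag, len(body)]) + body
```

ASCII-armored keys must be converted to binary first (for example with `gpg --dearmor`) before being passed to `vet_key_file`.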

Next steps

If you need to know more about secure file transfer protocols, encryption, or any other aspects of working with a Managed File Transfer (MFT) solution, take the Certified File Transfer Professional (CFTP). It is the only vendor-independent file transfer certification, equipping you with the knowledge you need to implement secure file transfer in your organisation.

Alternatively, if you are investigating which solutions have PGP capabilities, opt for our free MFT Comparison Service. Answer a series of questions about your requirements and our experts will recommend the best solution.
