PGP encryption

To PGP or not to PGP? That is the question several customers have asked us recently. This blog post summarises everything you need to know about PGP encryption, so you can make an informed decision about whether it is right for you.

PGP stands for ‘Pretty Good Privacy’. It is a form of asymmetric encryption, which means it uses public and private keys to encrypt and then decrypt ciphertext. It requires more work than symmetric encryption, which uses a shared key, but is generally considered more secure.

PGP provides end-to-end encryption, integrity checking and authentication. It is commonly used for encrypting and decrypting texts, files, directories and whole disk partitions.

PGP Encryption: How does it work?

Asymmetric encryption uses two different keys to encrypt and decrypt each file, then two more keys to sign and verify each file. Both parties – sender and recipient – need to exchange their public keys before any transfer can take place.

The sender encrypts the file using the recipient’s public key. The recipient decrypts the file using their private key.

For integrity checking – to make sure the content hasn’t been tampered with – the sender uses their private key to ‘sign’ the encrypted file. For authentication – to check the sender is the sender you think it is – the recipient uses the sender’s public key to verify/validate the sender.

PGP and your file transfer solution

PGP clients will manage the encryption/decryption automatically and are often implemented in FTP servers or as email client add-ons to secure the communication. The exchange of the public keys, however, will always be a manual process.

Any security is only as strong as its weakest point. Security-conscious organisations will usually physically exchange keys via a courier service, and set keys to expire (this is a bit like a password which expires and needs to be reset by the security team). But – as you will have gathered – the process of exchanging keys is time-consuming. Most applications provide advance notice about expiring keys, so administrators can plan for the exchange to take place in advance.

Some applications allow you to create sub-keys with pre-configured expiry dates, so that you can plan ahead and have several years of automatic key replacement, avoiding potential outages. We know of some Managed File Transfer solutions that manage this process very effectively.
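
An added example (not code from this post or from any MFT product): one way to produce the advance notice described above, assuming the keys are held in a GnuPG keyring and the output of `gpg --list-keys --with-colons` is available. The listing, key IDs and addresses below are constructed, and the function names are illustrative.

```python
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
# Field 1 is the record type, field 5 the key ID, field 7 the expiry date.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1672531200:1767225600::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA:
uid:u::::1672531200::HASH::Bank Transfers (constructed) <transfers@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1672531200:1704067200:::::e::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1704067200:1735689600:::::e::::::23:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1672531200:::u:::scESC::::::23::0:
uid:u::::1672531200::HASH::No Expiry (constructed) <noexpiry@example.com>::::::::::0:
"""


def parse_ts(field):
    """Dates are seconds since the epoch, or ISO 8601 basic if they contain 'T'."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def expiry_report(listing, now, warn_days=30):
    """Return (key_id, record_type, user_id, status, days_left) for each primary
    key or sub-key that has expired or expires within warn_days.
    `now` must be a timezone-aware datetime."""
    findings, owner = [], {"uid": None}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            owner = {"uid": None}             # a new primary key starts a new owner
        elif f[0] == "uid" and owner["uid"] is None and len(f) > 9:
            owner["uid"] = f[9]               # first user ID listed for that key
        if f[0] in ("pub", "sub") and len(f) > 6 and f[6]:
            days_left = (parse_ts(f[6]) - now).days
            if days_left <= warn_days:
                status = "EXPIRED" if days_left < 0 else "EXPIRING"
                findings.append((f[4], f[0], owner, status, days_left))
    # The uid record follows its pub record, so owners are resolved at the end.
    return [(k, t, o["uid"], s, d) for k, t, o, s, d in findings]


if __name__ == "__main__":
    check_time = datetime(2024, 12, 15, tzinfo=timezone.utc)  # constructed "today"
    for row in expiry_report(SAMPLE_LISTING, check_time):
        print(row)
```

Keys with an empty expiry field never appear in the report, so a separate policy check is needed if every key is supposed to carry an expiry date.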


When to use PGP

PGP provides encryption at rest or can be used to protect a file at a particular stage in an otherwise non-encrypted workflow.

Let’s look at a recent example we discussed with a customer who had a PGP requirement for an accounts process. They needed to put files into a specific folder, where they would be PGP encrypted, then moved to another folder to be collected by the bank. This would bypass a charge that the bank would otherwise make for the process.

This requirement was driven by the fact that the bank used PGP, and the business needed to comply in order to save money.

The advantages of PGP:

  • Security is the big plus. PGP is generally considered more secure than symmetric encryption.
  • Even if the channel transmitting the files becomes compromised, the private keys and files remain safe. Similarly, they are safe if the channel used to share public keys is compromised.
  • Signing files is a built-in procedure, automatically authenticating the sender’s identity.

Disadvantages:

  • End users need to exchange keys and use their encryption technology correctly. They often accidentally send their PRIVATE keys to each other.
  • Slower performance than symmetric encryption.
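
A pre-send check for the private-key mistake listed above, as an added example that is not part of the original post. It assumes key files in OpenPGP format (RFC 4880), binary or ASCII-armored; the function names are illustrative and the sample packets are constructed with dummy bodies.

```python
import base64

# OpenPGP packet tags (RFC 4880, section 4.3).
SECRET_TAGS = {5, 7}     # Secret-Key, Secret-Subkey
PUBLIC_TAGS = {6, 14}    # Public-Key, Public-Subkey
ARMOR_PRIVATE = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"


def dearmor(data: bytes) -> bytes:
    """Return raw packets from ASCII-armored input; pass binary input through."""
    start = data.find(b"-----BEGIN PGP")
    if start < 0:
        return data
    lines = [l.strip() for l in data[start:].decode("ascii", "replace").splitlines()]
    body = lines[lines.index("", 1) + 1:]     # armor headers end at a blank line
    end = next((i for i, l in enumerate(body) if l.startswith("-----END PGP")), len(body))
    # Drop the optional CRC-24 line, the only body line that starts with "=".
    return base64.b64decode("".join(l for l in body[:end] if not l.startswith("=")))


def packet_tags(packets: bytes):
    """Yield each packet's tag by walking the packet headers."""
    i = 0
    while i < len(packets):
        first = packets[i]
        if not first & 0x80:                  # bit 7 is set on every valid header
            return
        if first & 0x40:                      # new format: tag in bits 5-0
            tag, o1 = first & 0x3F, packets[i + 1]
            if o1 < 192:
                hdr, length = 2, o1
            elif o1 < 224:
                hdr, length = 3, ((o1 - 192) << 8) + packets[i + 2] + 192
            elif o1 == 255:
                hdr, length = 6, int.from_bytes(packets[i + 2:i + 6], "big")
            else:                             # partial length: data packets only
                hdr, length = 0, len(packets) # stop walking after this packet
        else:                                 # old format: tag in bits 5-2
            tag, n = (first & 0x3C) >> 2, 1 << (first & 0x03)
            hdr, length = 1 + n, int.from_bytes(packets[i + 1:i + 1 + n], "big")
            if n == 8:                        # length type 3: runs to end of input
                length = len(packets)
        yield tag
        i += hdr + length


def classify_key_material(data: bytes) -> str:
    """Return 'secret', 'public' or 'unknown' for the contents of a key file."""
    tags = set()
    try:
        for tag in packet_tags(dearmor(data)):
            tags.add(tag)
    except (IndexError, ValueError):
        pass                                  # truncated or corrupt: judge what parsed
    if ARMOR_PRIVATE in data or tags & SECRET_TAGS:
        return "secret"
    return "public" if tags & PUBLIC_TAGS else "unknown"


# Constructed sample packets (dummy bodies, not real keys).
PUBLIC_EXPORT = b"\x99\x00\x04\x04\x00\x00\x00" + b"\xb4\x03abc"
SECRET_EXPORT = b"\x95\x00\x04\x04\x00\x00\x00" + b"\xb4\x03abc" + b"\xc7\x02\x04\x00"
MISLABELLED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
               + base64.b64encode(SECRET_EXPORT) + b"\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Because the check reads packet tags rather than trusting the file name or armor label, it also flags a secret key saved under a "public" label, as in `MISLABELLED`.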

Next steps

If you need to know more about secure file transfer protocols, encryption, or any other aspects of working with a Managed File Transfer (MFT) solution, take the Certified File Transfer Professional (CFTP). It is the only vendor-independent file transfer certification, equipping you with the knowledge you need to implement secure file transfer in your organisation.

Alternatively, if you are investigating which solutions have PGP capabilities, opt for our free MFT Comparison Service. Answer a series of questions about your requirements and our experts will recommend the best solution.

Choosing the right Managed File Transfer protocol

This blog post answers your questions about Managed File Transfer protocols. Which are the most widely used file transfer delivery protocols? Which should you be using and how do you identify which solution uses which protocols?

A protocol is the set of rules that determines how files are transferred from one computer to another, through a network. That might be an internal network (from one computer to another within the same network) or more commonly a Wide Area Network such as the internet.

The nature of your data and its destination will determine the right protocol for the transfer. For example, personally identifiable data and credit card information will need a secure protocol.

BASIC PROTOCOLS

FTP
(File Transfer Protocol)

How can it be used?

✓ Upload/download files
✓ Rename and delete files
✓ Create/delete folders
✓ Execute custom commands on server
✓ Check integrity of files

When can it not be used?

X Secure data at rest
X Secure data in transit (FTPS can)
X Work over just one firewall port
X Provide strong authentication

FTPS
(“FTP Secured” using SSL)

✓ Secure data in transit
✓ Upload/download files
✓ Rename and delete files
✓ Create/delete folders
✓ Execute custom commands on server
✓ Check integrity of files
✓ Provide strong authentication

X Secure data at rest
X Work over just one firewall port

SFTP
(“Secure FTP” using SSH)

✓ Secure data in transit
✓ Upload/download files
✓ Rename and delete files
✓ Create/delete folders
✓ Provide strong authentication
✓ Work over just one firewall port (22)

X Secure data at rest
X Check integrity of files
X Execute custom commands on server

SCP
(“Secure CoPy”)

✓ Secure data in transit
✓ Upload/download files
✓ Work over just one firewall port (22)
✓ Provide strong authentication

X Rename and delete files
X Create/delete folders
X Check integrity of files
X Execute custom commands on server

ADVANCED PROTOCOLS

HTTP
(HyperText Transfer Protocol)

HTTP CAN ALWAYS
✓ Download files
✓ Work over one firewall port (80)

HTTP CAN SOMETIMES
– Upload files
– Rename and delete files
– Create/delete folders
– Execute custom commands on server
– Check integrity of files

X Secure data at rest
X Secure data in transit (HTTPS can)
X Provide strong authentication

HTTPS
(HTTP Secured with SSL)

HTTPS CAN ALWAYS
✓ Download files
✓ Work over one firewall port (443)
✓ Secure data in transit

HTTPS CAN SOMETIMES
– Upload files
– Rename and delete files
– Create/delete folders
– Execute custom commands on server
– Check integrity of files
– Provide strong authentication

X Secure data at rest

WebDAV

WEBDAV CAN ALWAYS
✓ Download/upload files
✓ Rename and delete files
✓ Create/delete folders
✓ Work over one firewall port (443)
✓ Secure data in transit

WEBDAV CAN SOMETIMES
– Provide strong authentication

X Secure data at rest
X Execute custom commands on server
X Check integrity of files

EMAIL PROTOCOLS

SMTP
To send mail

✓ Push files as attachments
✓ Be secured with SSL/TLS
✓ Often uses ports 25, 465 or 587

X Pull files from other servers

POP3
To get mail

✓ Pull files from servers as attachments
✓ Delete original email from servers
✓ Be secured with SSL/TLS
✓ Often uses port 995

X Push files as attachments
X Synchronize email folder contents
X Not supported in all email environments
POP3 is becoming obsolete

IMAP
To get mail and sync mail folders

✓ Pull files from servers as attachments
✓ Delete original email from servers
✓ Synchronize email folder contents
✓ Be secured with SSL/TLS
✓ Often uses port 993

X Push files as attachments
X Be trusted if its key mailbox is also accessed interactively

Which Managed File Transfer protocol?

Guidance on what constitutes a secure protocol will change, adapting to stay one step ahead of cybercrime. That’s why it’s important to choose a vendor that releases regular product updates. With Pro2col’s free Managed File Transfer comparison service, you submit your requirements via a questionnaire. Our experts compare them against the different solutions and recommend the right product for you. Our experts consistently review the marketplace and only select credible solutions from credible vendors, who provide excellent support and regular software updates.

Interested in a file transfer solution?

Pro2col Cyber Essentials certification

Pro2col Ltd have received Cyber Essentials certification, recognising our ongoing commitment to security and data protection.

“As Pro2col becomes more widely recognised for our niche expertise in data transfer and file sharing technology, we are servicing larger organisations. It is important that our already rigorous security standards are formally recognised, and we are delighted to have achieved this certification.”

James Lewis, Pro2col Managing Director

This badge reassures customers that an organisation takes cyber security seriously and will protect their data. It is issued by Bureau Veritas who are a trusted testing, inspection and certification body. You can see Pro2col’s Cyber Essentials certificate of assurance online.

This achievement comes just a few months after Pro2col secured ISO 9001:2015 certification, recognising our commitment to customer service and quality.

About Pro2col

Pro2col are independent consultants, specialising in hybrid integration platforms and secure data transfer and collaboration technology, support and professional services since 2004. We have deployed over 750 solutions for a range of different industries across 30 countries. Companies use this technology to automate regular transfers, send large files, secure data, replace home-grown scripts, move data to and from the cloud and integrate with other systems.

Could your organisation benefit from this technology? Find out more about Pro2col’s products and services. Alternatively, complete the Managed File Transfer comparison and receive a free software recommendation based on your organisation’s unique requirements.

How can I find out if a file transfer failed?

Data transfers underpin many operations within an organisation, so it’s important to know if a file is not delivered. Your customer SLAs may depend on it. Read on to find out how an MFT solution can alert you when a transfer fails and identify the reasons why.

Organisations transfer data all the time. That might be financial information in the form of invoices, orders and BACS files, or other operational transfers received through a website or shared between internal offices.

If an automated transfer fails it can disrupt business operations and risk breaching service level agreements (SLAs) you have in place for that activity. Unfortunately, for many organisations, the first indication that a transfer has not happened is a call from a user missing the file. By then, it’s usually too late.

That’s why you need good visibility of all your transfers and alerts set up to notify you if they fail.

Visibility

Managed File Transfer solutions – or MFT – provide excellent visibility of transfers. At a basic level, that might include email message alerts when a file has been delivered. BUT, this relies on you noticing you haven’t received the email.

These systems record events between the server and client, so – with the right module or add-ons – you can usually get a detailed level of reporting. This real-time transfer monitoring allows you to keep an eye on the most important transfers as they happen.

A good MFT system will provide the following:

  • Real time status of your servers and sites
  • Views of transfers in and out of your system
  • A dashboard giving key system statistics
  • The run history of event rules configured on your system

With many systems you can design customisable reports showing transfers, which you can then export to save or share. And – because prevention is better than cure – the IT department can uncover factors which may lead to future errors, such as connection failures, firewall misconfigurations, and data corruption.

How you achieve this will depend on your MFT solution and other monitoring systems in your environment. Ideally they will interact, but if this isn’t possible, you could use SNMP traps, or write to a Syslog server. Many monitoring systems read Windows event logs to detect errors, and happily most MFT systems allow this directly. Alternatively you could use a database as an intermediary location for storing monitoring events. Our technical consultants provide professional services to help you if you need it.

Never miss an SLA again

With a good MFT system, you can build a rule to check if a particular file has been transferred by a certain time. The system will generate an email, alerting the administrator or another specified user, if the transfer has failed.

Setting the rule to check before the file is needed gives you advance warning. So if – for example – an order isn’t sent or a payment isn’t made, you have time to contact the sender and address any difficulties before the SLA is breached.

These rules can be set for file names, file sizes or specific senders. You can also track the number of files sent. For example – you can check that at least three files of 100KB or more were uploaded from a specific group of users, with a file name starting ‘finance’.
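
The rule in that example, written out as added example code (not taken from any MFT product). The class and function names, the user names, the 17:00 deadline and the reading of 100KB as 100 × 1024 bytes are assumptions, and the transfer records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    when: datetime
    user: str
    filename: str
    size_bytes: int
    ok: bool


@dataclass(frozen=True)
class DeliveryRule:
    prefix: str
    users: frozenset
    min_size_bytes: int
    min_count: int
    window_start: datetime
    deadline: datetime


def evaluate(rule, transfers, now):
    """Return (status, matched filenames, near misses) for one rule at time `now`."""
    matched, near_misses = [], []
    for t in transfers:
        in_window = rule.window_start <= t.when <= min(now, rule.deadline)
        if not in_window or not t.filename.startswith(rule.prefix):
            continue
        if t.user not in rule.users:
            near_misses.append((t.filename, "uploader is outside the group"))
        elif not t.ok:
            near_misses.append((t.filename, "transfer failed"))
        elif t.size_bytes < rule.min_size_bytes:
            near_misses.append((t.filename, "below the minimum size"))
        else:
            matched.append(t.filename)
    if len(matched) >= rule.min_count:
        return "MET", matched, near_misses
    status = "BREACHED" if now >= rule.deadline else "PENDING"
    return status, matched, near_misses


def at(hhmm):
    """Build a time on the constructed sample day."""
    return datetime.strptime("2024-03-01 " + hhmm, "%Y-%m-%d %H:%M")


# The post's example: at least three files of 100KB or more, from a specific
# group of users, with a file name starting 'finance'. Deadline is assumed.
RULE = DeliveryRule("finance", frozenset({"alice", "bob", "carol"}),
                    100 * 1024, 3, at("00:00"), at("17:00"))

# Constructed transfer log records (not from a real MFT system).
TRANSFERS = [
    Transfer(at("09:05"), "alice", "finance_invoices.csv", 250_000, True),
    Transfer(at("10:12"), "bob", "finance_orders.csv", 180_000, True),
    Transfer(at("11:40"), "carol", "finance_bacs.txt", 40_000, True),
    Transfer(at("12:02"), "dave", "finance_payroll.csv", 300_000, True),
    Transfer(at("13:15"), "alice", "finance_ledger.csv", 220_000, False),
    Transfer(at("14:00"), "bob", "hr_report.pdf", 500_000, True),
    Transfer(at("16:30"), "carol", "finance_bacs.txt", 140_000, True),
]
```

Evaluating the rule an hour before the deadline returns `PENDING` together with the near misses (a truncated file, an upload from outside the group, a failed transfer), which is the advance warning that leaves time to contact the sender.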

Why did the transfer fail?

The more sophisticated MFT solutions on the market will allow you to pinpoint which of several steps in an event rule has failed. This means you can quickly identify the problem, without the cumbersome process of analysing logs. Some solutions will display high-level information in a dashboard view, which can be customised to highlight errors, such as failed logins or PCI compliance. You may be able to display other KPIs as well.

Next steps for your organisation

  • You already use an MFT solution
    Our technical consultants can advise on how to achieve this level of visibility.
  • You don’t have an MFT solution
    Our free download, Do I need MFT?, will identify if this is the right choice of technology for your organisation.
  • You are ready to compare solutions on the market
    If you know MFT is right for your organisation, our free comparison service will identify the best solution for your needs and budget.

Secure online forms and automation

Businesses need information from their internal users, external customers and suppliers all the time and it is highly likely this will include personal or sensitive data.

It is definitely not appropriate to ask users to share this information over email, but we know that is still common practice for many organisations. Email is not secure, so you risk a breach of the General Data Protection Regulation (GDPR), plus there is no guarantee of delivery. Email cannot support large files either.

Online forms provide a secure, customisable mechanism for your customers, suppliers and internal users to submit information to your business. It is a popular feature of Managed File Transfer systems and can capture any type of information or file size. Fields can also be configured to trigger onward business processes or integrate with internal systems.

To demonstrate the versatility and functionality of secure online forms with automation, let’s look at a use case from the motor insurance industry.

Use case: Motor insurance company

A customer is involved in a collision and needs to claim on their insurance. Using the secure online form, they enter the information required: Policy number, personal details, vehicle information, details of the collision and images of the damage.

Once the data has been received, a number of tasks need to happen to progress the claim.

This is where the technology really comes into its own. Automated actions sitting behind the secure online form can execute many of these tasks, and you can find out more in this video.

Examples of automated workflows

Once the user submits the form, it can trigger a range of automated workflows, such as:

  • Check the policy number matches the expected alphanumeric sequence
  • Validate customer name against policy number
  • Assign claim to a claims handler
  • Automatically input the description directly into the customer database
  • Rename images to a pre-determined format, eg: policynumber_date
  • Move images to the image server
  • Send an automated reply via email or SMS or other business communication platform. The template can be personalised to include the name, assigned claims handler, policy number etc.

All of these processes can take place without any human intervention, demonstrating just how much more efficient these labour-intensive tasks can become. You can see how this would suit other industries, such as mortgage brokers, doctors and private healthcare providers, or any outsourced business service, such as HR or payroll.

These are fairly simple use-cases, but there’s no end to the automation capabilities that can be applied. We recently customised secure online forms for a company sequencing hundreds of thousands of anonymised records of biological data. Customised logic built around metadata in mandatory fields in the form triggered the next step in the process.

Can you see how your organisation could benefit from adding secure online forms to your infrastructure? Get in touch for a chat now. Alternatively, complete our Managed File Transfer (MFT) comparison; answer a series of questions about this and other business requirements and our technical experts will recommend the best solution to suit your needs.

The World Cup 2018: A file transfer use case

Are you missing the World Cup already? It’s been an exciting few weeks of football!

As the novelty of England’s best performance in years wears off, we turned our attention to the IT infrastructure that underpins a tournament of this scale. It’s actually a really good example of the many ways data is sent, received and processed, and the types of technology that enable this to be done quickly and securely.

This article looks behind the scenes at this file transfer use case, which translates across many different industries.

High definition broadcast

First and most important is the high-definition broadcast that sports fans have come to expect. Streaming the World Cup involves data sets measuring in the tens of terabytes or even petabytes, which need to be moved quickly with perfect quality maintained.

The broadcasters would use a fast file transfer solution combining UDP and TCP technology across high bandwidth networks.

Traditional UDP transfers move big datasets much more quickly than TCP, regardless of size, distance or network conditions. That’s because it continually sends data packets without waiting to see if they are received successfully. In this case, the usual UDP trade-offs (slight distortion, or frames freezing) are offset by the TCP protocol, which ensures any lost packets are resent. An agent at the receiving station reconstructs the data after the transfer.

The result? The viewer sees every kick, goal and penalty in real-time high definition.

Sharing sensitive documents securely

During the World Cup or other football tournaments, sensitive data is continually shared between managers, medics, FIFA and other parties. It might be personal information about players, which needs to comply with data protection legislation like the GDPR, or sensitive data critical to a team maintaining a competitive edge. Some examples include:

  • Player details are sent to their training camp with medical and dietary requirements;
  • Medics sharing injury information and treatment plans back to the player’s home club;
  • Referees sharing match reports with the officiating body;
  • In the run up to the tournament, scout reports are shared across the globe, providing valuable insights into the competition;
  • New contracts in the aftermath of a big tournament are uploaded to web portals.

A secure file sharing solution would typically have a set of features to protect the data from hackers and malware: Secure protocols (SFTP, FTPS or HTTPS); Encryption (PGP or AES); Access control with the ability to restrict user permissions; User authentication; Secure data wiping; Administrator view; Audits and reports to show what was transferred, when and how.

Of course, these examples aren’t exclusive to the World Cup. The chances are that you face similar challenges in your organisation. Maybe that’s live streaming events or simply sharing employee data.

There are many reasons why a business might decide to implement a file transfer solution. If this has got you thinking about your system, our free resource – Does your organisation require a file transfer solution? – will help.

Inside you’ll find a questionnaire to record your responses to some typical file transfer challenges. There’s information on how a system can resolve these, plus recommended next steps for your project.
