Supply chain disaster: Do you need an MFT dev environment?

The reasons why you need an MFT dev environment


In all the years we’ve been working in file transfer, there have been a few occasions when we’ve witnessed the financial impact and reputation damage a system failure can have. This article looks at:

 

  • Why you should think twice before testing in a live environment;
  • When you need to consider a development (dev) environment for your Managed File Transfer (MFT) solution;
  • Details of the six stages for testing and development.

“A few years ago, one organisation was developing workflows in a live environment, and broke other automated processes. The system was down for just a few hours, but the impact was huge. This business supplied products to retailers across the country, but were unable to access the order information. The lorries couldn’t leave the factory and delivery drivers had to be paid overtime. Worse still, the retailers were left out of stock, consumers bought other brands and some ended up staying with that brand. The impact on the business’ finances and reputation was catastrophic.”

Richard Auger, Pro2col technical consultant

This particular example could have been prevented if the IT team were developing in a test environment, instead of a live environment. But so many organisations only have a live MFT production licence. That might be to save money, or because decision makers just don’t think a file transfer server needs a test licence. But we know an MFT system is doing so much more than transferring files, so if you have any workflows involved, you need to reconsider.

Is a dev environment business critical?

This will depend on the value of the data your system is handling. Is it critical to business processes? Do you risk breaching service level agreements (SLAs)? Or will you simply not be able to operate, like the example above? While you may be able to send files by some other method for a few hours, it isn’t viable for a sustained period.

You also need a change control policy to meet ISO 27001 requirements. While it is down to you to determine the right policy for your unique set of circumstances, ISO best practice, for example, advocates testing in an isolated, controlled and representative environment. Similarly, ITIL requires an organisation to follow both ‘change management’ and ‘release and deployment management’ processes from non-production to production systems. It’s an old IT joke that in weaker, less secure environments TIP doesn’t mean ‘Transfer into Production’ – it ends up being ‘Test in Production’ instead.

So to avoid disrupting your system when deploying new releases, building workflows or making other changes, you should follow these six stages for testing, developing and transfer into production:

  1. Sandbox, or experimental environment: This is a local environment no one else can access, where the developer has a working copy of the code. Here they can try it out and change it without putting it live. This environment will typically be an individual developer’s workstation. Once they are happy with it the developer would submit the code to the repository for the next stage of development. Most MFT solutions by default don’t have a sandbox but you can sometimes set it up by installing the software onto a private virtual machine.
  2. Development or integration environment: This is a clean environment where you test how your code is interacting with all the other bits of code associated with the system. The code itself doesn’t get changed in this environment – updates are made to the working copy back in the sandbox and resubmitted. When ready, the developer accepts the code and it is moved to the test environment.
  3. Testing: This is the environment to test the new or changed code, either manually or using automated techniques. You may have different test environments to focus on different types of testing. The developer looks at how it interacts with and impacts other systems and tests performance and availability. If you are upgrading, for example, this will show how your system will behave once the upgrade is in place. From here, the code can be promoted to the next deployment environment.
  4. User acceptance testing (UAT) or quality assurance (QA): In this stage users will trial the software, making sure it can deliver against requirements. Stress testing is also carried out in this stage.
  5. Pre-production, or staging environment: This final stage tests in conjunction with all the other applications in the infrastructure. The aim here is to test all installation, configuration and migration scripts and procedures. For example, load testing happens here. It’s really important that this environment is completely identical to the production (live) environment. All systems should, for example, be the same version.
  6. Production or live environment: Transfer into production – or TIP – is the final stage, bringing the updates live. This is the environment that users actually interact with. This can be done by deploying new code and overwriting the old code, or by deploying a configuration change. Some organisations choose to deploy in phases, in case of any last minute problems.

If you follow these steps you can be confident that any upgrades to the production environment will be completed reliably and efficiently. But if your budget or internal policy won’t allow you to invest in all of these, we would recommend at least a test environment, which should be an exact copy of the production environment.

All our vendors offer test licences at reduced rates. If it’s time to get this set up for your MFT solution, get in touch now. You can contact us via the website or by emailing your account manager.

Interested in a file transfer solution?

Secure online forms and automation


Businesses need information from their internal users, external customers and suppliers all the time and it is highly likely this will include personal or sensitive data.

It is definitely not appropriate to ask users to share this information over email, but we know that is still common practice for many organisations. Email is not secure, so you risk a breach of the General Data Protection Regulation (GDPR), plus there is no guarantee of delivery. Email cannot support large files either.

Online forms provide a secure, customisable mechanism for your customers, suppliers and internal users to submit information to your business. It is a popular feature of Managed File Transfer systems and can capture any type of information or file size. Fields can also be configured to trigger onward business processes or integrate with internal systems.

To demonstrate the versatility and functionality of secure online forms with automation, let’s look at a use case from the motor insurance industry.

Use case: Motor insurance company

A customer is involved in a collision and needs to claim on their insurance. Using the secure online form, they enter the information required: Policy number, personal details, vehicle information, details of the collision and images of the damage.

Once the data has been received, a number of tasks need to happen to progress the claim.

This is where the technology really comes into its own. Automated actions sitting behind the secure online form can execute many of these tasks, and you can find out more in this video.

Examples of automated workflows

Once the user submits the form, it can trigger a range of automated workflows, such as:

  • Check the policy number meets alphanumeric sequence
  • Validate customer name against policy number
  • Assign claim to a claims handler
  • Automatically input the description directly into the customer database
  • Rename images to a pre-determined format, eg: policynumber_date
  • Move images to the image server
  • Send an automated reply via email or SMS or other business communication platform. The template can be personalised to include the name, assigned claims handler, policy number etc.

All of these processes can take place without any human intervention, demonstrating just how much more efficient these labour-intensive tasks can become. You can see how this would suit other industries, such as mortgage brokers, doctors and private healthcare providers, or any outsourced business service, such as HR or payroll.
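The first two checks and the image rename from the list above, sketched as server-side code. This is an added example, not taken from any MFT product: the policy number pattern, the in-memory policy register, the allowed image types and the `_n` sequence suffix (needed so several images from one claim do not collide) are all assumptions.

```python
import re
from datetime import date
from pathlib import PurePosixPath

# Assumed for this example: two capital letters followed by eight digits.
POLICY_RE = re.compile(r"[A-Z]{2}[0-9]{8}")
ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
# Constructed stand-in for the policy database lookup.
POLICY_HOLDERS = {"AB12345678": "Jane Smith"}


class Rejected(ValueError):
    """The submission failed a check and must not reach later workflow steps."""


def check_policy(policy_number, customer_name):
    """Check the policy number format, then the name held against it."""
    # fullmatch, not match: a trailing newline or extra characters must fail.
    if not POLICY_RE.fullmatch(policy_number):
        raise Rejected("policy number format")
    holder = POLICY_HOLDERS.get(policy_number)
    if holder is None or holder.casefold() != customer_name.strip().casefold():
        raise Rejected("name does not match policy")


def stored_names(policy_number, uploads, received):
    """Build server-side names of the form policynumber_date_n.ext.

    Only the extension is taken from the client-supplied filename, and only
    if it is on the allow-list, so path components in an upload name never
    reach the image server.
    """
    stamp = received.strftime("%Y%m%d")
    names = []
    for n, original in enumerate(uploads, start=1):
        ext = PurePosixPath(original.replace("\\", "/")).suffix.lower()
        if ext not in ALLOWED_EXT:
            raise Rejected(f"file type {ext or '(none)'} not allowed")
        names.append(f"{policy_number}_{stamp}_{n}{ext}")
    return names


def process(form, received):
    """Run the checks in order; renaming happens only for a valid claim."""
    check_policy(form["policy_number"], form["name"])
    return stored_names(form["policy_number"], form["images"], received)


if __name__ == "__main__":
    # Constructed submission, including filenames with path components.
    form = {
        "policy_number": "AB12345678",
        "name": "Jane Smith",
        "images": ["../../var/www/IMG_1.JPG", "C:\\Users\\j\\dent.png"],
    }
    print(process(form, date(2018, 7, 1)))
```
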

These are fairly simple use-cases, but there’s no end to the automation capabilities that can be applied. We recently customised secure online forms for a company sequencing hundreds of thousands of anonymised records of biological data. Customised logic built around metadata in mandatory fields in the form triggered the next step in the process.

Can you see how your organisation could benefit from adding secure online forms to your infrastructure? Get in touch for a chat now. Alternatively, complete our Managed File Transfer (MFT) comparison; answer a series of questions about this and other business requirements and our technical experts will recommend the best solution to suit your needs.


The World Cup 2018: A file transfer use case


Are you missing the World Cup already? It’s been an exciting few weeks of football!

As the novelty of England’s best performance in years wears off, we turned our attention to the IT infrastructure that underpins a tournament of this scale. It’s actually a really good example of the many ways data is sent, received and processed, and the types of technology that enable this to be done quickly and securely.

This article looks behind the scenes at this file transfer use case, which translates across many different industries.

High definition broadcast

First and most important is the high definition broadcast that sports fans have come to expect. Streaming the World Cup involves data sets measuring in tens of terabytes or even petabytes, and they need to be moved quickly with perfect quality maintained.

The broadcasters would use a fast file transfer solution combining UDP and TCP technology across high bandwidth networks.

Traditional UDP transfers move big datasets much more quickly than TCP, regardless of size, distance or network conditions. That’s because UDP continually sends data packets without waiting to see if they are received successfully. In this case, the usual UDP trade-offs (slight distortion, or frames freezing) are offset by the TCP protocol, which ensures any lost packets are resent. An agent at the receiving station reconstructs the data after the transfer.

The result? The viewer sees every kick, goal and penalty in real-time high definition.

 

Sharing sensitive documents securely

During the World Cup or other football tournaments, sensitive data is continually shared between managers, medics, FIFA and other parties. It might be personal information about players, which needs to comply with data protection legislation like the GDPR, or sensitive data critical to a team maintaining a competitive edge. Some examples include:

  • Player details are sent to their training camp with medical and dietary requirements;
  • Medics sharing injury information and treatment plans back to the player’s home club;
  • Referees sharing match reports with the officiating body;
  • In the run up to the tournament, scout reports are shared across the globe, providing valuable insights into the competition;
  • New contracts in the aftermath of a big tournament are uploaded to web portals.

A secure file sharing solution would typically have a set of features to protect the data from hackers and malware: Secure protocols (SFTP, FTPS or HTTPS); Encryption (PGP or AES); Access control with the ability to restrict user permissions; User authentication; Secure data wiping; Administrator view; Audits and reports to show what was transferred, when and how.

 

Of course, these examples aren’t exclusive to the World Cup. The chances are that you face similar challenges in your organisation. Maybe that’s live streaming events or simply sharing employee data.

There are many reasons why a business might decide to implement a file transfer solution. If this has got you thinking about your system, our free resource – Does your organisation require a file transfer solution? – will help.

Inside you’ll find a questionnaire to record your responses to some typical file transfer challenges. There’s information on how a system can resolve these, plus recommended next steps for your project.


Upgrade to Diplomat Managed File Transfer v 8.0



Coviant have released Diplomat Managed File Transfer v8.0. We’d recommend you upgrade as soon as possible to take advantage of the new features and fixes, which include:

Support for Windows Server 2016

  • When using search/move features for keys, partners or transactions, leaving the ‘containing phrase’ field blank displays an unfiltered list of objects. Enter ‘Accelerate’ into the ‘containing phrase’ field when All Fields is selected to identify any SFTP partners that have ‘Accelerate transfers’ selected.
  • Added Reset with accelerator CTRL-R to the top level menus for Public Keys, Key Pairs, SSL Certificates, Partners (Enterprise only) and Transactions.
  • Added accelerators for the Search/Move items of Partners (Enterprise only) and Transactions – CTRL-P and CTRL-T.
  • Added ability to add Integrity Protected Packets to PGP-encrypted files.

Standard and Enterprise only

  • Added initialisation error messages to server startup email going to IT Support email addresses.

Enterprise only

  • If in use, the SQL audit database is updated to add multiple columns to the JOB_AUDIT and JOB_AUDIT_ARCHIVE tables the first time the Diplomat Service is started after an upgrade to v8.0. No data conversion is done, but the SQL audit database can no longer be used by earlier versions of Diplomat MFT.
  • Added fields for API and FILE_MONITORING to SQL audit database to indicate how jobs were initiated.
  • Added ability to zip source files before transferring and unzip destination files after transferring.
  • Added support for shared folders in Citrix Sharefile partner profiles.
  • Added ability to start Diplomat Service in ‘safe startup mode’ with all transactions suspended. Right-click on the Transactions folder to unsuspend any transactions that were not suspended before the Diplomat Service restart.

Fixes

  • Changed scheduling so that previously defined ‘excluded days’ are not considered when the Recurrence Type is Weekly.
  • Corrected scheduling error that occurred when scheduling window spanned midnight. Jobs do not stop at midnight, but now run until the end of the scheduling window.
  • Fixed error in getting correct file modified date when using subfolders in the source file name field.
  • Ensure that SMB partner profiles that are defined with a non-blank Directory field can successfully overwrite destination files.
  • Corrected problem where attempts to create new sub-folders on FTP, FTPS and SFTP destinations were not occurring.
  • Corrected a problem where a Run Now dialog would not display the summary information at the end of the job if the associated transaction was saved while the job was running.
  • Corrected problem where a second job based on a transaction could start while an earlier job based on the transaction was still running.
  • If a left-nav item is selected and the user scrolls it so that it is not visible, the left nav will not scroll back to the selected left-nav item when the display refreshes.

You can download the installation files and related documentation at http://www.coviantsoftware.com/partner-portal.php. You will need your Coviant support username and password.

If you have a maintenance contract and experience any difficulties upgrading, please submit a support ticket and one of our technical consultants will be in touch.


What do the new SSL and early TLS requirements mean for my file transfer solution?


PCI DSS is the security standard for processing and storing credit card information. From 30th June 2018, organisations can no longer use SSL and early TLS to meet the PCI DSS standard. This blog post will remind you of the requirements and what this means for your file transfer solution.

Earlier this year we reminded you that Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) are no longer considered secure protocols. This is because of the growing number of attacks and vulnerabilities, with online and e-commerce the area most at risk.

From 30th June 2018 organisations will need a more secure encryption protocol in order to safeguard payment data and meet the PCI DSS standard. With just over a week to go, we wanted to share these key points, so you can check you have everything in place and understand what it means for your file transfer solution.

What do I need to put in place?

Essentially, you need to have a secure alternative – both at the network layer and at the data protection layer – and disable any fallback to SSL or early TLS. Your two options are as follows:

1. Migrate to TLS 1.2

The PCI council make a clear recommendation that you transition to TLS 1.2:

“TLS 1.2 is considered secure and is the recommended option from the council.”

SSL and Early TLS Migration webinar, Feb 2018.

TLS 1.1 is a more complicated option because it is possible to meet the requirements for strong cryptography, but it depends on the configuration, algorithms, strength of keys and other aspects of the implementation.

2. Compensatory controls

SSL and early TLS are not considered strong cryptography so they cannot be used as a security control for PCI DSS. You could add alternative security controls that remove the reliance on SSL and early TLS. Encryption would need to be in place to secure the transmission before it is sent using SSL or early TLS, for example at the application layer.

Exception for POI devices

This exception is in place because Point-of-Interaction (POI) terminals are not as susceptible to the vulnerabilities as browser based systems. If the device is built and configured in a way that’s not susceptible to the known vulnerabilities, it is possible to keep using it. You need to contact the vendor or support provider for that terminal, who can evidence this.

The device will still need up to date patches, must not use weak cipher suites or unapproved algorithms (eg: RC4 or MD5) and you must continually check that it hasn’t become susceptible to any new vulnerabilities. You should also have a migration plan in place that you can execute at short notice, should the device become susceptible. Any new devices should be configured to TLS 1.2.

You can find out more information on all the topics covered in this blog by watching the video from the PCI Security Standards Council.

What does this mean for my file transfer solution?

If you are running a file transfer solution and have kept it up to date, there is a good chance you won’t need any major changes. All the current versions from the main MFT vendors support TLS 1.2 and many default to having only TLS enabled.

Some products have PCI compliance scans built in, which will warn you if you are running SSL v3.0. These scans may not differentiate between TLS 1.0 and TLS 1.2 though, so you will need to do a manual check. If you have a support contract with Pro2col, raise a support ticket and one of our technical consultants will find out if your solution is configured for TLS 1.2 or not.
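One way to script that manual check against your own listener, as an added example that is not part of the original post or of any vendor's tooling. It offers one protocol version per connection and reports which ones the server completes; the function names and the placeholder hostname in the usage comment are assumptions.

```python
import socket
import ssl
import sys
import warnings

# Early TLS must be refused; TLS 1.2 must be accepted. SSL 3.0 is left out
# because current OpenSSL builds cannot offer it as a client.
EARLY = ("TLSv1", "TLSv1_1")
VERSIONS = EARLY + ("TLSv1_2",)


def handshake(host, port, version, timeout=5.0):
    """Offer exactly one protocol version to host:port.

    Returns True (server completed the handshake), False (server refused),
    or None (this machine's OpenSSL cannot offer that version at all).
    """
    if not getattr(ssl, "HAS_" + version, False):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol probe only, not a trust decision: certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    pinned = getattr(ssl.TLSVersion, version)
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = pinned
            ctx.maximum_version = pinned
        # Distro security levels often block TLS 1.0/1.1 on the client side,
        # which would look like a refusal. Level 0 lets the probe offer them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    # TCP connection errors propagate: "unreachable" is not "refused".
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionError, socket.timeout):
            return False


def audit(host, port, probe=handshake):
    """Probe each version; return (results, findings) for a compliance check."""
    results = {v: probe(host, port, v) for v in VERSIONS}
    findings = []
    for v in EARLY:
        if results[v] is True:
            findings.append(f"{v} accepted: disable it on this listener")
        elif results[v] is None:
            findings.append(f"{v} untested: probe from a client that supports it")
    if results["TLSv1_2"] is not True:
        findings.append("TLSv1_2 not accepted: enable it before disabling early TLS")
    return results, findings


if __name__ == "__main__":
    # Usage: python tls_audit.py mft.example.test 443   (hostname is a placeholder)
    if len(sys.argv) != 3:
        sys.exit("usage: tls_audit.py HOST PORT")
    results, findings = audit(sys.argv[1], int(sys.argv[2]))
    print(results)
    print("\n".join(findings) or "early TLS refused, TLS 1.2 accepted")
    sys.exit(1 if findings else 0)
```

This covers listeners that speak TLS from the first byte, such as HTTPS and implicit FTPS. Explicit FTPS negotiates TLS only after an `AUTH TLS` command, and SFTP runs over SSH rather than TLS, so neither is tested by this probe.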

If you are running an older version of your file transfer solution, you may need to upgrade. Again, Pro2col can advise on the process and our professional services team have experience getting out of date software up to the latest version.

If you are running an older SSL certificate built using 512-bit or 1024-bit key sizes, it is worth renewing it. The recommendation is now to use 2048-bit or greater.

To compare Managed File Transfer (MFT) solutions with PCI DSS compliant features, complete the Managed File Transfer Comparison Report. This will recommend and compare solutions meeting your specific requirements.


Certified File Transfer Professional (CFTP) acquisition

Pro2col acquire and update Certified File Transfer Professional (CFTP) accreditation

Pro2col Ltd have acquired and enhanced the Certified File Transfer Professional (CFTP) programme, meaning they will provide training for file transfer engineers across the world.

It is the only independent file transfer certification for IT professionals. Users gain knowledge of file transfer concepts and technology, plus the capability to deliver secure and managed file transfer in their organisation. It is recognised worldwide by employers looking to recruit experts to their file transfer team.

Pro2col have been involved in its design and development in recent years, and this acquisition marks an important step forward for the programme.

“We have updated the study guide, enhanced the user-experience and developed an exciting roadmap for future development. This includes new GDPR and PCI-DSS modules. It’s informed by our knowledge gleaned from 15 years’ delivering secure file transfer solutions, plus contributions from an advisory board made up of the world’s leading experts in this technology. There’s also now a digital accreditation badge, which users can add to their email signature, LinkedIn profile or elsewhere to share their success. Plus, we are delighted that the CFTP has received CPD certification.”

Pro2col Managing Director James Lewis.

CPD accreditation means the learning value and structure of the course meets the rigorous standards of the CPD Certification Service. Users who pass the exam will be able to add the course to their CPD record, recognising their knowledge of file transfer.

Secure and managed file transfer is becoming an increasingly important component in IT infrastructure. Knowledge gained from the CFTP helps organisations address GDPR and PCI-DSS compliance, plus FIPS 140-2 certification, HIPAA, SOX and GLBA. That’s why the course has proved popular with finance, insurance, consulting and many other sectors. Participants also learn how the technology improves business efficiency, freeing up resources, streamlining business operations and reducing human error.

“The secure transfer of files and personally identifiable data needs to be done correctly,” explained James. “Our aim for CFTP is to give IT professionals the file transfer training they need to implement secure file transfer into their organisations whilst giving a professional certification to the learner. With an understanding of the technology, CFTP qualified staff help organisations to stay compliant, improve efficiency and save time.”

The course is delivered online through downloadable study resources and video lessons, ending with an online open book exam. It takes users through file transfer concepts, basic and advanced protocols, accelerated file transfer, file sync & share, encryption and more.

“Pro2col are independent data transfer and file sharing specialists and I’ve made no secret of my aim for us to be the best at what we do, worldwide,” James said. “This acquisition is an exciting step for Pro2col and the CFTP programme. To be responsible for training file transfer engineers across the world is testament to the knowledge and expertise of our technical consultants.”
