About the Webinar
Are you using a free PGP encryption tool? Now it's time to take file transfers to the next step! Although free tools like OpenPGP Studio are a great option, GoAnywhere helps to automate file transfers securely and can save crucial time, plus so much more!
This webinar focuses on automating your PGP encryption, touching on the negatives that can come from employees managing their own PGP encryption and decryption, such as:
- Uncertainty if files contain viruses after decryption
- Difficulty for admins regarding what activities they can see
- Unnecessary maintenance and provisioning
Discover the time savings and centralization that comes with using an enterprise MFT solution like GoAnywhere. This webinar highlights some of GoAnywhere's key features, such as the ability for admins to easily create PGP Key Paris, and centralized management and control.
If you're doing PGP encryption today and curious about the benefits of upgrading beyond a free PGP tool, explore ways to improve your file transfer processes, along with encryption and decryption practices.
Transcript
Stephen Mabbutt: Good morning, good afternoon and welcome to today's webinar on how to automate your PGP encryption. We'll be running for about 50 maybe 65 minutes on this. We will have time at the end to cover any questions you have. So, feel free to jot them down as you're going through, and then we will have time to answer them at the end. So if we have... If you feel like we've ignored you at all, don't worry, we will see them right at the end and we will pick up the questions there. Let's go on to the next slide.
Today's agenda, we'll be looking at how to automate your PGP encryption. We'll start with free PGP encryption pros and cons on why you should or shouldn't look at using this as a solution that's free, why you should automate your PGP encryption, some automation best practices. So, if you are looking at automating your encryption, decryption and then other parts that you can do with that, some best practices, maybe some thoughts on what you should look at. We'll have a very quick look at a customer story. This is someone who has been using free tools in the past, and is now using a solution that is fully automated. Then, we'll move into an introduction to GoAnywhere and a live demo on that solution with some use cases that we should touch on during the slides. Then as I mentioned, right at the end, we will have time for questions and answers.
Like I said today I'm Stephen Mabbutt. I'm a Technical Services Manager from HelpSystems for North EMEA. I'm also joined by my colleague Dan Freeman. He's the Senior Solutions Consultant for HelpSystems. I'll be covering some of the slides up to when we switch over into demo and then we'll bring Dan on and he'll run through the demo presentation.
Pros and Cons of Free PGP Encryption
Okay. We'll start with some of the pros and cons of using of free PGP encryption tools. I guess one of the first real pros or plus points for using free tools is that they are free, no cost associated with them. There may be some minor costs for maintenance, but in the end you are paying for, well not paying in this case, for a free utility. They're usually easy to install. They're relatively basic and they're a feature set, but that does mean they're relatively easy to get started. So, there's no real major training that you have to go through. There might be maybe a little bit of training required for end users just to get them to use the application, but after that, they should be relatively self sufficient and straightforward on their use.
It does what it needs to do. Well in this case, yeah. It covers you for encryption, decryption, hopefully signing and verifying the signature on these files as well. So in theory, this will perform any requirement you have for encryption or decryption of these files using PGP.
But let's look at some of the cons to this. Well, it is free and it does do what you need it to do. There are some pitfalls from using a solution like this. So, from an auditing perspective, you have no centralized management or visibility to any activities performed on your user's machines. As an administrator potentially, you don't know what users are encrypting or decrypting. You may not even know exactly where your PGP encryptions are held or your PGP keys are held, sorry.
No automation ability. Well in this case, using a free utility, everything is a manual process. This goes from starting the application, locating the fall you want to either encrypt or decrypt, then the processing of the file, and then maybe right at the end of it, once you have either decrypted it or encrypting it, you might have to manually email it to somebody else or maybe move it into another location where it can then be processed by maybe another application further down the chain.
So, every part of it requires some manual involvement. This does lead into situations where mistakes can be made. So, maybe a file has been encrypted with the wrong PGP key, or maybe the wrong file has been encrypted but sent to the person it should have been sent to. So, you've now got issues where either a user can't decrypt the file or they are decrypting the file correctly, but it's not actually the file they should be receiving. So, we're all humans mistakes can happen, so again, one of the pitfalls from having a manual process.
Free tools like Open PGP Studio require administrators to provision and maintain the software on user desktops. So, it depends on the number of users that require access. This can be a time consuming process, so, another thing to consider when using these free tools.
I've already touched on this, but users do need training in the software. Now, the tools themselves are relatively straightforward. They're quite basic in their use. So in theory, this shouldn't take too much time, but it's still something you have to consider. For every new user that has to then encrypt or decrypt files, you're then training those or provisioning the software, copying files into them. Every part of that is still going to take time from not just the user but the administrator or the trainer as well. So, there may be a number of different people just to provision one additional user.
The fact you were you were still having users going through this manual process and maintain this application on their machines, also means in most cases these users then have access to the private keys. Now, that can be a dangerous process because, if you're giving the private keys to these users, you now have your private keys in multiple locations within the organization. That's something that can be quite dangerous. If for any reason one of those keys does manage to go into the wrong hands, then you've got a lot of things you need to do to correct that. So again, while it is a free utility, another issue you may have with it.
Finally on here, risk of files containing viruses after they are decrypted. Well, the files you're receiving because they're encrypted, they're not going to easily become scannable by your AV until they've been decrypted by the user. So this point, the users decrypt the file, they've saved it, well that file could well be a virus. They didn't know where it's come from. It's an encrypted file. So they assume it's good, because that's the process they have been trained to go through. So again, something else you just need to be aware of when you're going through these manual processes.
We've mentioned that we obviously have our free open PGP Studio. So, just to quickly mention it here just in case you haven't seen it, or maybe you haven't used it for a little while, just a quick recap. This is what the interface looks like. As I mentioned, it's relatively simple in its design. We've tried to make it so it is easy to use. As you mentioned, this does support encryption, decryption, digital signatures, that's the signing and then verifying the files that you've been received. You can use this to create key rings and key pairs. So, this holds your PGP keys. You can import them if you need to, you can export the keys you create. Maybe you've got multiple users using this application, one person can create a set of PGP keys, then from here you can export them and save them onto other users machines.
Now, I've got a tip coming up on here as well, just to make that a slightly simpler process. Obviously, when you've encrypted these files they can be compressed at the same time. So, we thought we'd just cover three quick tips on maybe making the most out of this solution. Most of the cases you might find on here or most of the ways you'll go through this application are mouse driven. You're going to right click on a file or folder and you're going to then encrypt or decrypt it. Well, there are keyboard shortcuts available. Now, they're not available from the right click context menu, but if you click at the tasks menu at the top, you can see some of these keyboard shortcuts. I'm quite a keyboard heavy user. I move around through the keyboard quite a lot. So, using control keys like control E to encrypt, it saves me time when I'm using a solution like this.
I mentioned before that you can use this to create key rings and key pairs and then move them to other users machines. Now, that's quite an overhead to move these files around. Plus, then you've got these keys in multiple locations. One tip you can do on here is to create your key pair, then move that to some centralized server. You can restrict user access to that location, so only the users you define can have access to it. Install the software, re-point the public and secret key rings to those locations. In that case, every user you then bring on using this application in future, you just change these settings and straightaway they have access to the keys, public and private keys that you've defined. Nice little tip that you can actually then have centralized key management. I say centralized key management, at least a centralized key store where the keys are stored.
Finally, you can encrypt or decrypt multiple files. Now, you can right click on a single file encrypt it, decrypt it, sign it or verify, whatever you're looking to do. But, you can also do this against folders. Now, you can right click on a folder in the left hand panel. It's on the left of the screen, so you can see there's different folders. But, if you select the parent folder in the left hand panel, and then the right hand side right click on the folder, you still then have those same context menu. So, you can encrypt a folder, sign it, decrypt. So, if you've got multiple files in there that are encrypted from the same public key, maybe 10, 20 of them have all just being sent across, you can just right click on that folder decrypt, and it will decrypt every file in there directly.
Why should you look at automating your PGP encryption? Obviously we've already covered some of the issues where we have pitfalls from using a manual process. So, what are the other alternatives? Well, ultimately a PGP encryption means that you open up a large number of benefits, not just the fact that it is automating things like the time and cost saved from users manually performing the processes, but it also eliminates the human element for potential mistakes. We've touched on the fact that users can encrypt the wrong file, they can send the wrong file or the right file to the wrong person. So, all of these we try and eliminate entirely by automating these through some other process.
The encryption and decryption of files is just one part of the centralization that you can help achieve with automating your processes. So, one single solution would then be responsible for moving the files, maybe receiving them from third parties, that could be through an SFTP process and pushing them to another user. So, this automated process isn't just automating the files or encrypting and decrypting them. It's then moving them and pulling them back. By automating them, you can then have a large number of files processed in a very small amount of time. Obviously, one of those tips we just looked at was the ability to encrypt or decrypt entire folders, but using an automation tool. You don't need to worry about that. You can literally just have it pick up files as soon as they're made available to you, and it's going to automate the entire process.
Last one here, well, the problems with things like open PGP Studio and manual processes is that, you have to teach users how to use it properly, we've touched on this as a pitfall. You have to teach them how to keep their private keys safe. Again, we've mentioned that. And, teach them how to use the software and hope they remain compliant, because compliance here is a big issue when you're dealing with encrypted files. They're most likely going to be confidential. They could be financial. So, your users will have to make sure they're remaining compliant with this user confidential data. So, automating those things removes that as a requirement.
PGP Automation Best Practices
Let's look at some of the best practices. So is there anything you should be looking for in a solution to automate these or any best practices you should follow? Well yes, here's a few we've mentioned. So number one, create open PGP key pairs. It's obviously a given when you're dealing with PGP encryption, but you need to keep them secure. They should never be given to end users. If that private key was misplaced, or accidentally shared outside your organization, then you would need to replace your key pair and then send a new public key to anyone that's sending you encrypted data. Now, this is very time consuming and it could be a potentially dangerous situation if your private key has managed to get out into the outside world.
Number two, set up automatic decryption. Now, this can be performed in a number of different methods. So, it's not just thinking about, "Oh, there's a file, it's going to be encrypted." It's how that decryption process will take place. So, you could create a trigger on a web client or maybe a trigger when the file is uploaded to you via another method, something like FTPS or SFTP. So, when an encrypted file is uploaded to a designated folder, a trigger automatically decrypts the file using the private key stored in, let's say within our application key management system. It's a secure vault for keys. The decrypted file is then automatically copied to a destination location, and that could then be made available to a user automatically, or placed into a certain location.
A similar process could be set up maybe using secure forms. Similar to maybe a web user uploading a file, the organization could have a company secure form where employees upload their encrypted files. The form has a workflow that runs under the covers that again extracts this private key from the secure location, decrypts the file, then transfers that file back to the form where the users can download it. So again, you're still keeping your private keys secure and safe. In this case, you're allowing the user to manually decrypt the files. It's still automated, it's still logged, which takes us to number four, which is everything you do should be audited. Everything you should do is all logged. So, every file is decrypted, every file that it encrypted should be logged and made available for administrators to search. On top of that, administrators actions should also be logged as well. So, you've got a full audit trail of every single thing this application has done.
I know I skipped over number three, just because the flow went past it a while ago. Drag and drop workflows. Now, while you're creating these automated processes to encrypt and decrypt your files, they need to be simple to create, simple to look at and simple to design. Well, drag and drop workflows created through an application like GoAnywhere, they are very easy to use. You can see exactly what's going to happen with the files as they go through, and Dan will cover some of those examples as we go through and how easy they can be to create.
Finally, we've already touched on one of these things in a previous slide, where we talking about viruses. These files could have viruses contained within them, but you want to add within your workflows, the same drag and drop interface, add in some additional steps. Maybe just send the files to an ICAP system for antivirus scanning or some other scanning process you may look to take. This way, your automated process will be to receive the file. It could be to decrypt the file using your encrypted or secure PGP keys. As soon as it's decrypted it, then sends it off for scanning before it then saves it into a location where it's picked up by maybe the next process in the chain. This way, you are completely removing any impact from receiving a virus. It's deleted before it's even had a chance to move throughout your organization.
Customer Story
Just before we move on to the live demonstration, we'll hopefully look at a customer story. This was one of our customers that was previously using our free utility, using open PGP Studio. Originally, their requirement was from one of their business units, they required a CSV file to be encrypted during transport from a partner. So, they provisioned their users with GoAnywhere open PGP Studio to basically encrypt and decrypt these files that are sending to them from the user. So, why did they look at moving? Well, originally their goal was to just encrypt and decrypt this file. But really, once they started using this, they realized that they needed more. So eventually, they looked at GoAnywhere MFT, and realized that they can actually automate not just the encryption and decryption but the full file transfer process. So, not just decrypting and encrypting the files. They're now automating every part of that entire process. So, receiving the file and decrypting it, placing it in the right location.
They were able to consolidate and simplify all of their file transfer requirements that cover both internal use and external. So, not just receiving and sending these files out, including internal file moves. Not solely talking about encryption, but actually just simple file moves from file A separate to file set in B. Every aspect of it is now in one solution, all covered in one place.
If we can go to the next slide. Perfect. That brings us into the GoAnywhere introduction and live demo, and I'm going to pass it over to Dan to continue this, right Dan?
Dan Freeman: All right Stephen, I appreciate that. Can you hear me okay?
Stephen: Indeed, yep. I can hear you.
Why Managed File Transfer
Dan: All right, awesome. Thanks guys for taking some time out today. We'll go over some of the intro to GoAnywhere as the slide suggests, and go through a couple scenarios to touch on a couple of points that Stephen just brought up on some of that automation of PGP encryption, whether that's incoming or whether we're sending files, outbounds. We'll take a peek at a couple of those examples here in a little bit.
Why would we want managed file transfer? Well, I think with security being at the forefront of most CIOs and well CEOs for that matter anymore, coupled with the exponentially increasing data year after year, we'll get files moving all over the place. A lot of it's sensitive information. So, having some secure managed file transfer solution is becoming pretty critical. Not only that, but staying current with the latest Cipher suites, algorithms, encryption methods, definitely crucial to staying compliant and keeping company information and other people's information for that matter confidential. I'm sure you've probably actually seen the prevalence of data security breaches over the past 10 years or so. FYI, that's not good publicity and definitely not cheap either. So, securing data is definitely critical nowadays.
The centralized management, I know Stephen touched upon that from a PGP standpoint, but this is from an overall standpoint. Having that single pane of glass, really helps you with that insight into all file movement and manipulation in just that one location, and absolutely helps with auditing and accountability. Flowing into the full traceability and control, there's nothing worse than having an auditor walk through your doors and getting those sweaty palm feelings, and having almost no clue where you're going to pull all these reports, where you're going to pull all this information that that individual's going to ask of you. It's nice to have most of all those things in a single pane of glass, centralized place for that to be easily accessible.
Going along with that, that traceability and control, having those detailed audit logs, whether it is on the service side of things, any of the service listeners, setting off triggers, the administrative users that are logging in and making changes, the actual file audits, anything that's coming in and out of your MFT solution, what's happening, who's touching it, what are they doing when they're in there, all those types of things.
Not to mention on the control side, access control, if you have any compliance regulation, access control is going to be integral to your audits. You need to know that you have control of whoever's accessing what at any time, to help maintain that CIA or Confidentially Integrity and Accessibility or availability of that data, to make sure that you are keeping control and compliance with that type of data. Then automation, I think a great point on this is the fact that, pretty much every year, year after year, the biggest cause for those data breaches we keep hearing about is human error, bottom line. I mean, we make mistakes. It's just a no brainer. So, the more that you can automate things, the more it takes that out of our hands, whether it's the user's hands, whether it's even CIS admins hands, it doesn't matter. It's great to get most things automated to hopefully alleviate those data breaches as best we can at least.
So, some of the points on GoAnywhere MFT specifically, I guess the modern MFT solution, I'd say point to MFT or at least GoAnywhere MFT, it's great to work with a development team or R&D team that's constantly working to improve this. Being on the pre-sales and support and professional services side, sometimes it's tough because these guys do pump out things pretty quick, which is amazing. These guys, they target four major releases a year is their new standard which is pretty aggressive. If you ever pay attention to other MFT solutions or any applications for that matter, I think it's a pretty aggressive turn or getting that new features pumped out. Also by the way, the continual flow of feedback from our customers definitely drives innovation. So that's really awesome. We really like that when you guys shoot things back that you would like to see.
Ease of use, I think this is another great I guess "selling point" for GoAnywhere. It's got a very intuitive interface. I've seen some of the other interfaces and they're very, very convoluted. I think probably half their sales model is to provide professional services, because it's really, really hard to configure. I think GoAnywhere is absolutely easy to use. The gooey task-based projects to drive workflows, we'll see a couple examples of workflows. They're going to be pretty simplistic, but you can get an idea of how easy it is to develop those. Then also from the CIS admin perspective, ease of use, upgrades, adding or setting up a cluster, things like that, that the actual CIS admin part of it is probably one of the easiest applications I've ever dealt with. I was a CIS admin for about 15 years before this. So, it's very, very straightforward.
Cross platforms, nice as well. Java application, we really don't get our hooks in the OS. We're not dependent, so we can pretty much place this on anything. Going to behave pretty much the same thing no matter what. What's also cool about that is, if you are a Linux windows IBMI or whatever, and you want to move it to something else and maybe you get new staff come in and they're more comfortable with Linux than windows, great. You can do that pretty much seamlessly, move that over. We don't really care what the OS is.
On the extensibility, the whole product is going to be modular, so talking about your future needs and things like that. If you just want to be an SFTP server at first, great you pay whatever it is from a professional license standpoint, which again is another point I think as well. The perpetual license model, just paying for it up front, you own it and you're not constrained by user accounts, file transfers, the sizes of those file transfers, things like that. It's really nice that you don't have to worry about those things. You don't have to keep tabs on how many transfers and stuff like that. Then also from a flexibility standpoint, which is going to bleed into this next slide, is the connections that we can make via resources to really expand the capabilities of GoAnywhere.
So on that note, this slide has a lot of stuff going on here. I'm not going to cover all this, don't worry. But, this is going to be a sample set of the different types of resources that we can connect up to. So, resources from a high level is us GoAnywhere acting as the client side. This is you putting in different connection information for different servers or services. Now, we can leverage those types of things. Again, not going to touch on all these, but maybe the file system is pretty common, network shares, you can connect up to maybe you're going to monitor a folder or looking for certain files to grab, then send to a project that's going to PGP encrypt it and then SFTP it out the door, which we'll look at that specific example.
Database. Maybe you need to connect to a backend database to update certain records when you get a CSV file from somebody. FTP or different FTP flavors, if you need to connect up to partners to do pushing and pulling, you can definitely do those types of things. So, lots of different resources that you can add to GoAnywhere to really expand that capability for the product to do whatever it is you need to do. We'll take a look at a couple of those examples as well.
One of the other resources that is available is the cloud connector resources. These are going to be ways for us to leverage the already cool and common cloud resources out there like Google drive, Dropbox, Box, whatever the case may be, any of those you see out there. We probably have closer to 40 of these now. This is another area where our R&D team is really aggressive. They pump these out pretty quick. A lot of them come from you guys who are our customers suggesting, "Hey, we'd really like to be able to connect to this with GoAnywhere." Why would you want to do this? It's nice. Again, going back to that single pane of glass, now we can connect up to these different resources.
Now you have, and I know we haven't seen the project designer window yet, we're actually building out those projects or think of it as like scripting, but it's not scripting, it's gooey based, task-based type programming or building I should say, not programming, to now you can suck all those things into GoAnywhere. Again, getting back to all the different auditing and everything that you can do within a SharePoint. Maybe you want to create a certain file to share out, we can do those types of things within GoAnywhere, to have all that stuff audited within GoAnywhere.
Basically, we're going to do all the REST calls behind the scenes, unbeknownst to you. You're just going to see tasks and drag them into project, and carry out those functions. So really cool. If you get really savvy, you can build your own cloud connectors.
Again, with that drag and drop interface using the project designer, it's pretty straight forward to build your own cloud connectors should you do that. Some of the different ways that we can connect to GoAnywhere, whether we're going to do some administrator functions, web user functions, maybe we're going to do just some workflow calling projects, things like that, we have free APIs out there. So, we have a GoAnywhere commandlet APIs that you can pull down from our portal website. Again, they're free. You just need to install those commandlets on whatever machine that you're going to make those calls from. Again, those are going to be things like your ad web user, run project, things like that, to go ahead and call.
A common use case, I think if you have already an enterprise scheduler in your network like a Control-M or something like that and you want to keep that, the schedule functionality, and going to call things from there, you can do that from that, whatever your enterprise schedule is, to use those GoAnywhere commandlet APIs to call projects that can execute on the GoAnywhere system. As you see, available pretty much for any of the OSs out there for you to install those commandlets to run those. Or if you're more comfortable with SOAP and REST web services APIs, we can do that. Basically, everything you can do from the GoAnywhere commandlet standpoint, we can do leveraging web services, specifically SOAP and REST protocols to do that.
And a lot of things, there's guides on both of those web services and also the GA commandlets. So, when we talk about the override variables running on record batch, those are types of things you'll see all the parameters that you have available to you, so you can configure and set those parameters should you see fit, however you want to do those types of things.
Some of these, we covered a few of these. So, I'll skim over some of these. The multi-platform we covered, auditing interface. Inbound services, we can be on the inbound side of things. We talked about resources being the client side of things, making connections out to different servers and services, but we can be all your traditional FTP flavors, an HTTPS web console which is really, really popular, to be a supplement or even maybe a replacement to a traditional FTP type thing. As well as a collaboration feature, a SecureMail option. I know Stephen briefly mentioned secure forms, basically a web form for folks to log into to enter in certain types of information and submit that, and we can go from there.
The key management system, we'll definitely take a look at very briefly, just because we're going to show how we can create, how we can manage, how we can import PGP keys in this specific example, but also from an SSH and SSL certificates, we can manage those from cradle to grave or if you need, if you already have some, you can import them into the product to use. Encryption, again, we've talked briefly about that as well. We provide you all of the different FIPs 140-2 validated type encryption algorithms, whether it's at REST, using encrypted folders or some of the modules like GoDrive or SecureMail, automatically have that data at REST with ASE 256-bit encryption. But also in motion, just using like your SFTP, your FTPS, your HTTPS type protocols, we can handle those types of encryption methods and make sure that you are compliant.
The admin controls, we'll see that really quickly, but you can do some role-based administration, basically to do your least privilege on the admins that are coming in, so that they only can do the things that you want them to do. Agents, very quickly I think a really good use case of that is, a lot of times people have a secure network or secure VLANs in a network and they don't allow inbound traffic. A cool thing about agents is, we can throw an agent in that secure network because all initial communication is done from the inside out, so outbound back to MFT, and then we use that control channel we'll say, to go back and forth to transmit data back and forth. So, there's other use cases, but for interest of time, that's one of really common use case for those agents.
We talked about the cloud connectors. Customer portal is really cool. That's an HTTPS web portal, where you can log in, drag and drop things from your desktop right into the webpage and away it goes, which is cool. Synchronization, the GoDrive, SecureMail, we can definitely leverage a SecureMail, which is nice I think from the standpoint of file size. I think a lot of people like it for that, obviously from a security perspective. But, a lot of times your exchange server or whatever you're using for your mail server, they have limitations usually like 15, 20 meg limitations for attachments. SecureMail, and we're going to go ahead and use the SecureMail, it's going to send everything back into a packages directory on-prem, that's ASE 256-bit encrypted at REST, and it sends a replacement link out to the recipients.
They come back in, you decide how they get authenticated. But what's cool is one, you don't care about the size, because they're going to log back into via HTTPS and basically download or pull that file down. Two, you're only creating one copy of everything. So traditionally, when people would send maybe a thing to a distribution list that maybe they didn't mean to, and they sent a 15 meg PowerPoint slide to the entire company, that could really get exchange admins annoyed. Not to mention, now you have potentially hundreds of copies of that all over the place. So, imagine if that was PHI or PII or FTI, not a good situation. So, SecureMail is advantageous for a few reasons.
The two factor authentication we'll talk about, we'll briefly look at. There's some traditional ones like the SSH keys or certificates, but then we also have things like leveraging radius, leveraging a traditional time-based one time password, whether it's like your Google or Microsoft all duo, or we have our own GoAnywhere TOTP option that can leverage SMS text messages or SMTP email, which almost everyone knows how to use. So, that's a cool option as well.
The DMZ gateway, I'm just going to do a quick, if I can do some annotation there, if I can figure this out, a quick little drawing here. The DMZ gateway is nice. This is going to be a nice little buffer between GoAnywhere. Very, very quickly, we can allow things to where nothing is ever really staged in the DMZ. That's a bad color. Let's choose, let's go with red. Probably most importantly, we don't have to allow any inbound ports from your DMZ through this firewall into your private network. What's cool about that is, we have a relationship with that MFT to that gateway. We're going to do a control channel from the inside, so it'll be an egress port going out that firewall, to that DMZ to give basically its proxy information so that when people are coming in, we'll just choose SFTP.
So, they'll come in on SFTP. We're going to use that preexisting control channel to go back to MFT and say, "I've got John Q here, he's coming in on port 22 here's his SSH key. If everything checks out, we're going to open up a separate data channel on 9101, those ports are configurable," and that is going to broker that initial connections. Now, we've got data flowing inside and out all without, and probably most importantly not having to open up these inbound ports on those common ports like 22, 443s, all those types of things. So that's nice from a security perspective.
Let me go ahead and... Nope, we've got one more. Sorry. This one here I guess there's a little bit of stroking the ego a bit here. I don't know if you guys are familiar with the Gartner Magic Quadrant. They went to the wayside on specifically the niche market of MFT. It's been hard to find things like that. This year, Info-Tech came out with their own data quadrant specifically for MFT solutions. As you can see, we're at that very top right, which if you're familiar with Gartner Quadrants, that's where you want to be. That's the leader category. So, that's pretty awesome that we're up there. I think a lot of times, when we try to evaluate things like this in a niche market that are maybe not as well known as some of the other things, it's really cool to see things like this where you've got a respected organization putting somebody, or at least evaluating whether you like the very best one or at least the leader and MFT, or the other one's there. It's nice to see that stuff out there, especially when you're doing evaluations.
But also with ours, you can always pull it down for at least 30 days to do an eval, do some proof of concepts, stuff like that, to where you can evaluate it that way. But, we realize you probably aren't going to evaluate every single one of them. So, I think this is a great starting point to get you an idea of who you want to at least go down, I think like the proof of concept avenue. So, cool. I'll stop stroking the ego there, and we'll move on.
GoAnywhere Demo
Here, let's go ahead and jump out of here and we'll jump into the product. This is going to be the administrative interface to GoAnywhere. We'll go with high level features first just to get an idea of what we're looking at. One key item is going to be, we have two different types of users within GoAnywhere. We've got our administrative users and those folks are going to be the ones logging into this admin interface like you see here, to do your configurations, installs, setting up your service listeners, connecting out to resources, things like that. The other users that we're going to pay attention to, and this one is going to be our web users. Now, those are going to be the folks that you're creating and not to be a misnomer to our HTTPS web client. I know some people get confused with that. Web users are going to be any of those users that you're creating to log into whatever service it is that you're offering.
If we look at a web user really quick, just to give you a little context to some of the examples that we're going to do, we'll just pull mine here. Looking from a feature standpoint, you're going to give them certain features or protocols that they're going to have access to. Then, this here is going to be solely based on the HTTPS web client, which we're not going to really pay attention to. We're probably going to focus more on a traditional SFTP type protocol to pull a PGP file in and do some specific activity depending upon who's actually sending us the file.
The other key thing I think on web users is going to define, no matter what protocol they're logging in with, we need to give them access to certain areas. So, here's where the admins can define different virtual directories should they want to, call them whatever they want to. But probably most importantly, where are they physically going to land once they actually do get on the network? This one an Azure Blob Storage, this one looks like a Linux mount, this is probably an AWS S3 Bucket as the name suggests. But point is, that's where you can point them. This is where those resources that we briefly talked about, making those connections out to other servers and services comes into play. Because once I define them, they're going to show up like in places where I hit this ellipsis, and I can see my Amazon S3 buckets that I've defined. There they are. Any network shares that I've defined, there they are. These could be those physical locations that I'm plopping or defining these virtual directories to.
So, just really quick on what the web users look like just so we can have some context when we go through a couple of these scenarios that we're going to go through. Since we're going to be talking about PGP encryption let's go over to that key management system that we briefly mentioned on those slides. Within our key management system as we talked about, you can manage SSL certs, your SSH keys or in our case what we're going to look at it as our PGP keys. I'm not going to go into a lot of what's going on over here, but just letting you know and you can create multiple key vaults maybe for an organizational standpoint, purposes, department, whatever the case may be.
But, I'm just going to go ahead and jump into one of them in our PGP key section. Just from looking at the things that we talked about where we can manage things from cradle to grave by adding a key pair or if you already have existing ones, you can import them pretty straightforward. But for our example, let's say we're going to add a key pair, and this is going to be partner A who's going to be sending, we're going to require them to send us files. Let's show this partner A, email address doesn't really matter for now. RSA 2048, SHA 512, those are pretty good defaults. Password's going to be whatever you want it to be. Hopefully they match. Then store password, what this means is, it's going to store the password in the actual database where these PGP files are stored within that KMS. It's a convenient setting for admins within the product because, anytime you apply this key and it's going to ask for the password, if you have it stored in the database, you don't have to supply it as an admin. So, a convenient setting.
Then, your preferred algorithms should you want to choose different algorithms or negate some of these algorithms, you can do that here. So, we'll hit save here to create our PGP key. We called that one partner A here. If this was the case, we've got our PGP key and let's say we do want to have people encrypt files to send to us. What we would do is, this is a PGP key, so it's got a public and a private key pair. I would first go ahead and export the public key and we'll call it whatever that is. We're going to send this out to partner A, whoever partner A is. Because, they're going to use our public key to do the encryption because we're the only ones that have the unique associated private key to do the actual decrypting of the file.
I'm going to say we did that, because I've created a project already. So I'm going to avoid this partner A one. I'm going to just go ahead and delete that. So, don't get confused. We're going to use probably the partner A PGP encryption key instead, that I created before this. Let's go ahead and delete that one. Now, we'll go into, and we'll look at, actually we're going to look at a trigger to see when we talked about those web users, when web users do certain types of actions like maybe their account gets disabled, maybe they tried to upload a file and it wasn't successful, maybe they had an upload file and it was successful. We can trigger off certain types of actions.
So, in one of the scenarios that we're going to look at in a second, one of the scenarios is going to be, I'm going to do... The first scenario is, when somebody uploads a file successful, that's going to be the first condition of this trigger. I want to, and I'm going to go ahead and open up this trigger here that we've defined, and this is just saying, if somebody uploads a file successfully and it's on the SFTP protocol specifically, and the event username or web user equals redact in this case, I want to, it looks like we're going to call a project called ICAP project_redact_trigger, which we're going to go take a look at that to see what this is actually doing. I'm going to add some variables here. So within this trigger, all triggers have different types of variables, whether it's the username, first and last name. In our case we're going to use the actual file, which is event physical path is the actual file that gets uploaded, things like that. There's different, different variables that you can define and pass as parameters into this project.
I think the only one I'm actually going to use is the actual file that I'm passing in, but just to show you, there's a few things you can do. So here in just a little bit, I'm going to use the redact user account to send a trigger or sorry, send a file via SFTP to this environment. We'll see how that plays out. First, I know I teased you a little bit with that. First, I'm going to show you from the outgoing perspective. So, keep that trigger in mind. We're going to go to monitors. Monitors are going to be a way for us to monitor the file system, as the name suggests.
Specifically, we're going to monitor a folder. Once we monitor that folder, and let's just go ahead and pull the monitor up really quick. This is this one, it's deactivated right now, but we'll enable it when we're ready. So, this one we're going to monitor. You can do a local or network share or you can monitor different FTP locations. In my case, I'm going to monitor the services webinar's monitor folder. Let's pull that one up over here and I'll show you where that is. Here's our services webinars monitor folder. It looks like we have one PDF diagram in there. I'm just going to look for if the file exists. You can do things from a different context, whether it's created and modified, created, modified or deleted. But, I'm just going to look if the file exists and I don't care what it is. I'm just going to grab anything. But, you can do any wildcard or RegEx expression should you want to.
I'm going to monitor or basically pull this folder, check it every 15 seconds, all day, Monday through Friday. The main point of this is, once I get a hit in that folder I'm monitoring, I'm going to call this project called PGP encrypt and SFTP, and I'm going to pass in this files variable that gets created with every single monitor, which is basically just building a file list. In our case, it's just one file, but it could be 5, it could be 10, it could be 100. We don't know. It'll put all of that in a file list and pass those, that file or files as a files parameter into this project here.
First, let's go look at the project to see what it's doing. So PGP encrypt and SFTP backup. Let's go to that project. Where are we at here? Webinar? Yep. PGP encrypt and SFTP backup. It looks like in this project here, the first thing I'm going to do is, I'm going to do a PGP encrypt task, which we talked about the drag and drop task based per project designer outline. This is where we're building that business function or replacement for traditional scripting. So, we were just dragging that PGP encrypt task, and now I'm going to define a few things. Since this is going to partner A eventually, I'm going to select their public key. I can encrypt it with their public key. The input or what am I actually encrypting, well, I'm encrypting those, that file that's getting passed in from that monitor. So, those are our files variable. I'm going to put it in a placeholder called PGP files.
I'm going to turn right around, connect up to partner A. Well, in this case it's my AWS SFTP server, but you get the point. I'm going to put the PGP files, which could be as easily as just dragging that output file that just got created from that previous step here, and destination directory I really don't care for this, I'm just going to put it wherever. Maybe I want to archive the original files, so that files variable into a Linoma encrypted S3 bucket for whatever reason, ad then return right around and delete out the original files I passed into this project, because I don't want a monitor or I don't want to pick up the exact same files.
So, let's go ahead and save that and let's go back to that monitor and let's go ahead and activate that monitor. Active. It should give us this little screenshot that says, "Okay, hey, I'm going to take a snapshot." That's great. Let's go and monitor that directory here. So, we kicked it off to every 15 seconds. Hopefully, this will kick off in about 15 seconds, because it should delete the original file once it does go originally. The waiting is always the best part. So, it went through and obviously we can look at the job log, but it did the delete task at the very end.
So, if we go to the completed jobs really quickly, we can see that job that got kicked off by the monitor here at 9:46. That's about right. If we go to the job log, we can see exactly what happened. So, we can see a lot of these things here. We executed task PGP encrypt, we added public key. This was that partner A public key, went through all the algorithm, good stuff. We did an encrypting, it's going to that PDF file that we were monitoring. Then PGP encrypt it, and now we're going to SFTP connect. We're going to do an SFTP put. That's going to go through, okay. That was copied successfully. So since that happened, now we're going to execute delete task and it deleted out in the original file as we wanted it to. The copy task was actually the archive. So, you're seen it's copying that original file up to my Linoma encrypted S3 bucket.
Took that file, went through that, PGP encrypted it and send it on its way. Now on the flip side, let's say we're receiving files from somebody. In this case when we're receiving files where we have different users, they're going to have to be web users to actually connect up to whatever service or offering. In this case, this is going to be a trigger, because triggers are based off of web user activities. Specifically, I'm going to go to an upload successful, we're going to talk about that. A file that's getting SFTP to us, we're going to look for it from user redact. Then, the action is going to be that ICAP project redact trigger. So, if we look at that project really quick, ICAP project redact trigger, this one's going to go through quite a bit more. This was something, one of the bullet points that Stephen talked about where we can actually take that file, decrypt it first and then we're going to send it right to an ICAP resource to check for any viruses, things like that.
I believe in my example, I'm actually doing a redaction. So it has I think social security information, so I'm actually going to redact it. What's cool too in this example, I'm going to be using an image file because it does have OCR technology. So, we can actually redact image files as well, which is cool. I'm going to go to a different GoAnywhere instance, because this is just acting as the SFTP, basically the client. I'm going to send this out. This is just going to PGP encrypt the file using the HelpSystems public key, because that's the one that's going to decrypt it on that side. So, our file is under test files redact social security info. Let's make sure I'm not pulling one over on you here.
Let's go to that directory and I can show you that directory quick. I'm going to use this, was it the JPEG, so we can leverage that OCR technology. You'll see there's a social security number in there, in this image file. So, that's what's going to go out. We're going to SFTP put it to this environment here, this GoAnywhere environment. Then, we should see the result here in just a second. So let's go and execute that project. The put by the way, it's going to be in that inbound directory on the STFP server. Let's go to the machine that it went to, and let's go to workflows and completed jobs. There's our trigger, the ICAP redact trigger. You can tell it got submitted from a trigger from over here. Let's look at the job log here. Lots of stuff going on here, but this is going to be going to the ICAP server. This is pushing it to the ICAP server and it's going to go through all its checks.
By the way just from a status standpoint, if we hit the home button here, you'll see that this redact, going from the user redact was allowed. All that means is, the file was allowed to go because we did successful redaction. I'll show you the final product here, and going through. So, it does see the files infected, "infected". So, we're going to get a couple of status codes back, and we're going to go through some loops. There's our Wasmer status code and it's going to go ahead and copy into this redact inbound. So, security info was moved to, we've got Intac, ICAP clear space redacted folder. So let's go there. Here it is. So we're going to pull this over. That was the social security info for JPEGs. Yep, 9:50, so here's the ICAP clear swift redacted folder. So open up this, file here and you'll see those got redacted. So cool.
Not only did you PGP decrypt it automatically, but we also sent it to a resource to do some AV scanning or in this case redaction scanning for sensitive information. Then, depending upon the results or the status codes we got back, then we can actually send the file on or maybe not. Maybe we're going to block it, totally up to you.
Some of the things that we can look through, and this is again, we ran through some of the logging you can see from the completed jobs list. You can go through the individual tasks here, which is nice to see exactly what those projects are doing. But, I think it's a simplistic way one, to manage your keys. I think it's pretty straight forward whether you import them, or whether you create them straight from scratch. We didn't get a whole lot of time to go into the project designer window, but I think you can see just from the simplicity of the projects I had, it's pretty straightforward dragging the task in there and going step by step with what you want done. Pretty, pretty straight forward.
Then of course after you do these things, you've always got your audit logs. Whether they are the service logs, so looking at maybe an SFTP service log. We should be able to see some of those. There's the redact user that connected and uploaded a file. By the way, you can see from this little cog wheel that signifies that a trigger got kicked off because of that upload, which we saw. So, lots of cool things from the auditing, accountability, the automation piece. Again, I think the ease of use, I can't stress that enough, I think it's very easy to do some of these not so much complex tasks, but some nice automated tasks to get these things accomplished.
With that, I'm going to pull up that last slide here. There we go.
Q&A
Stephen: Excellent, thanks Dan. Just wrapping up on here then, obviously we've gone through the free utilities, and we've shown you I guess the automated equivalent, In this case it's GoAnywhere MFT. If you aren't using GoAnywhere yet and you're thinking of moving to an automated solution, as Dan mentioned, we can give a free trial for the entire product. Every single feature's enabled so you can see exactly what this whole solution can do for yourselves, including the full automated encryption, decryption process. Or if you'd like maybe a more tailored demo, then please feel free to request one. You can see some of the links and information on here. Feel free to contact us, and we will and get in touch and come arrange those with you.
If you go to the next slide as well, let's have a quick look to see if we have any questions, which it looks like we have. So, I think we haven't got too much time left, so definitely won't get to answer all of these. So one of the questions, are PGP passwords stored in the database in clear text? I'm sure Daniel, correct me if I'm wrong, but they are encrypted within the database. So you can't just go into the database and read those passwords.
Dan: Yeah, they're hashed using the SHA 512 algorithm, yep.
Stephen: Perfect. You may have touched on this already, but what are the best practices to manage private keys in a secure way? Because I know you've already mentioned separating them up into different vaults. I'm assuming you have permissions on each of those vaults so you can give out granular access to specific users, so only certain users can gain access to certain keys.
Dan: You can but on that note, when we're talking about PGP keys and we're talking about private PGP keys, my suggestion always is when we're talking about PGP encryption and you are using your private key, that's going to be used for decryption and apparently digital signatures as well. But, both decryption and digital signatures signifies a unique value or your unique identifier for your organization. So, if you're requiring say 50 companies to PGP encrypt files to send to you, in my opinion, I would just create one PGP key pair, export that public key and divvy it out to every single person, because at that point you don't need to know who's sending you the file, you know you're going to be decrypting it with your unique original one of a kind private key for that decryption. Same thing from a digital signature standpoint. You wouldn't want to have multiple PGP private keys, I wouldn't think. I think it just really increased the administrativeness of what's going on. So, that's my opinion. I would just do one.
Stephen: Sounds good. So the only reason you really have multiple keys, I guess within your PGP store is if you're sending encrypted information to a receiving party-
Dan: Yes.
Stephen: Because you need all of their public keys within your store.
Dan: Yes, that's correct.
Stephen: Perfect. We have another question. Can we see a history of the files encrypted or decrypted? I know you covered the files being sent in, can we see the log just showing the history of the files moving through GoAnywhere?
Dan: Oh yeah, sure. Let me jump back at it here. That's going to be your file audit list or job log. So, any of those files going in and out, and you'll see there's that ASE-2 flow diagram that I was PGP encrypting. This was the one that was coming in. Any files that are going through GoAnywhere, whether it's web users dropping off or there's a monitor kicking it out or going through projects, you're going to see it here within that file audit. Yeah. Good question.
Stephen: Perfect, right. I think we might have to take any other questions offline, because we are getting close to the end of the hour now. So, I don't want to keep everyone longer than we need to. But, I thank everyone for attending. As I mentioned, if you have any other questions, feel free to contact us, arrange a demo range, arrange an evaluation of the products. If you have any other questions, feel free to let us know and we will get back to you as soon as we can. Thanks everyone. Speak to you soon. Thanks Dan.
Dan: Thank you.
Ready to See GoAnywhere in Action?
Schedule a live demo. Choose from our 15-, 30-, or 60-minute options to pick the level of detail that works best for you!