Secure Managed File Transfer Software – Diplomat MFT

File transfer processes built with custom scripts are risky because they are unreliable, unsecure, and prone to human error in their design and operation. Solutions like Diplomat MFT are purpose-built, secure, scalable, reliable, and backed by the organization that offers them. 

Managed file transfer can play a key role in a data privacy and security program by ensuring sensitive files are transferred securely and reliably. Read this for more information about how Diplomat MFT supports compliance programs.

Diplomat MFT is not a cybersecurity tool, but it is a secure data management tool. Because it automates the encryption of files sent and received, Diplomat MFT can play an important role in keeping data safe from threat actors and accidental exposures leading to a data breach.

There are many different managed file transfer vendors out there to choose from, offering similar software tools and packages. However, it’s important that you choose the right MFT Vendor and software solution for your business, which is fit-for-purposed and future-proofed. We advise that you capture the current set-up along with any file transfer challenges you may be encountering and then book in a consultation call or free demo session which most vendors do offer. It’s important as a business you are clear on your requirement. This way a potential vendor will be in a good position to let you know whether or not their software is a good fit for your business requirements. 

You may want to consider checking out review or managed file transfer software comparison websites to try and gauge an independent, unbiased view on your potential choice of vendors. MFT Pricing can vary greatly so it is always worth obtaining a few quotes for comparison and understand what you will be getting for your money. Be armed with as many questions as possible and be honest about your concerns and reservations. For example, we are used to getting asked about Cybersecurity measures, PGP Encryption, Compliance, Automation Capabilities, Replication functionality,  Data Integrity, Minimizing Business Risk & Human Error and much more.

For those clients with technical know-how who are looking to move away from custom scripted / DIY coded solutions, you may want to enquire about a free trial so you can get a feel for a low code, no code solution like Diplomat MFT. When looking for the best managed file transfer software solution for your business

Hi and welcome to this webinar. My name is Greg Hoffer from Coviant Software. And today we’re going to talk about file transfers and why they’re growing in importance to so many organizations. I will be recording this webinar today. So if you miss anything, you can always review the recording at a later date.

Today’s webinar will first present an overview of file transfers, then discuss what those look like in a modern IT landscape. Finally, we will present recommendations for performing file transfers in 2021 and have a brief Q&A session.

First, a bit about Coviant Software to establish our credentials in this file transfer. Here at Coviant Software, we develop a managed file transfer solution automates and secures file transfers. Our customers come from many industries in many sizes, ranging from a small law office to some of the largest healthcare organizations in the world.

Our Diplomat entity solutions are responsible for the business critical file transfers of many files, comprising, a large volume of data. Our solutions, transfer files between myriad services like traditional network file servers, SFTP, and FTP end points, as well as cloud storage services like S3 Dropbox and Azure files.

So as you can see, millions of files transfer daily, large data volumes to many endpoints, all covered by our software. So we have a bit of experience in this space. So what file transfers are we talking about and why do we even need file transfers. Here we see a modern enterprise on the left-hand side. We see the internal systems over on the right external cloud services, connectivity’s to banks, government manufacturers, suppliers, and that business is customers or clients or Partners, whatever they might be that does that business with the entity on the left, we see many sources and many destinations with many avenues of data flowing between them.

Sometimes the flow is wholly within an organization’s data center, but often it is across the network to some internet connected system.

So let’s look at a more real world example of a file transfer between entities with two specific examples. Let’s assume that the data center on the left, where an organization wants to transfer ACH or payment files to a bank just external to their organization. In that very common scenario, you need to worry about the security of the transfer of the authentication of the client and the encryption of the data at rest.

Often the banks require PGP encryption on the files, or as another example on the bottom, let’s assume that the organization is a healthcare company. And as they’re providing services to a patient, they must submit a claim to the patient’s insurance provider so that they can get paid for those services.

So claim files are generated by their internal systems and sent to the insurance provider so that the hospital can receive payments. These are two real-world examples of file transfers. Alright, so for the sake of discussing file transfers in 2021, let’s generalize this as follows in every business.

There is the need to move data from one system to another. I think we can all agree on that these systems might be physical or they might be virtual system. It might be containers. They might be within the same network on a virtual private cloud or VPC. It might even be across cloud services. The data itself might start out as a file or a data stream or event data sources.

But most often these are stored as files and the storage on either ends might be some kind of local disc, SAN or NAS, or kind of ephemeral virtual storage or as we see more and more these days, cloud object storage. And at times as a file moves from system a to system B, it’s not even really stored at system B.

It’s really just a conduit for some other state or stage in a data pipeline. So consider for example, a hedge fund uploading trading data to an Amazon S3. Which is really just the first stage in the data pipeline through FiveTran and Snowflake for artificial intelligence analysis of that data. So data flows from system A to system B and then possibly even onward.

But I think we can all agree on is that moving data quite often as files between systems is a critical component of many business process workflows.

That being said, we have many adversaries trying to intercept the data or thwart the data, or take advantage of that data because the data and those files are both sensitive and important. They must go through. However, you cannot tolerate those files, not going through it will impair your business or your competitiveness or fail compliance or service level agreements.

So they must go through and they must be protected. But given that there are nefarious actors out there that are always looking to steal the data, you must be vigilant and secure. For example, Solarwinds recently showed us how a motivated attacker can infiltrate very clever channels. In that case, the software supply chain to gain a foothold in your organization.

So failure is not an option for us in IT security. Data breaches or serious. And can result in non-trivial fines and severe problems for the organization suffering from it. So our business that still needs to move forward and has to send those files. We have to come up with a way to do this securely. We are not given a lot of time to keep ourselves informed of every possible avenue of attack or mitigation strategy.

Aren’t given much time by the business to adjust our security architecture or make sweeping changes or spend a lot more money. So how do we do this?

First, let’s talk about the systems involved and then address how we can achieve better and more secure file transfers in light of all these foes. Generally, as we’re talking about system transfers from system A to system B, whatever those might be, the systems could be on-premises solutions. Those could be the source of data or the destination for data file transfers.

Even with the adoption of cloud services, it’s ever increasing, we see not only cloud data centers, whether it’s a software as a service, uh, I’m sorry, whether it’s a storage as a service or compute inside your cloud, private cloud or public cloud, we still see that many organizations have legacy systems or some business specific need to keep some portion of their compute storage and or processing, uh, file processing within their own confines of their data center. And so now you see a lot of talk about hybrid data centers, where you leveraged the cloud, where it’s appropriate, but still retain some control and compute and storage within your own data center resulting in this hybrid approach, which is quite common, or perhaps the systems we’re talking about are SAAS.

Maybe you need data out of a Salesforce, a sales pipeline, or deal closed pipeline or contract. Dataset and you need to acquire that data and then move it to some system for further processing. And last but not least, we see quite a bit these days, a lot of interest in data links. So a repository for all sorts of data sets or data stores, so that you can perform artificial intelligence, machine learning analytics, et cetera.

As that grows in popularity, we see a lot of transfers taking place between systems and data links. So all of these systems are involved in data transfers and no one organization uses any or all of these, the same as any other organization. In fact, I’d be curious, let’s take a quick poll for each of you attending.

What percentage of your organization’s IT Operations are in the cloud. I’m going to take a minute to let this.

Very good.

Excellent. Those are some interesting results. As we’re speaking in a cloud, it is the thing, isn’t it. I put that in quotes, right? It’s the thing it’s cheap. It’s available. It’s reliable. The cloud is quite frankly awesome. Not everyone is 100% in the cloud. It’s actually quite rare for organizations to have wholly move to the cloud or be 100% in the cloud as they start up their organization.

You know what, they shouldn’t be in many cases. It does make sense for a lot of organizations to retain some portion within their own data center. Or makes sense for some people to be multi-cloud, but fundamentally what we see a lot of these days is the hybrid cloud, where you take advantage of cloud services, where it makes sense and retain, what else makes sense within your data center to create this hybrid cloud recent study by InLight shows that 52% of companies are using or will be using a hybrid cloud by the end of this year.

So quite a number of people are adopting this approach. And we further see that a Gartner reports that by 2022 more than half of the enterprise generated data will be created or processed outside of the data center and interestingly and outside of the cloud. But notice this other big statistic, 94% of compute workloads will be processed in cloud data centers by 2021.

It’s quite a bit of compute goes out there and cloud doesn’t it, just make sense.

Well, what we have seen here at Coviant Software is that many companies are dipping their toe into the waters of the cloud through cloud storage. And in fact, cloud storage is often the gateway drug. If you will, to other cloud services, cloud storage, like Amazon S3, Azure files, Google cloud platform, or Google cloud storage, et cetera.

It’s amazingly compelling because it’s cheap. It’s reliable, it’s distributed, it’s cheap. It’s fault tolerant. It’s cheap. I haven’t mentioned that. So a lot of people love that pay it for the consumption pay. As you go super simple payment plans for a storage. You have a lot of benefits to cloud storage.

It’s as I said, cheap, it’s reliable. It’s available. It’s always on. It’s always up. It’s across regions etc. It can be encrypted. So it has encryption for data at transit, through SSL or TLS, but also encryption for data at rest, you can manage those encryption keys, either at the server or even on the client side, you can manage those keys yourself in case you don’t trust the key manager out in the cloud, which might be a good idea.

Then many cloud services actually offer their cloud storage as a landing zone for further processing. So for example, Amazon S3 using storage buckets for their machine learning or artificial intelligence mechanisms or Google cloud storage using their, Google cloud platform has healthcare, API mechanisms that can take advantage of data stored in the cloud.

And then the cloud offers services like data deduplication, archiving, tokenization, et cetera. So there’s a lot of compelling reasons to use the cloud. And we often see in that it offers a great intermediary for file transfers as well. So for example, some cloud storage vendors will offer SFTP access to their object storage, or you just require people to upload to that S3 bucket or Azure blob storage.

So I, as an organization, I don’t need to stand up an SFTP server and manage that server. I can just use those buckets or the SFTP front to those buckets. Although be careful, sometimes you might get a little sticker shock or what it costs to have Amazon manager, SFTP servers through their Amazon S3 transport. It’s not necessarily the cheapest, but you know, even with all the benefits cloud does have its challenges.

We still see people experienced our companies, experiencing problems with improper policy configurations that leave data open. So there’s definitely a skills gap there or human error, introducing problems with data leakage. It’s not intrinsically designed for auditing reporting key rotation policies, et cetera, that you would expect out of a managed file transfer vendor.

I’m sure it will mature, but it’s designed as a cheap object storage, right? Jeff Bezos said that he wanted S3 to be the C function “calloc” for files. It’s just a place to generate a location to store. Uh, you also have challenges with DNS and certificate management. You need to make sure you get those rights so that your end points are authenticated properly and identified as your organization.

And the keys are protected, not lost or compromised. And then there’s some stirrings of late about getting data and compute closer together and not needlessly sending data back and forth to the cloud because that can raise prices. So as you think about machine learning or artificial intelligence processing workflows.

There’s a great article by Cloudian and about how things like Amazon outposts can help out because now your storage is within your data center, leveraging the concept of AWS S3, but really taking advantage of local compute and indoor storage resources to make things work cheaper and faster.

So consider how you could leverage cloud storage for your clients, vendors, suppliers and so on. Do your suppliers vendors, your internal dev ops. People have all the skills and security training and expertise to exchange files via cloud storage properly. Because you have to consider what’s easy for you might not be easy for your partners or suppliers and furthermore, the tooling that makes sense to your dev ops person to run console applications, command line applications, or python scripts.

Might not be appropriate as you grow and scale and compliance needs, et cetera. You might want to consider, even with the benefits of cloud storage, leveraging a solution like our Coviant Software diplomat MFT, which is a managed file transfer solution that wraps the simplicity of the tooling and APIs for storage and things like security, auditing, reporting, compliance management, operational efficiency etc.

All right. So let’s take a quick poll, which cloud storage vendor does your organization use? If any, so I’ll wait here for quick answers.

All right. Thank you. Let’s talk about modern file transfer challenges. What do we face here in 2021? As we consider all these file transfers, didn’t apply to us. We’ll briefly dive into these three key areas, data security, compliance, and operational efficiency. Data security is probably what we are all bludgeoned with every day in the IT space.

As IT administrators, as CEOs, as CSOs data security is known to be important. We need to protect data in transit. We’re all familiar with things like SSL or SFTP or BPMs. And we know that it requires strong authentication, strong passwords, but hopefully not just passwords, right? Those are known to be pretty terrible, but also client keys or client certificates, one-time tokens, two factor authentication, et cetera.

Security arrest is also important. Cloud offer often offers encryption of those object storage at rest, but you must decide who to trust. So S3 buckets, Azure blob files, Oracle cloud storage, Google cloud storage are great, cheap, reliable storage mechanisms, and they have intrinsic security, but you have to ask, who do I trust?

Do I trust them to manage the key isn’t encryption for me and cross my fingers that it works? Or do I leverage the capability to manage my own keys, which is great. Now I’m in control of all of the data security. I have the quote unquote keys to the kingdom. But then I faced the challenge, the challenge of managing those key securely with the proper regulatory compliance and not losing the keys, et cetera.

So, one thing to consider is that PGP is a robust data encryption standard. It can be used to augment your data at rest security policies. So our software, for example, easily supports PGP encryption of files and decryption and signing, et cetera. So that as files are moved into or out of any storage location, you can add encryption of that data.

Now it’s a layer of security where the storage encryption takes place and the file-based PGP encryption takes place. So something to consider and last but not least quantum crypto systems are starting to rear their ugly heads, right? Maybe some people feel they’re great and that’s true for all the benefits it brings.

But for us in IT, we have to start worrying our crypto systems, quantum crypto systems, going to pose a threat to break security key is faster than we can renew them. Will all of our encryption go away leaving our data vulnerable to theft? What I can say is no, not yet. I don’t think anything’s advanced enough yet to pose a threat to us, but should we be aware of it? Yes.

I would caution you to stay tuned to more on this front. And in fact, I will have the pleasure of speaking and, or being a panellist at a few different conferences this year, discussing this very problem of Quantum crypto systems so stay tuned to our website for more information.

Alright, software supply chain, something we all have learned quite a bit about after the sunburst data breach through solar winds.

This was a software supply chain attack where the automated build process of solar winds tools, unwittingly injected a backdoor vulnerability into that vendor’s products, modern software development makes it super easy to achieve great business results. We can use a great and easy tools like Python or node JS and pull down lots of libraries that do things that have been written by smart people.

There are public repository for these great packages like node package manager, NuGet for .NET, Maven for jar files, Ruby Gems, all these things. Provide repositories even get home, open source repository, where I can get all sorts of things. Uh, yeah, although they increase your dev ops or developers’ productivity, you have to ask, are these really as safe as I thought they were.

Am I putting the proper amount of diligence into this? Same is true for container registries. I’m leveraging containers for some of my dev ops processes. Are there appropriate security diligence around containers and their container repositories registries. We now see the risks, solar winds, this brought it in full relief.

These repositories are not inherently safe. The security tooling training and diligence are perhaps not as robust in your IT and Dev Ops teams as they are in commercial organizations, like a Coviant Software. We’re building software is the business. So, if it can happen to Solar Winds, it could happen to anyone.

Right. So assess your risk. Is it more likely to happen with my team until, or unless they get proper security training or tools to ensure security of the repositories, until then we advise all companies to review that supply chain, software, supply chain, usage and security. And I, what I can tell you is that we take security very seriously here at Coviant Software.

So if you would be willing to consider leveraging a specialized vendors such as us, rather than burdening your it staff without security, and we’d be happy to help you last, but not least compliance is a continuing area of concern for IT, or it should be, with the advent of things like GDPR general data protection regulation in the EU and CCPA in California.

There are real fines that can happen if you are not in compliance. In addition to those fines, there’s also the reputational damage. If you have data breaches, it’s pretty much lost customers. Everybody hears about it. You’re supposed to report it so worse if you don’t, but you have to be able to deal with this in a way that ensures compliance, because that will keep you secure.

There’s also things like PCI DSS. It’s not necessarily a government regulation, but you do need to adhere to it. If you want to pass the audits and keep receiving credit card payments. So lots of things you have to be aware of, whether it’s company or government policies, data, breach regulations, et cetera, to make sure that your data is protected.

We are doing all sorts of compliance stuff here and Coviant Software. And I think our solution can help you overcome that. Quickly, just some stats to help bring this to light. Let’s look at recent GDPR data breaches and the amount of fines. Here’s the total number of data breaches happens a lot and look at how much is going into the coffers of the EU as fines for GDPR data breach violation.

I can see this is an enormous amount of money. So you need to make sure this doesn’t happen to you, whether it’s GDPR or CCPA or any other compliance. Alright, last you want to make sure your solutions are operationally efficient. They’re empowering your operations to be as efficient as possible. To that end, we see a lot of usage of rest APIs.

They’re all the rage, whether it’s consumed by your IT Dev Ops teams with customers. Or on-premise applications or cloud-based integration platform as a service also called iPaaS. There are things that rest does really well, and it really helps you become more operationally efficient as you leverage these services in a very easy to use fashion, but large files is not one thing the rest does well.

So it has all sorts of technical challenges for large files. You can chunk the files to overcome the large file limitations, but there’s no set standard in rest for how you deal with the chunking or the binary streaming or the resumption of interrupted transfers? Every vendor seems to do something slightly differently.

There is no standard or very little integrity checking. So after a file is uploaded, am I sure it arrived at the destination in the same bit sequence as what I had on my source location. And just in general, standardization. Yes. Rest API itself as a standard, but how you perform authentication around those rest APIs?

What are the semantics for authentication and, ACL’s on file uploads. What are the standards around auditing and reporting, learning, access control, authentication, key rotation, all these different things. It’s just not quite there yet so just consider that as you look to rest API APIs and cloud storage.

Again, super cheap, reliable distributed, but in a multi-cloud environment, you are likely going to choose your data silos. A certain data goes in one place or certain data goes in another, or you’re going to move data between clouds. So your IT staff, your dev ops team that is dealing with the cloud store.

Is going to either specialize in one area it’s Google cloud storage, or they specialize in the Amazon S3 for example, or are they going out tooling and knowledge and multiple vendor tools and start gluing things together with custom scripts or iPaaS solutions, because as you embrace multi-cloud or even hybrid architecture, you’re going to have to move things between different systems.

So that just adds to the complexity and risk of human error. So think back to that software supply chain slide, where we see these challenges, uh, we S we can see the rest API makes things easy to build all these file transfer or service oriented stuff you’re doing, but it certainly can introduce risk because many people pull down from public repositories or assume to be safe, rest services.

All of these things can lead to wasted time, wasted energy, building out solutions specific to one service. And constantly building out features to get what the operational teams need to deal with SLA as exceptions and so on. You have to have staffing and training and knowledge transfer, and you end up wasting additional money that you had saved by using cloud storage or API stuff and doing all of these other steps and consider again how your customers, clients, partners, or suppliers might have challenges that are different from yours and using cloud storage. So if you use those as an intermediary and you tell your partner, just upload it to my S3 bucket and I’ll grab it might not be as easy for them. So as we be wanting to become operationally efficient, we want to, we have modern file transfers that are achieving operational efficiency, but also maintaining your security and regulatory compliance. That’s our goal.

We’re going to jump into the last slide, which is what our recommendation is. But first I’m going to ask a poll, what file transfer methods does your organization use today? Give you a few minutes or a minute to answer.

Very good.

All right. So all of this being said, We want transfers that are secure, compliant and operationally efficient. Here’s what we at Coviant Software have as a recommendation for you based on all of our experience after considering the landscape after, clarifying what our goals are, guideline and Coviant Software recommends that you consider using SFTP as the gold standard for file transfers.

Now why SFTP SFTP provides strong cryptography throughout the entire process of transferring. It has strong authentication supporting strong cryptography passwords. Multi-factor authentication, key based authentication. So various gear for authentication as secure key exchanges with lots of modern cryptography, including elliptic curves, ephemeral key use for perfect forward secrecy etc.

So, the cryptography to protect the data itself as it’s in transit and at rest with strong cryptography, lots of symmetric ciphers, modern ciphers, a strong high-strength ciphers, and last but not least, it’s got strongly authenticated hashing. So every packet that goes through SFTP has integrity checking built in.

So as you’re transferring a file, you know that at the recipient end it’s exactly the same and that the sending it in a very cryptographically secure fashion. Also, we know that SFTP is firewall friendly. You only need one port open and the firewall as opposed to something like FTP, which requires both 21 and other data transfer reports.

So it’s super easy on firewall teams. It’s easily automated. So this is a key here as well. SFTP supports rich file system semantics like directory listings. Uh, random file access renaming and delete operations. So it’s basically a remote file system over a strongly encrypted protocol with lots of mature tooling. It has a long legacy with lots of tools available on all platforms.

So you end up with a system that whether it’s interactive, a human launching files, for example, or through command line utilities or your enterprise workload automation plans. Or your dev ops team building with known good libraries. All of this is available for easy automation, uh, secure file transfers.

Also, we do recommend you consider PGP. It’s a proven cryptographic mechanism to encrypt the data at rest protected at rest has an excellent track record. Now, admittedly, these tools can be a bit more archaic or possibly expensive, but the results are good. It is interoperable, but a little bit more confusing for people to pass around public key versus private key, but it’s well worth it for cryptography and PGP can ensure that only the intended recipients can see the data and, and allows sender to be verified through a digital signature.

So this is really neat because it means you can prove that you received the file from a specific vendor by requiring them to sign it. And likewise, if you send a file to a vendor and you can ask them to sign a receipt, which might be a notification email. It might be just an acknowledgement file, but if that vendor supplier partner, customer, whatever it is, if they digitally sign that receipt file and give it back to you, now you have cryptographically secure non-repudiation of delivery. Nobody can say that you did not send the file because you have a signed receipt from them. So the combination of SMTP and PGP are an excellent. To ensure that you have secure compliant and operationally efficient transfers in 2021 and beyond.

Okay. Thank you very much for your time. I look forward to hearing more from you. If you have any interest in any of the SFTP PGP or, or file transfer automation needs, we offer client software, Diplomat MFT, that handles all of this. And I’m going to pause now to see if anyone has any questions that we’ll be happy to.

Thank you for your time. Bye bye.