Secure, Managed File Transfer and Automation
Ethan Lin – APAC PreSales Technical
2
Moving Files is Business-critical
Patient Records
Account Statements
Insurance Claims
Legal Documents
Loan Information
X-Rays
Test Results
Purchase Orders
XML Data Files
Large Video Files
Credit Card Payments
Customer Information
3
MFT in Action - Banking
4
Many Methods & Many Reasons
Email Attachments
Home Grown Scripts
Cloud File Share
FTP Servers
5
How do we share files?
File exchange inside and outside the enterprise
MFT Managed File Transfer
File sharing between users
Inside Enterprise
• Email Attachment
• Central NAS File Sharing (Copy & Paste)
• Microsoft Lync, SharePoint
• SMB, NFS, HTTP, FTP
Cloud
• Dropbox, Box.net
• iCloud Drive, Google Drive
• Line, WhatsApp, Skype
• Web 2.0 Modern UI
6
IT needs to deploy systems which meet users’ needs & provide the governance required by IT
IT requirements
Control
Visibility
Security
Compliance
Employee needs
Convenient
Straightforward
Easy to use
Fast
The Balance: Usability & Security
7
PCI DSS Requirements
Goals and PCI DSS Requirements
Build and Maintain a Secure Network and Systems
• Install and maintain a firewall configuration to protect cardholder data
• Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Do not store sensitive authentication data after authorization
• Limit cardholder data storage and retention time
Maintain a Vulnerability Management Program
• Protect all systems against malware and regularly update anti-virus software or programs
Implement Strong Access Control Measures
• Restrict access to cardholder data by business need to know
• Restrict physical access to cardholder data
• Identify and authenticate access to system components
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Implement audit trails to link all access to system components to each individual user.
Maintain an Information Security Policy
• Maintain a policy that addresses information security for all personnel
8
What are businesses doing today?
Internet Trusted Network
FIREWALL FIREWALL
• Corporate tools being used incorrectly
• Exchange email
• SharePoint
• Public sharing websites
• Personal sync services
• Personal Email
• Self-built FTP solutions
• Scripted home-grown solutions
• USB memory sticks
• CD/DVD
9
How a MOVEit System can help
Internet Trusted Network
FIREWALL FIREWALL
• FIPS 140-2 certified security modules
• AES Encrypted data at rest
• Encrypted data during transit
• SAML/LDAP/AD/Radius/ODBC
• ICAP AV Integration
• ICAP DLP Integration
• Corporate branding
• Tamper proof audit log
• Built in reporting
• Failover / HA support
• Virtualisation Support
10
How a MOVEit System can help
Internet Trusted Network
FIREWALL FIREWALL
• Multi Protocol Support
• Task Automation
• End to End Encryption
• PGP payload encryption
• FIPS 140-2 Validated
• Tamper evident logging
• Complex workflows with conditional logic
• Synchronisation of files on different systems
• Remote and delegated management
• Automatic restart and Failover
11
• Advanced Tasks with Conditional Logic
• Alternate Host Failover
• Easily Clone existing settings
• Advanced API Management
• Networked UNC Paths
• PGP, ZIP, External Processing
• Tamper evident audit
• Alerting
Workflow and Automation - System to System
12
Introduction to MOVEit Automation
13
Web Admin Screenshots
14
People to People on the same MOVEit System
Internet Trusted Network
FIREWALL FIREWALL
Person-to-Person
15
Person to Person Transfers Made Easy!
Upload attachment and/or message
Send email notification with link to message and attachment
Receive Message
Two Options
• Everything Secured
• File attachment only Secured
Read message and download attachment
20
Standard Architecture
[Diagram. Labels: FIREWALL (two); FTPS, SFTP, HTTPS; FTPS, SFTP, HTTPS, AS1/AS2/AS3. Clients: Mobile Users, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Microsoft Outlook, Web Browser. Servers and endpoints: Email Server, Any FTPS Server, Any SFTP Server, Any HTTPS Server, Any ASx Server, SMIME Server, Mainframe / Unix Server, Network Share.]
22
Gateway – No Data in DMZ
[Diagram. Labels: SECURE TUNNEL; LOAD BALANCER (OPTIONAL); FIREWALL (two); FTPS, SFTP, HTTPS; FTPS, SFTP, HTTPS, AS1/AS2/AS3. Clients: Mobile Users, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Microsoft Outlook, Web Browser. Servers and endpoints: Email Server, Any FTPS Server, Any SFTP Server, Any HTTPS Server, Any ASx Server, SMIME Server, Mainframe / Unix Server, Network Share.]
23
[Diagram. Labels: FIPS 140-2; AES256; SECURE TUNNEL; LOAD BALANCER (OPTIONAL); FIREWALL (two); FTPS, SFTP, HTTPS; FTPS, SFTP, HTTPS, AS1/AS2/AS3. Clients: Mobile Users, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Microsoft Outlook, Web Browser. Servers and endpoints: Email Server, Any FTPS Server, Any SFTP Server, Any HTTPS Server, Any ASx Server, SMIME Server, Mainframe / Unix Server, Network Share.]
25
Anti-Virus (ICAP)
[Diagram. Labels: SECURE TUNNEL; LOAD BALANCER (OPTIONAL); FIREWALL (three); HTTPS; FTPS, SFTP, HTTPS, AS1/AS2/AS3; DATA ZONE; NAS or NAS Cluster; Antivirus ICAP Servers; SQL Server Standalone or Cluster. Clients: Web Browser, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Mobile Users. Servers: Any FTPS Server, Email Server, Any SFTP Server, Any HTTPS Server, Any ASx Server, SMIME Server.]
27
[Diagram. Labels: SECURE TUNNEL; LOAD BALANCER (OPTIONAL); FIREWALL (three); HTTPS; FTPS, SFTP, HTTPS, AS1/AS2/AS3; NAS or NAS Cluster; DLP and Antivirus ICAP Servers; SQL Server Standalone or Cluster; External DB (File and User Account); User DB (AD/Radius/SSO). Clients: Web Browser, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Mobile Users. Servers: Any FTPS Server, Email Server, Any SFTP Server, Any HTTPS Server, Any ASx Server, SMIME Server.]
29
Robust Log Files and Extensive Reporting
31
Monitor File Transfer Activity and Track Performance
Failed Transfers by End-Point
Peak Transfer Analysis
32
Architecture & Components
HTTPS
• Consolidated reporting metadata
• Secure webserver
Analytics Server Agent
• Lightweight agent install on same server as MOVEit
• Minimal impact on MOVEit processing
Client
• HTML5 Browser UI
• Easy to use analytics & reporting
• Create, publish, and share
33
[Diagram. Labels: SECURE TUNNEL; LOAD BALANCER (OPTIONAL); FIREWALL (three); HTTPS; FTPS, SFTP, HTTPS, AS1/AS2/AS3; NAS or NAS Cluster; Antivirus ICAP Servers; DLP; SQL Server Standalone or Cluster; External DB (File and User Account); User DB (AD/Radius/SSO). Clients: Web Browser, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Mobile Users. Servers: Any FTPS Server, Email Server, Any SFTP Server, Any HTTPS Server, Any ASx Server, SMIME Server.]
35
HA Architecture – Web Farm
[Diagram. Labels: SECURE TUNNEL (two); LOAD BALANCER; NODE 1; NODE 2; SQL SERVER; SAN, NAS OR NAS CLUSTER; FIREWALL (four); FTPS, SFTP, HTTPS. Clients: Mobile Users, Any FTPS Client, Any SFTP Client, Any AS2 or AS3 Client, Other Ipswitch Clients, Microsoft Outlook, Web Browser.]
36
File Transfer Affects the Bottom Line
Errors / Exceptions / Problems affected 4-5% of all annual file transfer volume
Average time to correct errors / problems related to file transfer: 4-5 hours PER INCIDENT
Security and compliance incidents increased 4% year-over-year
REDUCING RISK
IMPROVING EFFICIENCY
LOW COSTS
37