Globalscape Application Security

Instead of storing data in the "demilitarized zone" or opening inbound firewall ports to your internal network, the DMZ Gateway acts as a communication proxy.

- No Data Storage: Files never reside in the DMZ; they pass directly to the internal EFT server.
- Closed Inbound Ports: The internal EFT server initiates an outbound connection to the Gateway, creating a "streaming" path that keeps your internal network hidden from the public internet.

2. Multi-Layered Authentication

Passwords alone are no longer enough. Globalscape supports robust authentication protocols to ensure only authorized users gain access:

- Multi-Factor Authentication (MFA): Integrate with SMS, email, or authenticator apps to add a secondary verification layer.
- Identity Provider (IdP) Integration: Use SAML or OpenID Connect to link EFT with your existing enterprise identity management (like Okta or Azure AD).
- Certificate & Key-Based Access: Move beyond credentials by requiring SSH keys (for SFTP) or SSL certificates (for FTPS) to validate the identity of both the client and the server.

3. Encryption: Data at Rest and in Transit

Globalscape ensures that data is protected at every stage of its journey.

- In Transit: High-strength ciphers like AES-256, alongside modern TLS (1.2 and 1.3) and SSH protocol versions, prevent "man-in-the-middle" attacks.
- At Rest: Even if a storage volume is compromised, the files remain unreadable. Globalscape can automatically encrypt files as they arrive using OpenPGP, ensuring that only the intended recipient with the correct private key can access the data.

4. Automated Security Policies and Compliance

One of the platform's biggest advantages is the

Globalscape Application Security: Comprehensive Protection for Enterprise Data

In an era where data is an organization's most valuable asset, Globalscape Enhanced File Transfer (EFT) serves as a critical defense layer for managing and securing sensitive information. Beyond simple file movement, Globalscape provides a robust application security framework designed to protect data at rest, in transit, and during administrative access.

Core Security Architectures

Globalscape application security is built on a multi-layered approach that integrates secure protocols with granular control mechanisms:

- Encryption at All Stages: The platform employs end-to-end encryption, utilizing OpenPGP to safeguard files at rest and secure protocols like SFTP (SSH), FTPS (SSL/TLS), and HTTPS for data in motion.
- DMZ Gateway: To prevent external threats from reaching internal networks, Globalscape uses a DMZ Gateway. This allows for data exchange without storing sensitive information in the demilitarized zone or requiring inbound firewall holes to the internal network.
- Advanced Authentication: Security is bolstered by Multi-Factor Authentication (MFA), including support for RSA SecurID, RADIUS, and SAML (WebSSO). This ensures that only verified users can access the system, significantly reducing the risk of credential-based attacks.

Strategic Security Modules

Globalscape extends its core capabilities through specialized modules that address specific application security needs:

This guide moves beyond basic "set a strong password" advice and into architecture, hardening, compliance, and attack surface reduction.

Deep Guide to Globalscape Application Security

1. Core Security Architecture

Globalscape EFT is not a single executable but a suite of services. Understanding the architecture is the first step to securing it.

Key Components & Their Risk Profiles

- EFT Admin Interface (Port 1100/HTTPS): The control plane. Highest risk. Manages users, settings, and encryption keys.
- EFT Engine (Service): Processes transfers (FTP/S, SFTP, HTTP/S, AS2).
- DMZ Gateway: A reverse proxy that sits in the DMZ. It accepts external connections and forwards them to the internal EFT Engine without opening direct firewall holes to the internal server.
- Database (SQL Server, Oracle, or internal DB): Stores user accounts, settings, and audit logs.
- EFT Auditing & Reporting DB: Stores transfer logs, events, and admin actions.

Security Boundary Principle

Never expose the EFT Admin port (1100) or the EFT Engine's management port to the internet or untrusted networks. Only the DMZ Gateway (ports 21, 22, 443, etc.) should be public-facing.
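One way to check the boundary principle on the EFT host itself, as an added example that is not part of the original guide or Globalscape's tooling: it parses Windows `netstat -an` output and flags a listener on admin port 1100 that is bound outside a management network. The sample rows, the `10.20.0.0/24` management network and the function names are constructed for illustration.

```python
import ipaddress

ADMIN_PORT = 1100  # EFT admin interface port named in this guide

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1100           0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    10.20.0.5:49712        10.20.0.9:1433         ESTABLISHED
"""

def parse_listeners(netstat_text):
    """Yield (ip, port) for each TCP LISTENING row of `netstat -an` output."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "TCP" or cols[3] != "LISTENING":
            continue  # headers, UDP rows, established connections
        host, _, port = cols[1].rpartition(":")
        yield ipaddress.ip_address(host.strip("[]")), int(port)

def audit_listeners(netstat_text, mgmt_net, public_ports=()):
    """Return (port, address, issue) for listeners that break the boundary rule.

    mgmt_net: the only network the admin port may be bound to (assumption).
    public_ports: ports this host may offer on every interface; empty for an
    internal EFT server, e.g. (21, 22, 443) for a DMZ Gateway.
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = []
    for ip, port in parse_listeners(netstat_text):
        if ip.is_loopback:
            continue  # local-only listeners are not reachable from the network
        if port == ADMIN_PORT:
            if ip.is_unspecified or ip not in mgmt:
                findings.append((port, str(ip), "admin port bound outside management network"))
        elif ip.is_unspecified and port not in public_ports:
            findings.append((port, str(ip), "listener on all interfaces is not an approved port"))
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE, "10.20.0.0/24", public_ports=(21, 22, 443)):
        print(finding)
```

A clean result only covers socket binding; firewall and NAT rules still decide what is reachable from outside.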

2. Authentication & Identity Security

Supported Methods (Least to Most Secure)

| Method | Security Level | Use Case |
|--------|----------------|-----------|
| Local EFT Users | Low (admin overhead, password hash storage risk) | Internal, low-volume |
| Active Directory / LDAP | Medium-High | Centralized control, MFA support |
| SAML 2.0 / SSO (Okta, ADFS, Azure AD) | High | Enterprise, MFA enforced externally |
| Client Certificates | High | Automated system accounts (no password rotation) |
| Database Lookup | Low (unless hashed) | Legacy integration |

Hardening Checklist

- Disable local users where AD/LDAP is available. Local accounts bypass Group Policy password complexity.
- Enforce MFA for all admin accounts – Use TOTP (Google Authenticator, Duo) via EFT's native MFA or SAML IdP.
- Use strong password policies – Minimum 14 characters, complexity, history (12), lockout after 5 attempts.
- Certificate-based authentication for automation – Eliminates hardcoded credentials in scripts.

3. Network & Transport Layer Security

Protocol Security Tiers (Globalscape EFT)

- FTP (Plain) – NEVER USE – Passwords in cleartext.
- FTPS (FTP over TLS) – Acceptable if PROT P (private) is enforced. Use TLS 1.2+ only.
- SFTP (SSH File Transfer) – Recommended. Uses port 22, single connection.
- HTTPS / Web Transfer Client – Recommended for user portals. Enforce HSTS.
- AS2 (Applicability Statement 2) – For B2B EDI. Sign + encrypt messages.
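Whether PROT P is actually enforced for FTPS can be checked from server-side command logs. The following added example (not from the original guide or from Globalscape) replays each session as a small state machine following RFC 4217, where the data channel stays Clear until a PROT P command is accepted; the log format, sample lines and function name are constructed for illustration.

```python
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

# Constructed server-side command log: session, command, argument, reply code.
SAMPLE = [
    "s1 AUTH TLS 234", "s1 USER alice 331", "s1 PASS **** 230",
    "s1 PBSZ 0 200", "s1 PROT P 200", "s1 RETR payroll.csv 226",  # compliant
    "s2 USER bob 331", "s2 PASS **** 230", "s2 LIST 226",         # no TLS at all
    "s3 AUTH TLS 234", "s3 USER carol 331", "s3 PASS **** 230",
    "s3 STOR upload.zip 226",   # TLS login, data channel left Clear
    "s4 USER dave 534",         # cleartext login refused by the server
]

def audit_ftps_log(lines):
    """Return (session, line_no, issue) for accepted commands that exposed
    credentials or file data. Line format (assumed): "<sid> <CMD> [arg] <code>".
    """
    state = {}      # session id -> {"tls": bool, "prot": protection level}
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        sid, cmd, code = parts[0], parts[1].upper(), parts[-1]
        arg = parts[2].upper() if len(parts) > 3 else ""
        s = state.setdefault(sid, {"tls": False, "prot": "C"})
        ok = code[0] in "123"   # 1xx/2xx/3xx: the server accepted the command
        if cmd == "AUTH" and ok:
            s["tls"], s["prot"] = True, "C"   # data channel starts Clear after AUTH
        elif cmd == "PROT" and ok:
            s["prot"] = arg                   # only an accepted PROT changes the level
        elif cmd in ("USER", "PASS") and ok and not s["tls"]:
            findings.append((sid, n, f"{cmd} accepted before AUTH TLS"))
        elif cmd in DATA_CMDS and ok and s["prot"] != "P":
            findings.append((sid, n, f"{cmd} ran with data channel PROT {s['prot']}"))
    return findings

if __name__ == "__main__":
    for finding in audit_ftps_log(SAMPLE):
        print(finding)
```

Any finding means the server accepted the command, so the fix is on the server: require TLS before login and refuse data commands unless PROT P is set.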

Cipher Suite Configuration (Critical)

Globalscape EFT uses Windows Schannel. By default, it may allow weak ciphers.

Action: Use Group Policy or the IIS Crypto tool to disable: