Security

The following security methods are in place for Ipswitch Analytics:

Passwords

Ipswitch Analytics uses the Advanced Encryption Standard (AES) to protect the passwords used to grant access to Ipswitch Analytics, and to protect access to the MOVEit database and the Ipswitch Analytics Server.

• Ipswitch Analytics Agent: The only sensitive data that the Agents store is the password to access the MOVEit Transfer/MOVEit Automation database tables and the Ipswitch Analytics Agent password to access the Ipswitch Analytics Server. The MOVEit database password is protected using standards-based, bi-directional AES256 encryption.

  The MOVEit database password is entered in plaintext during the install process and is encrypted before being stored in the configuration. When establishing a connection to the MOVEit database, the password is decrypted and passed to the JDBC driver. Internally, the JDBC driver encrypts the password using a value supplied by the database server before it is transmitted to the server for authentication. The plaintext password is never transmitted or stored.

• Ipswitch Analytics Server: The Ipswitch Analytics Server stores passwords for locally authenticated Ipswitch Analytics users and SMTP server login passwords. These passwords are protected using a one-way secure salted hash. When a local user is added to the system, the password that is entered in plain text will be hashed and stored in the database.

  When a local user attempts to sign in, the password that is supplied will be hashed and the resulting hash will be compared with the stored hash and the user will be authenticated if they are equal. When a local user password is changed, the new password must be entered twice. These two passwords are compared against each other, and if they are equal, the new password will be hashed and stored in the database.

  System Administrators can also set minimum and maximum password size and a password strength policy ranging from Very Tough to Almost None.

Note: Report data is not considered sensitive and is not encrypted in the database nor on the file system of the servers that generate the reporting data or on the Ipswitch Analytics Server.

All authentication information used by Ipswitch Analytics is encrypted or hashed. Encryption and hashing are done using the Java Simplified Encryption library (Jasypt). Details of the Jayspt library can be found at www.jayspt.org. For Ipswitch Analytics, hashing is done using the SHA-512 algorithm and utilizes the Jasypt library to enhance the protection using random salts and multiple iterations of the hashing function. Bi-directional encryption is done using Jasypt to provide password-based encryption. The password is based on a random number generated by the Ipswitch Analytics Server at install.

Data Transmission

Communication between the Ipswitch Analytics Agents and the Ipswitch Analytics Server uses HTTPS, so data is always encrypted during transmission.

Communication between the web client browser and the Ipswitch Analytics Server uses HTTPS, so data is always encrypted during transmission.

Certificates

Certificates are used for encryption of communications. The Ipswitch Analytics Server supports the use of certificates issued by a Certificate Authority and also supports the use of self-signed certificates.

When the Ipswitch Analytics Server is installed, a keystore is created and the certificates required for secure communication between the Ipswitch Analytics Agents and the Ipswitch Analytics Server and also between the client browser and the Ipswitch Analytics Server are added to the keystore.