|
|
|
|
The following security methods are in place for Progress MOVEit Analytics:
Progress MOVEit Analytics uses the Advanced Encryption Standard (AES) to protect the passwords used to grant access to Progress MOVEit Analytics, and to protect access to the MOVEit database and the Progress MOVEit Analytics Server.
The MOVEit database password is entered in plaintext during the install process and is encrypted before being stored in the configuration. When establishing a connection to the MOVEit database, the password is decrypted and passed to the JDBC driver. Internally, the JDBC driver encrypts the password using a value supplied by the database server before it is transmitted to the server for authentication. The plaintext password is never transmitted or stored.
When a local user attempts to sign in, the password that is supplied will be hashed and the resulting hash will be compared with the stored hash and the user will be authenticated if they are equal. When a local user password is changed, the new password must be entered twice. These two passwords are compared against each other, and if they are equal, the new password will be hashed and stored in the database.
System Administrators can also set minimum and maximum password size and a password strength policy ranging from Very Tough to Almost None.
Note: Report data is not considered sensitive and is not encrypted in the database nor on the file system of the servers that generate the reporting data or on the Progress MOVEit Analytics Server.
All authentication information used by Progress MOVEit Analytics is encrypted or hashed. Encryption and hashing are done using the Java Simplified Encryption library (Jasypt). Details of the Jayspt library can be found at www.jayspt.org. For Progress MOVEit Analytics, hashing is done using the SHA-512 algorithm and utilizes the Jasypt library to enhance the protection using random salts and multiple iterations of the hashing function. Bi-directional encryption is done using Jasypt to provide password-based encryption. The password is based on a random number generated by the Progress MOVEit Analytics Server at install.
Communication between the Progress MOVEit Analytics Agents and the Progress MOVEit Analytics Server uses HTTPS, so data is always encrypted during transmission.
Communication between the web client browser and the Progress MOVEit Analytics Server uses HTTPS, so data is always encrypted during transmission.
Certificates are used for encryption of communications. The Progress MOVEit Analytics Server supports the use of certificates issued by a Certificate Authority and also supports the use of self-signed certificates.
When the Progress MOVEit Analytics Server is installed, a keystore is created and the certificates required for secure communication between the Progress MOVEit Analytics Agents and the Progress MOVEit Analytics Server and also between the client browser and the Progress MOVEit Analytics Server are added to the keystore.