This section answers some questions regarding MOVEit's expected conformance to HIPAA, FDIC, OCC, G-L-B Act, California SB 1386, Canadian PIPEDA, Payment Card Industry ("PCI"), Sarbanes-Oxley (a.k.a. "SARBOX") and other regulations. Please consult with Ipswitch for the latest information about how MOVEit helps its security-conscious customers achieve their file transfer and storage privacy and security standards as well as relevant contractual, industry and regulatory requirements.
"Data at Rest" - MOVEit satisfies this requirement by encrypting all files stored on disk with FIPS 140-2 validated 256-bit AES encryption. MOVEit Crypto (the encryption module which powers MOVEit) is only the tenth product to have been vetted, validated and certified by the United States and Canadian governments for cryptographic fitness under the rigorous FIPS 140-2 guidelines.
"Data in Motion" - MOVEit satisfies this requirement by using encrypted channels (SSL or SSH) when sending or receiving data.
"Tamper-Evident Audit Trail" - MOVEit maintains a full audit trail of not only every file transfer but every administrative action as well. All entries are cryptographically chained in a way that makes log tampering (i.e., adding, deleting or changing entries) evident. Scheduled "tamper checks" are run automatically and may also be run manually whenever needed.
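The chaining described above, as an added illustration that is not MOVEit's own code: each log entry carries a keyed digest over its own fields plus the previous entry's digest, so editing, deleting or inserting an entry breaks every digest from that point on. The class and function names (AuditLog, tamper_check, CHAIN_KEY) and the sample entries are constructed for this example; the keyed (HMAC) variant is a design choice here, because an unkeyed hash chain can be recomputed by anyone who can write the log file. The checkpoint argument shows the caveat a practitioner should know: a chain alone cannot detect truncation of the tail, so a scheduled check also needs the last known (sequence, digest) pair held outside the log.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumed key for the example; in a real deployment it would live in protected
# configuration so that a log writer cannot simply recompute the chain.
CHAIN_KEY = b"example-chain-key-not-a-real-secret"

# Fields that are covered by the chain value (everything except the chain itself).
COVERED_FIELDS = ("seq", "user", "action", "target")


def _entry_digest(entry: Dict[str, str], prev_chain: str) -> str:
    # Canonical JSON (sorted keys) so the same fields always serialize identically.
    payload = json.dumps({k: entry[k] for k in COVERED_FIELDS}, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, prev_chain.encode() + payload, hashlib.sha256).hexdigest()


class AuditLog:
    GENESIS = "0" * 64  # chain value that precedes the first entry

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def append(self, user: str, action: str, target: str) -> Dict[str, str]:
        prev = self.entries[-1]["chain"] if self.entries else self.GENESIS
        entry = {"seq": str(len(self.entries) + 1), "user": user,
                 "action": action, "target": target}
        entry["chain"] = _entry_digest(entry, prev)
        self.entries.append(entry)
        return entry


def tamper_check(entries: List[Dict[str, str]],
                 checkpoint: Optional[Tuple[int, str]] = None) -> Optional[int]:
    """Walk the chain from the genesis value. Returns None when every entry
    verifies, otherwise the 1-based position of the first entry that fails.
    `checkpoint` is the (seq, chain) pair recorded out-of-band at the previous
    check; it catches removal of trailing entries, which the chain alone cannot."""
    prev = AuditLog.GENESIS
    for i, entry in enumerate(entries, start=1):
        if entry.get("seq") != str(i):            # entry deleted or inserted before here
            return i
        if not hmac.compare_digest(_entry_digest(entry, prev), entry["chain"]):
            return i                               # entry edited (or re-chained without the key)
        prev = entry["chain"]
    if checkpoint is not None:
        seq, chain = checkpoint
        if seq > len(entries) or entries[seq - 1]["chain"] != chain:
            return seq                             # log is shorter than the last checkpoint
    return None


def build_sample_log() -> AuditLog:
    # Constructed sample entries: one file transfer and one administrative action.
    log = AuditLog()
    log.append("alice", "upload", "/home/alice/report.pdf")
    log.append("admin", "change_permission", "/home/alice")
    log.append("bob", "download", "/home/alice/report.pdf")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", tamper_check(log.entries))
    edited = [dict(e) for e in log.entries]
    edited[1]["action"] = "delete"
    print("edited entry 2 detected at:", tamper_check(edited))
    head = (len(log.entries), log.entries[-1]["chain"])
    print("truncated log with checkpoint detected at:", tamper_check(log.entries[:2], head))
```

Running the module shows an intact chain returning None, an edit detected at position 2, a deleted middle entry detected at position 2 (the sequence numbers no longer line up), and a truncated tail detected only when the checkpoint is supplied.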
"Integrity Checking" - MOVEit and the MOVEit file transfer clients, including the Upload/Download Wizard, EZ, Xfer, Freely, Central, API Windows and API Java, use cryptographic hashes to verify the integrity of files throughout the transfer chain. All MOVEit secure FTP, API and web-based clients (including the Upload/Download Wizard) support integrity checking. (Note: Integrity checking is a separate step when using the JavaScript Wizard.)
"Non-repudiation" - MOVEit authentication and integrity checking together allow a party to prove that specific people transmitted and/or received specific files.
"Guaranteed Delivery" - When MOVEit non-repudiation is combined with the MOVEit transfer restart and transfer resume features, it satisfies the requirements of the composite concept called "guaranteed delivery".
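How integrity checking and transfer resume fit together, as an added example that is not MOVEit's or any MOVEit client's code: the sender publishes a SHA-256 hash with the file, the receiver pulls the file in chunks, continues from the byte offset it already holds after a simulated network drop, and only treats the transfer as delivered once the reassembled bytes hash to the published value. The names (Sender, Receiver, CHUNK, transfer_with_resume), the chunk size and the sample payload are constructed for this example.

```python
import hashlib
from typing import Optional

CHUNK = 4096  # assumed chunk size for the simulated transfer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Sender:
    """Holds the file and the hash that travels with it."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.manifest_hash = sha256_hex(data)

    def read(self, offset: int, size: int) -> bytes:
        # Serve `size` bytes from `offset`; an empty result means end of file.
        return self.data[offset:offset + size]


class Receiver:
    """Accumulates chunks and verifies the whole file against the sender's hash."""

    def __init__(self, expected_hash: str) -> None:
        self.expected_hash = expected_hash
        self.buffer = bytearray()

    def pull(self, sender: Sender, fail_after: Optional[int] = None) -> bool:
        """Download starting at the current offset, which is what makes a second
        call a resume rather than a restart. Returns True when the end of the
        file is reached, False if the (simulated) connection drops after
        `fail_after` chunks."""
        chunks = 0
        while True:
            piece = sender.read(len(self.buffer), CHUNK)
            if not piece:
                return True
            self.buffer.extend(piece)
            chunks += 1
            if fail_after is not None and chunks >= fail_after:
                return False

    def verify(self) -> bool:
        # The integrity step: hash the reassembled file and compare.
        return sha256_hex(bytes(self.buffer)) == self.expected_hash


def transfer_with_resume(data: bytes, corrupt: bool = False) -> dict:
    """Drop the connection after two chunks, resume, then verify.
    With `corrupt=True` one received byte is flipped to show the check failing."""
    sender = Sender(data)
    receiver = Receiver(sender.manifest_hash)
    first_try_complete = receiver.pull(sender, fail_after=2)
    resumed_from = len(receiver.buffer)
    complete = receiver.pull(sender)          # resumes at the retained offset
    if corrupt and receiver.buffer:
        receiver.buffer[0] ^= 0x01            # simulate on-the-wire corruption
    return {
        "first_try_complete": first_try_complete,
        "resumed_from": resumed_from,
        "complete": complete,
        "integrity_ok": receiver.verify(),
    }


if __name__ == "__main__":
    sample = bytes(range(256)) * 40           # constructed 10240-byte payload
    print(transfer_with_resume(sample))
    print(transfer_with_resume(sample, corrupt=True))
```

With the 10240-byte sample the first attempt stops after 8192 bytes, the resume fetches the remaining 2048, and the hash matches; the corrupted run completes the same way but reports integrity_ok as False, which is the signal a "guaranteed delivery" workflow would use to retry rather than acknowledge.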
"Obsolete Data Destruction" - MOVEit overwrites all deleted files with cryptographic-quality random data to prevent any future access. Specifically, MOVEit meets the requirements of NIST SP800-88 (data erasure).
"Need-To-Know Access Only" - MOVEit user/group permissions restrict each user to only those materials that user should access.
"Good Password Protection" - MOVEit requires tough passwords, prevents users from reusing passwords and periodically forces users to change their passwords.
"Good Encryption" - MOVEit uses SSL to communicate across networks. This "negotiated" protocol can be configured to require 128-bit strength, the maximum currently available. MOVEit uses MOVEit Crypto's FIPS 140-2 validated 256-bit AES to store data on disk. (This algorithm was selected by NIST to replace DES, and is faster and more secure than Triple-DES.)
"Denial of Service Protection" - MOVEit is resilient to DoS attacks that attempt resource exhaustion through repeated credential checks or other functions available to anonymous users. ("Nuisance" IP addresses will be locked out.)
"Hardening" - Installation of MOVEit involves a multi-step (and FULLY documented) hardening procedure which covers the operating system, web service environment, permissions and extraneous applications.
"Firewall" - MOVEit comes with a detailed firewall configuration guide to minimize confusion on the part of firewall administrators. MOVEit also supports the use of native IPSec as a "poor-man's" (packet filtering) firewall as a second line of defense.
"Code Escrow" - The complete source code and build instructions of major (i.e., "3.2") versions of MOVEit are escrowed with a third party.
"Code Review and Regression Testing" - All MOVEit code passes through a code review and change control is maintained with the help of Microsoft's SourceSafe application. Regression testing is performed on each release with an ever-increasing test battery which now includes several thousand tests.
"Multiple Factor Authentication" - When used with a username, IP addresses, passwords and client keys/certs offer one-, two- or three-factor authentication.