This topic explains discusses how you can use MOVEit Transfer for your Managed File Transfer (MFT) solution.
Toolkit
Description
Administrative Controls
You can perform application and org-wide actions from a web browser. You perform system-wide configuration and integration tasks from the MOVEit Transfer server node either signed on to the WebUI locally or using the Configuration Utility. For backups, you use a separate Backup and Restore utility, which is bundled with the MOVEit Transfer server software.
Admin and SysAdmin
When you install MOVEit Transfer, you set up a SysAdmin account and an Admin account.
The SysAdmin account can create a new organization, perform IP lockouts and changes, set up new users, and control settings for the system, schemes, and the organization. The account cannot upload or download files, read a user's files, or send/receive messages in any organization other than the System organization
The Admin account is used to perform daily administration, work with users, folders, and so on
MOVEit Transfer has controls needed to implement policies prescribed or mandated by data security standards such as HIPAA, PCI, CIS, and so on. This section outlines some of the controls in MOVEit Transfer designed to help you implement these policies for your organization's folder, file, and message needs.
Authentication Policy Considerations
As you plan your authentication policy, consider:
Multi-Factor Authentication (MFA)
Will you require/allow MFA for all users?
Will you require MFA for users with higher business impact? (Admin's or regular user's with folder sharing, for example)
Will you require client certificates?
Passwords
What level of password strength to require?
How often are users required to change their passwords?
How to provide passwords to users (examples: fax/phone, emailed when the user is created).
Can users reset their own passwords? If so, is the user required to sign on with the old credentials first?
Interfaces
What are your supported protocols? (FTP/SSL, FTP/SSH, HTTPS and/or AS2/AS3, non-secure FTP)
Are users who connect to port 80 HTTP automatically redirected to your secure web interface?
Do your interface options allow your clients to do ad-hoc and automated transfers?
Shared Accounts
Are shared accounts allowed?
Can users of shared account view files that other users of the account have uploaded?
Groups
Are users organized into groups?
Do you want to grant permissions by group or by user? Do you want to grant certain users permissions for specific folders, users, etc.?
External Authentication
Will all users authenticate to the MOVEit Transfer local database, through a trusted LDAP or RADIUS server, or a combination?
Will users leverage single-sign on?
Naming Conventions
How are usernames formed? Examples: first initial last name, employee numbers, company name, etc.
Should full names contain the names of key people and/or their organizational role or just a company role?
Are there different conventions for internal/external users?
Lockouts and Expiration
How many incorrect tries before that user is locked out?
How many tries for a particular IP address get before that IP is locked out?
How long can a user delay a requested password change before the account is disabled?
How long to keep accounts that have not been used, or have passed their contract date?
Allowed Hosts and IPs
The MOVEit Transfer default IP access policy allows end users to connect from anywhere but allows administrators to connect only from an internal private network. Is this restrictive enough? Are there exceptions?
Do you want to specify a list/range of IP addresses and hostnames for each user instead?
Client Certificates/Keys
If you are using client certificates, what Certificate Authority(ies) will you use?
Do you need two factor authentication or is using one cert/key sufficient?
Automated Users
Most sites set up a FileAdmin user for their MOVEit Automation file transfer automation tool. Your end users or other internal processes can also be automated.
Do you want these types of users to be exempt from periodic password changes?
Do you want these users to be further restricted by IP address, client cert/key, or interface? (Doing so mitigates the risk of a username or password being compromised)
Folder Policy Considerations
As you plan your folder permissions policy, consider:
Structure
Do you want users to each have their own tree of folders in their home folder or do you want a shared folder structure?
Do you want user home folders be in one top-level folder, or in multiple folders?
Do you want to lock users to a single folder and limit the number of items on the interface to keep them from making any mistakes?
How do you want to name the main shared folder?
Shared Folders
Does your Organization allow shared folders?
Can regular users share folders?
Can these folders be shared with temporary users?
Permissions
What level of access do users have on their home folders, on other folders, and by default?
Do you want upload quotas or filename restrictions?
Can home folders be shared?
Clean Up/Notification
How often to automatically delete old files and folders?
When and how to send notifications about file uploads and downloads success, failure, or on deadline?
Naming Conventions
How to name a user's home folder: usernames, full names, or user IDs (unique ID generated by MOVEit Transfer)?
How to name MOVEit Transfer folder trees: internal names, or to reflect specific customer needs?
How to name folders and files to accommodate automated tasks.
Ad Hoc Transfer Policies
You must have a valid Ad Hoc Transfer license (using the MOVEit Transfer Config utility) and you must have enabled Ad Hoc transfer .
Address Book Contacts and Unregistered Recipients -
Who should be able to talk to whom?
Do you want any user to contact any other user, including unregistered users, or do you want to control Ad Hoc Transfer relationships?
Who should be able to create and send packages to unregistered recipients immediately as needed?
Unregistered Recipients and Senders - When unregistered recipients sign in, and when unregistered senders self-register:
Do you want to treat them as per-package guest users, or should they be registered as temporary users for a limited amount of time?
Are there any domains in which you want to prevent MOVEit Transfer from creating temporary users, such as your own or a free mail service)?
How long will temporary users remain before they are automatically purged?
Secure Note transfer vs. Email Note, per package sender option, and related options
Do you want all content exchange to be part of secure transfers, including files and every note that senders compose when creating MOVEit Ad Hoc Transfer packages? Or do you want to provide notification similar to Outlook emails, with only the attached/uploaded files being sent exclusively by MOVEit)?
Do you want to offer both types of operations by offering senders a per package choice?
For packages sent from the Web interface and Mobile, do want to add security for the packages' Senders and Subjects? (These settings do not affect packages sent from the Outlook Plug-in.)
Permissions
Do you want attachment quotas?
Do you want filename restrictions?
Retention
How long to keep packages online?
Delete or archive packages after that time?
Appearance
As you plan your site's appearance, consider these items:
Banner and Scheme
Do you want a banner logo and scheme to match the colors and fonts of your corporate site?
What logo will you use for the mobile app and web?
Display Profiles
Which parts of the web interface do you want to be visible to users before and after they sign on?
Can users change the interfaces language before sign on, during sign on, or after sign on?
International Languages
What is the default language for the organization?
Notifications
How much information (username, fileID, file names, etc.) is sent in clear-text email notifications?
Who should appear as the sender?
Do you want to make changes to any notification templates?
Do your users prefer HTML notifications or text notifications?
Sign-On Banners
What appears on the sign-on page to users before a user signs on?
What information is on the home page announcement?
What is the first status message that appears after a user signs-on?
Do you need a terms-of use acknowledgment?
Logging and Reporting
Consider the following when planning use of logs and reporting for production operations and tracking.
Filtering Logs
Can you find what you want in the audit logs? Configure your custom views and filters that provide insight helpful for your production operations.
Can you determine the cause of the following common problems by looking in audit logs? (For example, user could not sign-on. File could not be uploaded, downloaded, and so on. Folder or user could not be created, deleted, and so on.
Do you know how to select columns, sort and hide/show sign-on and notification entries?
Reports
What reports will you use regularly? Do you want to schedule them?
Do you expect to perform further processing on CSV or XML formatted reports?
Do you want to alter the template used for HTML reports?
Retention
How long to keep audit records? After this time, delete or archive the records?
Production Operations
People
Who are the main administrators of each MOVEit Transfer organization?
Who is in charge of the firewall?
Can any administrative tasks be delegated through GroupAdmins or using feature, such as allowing users to reset own password?
Automation
Are you using the automated features of MOVEit Transfer? (such as old file/folder cleanup, notification, and report creation)
If you own a companion MOVEit Automation server, is it automating all file transfers?
Have you automated your end user and internal transfers?
Incident Management
Do you have a notification schedule for server or database incidents? (Sometimes referred to as an on-call list)
Have you set email addresses for notifications in the DMZ Config utility to valid distribution email lists?
Disaster Recovery
How are you backing up your server?
Do you have the necessary MOVEit Transfer licenses or your backup servers?
Is the backup procedure automated and tested?
Does your main site need active-active failover?
End User Documentation
Do your end users know how to connect to you and where to go to upload/download files? (Or use secure messaging, as applicable.) (See Advanced Topics - User Forms.)
Do end users know how to ask for help? Is there additional documentation you could post online to help? (See the MOVEit Transfer Tech Support link/page and Custom Help Link feature help here.)
Administrative Documentation
Is your configuration documented and explainable? (You can use the DMZBackup utility to make a backup of the current configuration.) Do you know how to pull/schedule the reports that fulfill your audit requirements? Your billing requirements? Other business requirements?
Other Tasks
Use groups to organize the way users access files and folders.
Set up strong password requirements. For more information, see Settings and Folder pages.
Ongoing Maintenance
Use the logs pages to monitor activity and troubleshoot.
