Privacy, Security Standards, and Auditing Requirements
This section answers some questions regarding the expected conformance of MOVEit to HIPAA, FDIC, OCC, G-L-B Act, California SB 1386, Canadian PIPEDA, Payment Card Industry (PCI), Sarbanes-Oxley (SARBOX) and other regulations.
Please consult with Progress for the latest information about how MOVEit helps its security-conscious customers achieve their file transfer and storage privacy and security standards as well as relevant contractual, industry and regulatory requirements.
Multi-Factor Authentication - Two or more factors make it harder to steal and misuse user credentials. For interactive human interfaces, MOVEit Transfer supports password plus "soft token" authenticator applications such as Google Authenticator that implement RFC 6238 TOTP (Time-Based One-Time Password) and RFC 4226 HOTP (HMAC-Based One-Time Passwords). Machine interfaces and FTP or SSH clients may be configured to require a password and client key/cert to achieve multi-factor authentication.
Data at Rest - MOVEit satisfies this requirement by encrypting all files stored on disk with FIPS 140-2 validated 256-bit AES encryption. MOVEit Crypto (the encryption module which powers MOVEit) is only the tenth product to have been vetted, validated and certified by the United States and Canadian governments for cryptographic fitness under the rigorous FIPS 140-2 guidelines.
Data in Motion - MOVEit satisfies this requirement by using encrypted channels (SSL or SSH) when sending or receiving data.
Tamper-Evident Audit Trail - MOVEit maintains an audit trail of every file transfer and administrative action. All entries are cryptographically chained in a way that makes log tampering evident. Scheduled tamper checks are run automatically and can also be run manually.
Integrity Checking - MOVEit and MOVEit file transfer clients including the Upload/Download Wizard, EZ, Xfer, Freely, Central, and API clients provide cryptographic hashes to verify the integrity of files throughout the transfer chain. All MOVEit secure FTP, API and web-based clients, support integrity checking. (Note: Integrity checking can be a separate step)
Non-repudiation - MOVEit authentication and integrity checking allows people to prove that certain people transmitted and/or received specific files.
Guaranteed Delivery - The combination of MOVEit non-repudiation and MOVEit transfer restart and transfer resume features satisfies the requirements for guaranteed delivery.
Obsolete Data Destruction - MOVEit overwrites all deleted files with cryptographic-quality random data to prevent future access. MOVEit meets the requirements of NIST SP800-88 (data erasure).
Need-To-Know Access Only - MOVEit user/group permissions allow access to specific materials.
Good Password Protection - MOVEit requires tough passwords, prevents users from reusing passwords and periodically requires users to change their passwords.
Good Encryption - MOVEit uses SSL to communicate across networks. This "negotiated" protocol can be enforced to connect with 128-bit strength, the maximum currently available. MOVEit uses MOVEit Crypto's FIPS 140-2 validated 256-bit AES to store data on disk. (This algorithm has been selected by NIST to replace DES, and is faster and more secure than Triple-DES.)
Denial of Service Protection - MOVEit is resilient to DOS attacks caused by resource exhaustion through credential checks or other resources available to anonymous users. ("Nuisance" IP addresses will be locked out.)
Hardening - Installation of MOVEit involves a multi-step (and documented) hardening procedure that covers the operating system, web service environment, permissions, and extraneous applications.
Firewall - MOVEit includes a firewall configuration guide for firewall administrators. MOVEit supports the use of native IPSec as a packet filtering firewall as a second line of defense.
Code Review and Regression Testing - All MOVEit code is subject to code review. Change control is maintained with a source control system. Regression testing is performed on each release.