For those exploring managed file transfer options, security is likely to be an important consideration, one that regulatory compliance and business best practice have made an imperative. In this blog we explore Ipswitch’s approach to security and detail the specific security features included in their popular MOVEit managed file transfer solution.
The File Transfer Lifecycle
The file transfer lifecycle describes the stages a file, or set of files, passes through on its way from source to destination. These stages are coloured teal in the diagram below and range from file upload to file receipt.
Whether a managed file transfer product is used or not, almost every method of file transfer, even an email attachment, loosely follows these steps.
On the outside of the wheel, the grey elements describe the recommended security features and techniques that can be employed at the corresponding stage to maintain a high level of information security.
Users of Ipswitch MOVEit solutions will be pleased to know that all displayed features are employed in their managed file transfer solutions.
File Creation and Upload
To access file transfer services, MOVEit Transfer requires users to authenticate against one, or any combination, of the following sources.
Internal - MOVEit Transfer has its own secure, built-in user store, and securely encrypts all passwords stored in this database. Internal authentication features include:
- Password strength.
- Password ageing.
- Password history.
- Account lockout.
- Blacklists and whitelists.
External - MOVEit Transfer supports any user database accessible via one of the following standards:
- Secure LDAP.
- RADIUS server.
- SAML v2.
In addition, the release of MOVEit 2018 introduced multi-factor authentication as a built-in feature. Users can now be authenticated using a six-digit token value sent to their nominated email address, or using a time-based code from a compatible smartphone app such as Google Authenticator.
Tasks such as pushing and pulling files to and from FTP/SFTP/HTTPS servers, network shares and UNC paths on an event or schedule basis; manipulating and transforming file content; and managing files for transfer, storage or deletion can all be automated with MOVEit Automation.
Automating file movement removes the need for external parties to access the trusted network: encrypted files are pushed into the DMZ for external access, and files from external sources are pulled from the DMZ into the LAN.
MOVEit Transfer provides non-repudiation and integrity checking.
MOVEit also supports automatic retry and resume of file transfers on its HTTPS and FTPS interfaces. Besides being useful for multi-gigabyte files, this has a security benefit: a transfer interrupted by a network disruption or a denial-of-service attempt continues from where it stopped rather than starting over, so large transfers are harder to disrupt.
Files at Rest
MOVEit Transfer provides a number of security features for files at rest, including:
- Encrypted storage of data.
- Protection of encryption and decryption keys.
- Generation and use of strong cryptographic keys.
- Secure distribution of keys.
- Cryptographic key rotation based on cryptoperiods.
- Restriction of unauthorised substitution of cryptographic keys.
A multi-tier deployment integrating MOVEit Transfer with existing database servers and SAN/NAS storage servers enables storage of files, logs, keys and configuration data inside the trusted network.
File Encryption at Rest
Managing keys for file encryption has been a problem for most organisations in any scenario, but MOVEit Transfer handles it transparently.
For files at rest, MOVEit uses industry-standard 256-bit AES (FIPS 197) in a cryptographic module validated to FIPS 140-2. Within the MOVEit application, all configuration data (including user authentication information) is also encrypted, so no unencrypted data is ever available on the host operating system, in the database or in the file store.
Ipswitch MOVEit is ITAR compliant. But, what on earth is ITAR? Read our blog to learn more.
Secure Transfer to Storage
At no point during the transmission or storage of data is it unencrypted in the MOVEit Transfer environment.
MOVEit spools the parts of a file as they are received into much smaller buffers, encrypts them and writes them to disk immediately. Spooling files in this way reduces overall exposure in two ways:
- It reduces the amount of information exposed.
- It reduces the time information is exposed.
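To show what spooling in bounded buffers looks like in practice, here is an added example in Go; it is not MOVEit’s code, and the chunk size, the record layout and the choice of AES-256-GCM are this example’s own assumptions (the page only states that MOVEit uses 256-bit AES for files at rest). The receiver never holds more than one chunk of plaintext: each chunk is encrypted and appended to the store as soon as it is read. The chunk counter is the GCM nonce, so every chunk is bound to its position, and a "last chunk" flag is authenticated as associated data, so a store that has been reordered, tampered with or truncated is rejected when read back. Because the counter is the nonce, the key must be a fresh per-file key, which is the usual design when, as the page describes, a master key protects per-file keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"io"
)

// ChunkSize bounds how much plaintext is held in memory before it is encrypted and
// written out (value chosen for this example). Stored layout is a sequence of
// [last(1) | ctlen(4) | ciphertext] records, one per chunk.
const ChunkSize = 64 * 1024

// newGCM builds AES-GCM from fileKey, which MUST be used for exactly one file: the
// chunk counter is the GCM nonce, so reusing a key across files would repeat nonces.
func newGCM(fileKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fileKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonce encodes the chunk counter; a chunk moved to another position fails to open.
func nonce(counter uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

// Receive spools plaintext from src in ChunkSize pieces and encrypts and appends each
// piece to dst as soon as it is read, so at most ChunkSize bytes are ever exposed.
// The "last" flag is authenticated as AAD, so a truncated store is detected on read.
func Receive(fileKey []byte, src io.Reader, dst io.Writer) error {
	aead, err := newGCM(fileKey)
	if err != nil {
		return err
	}
	buf := make([]byte, ChunkSize)
	var hdr [5]byte
	for counter := uint64(0); ; counter++ {
		n, rerr := io.ReadFull(src, buf)
		if rerr != nil && rerr != io.EOF && rerr != io.ErrUnexpectedEOF {
			return rerr
		}
		var last byte
		if rerr != nil {
			last = 1 // short or empty read: this is the final chunk
		}
		ct := aead.Seal(nil, nonce(counter), buf[:n], []byte{last})
		hdr[0] = last
		binary.BigEndian.PutUint32(hdr[1:], uint32(len(ct)))
		if _, err := dst.Write(append(hdr[:], ct...)); err != nil { // hdr[:] is full, so append copies
			return err
		}
		if last == 1 {
			return nil
		}
	}
}

// Retrieve reverses Receive, rejecting any record that fails authentication and any
// store that ends before its flagged final chunk.
func Retrieve(fileKey []byte, src io.Reader, dst io.Writer) error {
	aead, err := newGCM(fileKey)
	if err != nil {
		return err
	}
	var hdr [5]byte
	for counter := uint64(0); ; counter++ {
		if _, err := io.ReadFull(src, hdr[:]); err != nil {
			return errors.New("store truncated before final chunk")
		}
		last, ctlen := hdr[0], binary.BigEndian.Uint32(hdr[1:])
		if ctlen > ChunkSize+uint32(aead.Overhead()) {
			return errors.New("record length out of range") // never allocate on an untrusted size
		}
		ct := make([]byte, ctlen)
		if _, err := io.ReadFull(src, ct); err != nil {
			return errors.New("record truncated")
		}
		pt, err := aead.Open(nil, nonce(counter), ct, []byte{last})
		if err != nil {
			return errors.New("chunk authentication failed")
		}
		if _, err := dst.Write(pt); err != nil {
			return err
		}
		if last == 1 {
			return nil
		}
	}
}
```

Two details are easy to get wrong in a real implementation: an input whose length is an exact multiple of the chunk size still needs an (empty) final record carrying the "last" flag, otherwise dropping the trailing records is undetectable; and the record length read from the store must be range-checked before memory is allocated for it.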
During the file receipt stage, which involves transmission to the destination, Ipswitch MOVEit provides security through file encryption in transit, non-repudiation, integrity checking, and DLP and anti-virus integration.
File Encryption in Transit
MOVEit Transfer supports a number of file transfer protocols and provides a minimum of 128-bit encryption, configurable by the MOVEit administrator. In MOVEit Automation, all file movements can optionally be PGP encrypted.
Supported secure protocols for transmission include:
- AS2 and AS3.
Tying users to their actions is not always easy; with Ipswitch MOVEit, however, non-repudiation is the default position, meaning you can always prove that a file was delivered or received.
This is a security best practice and is required by a number of regulatory standards and industry compliance standards such as:
- The Federal Information Security Management Act (FISMA).
- Gramm-Leach-Bliley Act (GLBA).
- Health Insurance Portability and Accountability Act (HIPAA).
- Sarbanes-Oxley Act (SOX).
MOVEit Transfer uses the SHA-1 hash function in its FIPS 140-2 validated cryptographic module to automatically check the integrity of the files it stores in its 256-bit AES encrypted file system.
All Ipswitch clients support automatic SHA-1 integrity checks with MOVEit Transfer. One caveat worth knowing when evaluating any integrity check: SHA-1 is no longer considered collision-resistant, so while a SHA-1 digest reliably detects accidental corruption or truncation, an integrity check that must also resist deliberate tampering should rely on an authenticated mechanism, such as a keyed MAC, a signed SHA-2 digest, or the authentication tag of the encryption itself.
Data Loss Prevention and Anti-Virus Integration
Through integration with file content and anti-virus scanning software, MOVEit submits incoming files to the scanning system on arrival and on delivery.
Supported solutions include RSA, Symantec, Sophos and McAfee.
Transferred files can be allowed, blocked or quarantined. All activity is logged and alerts or status are displayed to users, including the malware or virus name if found by your anti-virus solution.
Did you know that the Danish Supervisory Authority has ruled that all personal data must now be transmitted by secure email service or using TLS? Read our blog to learn more.
After the transfer, and outside the linear timeline of a single file transfer, managed file transfer solutions need self-contained management features such as auditing, backups and reporting.
File Tracking, Auditing and Reporting
For auditability, Ipswitch MOVEit maintains application audit logs to support customer record-keeping and to facilitate daily log review by system administrators or security officers.
MOVEit deployed on-premises integrates with a number of log management or SIEM systems, either over the syslog protocol or by forwarding logs to the Windows Event Log. The database used to house the audit logs is tamper-evident, meaning any unauthorised modification will be reported to the system administrator.
As of version 2018 SP2, MOVEit solutions include a dashboard showing real-time transfer statistics, short-term historical overviews and warning panels for items such as soon-to-expire keys and certificates.
Both active-passive and active-active load balanced high-availability options are available with Ipswitch MOVEit. In addition a possibility of introducing a gateway server means that almost any permutation of architecture is possible.
When a file is deleted in MOVEit, a secure shredding feature overwrites the space it occupied on disk with random data, so the content cannot be retrieved and the file has been securely deleted. A file can never be accessed outside the application’s authorised channels.
If you would like to learn more about Ipswitch MOVEit Transfer and how it is used by tens of thousands of customers worldwide, book a call with one of our product specialists today.