MOVEit Cloud & the NCSC SaaS Security Principles

MOVEit Cloud & the NCSC SaaS Security Principles

In almost every conversation we have with a customer today, there is some element discussion around cloud adoption and usage. Particularly in the case of Ipswitch MOVEit Transfer, which launched it managed file transfer cloud offering early this year.

Key in every discussion we have is security, an area which Ipswitch has been consistently strong in for more than a decade. Providing features such as encryption at rest, in transit and multi-factor authentication.

More recently, the UK's NCSC (National Cyber Security Centre) has released their 2018 edition of their recommended security principles for SaaS solutions. Giving Ipswitch MOVEit yet another opportunity to shine.


The NCSC SaaS Security Principles

The below table of SaaS recommendations have been taken from the NCSC website.

 Security Principle Ipswitch MOVEit Cloud
Data-in-transit should be protected between clients and service using TLS.

Ipswitch MOVEit Cloud supports HTTPS and FTPS which all can be configured to use TLS. In addition, MOVEit Cloud also supports SFTP which uses SSH has a method of securing a data transmission tunnel between the client and service.

Use industry best practices for SSL certificate configuration.

Ipswitch MOVEit Cloud uses Microsoft IIS (Internet Information Services) for the presentation of its website and its own virtual service for FTPS. Certificates can be self-signed or third-party verified using industry best practises.

Data-in-transit between microservices should be encrypted.

From the moment data is present to Ipswitch MOVEit Cloud, it is encrypted using FIPS 140-2 validated AES 256-bit cryptography. At no point is the data ever exposed in an unencrypted format.

APIs should include authentication and protection.

Ipswitch MOVEit Cloud supports a REST API, which requires authentication using and username and password; and subsequently requires a post-authentication API key to validate each request against the authentication attempt.

Does the SaaS service have privilege separation?

Ipswitch MOVEit Cloud supports not just role based user creation but also individual access permissions based on protocol, IP address and particular folders. Each folder can have granular permissions related to read, write and delete functions.

Does the SaaS service permit multi-factor authentication for high privilege accounts?

Multi-factor authentication is built into the solution as part of the offering. It can be applied to particular user roles, including administrators or across all user accounts. In addition, Ipswitch MOVEit Cloud supports RADIUS authentication, which means it can be paired with an existing multi-factor authentication solution.

SaaS services should collect security and resource logs.

All activities in Ipswitch MOVEit Cloud are logged in a tamper-evident database, where each line is hashed and sequence numbered. Keeping it safe from modification or deletion.

Does the SaaS provider make logs available to the client?

Logs are always viewable in the Ipswitch MOVEit Cloud administration portal. In addition, logs can be exported via syslog or viewed as a report in the report viewer.

Does the SaaS provider have a clear plan for patching and security issues?

Ipswitch releases a new version of MOVEit Cloud at least twice a year which addresses and security patches which are required. Each release is externally audited to ensure its a quality and that it is free from known vulnerabilities. One such example is that Ipswitch validates its solution against the OWASP top 10.

Does the SaaS provider offer clear and transparent details on their product?

All Ipswitch solutions and releases have a corresponding release note and entry in the administration manual for reference. All customers also have access to the Ipswitch community knowledge base where they can benefit from the wisdom of the entire Ipswitch community. In addition, Advanced Cyber Solutions are certified in professional services, training and support for all Ipswitch solutions and are there to guide customers in the best ways to configure the Ipswitch MOVEit Cloud solution.


With every point covered, Ipswitch MOVEit Transfer yet again proves its security credentials as the industries most secure managed file transfer platform.

Are you interested in learning more about Ipswitch MOVEit Cloud? Book a call and speak to one of our solution specialists today.


New call-to-action