General Information - Regulations - Privacy/Security/Auditing
This guide answers some questions regarding MOVEit DMZ's
expected conformance to HIPAA, FDIC, OCC, G-L-B Act, California SB 1386, Canadian PIPEDA, Payment Card Industry ("PCI"),
Sarbanes-Oxley (a.k.a. "SARBOX") and other regulations.
Please consult with Ipswitch for the latest
information about how MOVEit helps its security-conscious customers
achieve their file transfer and storage privacy and security standards
as well as relevant contractual, industry and regulatory requirements.
- "Data at Rest" - MOVEit DMZ satisfies this requirement by
encrypting all files stored on disk with FIPS 140-2 validated 256-bit AES encryption.
MOVEit Crypto (the encryption module which powers MOVEit DMZ) is only the tenth product to have
been vetted, validated and certified by the United States and Canadian governments for
cryptographic fitness under the rigorous FIPS 140-2 guidelines.
- "Data in Motion" - MOVEit DMZ satisfies this requirement by
using encrypted channels (SSL or SSH) when sending or receiving data.
- "Tamper-Evident Audit Trail" - MOVEit DMZ maintains a full audit trail of not
only every file transfer but every administrative action as well.
All entries are cryptographically chained in a way that makes
log tampering (i.e., adding, deleting or changing entries)
evident. Scheduled "tamper checks" are run automatically and
may also be run manually whenever needed.
- "Integrity Checking" - MOVEit DMZ and MOVEit file transfer
clients including the Upload/Download Wizard, EZ, Xfer, Freely, Central, API Windows and API Java use
cryptographic hashes to verify the integrity of files throughout the transfer chain.
- "Non-repudiation" - MOVEit authentication and integrity
checking allows people to prove that certain people transmitted and/or received specific
- "Guaranteed Delivery" - When MOVEit non-repudiation is combined with
MOVEit transfer restart and transfer resume features, it satisfies the requirements for
a conglomerate concept called "guaranteed delivery".
- "Obsolete Data Destruction" - MOVEit DMZ overwrites all
deleted files with cryptographic-quality random data to prevent any future access.
Specifically, MOVEit DMZ meets the requirements of NIST SP800-88 (data erasure).
- "Need-To-Know Access Only" - MOVEit DMZ user/group
permissions allow specific access to only those materials users should access.
- "Good Password Protection" - MOVEit DMZ requires tough
passwords, prevents users from reusing passwords and periodically forces users to change
- "Good Encryption" - MOVEit DMZ uses SSL to communicate across
networks. This "negotiated" protocol can be enforced to connect with
128-bit strength, the maximum currently available. MOVEit DMZ uses MOVEit Crypto's FIPS 140-2 validated
256-bit AES to store data on disk. (This algorithm has been selected by NIST to replace DES, and is faster and
more secure than Triple-DES.)
- "Denial of Service Protection" - MOVEit DMZ is resilient to
DOS attacks caused by resource exhaustion through credential checks or other resources
available to anonymous users. ("Nuisance" IP addresses will be locked
- "Hardening" - Installation of MOVEit DMZ involves a
multi-step (and FULLY documented) hardening procedure which covers the operating system,
web service environment, permissions and extraneous applications.
- "Firewall" - MOVEit DMZ comes with a detailed firewall
configuration guide to minimize confusion on the part of firewall administrators.
MOVEit DMZ also supports the use of native IPSec as a "poor-man's" (packet
filtering) firewall as a second line of defense.
- "Code Escrow" - The complete source code and build instructions of
major (i.e. "3.2") versions of MOVEit DMZ are
escrowed with a third-party.
- "Code Review and Regression Testing" - All MOVEit DMZ code passes
through a code review and change control is maintained with the help of Microsoft's SourceSafe application.
Regression testing is performed on each release with an ever-increasing test battery which now includes several thousand tests.
- "Multiple Factor Authentication" - When used with a username, IP addresses, passwords and client keys/certs offer
one-, two- or three-factor authentication.