General Information - Regulations - Privacy/Security/Auditing
This guide answers some questions regarding MOVEit DMZ's
expected conformance to HIPAA, FDIC, OCC, G-L-B Act, California SB 1386, Canadian PIPEDA, Payment Card Industry ("PCI"),
Sarbanes-Oxley (a.k.a. "SARBOX") and other regulations.
Please consult with Ipswitch for the latest
information about how MOVEit helps its security-conscious customers
achieve their file transfer and storage privacy and security standards
as well as relevant contractual, industry and regulatory requirements.
- "Data at Rest" - MOVEit DMZ satisfies this requirement by
encrypting all files stored on disk with FIPS 140-2 validated 256-bit AES encryption.
MOVEit Crypto (the encryption module which powers MOVEit DMZ) is only the tenth product to have
been vetted, validated and certified by the United States and Canadian governments for
cryptographic fitness under the rigorous FIPS 140-2 guidelines.
- "Data in Motion" - MOVEit DMZ satisfies this requirement by
using encrypted channels (SSL or SSH) when sending or receiving data.
- "Tamper-Evident Audit Trail" - MOVEit DMZ maintains a full audit trail of not
only every file transfer but every administrative action as well.
All entries are cryptographically chained in a way that makes
log tampering (i.e., adding, deleting or changing entries)
evident. Scheduled "tamper checks" are run automatically and
may also be run manually whenever needed.
- "Integrity Checking" - MOVEit DMZ and MOVEit file transfer
clients including the Upload/Download Wizard, EZ, Xfer, Freely, Central, API Windows and API Java use
cryptographic hashes to verify the integrity of files throughout the transfer chain.
- "Non-repudiation" - MOVEit authentication and integrity
checking allow people to prove that certain people transmitted and/or received specific
files.
- "Guaranteed Delivery" - When MOVEit non-repudiation is combined with
MOVEit transfer restart and transfer resume features, it satisfies the requirements for
a conglomerate concept called "guaranteed delivery".
- "Obsolete Data Destruction" - MOVEit DMZ overwrites all
deleted files with cryptographic-quality random data to prevent any future access.
Specifically, MOVEit DMZ meets the requirements of NIST SP800-88 (data erasure).
- "Need-To-Know Access Only" - MOVEit DMZ user/group
permissions allow specific access to only those materials users should access.
- "Good Password Protection" - MOVEit DMZ requires tough
passwords, prevents users from reusing passwords and periodically forces users to change
their passwords.
- "Good Encryption" - MOVEit DMZ uses SSL to communicate across
networks. This "negotiated" protocol can be enforced to connect with
128-bit strength, the maximum currently available. MOVEit DMZ uses MOVEit Crypto's FIPS 140-2 validated
256-bit AES to store data on disk. (This algorithm has been selected by NIST to replace DES, and is faster and
more secure than Triple-DES.)
- "Denial of Service Protection" - MOVEit DMZ is resilient to
DoS attacks caused by resource exhaustion through credential checks or other resources
available to anonymous users. ("Nuisance" IP addresses will be locked
out.)
- "Hardening" - Installation of MOVEit DMZ involves a
multi-step (and FULLY documented) hardening procedure which covers the operating system,
web service environment, permissions and extraneous applications.
- "Firewall" - MOVEit DMZ comes with a detailed firewall
configuration guide to minimize confusion on the part of firewall administrators.
MOVEit DMZ also supports the use of native IPSec as a "poor-man's" (packet
filtering) firewall as a second line of defense.
- "Code Escrow" - The complete source code and build instructions of
major (i.e. "3.2") versions of MOVEit DMZ are
escrowed with a third party.
- "Code Review and Regression Testing" - All MOVEit DMZ code passes
through a code review and change control is maintained with the help of Microsoft's SourceSafe application.
Regression testing is performed on each release with an ever-increasing test battery which now includes several thousand tests.
- "Multiple Factor Authentication" - When used with a username, IP addresses, passwords and client keys/certs offer
one-, two- or three-factor authentication.
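
The "Tamper-Evident Audit Trail" item above says entries are cryptographically chained so that adding, deleting or changing entries becomes evident. The following is an added example, not MOVEit DMZ code and not a description of its actual log format: a generic HMAC-SHA256 chain in which the key, the record fields and the function names (`append`, `tamper_check`, `build_sample`) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed starting value for the chain (assumption)


def _tag(key, prev_tag, entry):
    # Bind each entry to its predecessor: tag_i = HMAC(key, tag_{i-1} || entry_i)
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def append(log, key, entry):
    """Append an entry and return the new head tag (to be stored off-log)."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    tag = _tag(key, prev, entry)
    log.append({"entry": entry, "tag": tag.hex()})
    return tag.hex()


def tamper_check(log, key, head):
    """Return None if the chain is intact, else a description of the first break."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _tag(key, prev, rec["entry"])
        if not hmac.compare_digest(expected.hex(), rec["tag"]):
            return f"chain broken at record {i}"
        prev = expected
    if not hmac.compare_digest(prev.hex(), head):
        return "head mismatch: records removed from or added to the end"
    return None


def build_sample(key):
    # Constructed sample audit records, not real MOVEit log data.
    log, head = [], GENESIS.hex()
    for e in [
        {"user": "alice", "action": "upload", "file": "q1.csv"},
        {"user": "admin", "action": "add_user", "target": "bob"},
        {"user": "bob", "action": "download", "file": "q1.csv"},
    ]:
        head = append(log, key, e)
    return log, head
```

The head tag has to be kept somewhere a party who can edit the log cannot reach; otherwise removing records from the end of the log goes unnoticed.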