MOVEit 8.0: Adapting to the Changing Managed File Transfer Security Landscape

Share this story:Tweet about this on Twitter4Share on LinkedIn0Share on Google+0Share on Facebook6
managed file transfer security

While best practices can improve an organization’s overall security posture, we’ve built software improvements into MOVEit that further increase security

Through the years my role at Ipswitch has changed from someone taking front-line calls, going to customer sites and working with the engineering staff to someone who is responsible for the “health” of the MOVEit product. During this time a lot has changed in the market as well. As an example, in the past ten years I have seen the ability to secure FTP go from a “nice-to-have” to a “must-have”, including transporting files securely along with applying security at rest. These days organizations are a lot more focused on services they sign up for and the security risk they represent. As a result, they ask more detailed questions about managed file transfer security like “What encryption and hashing algorithms are being used?,” and also ask third parties to audit the services for compliance. In my opinion, now more than ever, administrators need products they can trust with sensitive data.

In my opinion security is to MFT what location is to real estate, which is of course to say paramount. As I sat down to write this post, I tried to imagine transferring files without any security or controls. To me that seems absurd because businesses move files to get work done and people lose jobs when the proper security or control is not in place.

The truth is, software needs to do more to protect all the sensitive information that is exchanged. Just as the security triad of confidentiality, integrity and availability has evolved, so must software, along with the way it is built. That was a hard realization when we started working on the MOVEit 8.0 release. We understood that we needed to adapt to the changing landscape and get ahead of our customers’ audit and compliance issues.

With that in mind, I created the following cheat sheet to help those interested in making MFT software (whether MOVEit or another product) more secure.

Based on my experience, here are eight steps administrators should take:

1. Harden the host machine, or run a trusted tool to harden it.

2. Enable the strongest password policy allowed by the organization and expire passwords on a routine basis. If possible, utilize secure, external authentication such as LDAP to centrally manage and control passwords.

3. Set expiration policies and lockout policies on all accounts. Also, enable any system-level whitelist or similar functionality to block password-harvesting scripts.

4. Constrain external traffic to secure ports like TCP/443, TCP/22 and disable non-secure FTP in favor of explicit FTP over SSL/TLS or implicit FTP over SSL/TLS. Minimize the attack surface to only the necessary services and use those services in the most secure way.

5. Use FIPS mode, if possible, and/or disable weak SSH and SSL algorithms. This allows administrators to use only the strongest security.

6. Configure and review built-in security audit reports on a regular basis.

7. Utilize two-factor authentication like SSL certificates if possible for additional security.

8. Enable user sessions to expire after a set amount of inactivity. This prevents anyone from gaining access from an open browser that is unattended.

While the best practices above help improve an organization’s overall security posture, we’ve built software improvements into the latest release of MOVEit that augment these operational changes to further increase security, Specifically, MOVEit 8.0 incorporates the following:

1. OWASP Top Ten – For as long as I can remember, we have focused on standards for MOVEit, like the RFC for securing FTP using TLS.  Enter the OWASP Top Ten, a consensus document of the top web application vulnerabilities to eliminate in software. MOVEit now has all the latest protection against these common issues like cross-site scripting (XSS) and injection attacks and more, which is one tenet of PCI DSS 2.0. In a future post, I’ll elaborate on OWASP.

2. Transport Encryption Algorithm Control – Now MOVEit administrators can enable/disable weak transport encryption algorithms for FTP over SSL and SFTP. These options, coupled with the ability to enable FIPS, allow administrators the control they need for secure file transfers both now and in the future. They can also regulate the system to only use the most secure transmission between users and partners.

3. MOVEit Security Tool – We have improved the MOVEit Security Tool “SecAux” which was initially created to help administrators easily harden their machines without having to run through the registry and local security policy. The tool is run during installation (or can be run manually) and makes it easier for overburdened administrators to apply security policies.

4. Improved Security Process and Tools – A year ago we realized we needed to improve the way we think about and securely develop our software. So we set out to utilize the best tools available, formalize processes and engage a third party to validate our work. It is by no means perfection, but I think MOVEit 8.0 reflects the continued commitment to the best-in-class security MOVEit has been known for over a decade.

All of these security improvements and more are included in MOVEit 8.0 to give businesses and administrators the confidence they need in an enterprise-class managed file transfer solution where security is paramount. There is of course more in MOVEit 8.0 and I encourage those interested to review the release notes as I’ve just given an overview of what’s available.

Lastly, I wouldn’t be true to my Midwest roots unless I thanked you for taking the time to read my post. I welcome your comments and plan to write again soon, so please check back.

This entry was posted in Auditing, File Security, Managed File Transfer, MOVEit, Security. Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

4 Comments

  1. Posted October 15, 2013 at 3:49 pm | Permalink

    This is a good article. We’re running Moveit Central, and it will be interesting to see what features are introduced in 8.0. Being able to specify the allowed or preferred encryption algorithms in the SSH and SSL clients seems particularly important.

    • Posted October 15, 2013 at 4:06 pm | Permalink

      This isn’t directly related to the article, but another feature suggestion for Moveit Central would be a secure password manager. Trying to manage the sites in one tool and their passwords in another isn’t very practical.

  2. Posted October 16, 2013 at 3:25 pm | Permalink

    David, MOVEit 8 is MOVEit DMZ 7.x rebranded so unless you’re using that too you won’t see a great deal! The improvements are great though and keep MOVEit at the front of the MFT industry.

  3. Steve Staden Steve Staden, CISSP
    Posted October 16, 2013 at 4:25 pm | Permalink

    David, thank you for your kind feedback, it is much appreciated. At the end of the year we plan to release MOVEit Central 8.0, which will allow you to adjust SSH encryption algorithms similar to MOVEit (DMZ) 8.0 for SSH hosts. Also, if you contact our support department (http://www.ipswitchft.com/company/contact.aspx?section=1) they can help you to make the changes today for HTTPS and FTPS hosts.

    Good idea on the feature suggestion, I will log that into our system for future consideration.

Leave a Reply

  • Subscribe to the Blog

  • Recent Posts

  • Steve Staden

    Steve Staden, CISSP is responsible for product line management and strategy. His broad skill-set includes general management, integration,PLM, SDLC, Agile/Scrum and computer security. Steve has worked with the MOVEit line of products for over 10 years and is an expert in all things MOVEit.

    Most recently Steve was the Director of Development and QA for the Ipswitch FT division. He led all development projects, processes and releases. Before that Steve worked as a Development Manager and Security Analyst leading small development teams on MessageWay, MOVEit and WS_FTP Server releases.

    Before Ipswitch, Steve worked for Standard Networks (acquired by Ipswitch in 2008) in the support and professional services area. He then created and led the QA department for Standard Networks as the QA Manager improving the automation and testing coverage. Steve has a B.S. degree in Computer Science and Finance from Northern Illinois University and an M.B.A. from University of Wisconsin.