Through the years my role at Ipswitch has changed from someone taking front-line calls, going to customer sites and working with the engineering staff to someone who is responsible for the “health” of the MOVEit product. During this time a lot has changed in the market as well. As an example, in the past ten years I have seen the ability to secure FTP go from a “nice-to-have” to a “must-have”, including transporting files securely along with applying security at rest. These days organizations are a lot more focused on services they sign up for and the security risk they represent. As a result, they ask more detailed questions about managed file transfer security like “What encryption and hashing algorithms are being used?,” and also ask third parties to audit the services for compliance. In my opinion, now more than ever, administrators need products they can trust with sensitive data.
In my opinion security is to MFT what location is to real estate, which is of course to say paramount. As I sat down to write this post, I tried to imagine transferring files without any security or controls. To me that seems absurd because businesses move files to get work done and people lose jobs when the proper security or control is not in place.
The truth is, software needs to do more to protect all the sensitive information that is exchanged. Just as the security triad of confidentiality, integrity and availability has evolved, so must software, along with the way it is built. That was a hard realization when we started working on the MOVEit 8.0 release. We understood that we needed to adapt to the changing landscape and get ahead of our customers’ audit and compliance issues.
With that in mind, I created the following cheat sheet to help those interested in making MFT software (whether MOVEit or another product) more secure.
Based on my experience, here are eight steps administrators should take:
1. Harden the host machine, or run a trusted tool to harden it.
2. Enable the strongest password policy allowed by the organization and expire passwords on a routine basis. If possible, utilize secure, external authentication such as LDAP to centrally manage and control passwords.
3. Set expiration policies and lockout policies on all accounts. Also, enable any system-level whitelist or similar functionality to block password-harvesting scripts.
4. Constrain external traffic to secure ports like TCP/443, TCP/22 and disable non-secure FTP in favor of explicit FTP over SSL/TLS or implicit FTP over SSL/TLS. Minimize the attack surface to only the necessary services and use those services in the most secure way.
5. Use FIPS mode, if possible, and/or disable weak SSH and SSL algorithms. This allows administrators to use only the strongest security.
6. Configure and review built-in security audit reports on a regular basis.
7. Utilize two-factor authentication like SSL certificates if possible for additional security.
8. Enable user sessions to expire after a set amount of inactivity. This prevents anyone from gaining access from an open browser that is unattended.
While the best practices above help improve an organization’s overall security posture, we’ve built software improvements into the latest release of MOVEit that augment these operational changes to further increase security, Specifically, MOVEit 8.0 incorporates the following:
1. OWASP Top Ten – For as long as I can remember, we have focused on standards for MOVEit, like the RFC for securing FTP using TLS. Enter the OWASP Top Ten, a consensus document of the top web application vulnerabilities to eliminate in software. MOVEit now has all the latest protection against these common issues like cross-site scripting (XSS) and injection attacks and more, which is one tenet of PCI DSS 2.0. In a future post, I’ll elaborate on OWASP.
2. Transport Encryption Algorithm Control – Now MOVEit administrators can enable/disable weak transport encryption algorithms for FTP over SSL and SFTP. These options, coupled with the ability to enable FIPS, allow administrators the control they need for secure file transfers both now and in the future. They can also regulate the system to only use the most secure transmission between users and partners.
3. MOVEit Security Tool – We have improved the MOVEit Security Tool “SecAux” which was initially created to help administrators easily harden their machines without having to run through the registry and local security policy. The tool is run during installation (or can be run manually) and makes it easier for overburdened administrators to apply security policies.
4. Improved Security Process and Tools – A year ago we realized we needed to improve the way we think about and securely develop our software. So we set out to utilize the best tools available, formalize processes and engage a third party to validate our work. It is by no means perfection, but I think MOVEit 8.0 reflects the continued commitment to the best-in-class security MOVEit has been known for over a decade.
All of these security improvements and more are included in MOVEit 8.0 to give businesses and administrators the confidence they need in an enterprise-class managed file transfer solution where security is paramount. There is of course more in MOVEit 8.0 and I encourage those interested to review the release notes as I’ve just given an overview of what’s available.
Lastly, I wouldn’t be true to my Midwest roots unless I thanked you for taking the time to read my post. I welcome your comments and plan to write again soon, so please check back.