/
Moveware Infrastructure Security

Moveware Infrastructure Security

Owned by Michelle Russell
Sept 07, 2024
4 min read

Data Access Security 

The Moveware database can be accessed one of two ways, both of which require a user security validation. 

Unique User ID access 

The main way to access the database is through the Moveware application. To login into the system, a unique user ID and password combination is required. This ID and password combination can be configured by the client to meet certain complexity, renewal and historic values.  

Once the user has logged into the system, they are assigned a combination of access rights and functions (e.g. controlling what that user can view and or edit in the system). The security can be controlled in four different levels, listed below in order of hierarchy:  

  1. Global Changes via System Parameters – Certain functions in the system can be made available/unavailable through security settings in our system parameters screen. These changes affect all users.  

  2. Company level security (in a multi-company system, each user can be assigned view/write access to different companies created within the database) 
     

  3. Branch level security (in a multi-branch system, each user can be assigned view/write access to different branches created within the database)  

  4. Cost Centre level security (in a multi-cost centre system, each user can be assigned view/write access to different cost centres created within the database)  

  5. Menu Access – Each user can be controlled on what menus within the system are available to him or her based on the Group Security assigned to them  

  6. Group Security– Each user can be controlled on their sub menu, tab, and / or specific function rights based on predetermined security groups. This can work in combination with “1” above. 

  7. Additional Tasks Security – Certain additional functions in the system, such as indicating a job is non-chargeable, or viewing credit card details, can be protected with an additional password, which is validated when the user tries to complete the action associated with it. Security Groups also provides a similar ability. 

Note that changes to the above are event logged into the system, providing details such as the user account, date and time it was modified for transparency and therefore accountability. 

User access is controlled in a hierarchy fashion, starting with a top level of a Moveware Administrator access. The Moveware administrator login has full access to the entire system, including the users table, where other users can be created and controlled. This user cannot be modified and can only be used by Moveware employees.  

Due to the high-level access this user account is entrusted with, the password to login is reset every day.  This login password is generated by Moveware’s own support desk application, meaning that in the event of a departure of an employee at Moveware, he or she will immediately lose access to all Moveware databases. 

With the Moveware Administrator having the most security access, this is usually followed by one or more assigned client-based system administrators or client power users who have access to a subset of the Moveware Administrators functions. 

These administrators however do have access to create, activate, inactivate other users, and setup their level of secure access (based on the 7 bullet points above). 

They just do not have access to sensitive system parameters and features which may cause damage to database integrity or data if used incorrectly. 

Database Encryption 

Moveware version 8.0 and above is built upon Progress OpenEdge 11.6.3.  This version has the capability to encrypt the entire database with little overhead in server resources.  This feature is provided with extra licensing through Progress, making the ability available for clients to request implementation at an added cost.  This means that reading the contents of the database is impossible without the correct decryption keys. 

On sites that do not run encrypted databases, Moveware (version 8.0+) includes individual field encryption as default to sensitive data such as debtor/client credit card numbers.  

To reiterate, the above encryption is separate to entire database encryption, as this encryption is applied to specific fields.  This means anyone who views the contents of the database cannot read the value held in the credit card fields without the correct encryption key. 

Note: For majority of our clients whose database is not wholly encrypted (standard), the contents of the data cannot be easily accessed and exported due to restricted access to our database application tools and ODBC – the two main methods of exporting data. 

Editing the database files directly will not show data in clear text or data in a legible manner. 

Database Tools Access 

Although the databases on most sites are not wholly encrypted unless requested, clients do not have the ability to access the Database Tools made available to our Moveware staff which allows you to export data and run database passes against the system. 

Application Code 

The Moveware Application itself runs on compiled code – so users are not able to view the contents of the code.  The system also does not have the required Progress Licence installed to allow you to run uncompiled code, reducing further avenues of exploitation.  

Moveware Moveconnect System 

This system service provides key functions such as receiving quotes, MoveTransfer upload and importing, uploading maintenance logs and sending automated emails among other functions. 

Data downloaded or uploaded are pulled down via https calls to our Moveware web servers located on our hosted platform.  

ODBC Access 

For reporting, Moveware currently uses Crystal Reports – which requires OBDC access to our server every time it’s run.  Access to this requires credentials to be entered and additional credentials can be added and customised to restrict access to certain database tables. 

This is handy for clients who wish to create their own crystal reports in-house instead of via our Moveware staff and should not have access to all database table. 

Mobile App access and Web services (Web Portals) 

Moveware databases can also be accessed via our web services (if client has the required licence) – Moveware products such as MoveSurvey, MoveClient, MovePartner use this to retrieve and update data in real time. 

As of Moveware 8.0 our database has been upgraded to SHA256 standard security certificates.  This replace the old SHA1 standards that were available in Progress 10.1.  These old standards run out on January 2017, meaning websites can no longer access the Moveware web service over SSL.  The upgrade to SHA256 enables Moveware to keep SSL connections from website to the Moveware web service. 

Related content

Employee Security
Employee Security
Moveware Knowledge Base
More like this
Branch Management – Security
Branch Management – Security
Moveware Knowledge Base
More like this
User Management
User Management
Moveware Knowledge Base
More like this
Security Management
Security Management
Moveware Knowledge Base
More like this
Moveware Information Security
Moveware Information Security
Moveware Knowledge Base
More like this
EU Data Protection
EU Data Protection
Moveware Knowledge Base
More like this