SFTP Access Setup

Overview

Moveworks uses the Secure File Transfer Protocol (SFTP) service to securely transfer data. By default, SFTP uses the SSH protocol (Port 22) to authenticate and establish a secure connection. For this use case, Moveworks requires you to create an SSH key pair (set up SSH keys) and share the public key with the relevant Moveworks point of contact. In return, Moveworks will provide you with a user account on the SFTP server that is associated with the SSH key you provided. This will allow Moveworks to provide you with ongoing access to the data.

Moveworks SFTP Endpoints

Region | SFTP Endpoint
Moveworks Commercial | sftp.moveworks.io
Moveworks GovCloud | sftp.moveworksgov.com
Moveworks Canada | sftp.am-ca-central.moveworks.com
Moveworks EU | sftp.am-eu-central.moveworks.com
Moveworks AU | sftp.am-ap-southeast.moveworks.com

SFTP Port: Port 22

Username: [will be provided by Moveworks]

Data Security

  • Customer Data is stored in a dedicated, isolated, and encrypted S3 Bucket.
  • Customer Data is always encrypted at rest with unique and dedicated AWS KMS keys per customer.
  • Customer Data is always encrypted in transit via AWS SFTP Service.

Customer Requirements to Get Access

  • File a support ticket with Moveworks that includes your public SSH key (the default key generated by the ssh-keygen command is 3072-bit RSA).
  • Configure an SFTP client or command line tool to connect to the Moveworks SFTP endpoint.

FAQ

Q: What is included in the daily data export?

A: The data dictionary for the SFTP data export can be found in the SFTP guide.

Q: How long will historical data be available via SFTP?

A: We only delete data upon customer request.

Q: Does Moveworks support PGP Encryption?

A: This is not supported, as Moveworks already has an encryption policy for data at rest. Moveworks currently leverages AWS’ SFTP service, which is integrated with and supported by S3. Data is always encrypted at rest, and Moveworks uses S3 bucket encryption with a unique and dedicated per-customer KMS key to enforce Moveworks’ encryption policy.

Q: How do I create an SSH Key and why should I use one?

A: Give Moveworks a copy of your public SSH key that you’ll use to authenticate to our SFTP server. This should be associated with the corresponding private SSH key that you use for authenticating into the server. Authenticating with an SSH key pair ensures that only you can access your data. For instructions on generating an SSH key pair and copying the public key, many how-to articles are available, such as this one from Google support: https://support.google.com/youtube/answer/3071034?hl=en

Q: Which encryption algorithms can I use?

A: Moveworks supports RSA, ECDSA, and Ed25519.

Q: How do I connect to Moveworks SFTP Service?

A: Use an SFTP client or command line tool. There are many SFTP clients available. Instructions for one such client can be found here: https://support.google.com/youtube/answer/3079012?hl=en&ref_topic=3070553
If you prefer to use an SFTP command line tool, instructions can be found here: https://docs.oracle.com/cd/E26502_01/html/E29001/remotehowtoaccess-14.html
You can also use the following command in a terminal to access the SFTP Server manually:

sftp -i ~/.ssh/id_rsa <your_organization_name>@sftp.moveworks.io

Q: What is the public host key for our SFTP validation?

A: We provide the host key fingerprint below so that clients can verify that they are connecting to the correct server:

SHA256:UsbzdYuhL1K6n5KlKHk3pZVkD/MOpl1FesyIzOve/+8=
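One way to check a scanned host key against the fingerprint above (an added example, not Moveworks' own code). The fingerprint on this page ends in "=" base64 padding, while OpenSSH prints SHA256 fingerprints without it, so a plain string comparison fails even for the right key. The function names and the sample key line are assumptions constructed for this illustration.

```python
import base64
import hashlib
import struct

# Host key fingerprint as published on this page (base64 with "=" padding).
PUBLISHED_FP = "SHA256:UsbzdYuhL1K6n5KlKHk3pZVkD/MOpl1FesyIzOve/+8="

def normalize_fp(fp: str) -> str:
    """Strip base64 padding so padded and OpenSSH-style values compare equal."""
    algo, sep, value = fp.strip().partition(":")
    if algo != "SHA256" or not sep:
        raise ValueError("expected a SHA256:<base64> fingerprint")
    return "SHA256:" + value.rstrip("=")

def fingerprint(key_line: str) -> str:
    """Fingerprint a '<host> <keytype> <base64 key>' line (known_hosts layout)."""
    fields = key_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupt or was edited by hand.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(key_line: str, expected_fp: str = PUBLISHED_FP) -> bool:
    """True only if the presented key hashes to the expected fingerprint."""
    return fingerprint(key_line) == normalize_fp(expected_fp)

# Constructed sample: a structurally valid Ed25519 blob with dummy key bytes.
# It is NOT the real Moveworks host key, so the check must reject it.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = "sftp.example.test ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE))
    print("matches published fingerprint:", host_key_matches(SAMPLE_LINE))
```

In practice, pass it a line from ssh-keyscan output for your region's endpoint before adding that line to known_hosts, and stop if the check returns False.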

Q: Who will receive our keys?

A: Do not share your private key with anyone. Moveworks requires only your public key to grant access to the SFTP bucket.

Q: What if I need to upload user data to Moveworks via SFTP?

A: To send Moveworks identity data, upload it to the directory uploads/user_identity_data/. Data should be provided as a CSV in the following format, for example:

email, field1, field2
[email protected], value1, value2 

The file name should be Users_{Date}.csv. For example, if the file is uploaded on May 18th, 2023, the file name should be Users_20230518.csv.

Q: If my files do not transfer completely over SFTP, will I be alerted?

A: Yes, Moveworks will alert you if the pipeline fails, does not complete, does not start on time, or if the pipeline’s source has no data.