Educause Security Discussion mailing list archives
Re: Secure file transfers
From: Brian Epstein <bepstein () IAS EDU>
Date: Mon, 7 May 2007 09:10:33 -0400
On Mon, 2007-05-07 at 08:54 -0400, Theresa M Rowe wrote:
We've been getting a push back from some vendors that "standard FTP" is secure enough. We've been saying it isn't good enough. I am checking in on best practice. I'd appreciate your thoughts on this.
Theresa,

I have had vendors insist upon using standard FTP before. When in this situation, I've pushed to use file encryption and signing to ensure the integrity of the transfer. The problem is, an attacker could still gather data on times of transfer, file size and quantity information (along with filenames and login information).

Without proper protection on the FTP server, it could allow for folks to download old files. Once they have them, it opens the door for cryptanalysis. I would ask the vendor if you could plan and execute a penetration test of their FTP server.

If none of these are acceptable, I would see if your school could set up a dropbox that the vendor could connect to retrieve the file. That way, you would be in control of the security techniques.

Of course, at the end of the day, once the vendor has the information, they will no doubt unencrypt it for use. What are their handling policies and procedures once they have the file? If they are unwilling to secure the transfer of the file, what else are they unwilling to do to protect your data?

Lastly, a proper data analysis for value needs to be performed. Perhaps you can send them a subset of data that is less confidential or valuable that can still get the job done.

If you still find that you cannot guarantee the protection of the data, I agree with Tim, run away, or get a really, really good insurance plan :)

Thanks,
Brian Epstein

--
Brian Epstein <bepstein () ias edu> 609-734-8179
Network and Security Officer
Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE 4734 6117 4C25 0371 C12A
Attachment:
signature.asc
Description: This is a digitally signed message part