Educause Security Discussion mailing list archives
Re: Secure file transfers
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Mon, 7 May 2007 09:28:12 -0400
Theresa,

For several reasons, mere FTP is inadequate for passing sensitive data. Firstly the login credentials are passed in clear text - secondly so is the data. One must use SFTP or some such encrypted mechanism for this - and it is all the better if you initiate the transfer from within your perimeter rather than having to leave an inbound port open so that an external entity can initiate the transfer.

Since you are passing credit card numbers, then you may be able to move your vendors toward a more secure position by referencing the requirements that are laid out in the PCI-DSS standard.

Best,
Dan Jones
IT Security Manager
UMass Worcester

-----Original Message-----
From: Theresa M Rowe [mailto:rowe () OAKLAND EDU]
Sent: Monday, May 07, 2007 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure file transfers

We have a big push for using outsourced ASP/data hosting services here. We have a strong policy for contract review, including a security review. We've been insisting on secure file transfer methods for data exchanges between the university and the vendor. We've accepted VPN or SFTP as methods for data exchange, especially for those contracts where the data exchanges include confidential data (we have a state law in Michigan that protects certain data such as social security numbers and credit card numbers). Data exposure (unauthorized access) of those data elements can result in a maximum $750,000 fine for the university.

We've been getting a push back from some vendors that "standard FTP" is secure enough. We've been saying it isn't good enough.

I am checking in on best practice. I'd appreciate your thoughts on this.

Thanks in advance - Theresa

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
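
An added example, not part of the original messages: a short Python audit of an FTP control-channel transcript that reports what a passive observer on the network path can read, which is the clear-text exposure described in the reply above. The transcript, host name, account and file name are constructed, and the second session (explicit FTPS via `AUTH TLS`, RFC 4217) is an assumption included only as a contrast case.

```python
import re

# Constructed sample: client (C:) and server (S:) lines from two FTP control
# connections on TCP/21, as a sniffer on the path would record them.
SAMPLE = """\
S: 220 ftp.vendor.example ready
C: USER univ_upload
S: 331 Password required
C: PASS Spring2007!
S: 230 Login successful
C: STOR cardholders.csv
---
S: 220 ftp.vendor.example ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

CMD = re.compile(r"^C:\s*(\w+)(?:\s+(.*))?$")
REPLY = re.compile(r"^S:\s*(\d{3})")

def audit_session(lines):
    """Return what a passive observer learns from one control connection."""
    seen = {"user": None, "password_exposed": False, "files": [], "tls": False}
    pending_auth = False
    for line in lines:
        line = line.strip()
        r = REPLY.match(line)
        if r:
            # 234 is the server accepting AUTH TLS; from here the channel is
            # encrypted, so nothing further would be readable on the wire.
            if pending_auth and r.group(1) == "234":
                seen["tls"] = True
                break
            pending_auth = False
            continue
        c = CMD.match(line)
        if not c:
            continue
        verb, arg = c.group(1).upper(), (c.group(2) or "")
        if verb == "AUTH":
            pending_auth = True
        elif verb == "USER":
            seen["user"] = arg
        elif verb == "PASS":
            seen["password_exposed"] = True  # the value is deliberately not kept
        elif verb in ("STOR", "RETR"):
            seen["files"].append(arg)
    return seen

def audit_capture(text):
    """Audit every session in a transcript; sessions are separated by '---'."""
    return [audit_session(s.splitlines()) for s in text.split("---\n")]
```

Calling `audit_capture(SAMPLE)` reports the account name, an exposed password and the transferred file name for the plain FTP session, and nothing but the TLS upgrade for the second.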