Educause Security Discussion mailing list archives

Re: Secure file transfers


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Mon, 7 May 2007 09:28:12 -0400

Theresa, 

For several reasons, mere FTP is inadequate for passing sensitive data. 

Firstly the login credentials are passed in clear text - secondly so is
the data. One must use SFTP or some such encrypted mechanism for this -
and it is all the better if you initiate the transfer from within your
perimeter rather than having to leave an inbound port open so that an
external entity can initiate the transfer. 

Since you are passing credit card numbers, then you may be able to move
your vendors toward a more secure position by referencing the
requirements that are laid out in the PCI-DSS standard. 

Best,
Dan Jones
IT Security Manager
UMass Worcester


-----Original Message-----
From: Theresa M Rowe [mailto:rowe () OAKLAND EDU] 
Sent: Monday, May 07, 2007 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Secure file transfers

We have a big push for using outsourced ASP/data hosting services here.
We have a strong policy for contract review, including a security
review.

We've been insisting on secure file transfer methods for data exchanges
between the university and the vendor.  We've accepted VPN or SFTP as
methods for data exchange, especially for those contracts where the data
exchanges include confidential data (we have a state law in Michigan
that protects certain data such as social security numbers and credit
card numbers).  Data exposure (unauthorized access) of those data
elements can result in a maximum $750,000 fine for the university.

We've been getting a push back from some vendors that "standard FTP" is
secure enough.  We've been saying it isn't good enough.  

I am checking in on best practice.  I'd appreciate your thoughts on
this.

Thanks in advance -
Theresa
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology
Services
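
The point in the reply above that FTP passes login credentials in clear text, shown as an added example that is not part of the original thread: a review check that reads captured control-channel bytes and reports what is readable without any key. The host name, account, password, file name and SSH bytes are constructed samples, and `cleartext_ftp_findings` is a hypothetical helper name.

```python
import re

# Constructed sample: bytes of an FTP control channel (TCP port 21) as they
# would appear in a capture. Host, account, password and file are made up.
SAMPLE_FTP_CONTROL = (
    b"220 ftp.vendor.example FTP server ready\r\n"
    b"USER univ_batch\r\n"
    b"331 Password required for univ_batch\r\n"
    b"PASS Spring2007!\r\n"
    b"230 User univ_batch logged in\r\n"
    b"STOR cardholder_export.csv\r\n"
    b"150 Opening BINARY mode data connection\r\n"
)

# Constructed sample: an SSH version banner (SFTP runs over SSH) followed by
# stand-in bytes for the encrypted part of the session.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_4.3\r\n" + bytes(range(200, 232))

# FTP commands are plain ASCII lines, so a line-anchored match is enough.
FTP_CMD = re.compile(rb"^(USER|PASS|STOR|RETR) +([^\r\n]*)",
                     re.IGNORECASE | re.MULTILINE)

def cleartext_ftp_findings(stream: bytes) -> dict:
    """Report FTP login and transfer commands readable in a byte stream.

    The password itself is never returned, only its length, so the report
    can be attached to a vendor security review without leaking it again.
    """
    findings = {"user": None, "password_length": 0, "transfers": []}
    for verb, arg in FTP_CMD.findall(stream):
        verb = verb.upper().decode("ascii")
        text = arg.decode("latin-1")
        if verb == "USER":
            findings["user"] = text
        elif verb == "PASS":
            findings["password_length"] = len(text)
        else:  # STOR / RETR reveal which files moved, and in which direction
            findings["transfers"].append(f"{verb} {text}")
    return findings

if __name__ == "__main__":
    print("FTP :", cleartext_ftp_findings(SAMPLE_FTP_CONTROL))
    print("SSH :", cleartext_ftp_findings(SAMPLE_SSH))
```

The file contents travel on FTP's separate data connection, which is equally unencrypted; this check covers only the control channel.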
