Educause Security Discussion mailing list archives
Re: Secure file transfers
From: scott hollatz <shollatz () D UMN EDU>
Date: Mon, 7 May 2007 09:22:38 -0500
We have a big push for using outsourced ASP/data hosting services here. We have a strong policy for contract review, including a security review. We've been insisting on secure file transfer methods for data exchanges between the university and the vendor. We've accepted VPN or SFTP as methods for data exchange, especially for those contracts where the data exchanges include confidential data (we have a state law in Michigan that protects certain data such as social security numbers and credit card numbers). Data exposure (unauthorized access) of those data elements can result in a maximum $750,000 fine for the university. We've been getting a push back from some vendors that "standard FTP" is secure enough. We've been saying it isn't good enough. I am checking in on best practice. I'd appreciate your thoughts on this.
We push for SFTP (for the exchange) of encrypted data (they must decrypt after exchange). Some view this as draconian but it generally works fine. One problem with this, though, is some vendors, including the military, claim they can decrypt when in fact they cannot due to company policy constraints or other technical issues in running some crypto software, and some can't even do SFTP without some coaching from our end. If they cannot do SFTP then at least the file is encrypted and they can download from the web or anonymous FTP; however, if they also cannot decrypt then an in-person exchange is done. All workarounds depend on data volume, of course.
Thanks in advance - Theresa

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
--
scott hollatz    net shollatz () d UMn eDu
information technology systems and services    tel +1 218 726 8851
university of minnesota duluth mn usa    fax +1 218 726 7674
--
"Asn aD ta zlAp em uT zt33rg"
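Added example, not part of the original message: one way to script the encrypt-then-SFTP exchange described in the reply above, so the file stays protected whichever transport ends up carrying it. It assumes GnuPG and OpenSSH `sftp`; the function names, key ID, host and directory are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Key ID, host and paths are placeholders.

# Encrypt a file to the vendor's public key; writes "$1.gpg".
# Assumes the vendor key is already imported and its fingerprint was
# verified out of band, otherwise gpg refuses to use it in batch mode.
encrypt_for_vendor() {
    src=$1; recipient=$2
    gpg --batch --yes --recipient "$recipient" \
        --output "$src.gpg" --encrypt "$src"
}

# Write an sftp batch file that uploads under a temporary name and renames
# only after the put succeeded, so the vendor never picks up a partial file.
# In batch mode sftp aborts at the first failing put/rename.
make_sftp_batch() {
    local_file=$1; remote_dir=$2; batch=$3
    name=$(basename "$local_file")
    {
        printf 'put "%s" "%s/%s.part"\n' "$local_file" "$remote_dir" "$name"
        printf 'rename "%s/%s.part" "%s/%s"\n' \
            "$remote_dir" "$name" "$remote_dir" "$name"
    } > "$batch"
}

# Upload only the encrypted artifact; refuse anything that is not *.gpg.
send_encrypted() {
    file=$1; target=$2; remote_dir=$3
    case $file in
        *.gpg) ;;
        *) echo "refusing to send unencrypted file: $file" >&2; return 1 ;;
    esac
    batch=$(mktemp) || return 1
    make_sftp_batch "$file" "$remote_dir" "$batch"
    rc=0
    # BatchMode=yes forces key-based auth and fails instead of prompting.
    sftp -o BatchMode=yes -b "$batch" "$target" || rc=$?
    rm -f "$batch"
    return $rc
}

# Usage (placeholders):
#   encrypt_for_vendor export.csv VENDOR_KEY_ID &&
#   send_encrypted export.csv.gpg univ@sftp.vendor.example incoming
```
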