Re: Secure file transfers

[Alan Amesbury <amesbury () OITSEC UMN EDU>]

Wyman Miles wrote:

> Web-based drop-off location or something? (I can't reach the link)
> Cornell's got a homegrown app called dropbox that does what Rice's
> homegrown app, webfile did, that does what many campuses have built.
>
> Easier and safer to build your own with an SSL Web server than
> contract someone else to store your content.

Or maybe not.  Not every higher ed. institution here has locally
available the resources that an institution like Cornell has.  That
said, I agree it's going to tend to be safer if done carefully.  At
least on your own machine you physically control the hardware (in
particular, physical access to it).  You can take clear, auditable steps
to secure the platform against unauthorized access, too.  Generally
speaking, though, if your data's stored on someone else's hardware, it's
not really exclusively your data any more.

> If I'm going to use some 3rd party HTTPS drop-off location, I'm going
> to encrypt the content first.  And if I'm going to bother to encrypt
> the content first, I may as well just use any number of protocols to
> move it around.

Exactly!  This is why I think policy should address data at rest as
well.  For example, I note that their product provides "[s]ecure
transfer" but says nothing about protection while the data's at rest.


--
Alan Amesbury
OIT Security and Assurance
University of Minnesota