Educause Security Discussion mailing list archives

Re: Encrypting Data to Third Parties


From: "Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU>
Date: Tue, 28 Jul 2009 12:12:19 -0400

Hi Patty,



My first question to you would be: do you have an ongoing relationship with
the 3rd parties, or is the transfer a one-time event? That answer will
affect which method you ultimately choose. Are the transfers strictly email
attachments or would entire emails and/or larger files need to be
transferred?



If the requirement is to regularly send encrypted email as well as
attachments to regular 3rd parties, I would recommend GPG which is free or
PGP which is the commercial version. Both work with Outlook or other email
programs. It uses public key encryption and would require the exchange of
public keys.



http://www.gnupg.org/



Another option would be to use WinZip version 9 or higher. It has the ability
to encrypt zip files. The downside to this method is that the password must be
stronger and shared securely with the receiver and only the zip file is
encrypted.



http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html



If the requirement involves secure transfers on an irregular or one-time
basis, you could consider an FTP server. I would recommend using a *unix
system with vsftp in a chrooted environment in the DMZ. The challenge will
be creating/maintaining user accounts for the 3rd parties.



http://vsftpd.beasts.org/



All will involve user education and good strong passwords.



Hope that helps.

Lee Anne



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia
Sent: Tuesday, July 28, 2009 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Encrypting Data to Third Parties



In addition to the recent question about encrypting laptops, would anyone be
willing to share their encryption standards for sending confidential data to
third parties (i.e. excel spreadsheets and word docs to vendors, partners,
etc.)? Specifically, we are trying to determine if we should use SFTP or an
encryption program for encrypting sensitive attachments and/or e-mail.



1. Are you using SFTP? If so, do you house the SFTP site internally or
is it hosted?

2. If you do not use SFTP, which file encryption tool are you using?
Is it centralized or do you require departments to purchase it on their own?

3. Are you using Public Key Encryption?

4. Does the tool encrypt the e-mail, the attachment or both?

5. Any other advice you can offer.



Thank you in advance for any information you can provide.



Patty



Patty Patria

Chief Security Administrator | Bentley University

175 Forest Street, Waltham, MA 02452 |781.891.2364


