Educause Security Discussion mailing list archives

Re: Encrypting Data to Third Parties

From: Yonesy Nunez <Yonesy.Nunez () NEWSCHOOL EDU>
Date: Tue, 28 Jul 2009 12:22:09 -0400

Hello Patty,

We use the Accellion product Filesender.  The reality of using public
key infrastructure is that not that many people actually use it
(evidenced by the number of e-mails that come to this list, 1 out of 20
posters use PKI).  Add to that the fact that some maybe using PGP, GPG,
certificates and you have very difficult problem.  Now, some answers to
your specific questions based on the solution we use:

1.  Accellion uses and SFTP like system (which in turn uses the OpenSSL
suite of products)
2.  The files are hosted at your site and are encrypted in transit
(SSL/TLS)
3.  SSL public key encryption (you need a Third Party certificate)
4.  File is stored on your secured server and retrieved securely by the
intended recipient (the recipient has to sign-up for the your local
Filesender service)
5.  For us, this was the best solution based on mitigating real risk to
the sensitive documents we are transmitting.  Overall, this product has
been a hit at our University.

I hope this helps.  Don't hesitate to contact me directly if you'd like
to discuss further.

Best regards,

Yonesy

--
Yonesy F. Nuñez | THE NEW SCHOOL
Director, Information Security
55 W 13th Street, Rm 705 
New York, NY 10003
P| 212.229.5600 x4728
E| yonesy.nunez () newschool edu

"Patria, Patricia" <PPatria () BENTLEY EDU> 7/28/2009 11:44 AM >>>

In addition to the recent question about encrypting laptops, would
anyone be willing to share their encryption standards for sending
confidential data to third parties (i.e. excel spreadsheets and word
docs to vendors, partners, etc.)? Specifically, we are trying to
determine if we should use SFTP or an encryption program for encrypting
sensitive attachments and/or e-mail.


1.       Are you using SFTP? If so, do you house the SFTP site
internally or is it hosted?

2.       If you do not use SFTP, which file encryption tool are you
using? Is it centralized or do you require departments to purchase it on
their own?

3.       Are you using Public Key Encryption?

4.       Does the tool encrypt the e-mail, the attachment or both?

5.       Any other advise you can offer.

Thank you in advance for any information you can provide.

Patty

Patty Patria
Chief Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 |781.891.2364

Current thread:

Encrypting Data to Third Parties Patria, Patricia (Jul 28)
- <Possible follow-ups>
- Re: Encrypting Data to Third Parties Hart, Lee Anne (Jul 28)
- Re: Encrypting Data to Third Parties Yonesy Nunez (Jul 28)
- Re: Encrypting Data to Third Parties James Cooley (Jul 28)
- Re: Encrypting Data to Third Parties Sean Maher (Jul 28)