Educause Security Discussion mailing list archives

Re: Secure file transfers


From: Brian Epstein <bepstein () IAS EDU>
Date: Mon, 7 May 2007 09:10:33 -0400

On Mon, 2007-05-07 at 08:54 -0400, Theresa M Rowe wrote:
> We've been getting a push back from some vendors that "standard FTP"
> is secure enough.  We've been saying it isn't good enough.
>
> I am checking in on best practice.  I'd appreciate your thoughts on this.

Theresa,

        I have had vendors insist upon using standard FTP before.  When in this
situation, I've pushed to use file encryption and signing to ensure the
integrity of the transfer.  The problem is, an attacker could still
gather data on times of transfer, file size and quantity information
(along with filenames and login information).

        Without proper protection on the FTP server, it could allow for folks
to download old files.  Once they have them, it opens the door for
cryptanalysis.

        I would ask the vendor if you could plan and execute a penetration test
of their FTP server.

        If none of these are acceptable, I would see if your school could set up
a dropbox that the vendor could connect to retrieve the file.  That way,
you would be in control of the security techniques.

        Of course, at the end of the day, once the vendor has the information,
they will no doubt unencrypt it for use.  What are their handling
policies and procedures once they have the file?  If they are unwilling
to secure the transfer of the file, what else are they unwilling to do
to protect your data?

        Lastly, a proper data analysis for value needs to be performed.
Perhaps you can send them a subset of data that is less confidential or
valuable that can still get the job done.

        If you still find that you cannot guarantee the protection of the data,
I agree with Tim, run away, or get a really, really good insurance
plan :)

Thanks,
Brian Epstein

-- 
Brian Epstein <bepstein () ias edu>                        609-734-8179
Network and Security Officer            Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE  4734 6117 4C25 0371 C12A
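
Added example, not part of the original message: a short Python sketch of what a passive observer still learns from a standard FTP session even when the file itself is encrypted and signed, as the reply above describes. The capture is constructed sample data (user name, password, filenames and byte counts are made up), and `observe` is a hypothetical helper name.

```python
# Constructed sample of a plaintext FTP session (not a real capture).
# Direction "C" = client command, "S" = server reply on the control channel,
# "D" = number of bytes seen on the data connection (payload is PGP-encrypted).
CAPTURE = [
    ("2007-05-07 02:00:01", "C", "USER vendor_batch"),
    ("2007-05-07 02:00:01", "S", "331 Password required"),
    ("2007-05-07 02:00:02", "C", "PASS example-password"),
    ("2007-05-07 02:00:02", "S", "230 Login successful"),
    ("2007-05-07 02:00:03", "C", "STOR payroll_2007-05.csv.pgp"),
    ("2007-05-07 02:00:04", "D", "32768"),
    ("2007-05-07 02:00:05", "D", "15445"),
    ("2007-05-07 02:00:06", "S", "226 Transfer complete"),
    ("2007-05-07 02:00:07", "C", "STOR payroll_2007-05.csv.pgp.sig"),
    ("2007-05-07 02:00:07", "D", "1024"),
    ("2007-05-07 02:00:08", "S", "226 Transfer complete"),
]


def observe(capture):
    """Return the metadata visible on the wire without decrypting any file."""
    seen = {"user": None, "password": None, "transfers": []}
    pending = None  # transfer whose data-channel bytes are being counted
    for ts, direction, line in capture:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                seen["user"] = arg
            elif verb == "PASS":
                seen["password"] = arg  # sent in clear by standard FTP
            elif verb in ("STOR", "RETR"):
                pending = {"time": ts, "verb": verb, "name": arg, "bytes": 0}
                seen["transfers"].append(pending)
        elif direction == "D" and pending is not None:
            pending["bytes"] += int(line)  # size leaks despite encryption
    return seen


if __name__ == "__main__":
    result = observe(CAPTURE)
    print("login:", result["user"], "/", result["password"])
    for t in result["transfers"]:
        print(t["time"], t["verb"], t["name"], t["bytes"], "bytes")
```

File-level encryption protects only the contents; the login, filenames, sizes, counts and timing listed here need an encrypted transport to hide.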
