Educause Security Discussion mailing list archives

Re: Secure file transfers


From: scott hollatz <shollatz () D UMN EDU>
Date: Mon, 7 May 2007 09:22:38 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have a big push for using outsourced ASP/data hosting services here.
We have a strong policy for contract review, including a security
review.

We've been insisting on secure file transfer methods for data exchanges
between the university and the vendor.  We've accepted VPN or SFTP as
methods for data exchange, especially for those contracts where the data
exchanges include confidential data (we have a state law in Michigan
that protects certain data such as social security numbers and credit
card numbers).  Data exposure (unauthorized access) of those data
elements can result in a maximum $750,000 fine for the university.

We've been getting a push back from some vendors that "standard FTP" is
secure enough.  We've been saying it isn't good enough.

I am checking in on best practice.  I'd appreciate your thoughts on this.

We push for SFTP (for the exchange) of encrypted data (they must decrypt
after exchange).  Some view this as draconian but generally works fine.

One problem with this, though, is some vendors, including the military,
claim they can decrypt when in fact they cannot due to company policy
constraints or other technical issues in running some crypto software,
and some can't even do SFTP without some coaching from our end.

If they cannot do SFTP then at least the file is encrypted and they can
download from the web or anonymous FTP; however, if they also cannot
decrypt then an in-person exchange is done.  All workarounds depend on
data volume, of course.

Thanks in advance -
Theresa
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

- --
scott hollatz                                        net shollatz () d UMn eDu
information technology systems and services          tel +1 218 726 8851
university of minnesota duluth mn usa                fax +1 218 726 7674
                                                                         --
                                              "Asn aD ta zlAp em uT zt33rg"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iD8DBQFGPzYz4og1WWfEVRsRAgOjAJ9LxIIQhmQT7ixTyob2s4/whR7H7ACcC/+w
TKB8VGAtqYQF9Z1neN+erBI=
=EcPG
-----END PGP SIGNATURE-----
