Educause Security Discussion mailing list archives

Re: Secure file transfers


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 7 May 2007 08:08:40 -0700

Hi Theresa,

You mentioned:

#We've been insisting on secure file transfer methods for data exchanges
#between the university and the vendor.  We've accepted VPN or SFTP as
#methods for data exchange, especially for those contracts where the data
#exchanges include confidential data (we have a state law in Michigan that
#protects certain data such as social security numbers and credit card
#numbers).  Data exposure (unauthorized access) of those data elements can
#result in a maximum $750,000 fine for the university.
#
#We've been getting a push back from some vendors that "standard FTP" is
#secure enough.  We've been saying it isn't good enough.

You're right to say that regular FTP isn't good enough, and others have
already outlined why, but you may want to go beyond that:

-- for example, you mentioned that you accept a VPN as providing adequate
   transport security, but keep in mind that:

   -- a VPN isn't an end-to-end encrypted path: you only encrypt from the
      VPN client to the VPN concentrator, with traffic from the concentrator
      on being unencrypted... Depending on the nature of that final
      bit of unencrypted path, you may still have an issue, even with a
      VPN in use for most of the way

   -- something's still moving the data within the VPN; it may be worth
      identifying what application is being used at that point because
      sometimes batch jobs in particular may be prone to passwords being
      written into scripts... speaking of passwords...

-- sftp or scp handles encrypting the data in transit, but as deployed by
   many folks, those products still rely on passwords for auth; if the
   passwords in use are weak, sftp or scp can still be successfully
   targeted for brute force password guessing attacks... at least some
   ssh/scp/sftp clients will allow you to use public keys or SecurID
   instead, and for sensitive data backed up by a $750K penalty hammer,
   I think I'd be thinking about whether something better than plain
   passwords makes sense

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own
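
One way to check the point above about sftp/scp deployments that still accept passwords, as an added example that is not part of the original message: a small Python audit of OpenSSH `sshd_config` text. The sample configs, the `vendor_xfer` account and the function names are constructed for illustration, and `Include` files are not followed.

```python
import re

# OpenSSH defaults when a keyword is absent from sshd_config.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configs (not taken from any real host).
WEAK = "Subsystem sftp internal-sftp\nMatch User vendor_xfer\n  ForceCommand internal-sftp\n"
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "PasswordAuthentication yes\n")  # later duplicate is ignored by sshd
REOPENED = HARDENED + "Match Address 192.0.2.0/24\n  PasswordAuthentication yes\n"

def parse(config_text):
    """Return (global_settings, [(match_criteria, overrides), ...])."""
    glob, blocks = {}, []
    current = glob
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        key = ALIASES.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                  # following lines apply to this block only
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value.lower())  # first value obtained wins
    return glob, blocks

def audit(config_text):
    """List (scope, finding) pairs where a password-style login is still possible."""
    glob, blocks = parse(config_text)
    scopes = [("global", glob)]
    # A Match block overrides the global section for connections it matches.
    scopes += [("Match " + crit, {**glob, **over}) for crit, over in blocks]
    findings = []
    for scope, settings in scopes:
        eff = {k: settings.get(k, d) for k, d in DEFAULTS.items()}
        # keyboard-interactive usually means PAM: a password prompt or a token prompt.
        for key in ("passwordauthentication", "kbdinteractiveauthentication"):
            if eff[key] != "no":
                findings.append((scope, key + " enabled"))
        if eff["pubkeyauthentication"] == "no":
            findings.append((scope, "pubkeyauthentication disabled"))
    return findings
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check; this parser is only for reviewing a config file offline.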
