Educause Security Discussion mailing list archives
Re: Secure file transfers
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 7 May 2007 08:08:40 -0700
Hi Theresa,

You mentioned:

#We've been insisting on secure file transfer methods for data exchanges
#between the university and the vendor. We've accepted VPN or SFTP as
#methods for data exchange, especially for those contracts where the data
#exchanges include confidential data (we have a state law in Michigan that
#protects certain data such as social security numbers and credit card
#numbers). Data exposure (unauthorized access) of those data elements can
#result in a maximum $750,000 fine for the university.
#
#We've been getting a push back from some vendors that "standard FTP" is
#secure enough. We've been saying it isn't good enough.

You're right to say that regular FTP isn't good enough, and others have already outlined why, but you may want to go beyond that:

-- for example, you mentioned that you accept a VPN as providing adequate transport security, but keep in mind that:

-- a VPN isn't an end-to-end encrypted path: you only encrypt from the VPN client to the VPN concentrator, with traffic from the concentrator on being unencrypted... Depending on the nature of that final bit of unencrypted path, you may still have an issue, even with a VPN in use for most of the way

-- something's still moving the data within the VPN; it may be worth identifying what application is being used at that point because sometimes batch jobs in particular may be prone to passwords being written into scripts... speaking of passwords...

-- sftp or scp handles encrypting the data in transit, but as deployed by many folks, those products still rely on passwords for auth; if the passwords in use are weak, sftp or scp can still be successfully targeted for brute force password guessing attacks... at least some ssh/scp/sftp clients will allow you to use public keys or SecureID instead, and for sensitive data backed up by a $750K penalty hammer, I think I'd be thinking about whether something better than plain passwords makes sense

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/

Disclaimer: all opinions strictly my own
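The two SFTP points raised in the message above (password-only authentication on the server, and password guessing against it) can be checked from the defender's side with a small audit script. The following is an added example, not code from the original post or from the Educause list; the sshd_config fragments, the hostname `sftp-gw`, the user `vendorxfer`, the group `sftponly` and the auth.log lines are all constructed samples, and the only OpenSSH directives used (`PasswordAuthentication`, `PubkeyAuthentication`, `PermitRootLogin`, `Subsystem`, `Match`, `ChrootDirectory`, `ForceCommand`) are real ones. The script audits a config for password-based login and counts failed password attempts per source address in syslog-style sshd output.

```python
"""Defender-side checks for SFTP over SSH: is password authentication still
enabled, and is anyone guessing passwords against the gateway?

Added example, not code from the original mailing-list post. The config
fragments and log lines below are constructed samples, not data from any
real host.
"""
import re
from collections import Counter

# Constructed sshd_config fragment with the weak (password-only) settings.
WEAK_SSHD_CONFIG = """
Port 22
PasswordAuthentication yes
PubkeyAuthentication no
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed hardened fragment: keys only, SFTP-only users confined to a chroot.
# The group name 'sftponly' and the path /srv/sftp are assumptions for the example.
HARDENED_SSHD_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global directives of an sshd_config.

    Parsing stops at the first Match block, because settings inside Match
    apply conditionally and should be audited separately.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'match':
            break
        settings[key] = value
    return settings


def audit_sshd_config(text):
    """Return a list of findings about password-based login.

    Assumption (labelled): when a directive is absent, OpenSSH's defaults of
    PasswordAuthentication yes and PubkeyAuthentication yes are applied.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get('passwordauthentication', 'yes').lower() == 'yes':
        findings.append('PasswordAuthentication is enabled; server accepts password guessing')
    if s.get('pubkeyauthentication', 'yes').lower() != 'yes':
        findings.append('PubkeyAuthentication is disabled; clients cannot use keys')
    if s.get('permitrootlogin', '').lower() == 'yes':
        findings.append('PermitRootLogin yes allows password login as root')
    return findings


# Constructed auth.log lines in the shape OpenSSH writes through syslog.
SAMPLE_AUTH_LOG = """\
May  7 08:01:02 sftp-gw sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
May  7 08:01:03 sftp-gw sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
May  7 08:01:04 sftp-gw sshd[4121]: Failed password for root from 198.51.100.23 port 51024 ssh2
May  7 08:01:05 sftp-gw sshd[4122]: Failed password for root from 198.51.100.23 port 51025 ssh2
May  7 08:01:06 sftp-gw sshd[4123]: Failed password for vendorxfer from 198.51.100.23 port 51026 ssh2
May  7 08:01:07 sftp-gw sshd[4124]: Failed password for vendorxfer from 198.51.100.23 port 51027 ssh2
May  7 08:02:10 sftp-gw sshd[4130]: Accepted publickey for vendorxfer from 203.0.113.7 port 40011 ssh2
May  7 08:03:15 sftp-gw sshd[4131]: Failed password for vendorxfer from 203.0.113.9 port 40012 ssh2
May  7 08:03:20 sftp-gw sshd[4132]: Accepted password for vendorxfer from 203.0.113.9 port 40013 ssh2
"""

FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(\S+) from (\S+) port \d+')
ACCEPTED_RE = re.compile(r'Accepted (\w+) for (\S+) from (\S+) port \d+')


def failed_password_sources(log_text, threshold=5):
    """Return {source_ip: count} for sources with at least `threshold` failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def password_logins(log_text):
    """Return [(user, source_ip)] for sessions accepted with a password instead of a key."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == 'password':
            hits.append((m.group(2), m.group(3)))
    return hits


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_SSHD_CONFIG), ('hardened', HARDENED_SSHD_CONFIG)):
        print(name, 'config findings:', audit_sshd_config(cfg) or 'none')
    print('sources over threshold:', failed_password_sources(SAMPLE_AUTH_LOG))
    print('successful password logins:', password_logins(SAMPLE_AUTH_LOG))
```

Run on the constructed samples, the weak config yields three findings and the hardened one none; the log shows one address with six failed password attempts and one account (`vendorxfer`) that still logged in with a password from a second address, which is exactly the account you would migrate to key-based authentication first.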
Current thread:
- Secure file transfers Theresa M Rowe (May 07)
- <Possible follow-ups>
- Re: Secure file transfers Winders, Timothy A (May 07)
- Re: Secure file transfers Brian Epstein (May 07)
- Re: Secure file transfers Ken Connelly (May 07)
- Re: Secure file transfers Glenn Forbes Fleming Larratt (May 07)
- Re: Secure file transfers Jones, Dan (May 07)
- Re: Secure file transfers Valdis Kletnieks (May 07)
- Re: Secure file transfers scott hollatz (May 07)
- Re: Secure file transfers Cal Frye (May 07)
- Re: Secure file transfers Joe St Sauver (May 07)
- Re: Secure file transfers Harrold Ahole (May 07)
- Re: Secure file transfers scott hollatz (May 07)
- Re: Secure file transfers Matthew Keller (May 07)
- Re: Secure file transfers Samuel Young (May 07)
- Re: Secure file transfers Ken Connelly (May 07)
- Re: Secure file transfers Wyman Miles (May 07)
- Re: Secure file transfers Samuel Young (May 07)
- Re: Secure file transfers Buz Dale (May 07)
- Re: Secure file transfers Harrold Ahole (May 07)
- Re: Secure file transfers Joe St Sauver (May 07)