Educause Security Discussion mailing list archives
Re: Encrypting Data to Third Parties
From: "Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU>
Date: Tue, 28 Jul 2009 12:12:19 -0400
Hi Patty, My first question to you would be do you have an ongoing relationship with the 3rd parties or is the transfer and onetime event? That answer will affect which method you ultimately choose. Are the transfers strictly email attachments or would entire emails and/or larger files need to be transferred? If the requirement is to regularly send encrypted email as well as attachments to regular 3rd parties, I would recommend GPG which is free or PGP which is the commercial version. Both work with Outlook or other email programs. It uses public key encryption and would require the exchange of public keys. http://www.gnupg.org/ Another option would be use WinZip version 9 or higher. It has the ability to encrypt zip files. The down side to this method is that password must be stronger and shared securely with the receiver and only the zip file is encrypted. http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-securi ty.html If the requirement involves secure transfers on an irregular or one time basis, you could consider an FTP server. I would recommend using a *unix system with vsftp in a chrooted environment in the DMZ. The challenge will be creating/maintaining user accounts for the 3rd parties. http://vsftpd.beasts.org/ All will involve user education and good strong passwords. Hope that helps. Lee Anne From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia Sent: Tuesday, July 28, 2009 11:45 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Encrypting Data to Third Parties In addition to the recent question about encrypting laptops, would anyone be willing to share their encryption standards for sending confidential data to third parties (i.e. excel spreadsheets and word docs to vendors, partners, etc.)? Specifically, we are trying to determine if we should use SFTP or an encryption program for encrypting sensitive attachments and/or e-mail. 1. Are you using SFTP? If so, do you house the SFTP site internally or is it hosted? 2. If you do not use SFTP, which file encryption tool are you using? Is it centralized or do you require departments to purchase it on their own? 3. Are you using Public Key Encryption? 4. Does the tool encrypt the e-mail, the attachment or both? 5. Any other advise you can offer. Thank you in advance for any information you can provide. Patty Patty Patria Chief Security Administrator | Bentley University 175 Forest Street, Waltham, MA 02452 |781.891.2364
Attachment:
smime.p7s
Description:
Current thread:
- Encrypting Data to Third Parties Patria, Patricia (Jul 28)
- <Possible follow-ups>
- Re: Encrypting Data to Third Parties Hart, Lee Anne (Jul 28)
- Re: Encrypting Data to Third Parties Yonesy Nunez (Jul 28)
- Re: Encrypting Data to Third Parties James Cooley (Jul 28)
- Re: Encrypting Data to Third Parties Sean Maher (Jul 28)