Educause Security Discussion mailing list archives

Re: Encrypting Data to Third Parties


From: James Cooley <jcooley () FIT EDU>
Date: Tue, 28 Jul 2009 12:41:50 -0400

We've forbidden the use of email to send any sensitive data, encrypted or otherwise.  The main issue we have regarding 
encrypting email is the human element involved.  A sender could 'forget' to encrypt an email with sensitive 
information, and a recipient could accidentally forward an email with sensitive data in an unencrypted state.

We've had great success with transmitting and receiving data from third parties through the use of site-to-site VPN 
connections, or SFTP.  The SFTP servers are centrally managed by IT, and IT works with the third party and departments 
to ensure everything is set up and working correctly.  This way, we can ensure that the SFTP servers are secured and 
properly updated and firewalled.  We usually set these up on virtual machine servers and they do not take a lot of 
hardware resources to run.

When SFTP is used, we typically require that the data files are encrypted as well, to prevent unencrypted sensitive 
information from being left on a server with connectivity to the internet.

In general, imposing restrictions like these on departments seems to work better if IT is willing to help out with the 
implementation.

--
James Cooley
Information Security Officer
Florida Institute of Technology



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, 
Patricia
Sent: Tuesday, July 28, 2009 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Encrypting Data to Third Parties

In addition to the recent question about encrypting laptops, would anyone be willing to share their encryption 
standards for sending confidential data to third parties (i.e. Excel spreadsheets and Word docs to vendors, partners, 
etc.)? Specifically, we are trying to determine if we should use SFTP or an encryption program for encrypting sensitive 
attachments and/or e-mail.


1. Are you using SFTP? If so, do you house the SFTP site internally or is it hosted?

2. If you do not use SFTP, which file encryption tool are you using? Is it centralized or do you require 
departments to purchase it on their own?

3. Are you using Public Key Encryption?

4. Does the tool encrypt the e-mail, the attachment or both?

5. Any other advice you can offer.

Thank you in advance for any information you can provide.

Patty

Patty Patria
Chief Security Administrator | Bentley University
175 Forest Street, Waltham, MA 02452 |781.891.2364

