Educause Security Discussion mailing list archives
Re: Encrypting Data to Third Parties
From: James Cooley <jcooley () FIT EDU>
Date: Tue, 28 Jul 2009 12:41:50 -0400
We've forbidden the use of email to send any sensitive data, encrypted or otherwise. The main issues we have regarding encrypting email is the human element involved. A sender could 'forget' to encrypt an email with sensitive information, and a recipient could accidentally forward an email with sensitive data in an unencrypted state. We've had great success with transmitting and receiving data from third parties through the use of site-to-site VPN connections, or SFTP. The SFTP servers are centrally managed by IT, and IT works with the third party and departments to ensure everything is setup and working correctly. This way, we can ensure that the SFTP servers are secured and properly updated and firewalled. We usually set these up on virtual machine servers and they do not take a lot of hardware resources to run. When SFTP is used, we typically require that the data files are encrypted as well, to prevent un-encrypted sensitive information from being left on a server with connectivity to the internet. In general, imposing restrictions like these on departments seems to work better if IT is willing to help out with the implementation. -- James Cooley Information Security Officer Florida Institute of Technology From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patria, Patricia Sent: Tuesday, July 28, 2009 11:45 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Encrypting Data to Third Parties In addition to the recent question about encrypting laptops, would anyone be willing to share their encryption standards for sending confidential data to third parties (i.e. excel spreadsheets and word docs to vendors, partners, etc.)? Specifically, we are trying to determine if we should use SFTP or an encryption program for encrypting sensitive attachments and/or e-mail. 1. Are you using SFTP? If so, do you house the SFTP site internally or is it hosted? 2. If you do not use SFTP, which file encryption tool are you using? Is it centralized or do you require departments to purchase it on their own? 3. Are you using Public Key Encryption? 4. Does the tool encrypt the e-mail, the attachment or both? 5. Any other advise you can offer. Thank you in advance for any information you can provide. Patty Patty Patria Chief Security Administrator | Bentley University 175 Forest Street, Waltham, MA 02452 |781.891.2364
Current thread:
- Encrypting Data to Third Parties Patria, Patricia (Jul 28)
- <Possible follow-ups>
- Re: Encrypting Data to Third Parties Hart, Lee Anne (Jul 28)
- Re: Encrypting Data to Third Parties Yonesy Nunez (Jul 28)
- Re: Encrypting Data to Third Parties James Cooley (Jul 28)
- Re: Encrypting Data to Third Parties Sean Maher (Jul 28)