Re: AES-256 and Sensitive Documents

[Zachary Yamada <zachary.yamada () CHEMEKETA EDU>]

We have been using LiquidFiles for over five years now. Overall, we have
been happy with it and users do not seem to have difficulty with its use.
It is administered by my team and I. Originally the system was delivered to
us as a virtual appliance and the initial setup and configuration, as well
as ongoing maintenance, updating, and monitoring of system usage was and
continues to be relatively simple.

We've configured the system so that all of our students and staff can use
the system both for sending and receiving secure e-mail and files. When it
comes to training, we have a three-page help document. However, as far as I
know, we have only had to provide this document to one individual
throughout our years of use of LiquidFiles; the remainder of users were
able to self-train using the system's built-in documentation and help
resources.

If you'd like a copy of our training document or would like to talk more
about Chemeketa's experiences using LiquidFiles, please feel free to e-mail
me directly.

Best,

Zachary Yamada, CEH, CHFI
Chemeketa Community College
Information Security Team Lead
503.584.7367
zachary.yamada () chemeketa edu


On Thu, Dec 13, 2018 at 12:06 PM Amanda Williams <akwilliams () pittstate edu>
wrote:

> For the folks using LiquidFiles, curious how it is going.  Is it easy to
> use for both the end user and the recipient?  We are thinking of
> implementing it to allow for secure upload of documents.  Who on your team
> is the administrator?
>
> Thanks,
>
>
> *Amanda Williams *
> IT Security Officer
> Information Technology Services
> Pittsburg State University
> 620.235.4657 <callto:620.235.4657>
>
> Simple. Safe. Smart. You are receiving this email because you are a
> Pittsburg State University student, employee, or other University community
> member. If you have questions or concerns regarding the validity of this
> email, please contact the individual or department that sent this email,
> ITSecurity () pittstate edu , or Gorilla Geeks at 620-235-4600
> <callto:620-235-4600>.
>
> ------------------------------
> *From: *"Hart, Michael" <mhart20 () MSUDENVER EDU>
> *To: *SECURITY () LISTSERV EDUCAUSE EDU
> *Sent: *Thursday, November 29, 2018 9:32:12 AM
> *Subject: *Re: [SECURITY] AES-256 and Sensitive Documents
>
> We’re currently rolling out LiquidFiles for some of our teams until we can
> get rights management experience in the OneDrive arena.
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Lovaas,Steven
> *Sent:* Thursday, November 29, 2018 8:19 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] AES-256 and Sensitive Documents
>
>
>
> Has anyone considered OneDrive's capabilities for this kind of need?
>
>
>
> ================================
>
> Steven Lovaas
>
> University Information Security Officer
>
> Colorado State University
>
> steven.lovaas () colostate edu
>
> 970-297-3707
>
> Mit der Dummheit kämpfen Götter selbst vergebens.
>
> ================================
> ------------------------------
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jeff Holden <
> jholden () CCCTECHCENTER ORG>
> *Sent:* Wednesday, November 28, 2018 5:38:32 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] AES-256 and Sensitive Documents
>
>
>
> The server sets what encryption methods it will accept, without having
> access to the server config I couldn't tell you why it would default to
> AES128, it could be that was the default server algorithm. If you require
> AES256 then disable all of the other methods on the server.
>
> Thanks,
>
> Jeff Holden, CISSP
>
> Chief Information Security Officer
>
> California Community Colleges Technology Center
>
> California Community Colleges Security Center
>
> https://cccsecuritycenter.org
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcccsecuritycenter.org&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7Cc6db27c4e1394cb72f6d08d6560e0e6d%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C636791015714232080&sdata=yrLahaqYFWJnW5FqN%2Bx%2BbqlrD1JrilF2NgysAQE5nfM%3D&reserved=0>
>
> Schedule a meeting *calendly.com/jeffholden
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcalendly.com%2Fjeffholden&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7Cc6db27c4e1394cb72f6d08d6560e0e6d%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C636791015714242089&sdata=zuENJLPzX13H%2Bi7yJbvBRWSx7mz3Q6TmSAfKfUnX6XI%3D&reserved=0>*
>
> Need help with a CCC Security Center Service?
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cccsecuritycenter.org%2Fservices%2Fservice-request&data=02%7C01%7Cmhart20%40MSUDENVER.EDU%7Cc6db27c4e1394cb72f6d08d6560e0e6d%7C03309ca417334af9a73cf18cc841325c%7C1%7C0%7C636791015714242089&sdata=mJJ%2FTDiKlDN0%2BI%2BRS54HuHyzGM3tMhcmrUs%2B0uZsfZA%3D&reserved=0>
>
> (530) 715-0778
>
>
>
>
>
> On Wed, Nov 28, 2018 at 2:55 PM Ronald Loneker <rloneker () cse edu> wrote:
>
> Thank you - the information I was looking at did not specify this.
>
>
>
> It's curious that the encryption level in Chrome defaulted to AES-126 with
> the upgrade of the browser to TLS 1.3 while the other browsers using TLS
> 1.2 show they're encrypted at AES-256 by default.
>
>
>
> Interesting.
>
>
> Ron
> -----------------------------------
> Ron Loneker, Jr.
> Director, IT Special Projects
> College of Saint Elizabeth
> Henderson Hall, Room 202C
> 2 Convent Road
> Morristown, NJ  07960
>
> Phone:  973-290-4229
>
> e-mail:  rloneker () cse edu
>
>
>
>
>
> On Wed, Nov 28, 2018 at 3:44 PM Jeff Holden <jholden () ccctechcenter org>
> wrote:
>
> Unless the RFC changed AES 256 is supported in TLS 1.3 via
> *TLS13-AES256-GCM-SHA384*
>
> Thanks,
>
> Jeff Holden, CISSP
>
> Chief Information Security Officer
>
> California Community Colleges Technology Center
>
> California Community Colleges Security Center
>
>
>
>
>
>
>
> On Wed, Nov 28, 2018 at 11:30 AM Ronald Loneker <rloneker () cse edu> wrote:
>
> Good Afternoon All -
>
>
>
> Our Financial Aid office would like to have students and their parents,
> when e-mailing financial aid documents containing sensitive information, to
> comply with federal regulations saying the documents should be e-mailed
> with AES-256 encryption.
>
>
>
> Since TLS 1.3 was released and is now in use in Chrome, the TLS 1.3
> protocol uses only AES-128 encryption so we're considering asking our
> students and their parents, if e-mailing sensitive documents, to encrypt
> them with a yet to be decided encryption application at the AES-256 level
> and attach the encrypted file to the e-mail being sent to our Financial Aid
> office.  We would provide links to easy to use, free encryption software
> and provide directions on how to download, install and use it.  We are also
> considering adding this software to our computer lab images for those
> students who want to e-mail documents but don't have access to a computer
> at home.
>
>
>
> Right now, the other web browsers seem to be using TLS 1.2, currently
> operating at the AES-256 level, with Firefox and Safari saying they expect
> to move to TLS 1.3 in the near future at some point.
>
>
>
> I'm curious as to what other schools are doing, and whether they are
> putting any sort of language on their website saying that documents like
> this should be encrypted to prevent unauthorized access to the data.
>
>
>
> *Please note that I am not looking for vendor solicitations.*
>
>
> Ron Loneker, Jr.
> Director, IT Special Projects
> College of Saint Elizabeth
> Henderson Hall, Room 202C
> 2 Convent Road
> Morristown, NJ  07960
>
> Phone:  973-290-4229
>
> e-mail:  rloneker () cse edu