Secure File Exchange

What are we looking for in improved Secure File Exchanges?

  • Interest in avoiding data exposure
  • Looking for best practices, what are others doing
  • Would like to help and get additional ideas – what am I missing?
  • SOA, how to secure those data exchanges
  • Data exchange with PGP and big companies – but there are others, and one-time interactions
  • Variety of exchanges
  • Inclusive of telecommuting, external partners, third-parties, government
  • Internal / external – are there different requirements?

Principles Underlying Best Practices

  • Documented, repeatable, auditable processes and procedures
  • Centralized standards (central IT or security office) and policy
  • End-to-end process that includes staging, all rest and transmission areas
  • File transmissions only go to intended recipients
  • Key handling is done properly
  • Process and tools must verify integrity
  • Understanding why encryption is needed or used
  • Trust recipients according to the agreement
  • Least cumbersome or intrusive process that still preserves the security of the exchange
  • Data are transmitted by data security classification
  • Legally reviewed contract language template
  • Full consideration of compliance issues – GLB, HIPAA and PCI require file exchange review
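One way to carry out the integrity and key-handling principles above in code, as an added example that is not from these notes or from any tool they mention: the sender digests every file in the staging area and HMACs the manifest with a key agreed with the partner out of band (the key value, directory layout and file contents here are constructed), and the receiver reports missing, modified or unexpected files before accepting the transfer.

```python
import hashlib, hmac, json, os, tempfile

# Stand-in for a key agreed with the partner out of band (assumption for this example).
MANIFEST_KEY = b"example-shared-key-exchanged-out-of-band"

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(staging_dir, key=MANIFEST_KEY):
    """Digest every file in the staging area; HMAC the manifest so it cannot be swapped silently."""
    digests = {name: sha256_of_file(os.path.join(staging_dir, name))
               for name in sorted(os.listdir(staging_dir))}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(received_dir, manifest, key=MANIFEST_KEY):
    """Return {path: problem}; an empty dict means the transfer arrived intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest": "HMAC mismatch: manifest altered or wrong key"}
    actual = build_manifest(received_dir, key)["files"]
    problems = {}
    for name, digest in manifest["files"].items():
        if name not in actual:
            problems[name] = "missing"
        elif actual[name] != digest:
            problems[name] = "modified"
    for name in actual:
        if name not in manifest["files"]:
            problems[name] = "unexpected"
    return problems

def demo():
    """Constructed run: stage two files, deliver them, then corrupt the inbox copy."""
    with tempfile.TemporaryDirectory() as staging, tempfile.TemporaryDirectory() as inbox:
        for d in (staging, inbox):
            with open(os.path.join(d, "payroll.csv"), "w") as f:
                f.write("id,amount\n1,100\n")
            with open(os.path.join(d, "readme.txt"), "w") as f:
                f.write("monthly feed\n")
        manifest = build_manifest(staging)
        clean = verify_manifest(inbox, manifest)          # expect {}
        with open(os.path.join(inbox, "payroll.csv"), "a") as f:
            f.write("2,999\n")                             # simulated tampering in transit
        os.remove(os.path.join(inbox, "readme.txt"))       # simulated dropped file
        return clean, verify_manifest(inbox, manifest)
```

The manifest travels alongside the files; because it is keyed, a transfer in which both a file and its digest were replaced still fails verification unless the attacker also holds the shared key.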

Tools

  • Documented processes – procedures – Word documents, treated with confidentiality, auditable
  • Passive tools – HTTPS, SSL
  • PGP
  • SCP or SFTP rather than FTP
  • PGP-encrypted files over FTP – or over SFTP
  • Considering encrypting the entire file instead of the data stream
  • Some disable FTP entirely – note that FTP sends the user name and password unencrypted
  • VPN
  • PostX – secure email
  • cURL – secure file transfers
  • S/MIME
  • PKI

Tool Selection

  • Maybe too many tools and too complicated – tools need to be ubiquitous
  • What does the vendor support? The protocol is often defined by the vendor. Does GLB apply?
  • Does confidential data – SSN in file – require special attention or is file encryption enough?
  • Tools to scan for confidential data to identify places where file exchanges might occur
  • Not just technical tools – need training, administrator policy

Obstacles

  • Surfacing items outside our control – independent file exchanges set up by faculty; getting faculty to identify them
  • Automated file transfers – keeping key records
  • Certificate expiration tracking (tracking system, but dependent on knowing that a cert is there)
  • History – it must be ok since we’ve always done it that way
  • Tools aren’t simple, but are adaptable – not the main obstacle
  • Business goals come first
  • Theft or loss is a driver for secure file exchange


Resources

  • PCI DSS – http://connect.educause.edu/term_view/PCI+DSS
  • Confidential Data Handling Blueprint – https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint