Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Would You Prefer To Send Sensitive Data?

Posted by samzenpus on from the by-armored-truck dept.

sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

3 of 542 comments (clear)

  1. If she's cute.... by EmbeddedJanitor · · Score: 5, Interesting

    Take some of those fur-lined handcuffs too. Do it on a Friday and get the weekend.

    --
    Engineering is the art of compromise.
  2. Re:PGP by Eskarel · · Score: 5, Interesting
    Well e-mail isn't really a practical solution for a large volume data set, which presumably it is or there wouldn't be much point. So while PGP e-mail is quite a wonderful technique, it won't help much.

    You've also got to remember that you only have control over the security of the data during transit. It's all you're legally responsible for and it's all you have any sort of effective control over. So you're really looking for the best solution based on the transmission type you choose. For anyone who wants to put all sorts of extra security on it remember the thing problem with copy protection you can't secure something and give people the access to view it at the same time, so if the recipient doesn't secure it properly in their system, no amount of PGP is going to help anyone.

    If the data set is fairly small, then encrypted e-mail might be a valid solution. If it's small to middling in size or you need to do frequent transfers SFTP or FTPS would be viable(presuming you're not using keys generated in the last two years on a debian box).

    The simplest solution would be to encrypt the data, put it on a CD/DVD/Portable HD, and send it by courier or deliver it yourself(ideally in a sealed envelope). You get a signature to verify you sent it, you get a signature to verify who picked it up, you've got proof it wasn't tampered with and if someone steals it along the way it's not worth anything.

    If it were me I'd also ensure that your contract with the recipient includes liability for any security breaches within their system including appropriate financial penalties. Any of those solutions will ensure it gets to the recipient without someone else stealing it and that's all you can do.

  3. Re:PGP by |DeN|niS · · Score: 5, Interesting
    You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.

    You keep saying that. Maybe you want to run the numbers sometime? Something like all the computing power in the world in constant use for X thousand years? Barring a fundamental flaw in the algorithm, or a botchy implementation (say generating your keys on Debian) there is no way this is brute forcable in anyones lifetime. It's just math. It's your random claim the russian maffia can break any encryption, versus math. I know whose side I am on.

    Half a million bucks buys you a 56 bit DES message in under 24 hours. Note that an extra bit does not double the effort, it squares it. Do the math.