Slashdot Mirror


How Would You Prefer To Send Sensitive Data?

sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

123 of 542 comments

  1. PGP by Foldarn · · Score: 5, Insightful

    PGP without pause

    1. Re:PGP by Foldarn · · Score: 5, Informative

      If it's data to be processed and used with a database or something similar, then I'd suggest either SFTP or set up a site-to-site VPN between your 2 offices and either provide them with instructions for FTPing it off of your server or the other way around. A simple link would work as well: ftp://10.10.10.10/yourfile.csv; that way it's almost dummy proof.

    2. Re:PGP by Foldarn · · Score: 5, Informative

      Correction:  ftp://user:password@10.10.10.10/yourfile.csv is the proper example link.

    3. Re:PGP by Foldarn · · Score: 2, Informative

      Not being paranoid? He has to transfer the files containing sensitive information and that requires it not be intercepted by anybody but the intended recipient. In the financial sector, medical sector, any sector that deals with people's personal information or finances, security is the TOP priority. Assuring both your boss, your customers, and the federal government that you're in compliance is of the utmost importance. One slip and your company's credibility is gone. You know what they say, "Fool me once, shame on you. Fool me twice, shame on me."

    4. Re:PGP by Swampash · · Score: 4, Insightful

      If this is for a work task (and in the parent article it obviously is) I would only ever send sensitive data via PGP-encrypted and -signed email, or more specifically via PGP-encrypted and -signed attachment to an email.

      Via encrypted signed email there's a paper trail. "The data you have is verifiably the data that I intended for you to receive, and the sensitive data haven't been mangled or modified (the hashes match), it is verifiably from me (that's my signature), and I have demonstrably met your request by sending you the information on this day at this time (email headers, server logs, whatever)."

      If it's important and it's for work purposes, COVER ASS AT ALL TIMES.

    5. Re:PGP by Metzli · · Score: 4, Insightful

      I would agree with PGP, once the proper legalities and assurances are in place. However, I'd worry about the non-technical issues before working on a technical solution.

      There are a number of issues to be resolved before worrying about how to get the data transferred. Has the consultant and/or their firm verified their security and controls to your firm's satisfaction with something like a SAS 70? Are there legal agreements in place concerning the proper controls of this data, the explanations or responsibilities in case of a disclosure, etc.? Has the idea been proposed to create bogus data for testing so that live data isn't used? Can the application be loaded on-site, so that a machine outside of your firm's control will not contain highly-sensitive employee data?

      I'd ask a lot of questions like these and get answers to my satisfaction before I sent out any data. I would greatly prefer to have to explain to my management why I'm "holding up the train" than have to explain to my coworkers why I was involved in the disclosure of their personal information and mine.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    6. Re:PGP by The+MAZZTer · · Score: 3, Informative

      If you need to get on a VPN to access the FTP server you're already authenticated. There's no point in authenticating twice (unless you want different levels of access, or the FTP server is also accessible from other networks).

    7. Re:PGP by beav007 · · Score: 5, Funny

      PGP or GPG? I've been hearing good things about ROT-13. Which one of these uses ROT-13?

    8. Re:PGP by shri · · Score: 4, Insightful

      I disagree. While PGP can transport the data securely, once decrypted, it will be rendered as insecure as the consultant's weakest point of security. If the data were truly sensitive, I'd send an anonymous set to the consultant, have them prepare a set of scripts / routines / procedures to import and then bring them onsite to complete the task.
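
Metzli (comment 5) and shri (comment 8) both suggest giving the consultant a bogus data set so the import scripts get written against something that isn't live HR data. The script below is an added example, not code from the thread: it rewrites a constructed export into a synthetic one with the same columns, formats and awkward cases (an apostrophe in a surname) while replacing SSNs, names, dates and the employee number. The column layout, the name lists, the eight-character pseudonym for emp_id and the one-year date shift are all assumptions about what the target package needs.

```python
"""Synthetic HR test set: same columns, formats and edge cases as the real export, no
real identities. Added example; every row and name list below is constructed."""
import csv
import datetime as dt
import hashlib
import hmac
import io
import random
import re
import secrets

# Constructed stand-in for the real export (nobody real; the column layout is an assumption).
REAL_CSV = """\
emp_id,last_name,first_name,ssn,dob,hire_date,dept
1001,Doe,Jane,123-45-6789,1975-03-14,2001-06-01,Finance
1002,Smith,John,987-65-4321,1982-11-30,2005-09-15,HR
1003,O'Brien,Pat,555-12-3456,1969-07-04,1998-01-20,IT
"""

FIRST = ["Alex", "Sam", "Chris", "Jordan", "Taylor", "Morgan"]
LAST = ["Adams", "Baker", "Clark", "Davis", "Evans", "O'Neil"]  # keep an apostrophe in the set
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def fake_ssn(rng, used):
    """Random SSN-shaped value, unique within the file. Area 000, 666 and 900-999 are
    never issued, so they are skipped to keep the target's format validator happy."""
    while True:
        area = rng.randint(1, 899)
        if area == 666:
            continue
        ssn = f"{area:03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"
        if ssn not in used:
            used.add(ssn)
            return ssn


def pseudo_id(emp_id, secret):
    """Keyed pseudonym for the employee number. A bare hash of a four-digit ID is
    inverted by hashing all ten thousand candidates; HMAC under a secret that never
    leaves the company is not. Eight hex digits is an assumed target-system limit."""
    return hmac.new(secret, emp_id.encode(), hashlib.sha256).hexdigest()[:8]


def shift_date(iso, rng, max_days=365):
    """Move a date by up to a year either way: keeps age/tenure brackets roughly right."""
    d = dt.date.fromisoformat(iso) + dt.timedelta(days=rng.randint(-max_days, max_days))
    return d.isoformat()


def pseudonymize(csv_text, secret, seed=None):
    """Rewrite every identifying column; dept and the row/column shape are kept.
    seed=None uses the OS RNG; a seed gives a reproducible file for tests."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    used = set()
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    for r in rows:
        writer.writerow({
            "emp_id": pseudo_id(r["emp_id"], secret),
            "last_name": rng.choice(LAST),
            "first_name": rng.choice(FIRST),
            "ssn": fake_ssn(rng, used),
            "dob": shift_date(r["dob"], rng),
            "hire_date": shift_date(r["hire_date"], rng),
            "dept": r["dept"],
        })
    return out.getvalue()


def rows_of(csv_text):
    """Parse a CSV text back into a list of dicts (used to check the result)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    print(pseudonymize(REAL_CSV, secrets.token_bytes(32)), end="")
```

The secret handed to pseudonymize stays in-house; it is what makes the employee-number pseudonym reversible only by the sender, unlike a bare hash of a small numeric ID, which anyone can invert by hashing every candidate. Run it once with a real secret from secrets.token_bytes(32), keep that secret with the original export, and only the synthetic file leaves the network.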

    9. Re:PGP by Hojima · · Score: 3, Funny

      "What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

      1) Titanium alloy capsule with message
      2) rail gun
      3) ????
      4) Message delivered (and/or profit)

    10. Re:PGP by bennomatic · · Score: 2, Funny

      I prefer ROT-26; less chance for data loss.

      --
      The CB App. What's your 20?
    11. Re:PGP by ResidntGeek · · Score: 4, Interesting

      has the resources to brute-force the encryption
      If you're using PGP, such resources simply don't exist.
      --
      ResidntGeek
    12. Re:PGP by Anne_Nonymous · · Score: 5, Funny

      Alternately, you could quantum encrypt the data, send the key by smoke signal, and nuke the entire site from orbit. It's the only way to be sure.

    13. Re:PGP by cayenne8 · · Score: 3, Informative
      "Yes, it's already authenticated, but most email systems will not route email over that VPN. It will route it to the publicly accessible IP."

      That and email just is not a good way to send lots of data, it just isn't designed for it.

      I'm more in favor of setting up a VPN....and using scp across it.

      That will work better for what I guess has to be a good bit of bulk of data...and should be quite secure enough.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    14. Re:PGP by TheNucleon · · Score: 2, Funny

      ROT-13 has been broken. You need to use Triple ROT-13 (3ROT13).

      --
      My comments are my own, and do not represent the views of my employer, my spouse, my children, or my cats.
    15. Re:PGP by SanityInAnarchy · · Score: 4, Informative

      VPN access is per-machine. FTP access is per-user. Making it accessible to anyone on the VPN is equivalent to chmod'ing 777.

      It's amazing how many people make this mistake. NEVER implement an unauthenticated protocol, unless you can completely guard access to it -- and by that, I mean use it over pipelines, UNIX sockets, or in wrappers that include authentication.

      Oh, and FTP sucks. I can't think of a good reason to use it at all, ever. Use Samba if it's convenient, otherwise things like scp/sftp, rsync, or actual database replication.

      --
      Don't thank God, thank a doctor!
    16. Re:PGP by Eskarel · · Score: 5, Interesting
      Well e-mail isn't really a practical solution for a large volume data set, which presumably it is or there wouldn't be much point. So while PGP e-mail is quite a wonderful technique, it won't help much.

      You've also got to remember that you only have control over the security of the data during transit. It's all you're legally responsible for and it's all you have any sort of effective control over. So you're really looking for the best solution based on the transmission type you choose. For anyone who wants to put all sorts of extra security on it, remember the problem with copy protection: you can't secure something and give people the access to view it at the same time, so if the recipient doesn't secure it properly in their system, no amount of PGP is going to help anyone.

      If the data set is fairly small, then encrypted e-mail might be a valid solution. If it's small to middling in size or you need to do frequent transfers, SFTP or FTPS would be viable (presuming you're not using keys generated in the last two years on a Debian box).

      The simplest solution would be to encrypt the data, put it on a CD/DVD/Portable HD, and send it by courier or deliver it yourself (ideally in a sealed envelope). You get a signature to verify you sent it, you get a signature to verify who picked it up, you've got proof it wasn't tampered with and if someone steals it along the way it's not worth anything.

      If it were me I'd also ensure that your contract with the recipient includes liability for any security breaches within their system including appropriate financial penalties. Any of those solutions will ensure it gets to the recipient without someone else stealing it and that's all you can do.

    17. Re:PGP by cheater512 · · Score: 2, Informative

      Ditch the passwords and use SSH keys.
      Then only the person who is allowed to see it can.

    18. Re:PGP by andy.ruddock · · Score: 5, Informative

      From DSA-1571-1 :
      Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

      --
      God: An invisible friend for grown-ups.
    19. Re:PGP by Eivind · · Score: 4, Insightful

      The likelihood that "someone" will brute-force the encryption is zero -- or close enough to make no difference. All the worlds banks are protected by the same encryption. If your data is REALLY more valuable than complete access to EVERY account in EVERY bank that has online banking, then you don't "ask slashdot" what to do about securing the data anyways.

    20. Re:PGP by Antique+Geekmeister · · Score: 4, Interesting

      The unencrypted FTP traffic on the far side of the VPN connection can be sniffed. Passwords should never, never, never be sent in the clear, even over a local network, because people are awful about changing passwords and will use the same one in multiple locations. And if the VPN is between two networks, rather than between your machine and a remote network, the FTP traffic can be sniffed inside your own network.

      It only takes one compromised laptop in most networks to engage in quite a bit of useful packet sniffing of exactly this kind of traffic. Unless that VPN is between your desktop and the VPN server itself, it's hazardous.

    21. Re:PGP by Antique+Geekmeister · · Score: 4, Informative

      I hope your scp setup has chroot cages set up, because otherwise, your clients can go poking around the rest of your SCP server and potentially do all sorts of damage. Keeping them from overfilling /tmp and /var/tmp on the server is difficult enough. Keeping them out of /etc/passwd to find account names is even more awkward: a secured SCP server is fairly awkward. I've been seeing a few recommendations to instead use WebDAV over HTTPS. There are plenty of Java based clients, chroot cages are built in, and Windows has direct access to it over a browser for download, and using the 'Network Connections' for upload. I also understand that it supports SSL keys quite well, for public/private key access.
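
SanityInAnarchy (comment 15) wants the transfer account authenticated per user, cheater512 (comment 17) wants keys rather than passwords, and Antique Geekmeister (comment 21) warns that an unchrooted scp/sftp account can wander the rest of the server. The following is an added example rather than anything posted in the thread: a small sshd_config parser that audits one drop account for exactly those points, with a constructed weak configuration beside a constructed hardened one. The account name hrdrop, the chroot path and the 203.0.113.5 client address in the authorized_keys check are assumptions.

```python
"""Audit an sshd_config for the chrooted, key-only SFTP drop account the thread argues
for. Added example: both configuration texts are constructed, not from any real host."""

WEAK_CONFIG = """\
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
Match User hrdrop
    ForceCommand internal-sftp
"""

HARDENED_CONFIG = """\
Subsystem sftp internal-sftp
PasswordAuthentication no
PubkeyAuthentication yes
Match User hrdrop
    # the chroot must be root-owned and not group/world-writable or sshd refuses the login
    ChrootDirectory /srv/sftp/hrdrop
    ForceCommand internal-sftp
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")


def parse_sshd_config(text):
    """Return (global_directives, {match_spec: directives}). Directive names are
    case-insensitive and sshd keeps the first occurrence of a duplicate, so we do too.
    Only the whitespace-separated 'Name value' form is handled (assumption)."""
    global_, matches = {}, {}
    current = global_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "match":
            current = matches.setdefault(value.lower(), {})
        else:
            current.setdefault(name, value)
    return global_, matches


def audit_sftp_account(text, user):
    """Findings for one drop account; a Match User block overrides the global value."""
    global_, matches = parse_sshd_config(text)
    scoped = matches.get(f"user {user.lower()}", {})

    def eff(directive):
        return scoped.get(directive, global_.get(directive))

    findings = []
    if eff("passwordauthentication") != "no":
        findings.append("PasswordAuthentication not 'no': use a key, not a password someone reuses")
    if eff("chrootdirectory") is None:
        findings.append("no ChrootDirectory: the account can read /etc/passwd and fill /tmp")
    if eff("forcecommand") != "internal-sftp":
        findings.append("no 'ForceCommand internal-sftp': shell or scp access is possible")
    if eff("allowtcpforwarding") != "no":
        findings.append("AllowTcpForwarding not 'no': the account can pivot through the server")
    return findings


def authorized_key_restricted(line):
    """True if an authorized_keys entry carries the 'restrict' option (OpenSSH 7.2+),
    which turns off port/agent/X11 forwarding and pty allocation for that key."""
    tokens = line.split()
    if not tokens or tokens[0].startswith(KEY_TYPES):
        return False  # no options field at all
    return "restrict" in tokens[0].split(",")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sftp_account(cfg, "hrdrop") or ["ok"])
    # constructed key line; the from= clause pins the consultant's source address
    print(authorized_key_restricted('restrict,from="203.0.113.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA hrdrop'))
```

The hardened fragment relies on Match semantics: directives inside Match User hrdrop override the global values for that user only. The audit never touches the filesystem, so the ownership and mode of the ChrootDirectory, which sshd checks at login, still need a manual look. Pair the Match block with an authorized_keys line carrying restrict and a from= clause for the consultant's address, and the FTP-over-VPN argument earlier in the thread goes away: the account is per-user, key-only, confined, and cannot forward anything.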

    22. Re:PGP by Simon+Brooke · · Score: 4, Informative

      Correction: ftp://10.10.10.10/yourfile.csv is the proper example link.

      You do not want to use FTP at all. FTP is a very insecure protocol. If the data is very confidential, then you need to secure it against

      • An attacker pretending to be the designated recipient
      • An attacker capturing the stream in flight
        • Where that attacker is within your network
        • Where that attacker is within the recipient's network
        • Where that attacker is between your network and the recipients

      Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs' while to put significant resource into cracking encryption.

      So to send this data, in my opinion, you need to split it into chunks which are in themselves of low value (i.e. first file, names and employee numbers; in the second file, social security numbers and employee numbers; in the third file, addresses and employee numbers; in the fourth file, ages and social security numbers; and so on); encrypt these chunks using different encryption keys, so that decrypting one will not provide the key to encrypting the next; and send them over a secure channel.

      The UK Government has had a series of scandals recently where couriered media (CD-ROM disks) with valuable personal information has gone missing, so couriering this is not a good plan. Criminal gangs are apparently now willing to pay about US$50 per person for identity details like these, so in terms of value for unit mass, a CD with these details is worth much more than diamonds.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    23. Re:PGP by Simon+Brooke · · Score: 2, Insightful

      has the resources to brute-force the encryption
      If you're using PGP, such resources simply don't exist.

      You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    24. Re:PGP by Simon+Brooke · · Score: 4, Insightful

      VPN *AND* scp? weirdo.

      Not in the least. What guarantee do you have that there isn't an attacker already in your network, or the recipients network? Split into small chunks first. Encrypt with separate keys, then SCP over VPN.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
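
Simon Brooke (comments 22 and 24) proposes splitting the export into chunks that are each low-value on their own, encrypting every chunk under a different key, and then moving them over the secure channel. The block below is an added example, not the poster's code: it does the split, the per-chunk keying and an integrity manifest with the standard library and hands the actual encryption to gpg, whose argv it builds. The sample rows, the chunk layout and the choice of emp_id as the join column are assumptions. relink() is there for the caveat a practitioner wants: any two chunks joined on emp_id rebuild the identity, so the separate keys only help while they really travel by separate channels.

```python
"""Split an HR export into column chunks that are individually low-value, generate an
independent key per chunk and record integrity hashes. Added example; rows constructed.
Encryption itself is delegated to gpg, so this needs only the standard library."""
import csv
import hashlib
import io
import json
import secrets

# Constructed sample export (no real people).
SAMPLE_CSV = """\
emp_id,last_name,first_name,ssn,dob,street,city,zip
1001,Doe,Jane,123-45-6789,1975-03-14,1 Main St,Springfield,01101
1002,Smith,John,987-65-4321,1982-11-30,2 Oak Ave,Shelbyville,01102
"""

# Every chunk carries emp_id so the consultant can re-join them after import. That join
# key is also what makes two chunks together worth far more than both apart (relink()).
CHUNKS = {
    "names": ["emp_id", "last_name", "first_name"],
    "ssn": ["emp_id", "ssn"],
    "dob": ["emp_id", "dob"],
    "address": ["emp_id", "street", "city", "zip"],
}


def split(csv_text, chunks=CHUNKS):
    """Return {chunk_name: csv_text} holding only that chunk's columns."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    out = {}
    for name, cols in chunks.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore")
        writer.writeheader()
        for r in rows:
            writer.writerow({c: r[c] for c in cols})
        out[name] = buf.getvalue()
    return out


def keys_for(chunks):
    """One fresh 256-bit key per chunk, drawn independently from the OS RNG, so
    recovering one key says nothing about another. Each goes by its own channel."""
    return {name: secrets.token_hex(32) for name in chunks}


def manifest(chunks):
    """SHA-256 of every plaintext chunk, sent alongside so the recipient can prove the
    decrypted file is byte-for-byte what left the sender (the 'hashes match' point)."""
    return {name: hashlib.sha256(text.encode()).hexdigest() for name, text in chunks.items()}


def gpg_symmetric_argv(chunk_path, key_path):
    """gpg command that encrypts one chunk under its own key file. These are real gpg
    options: AES-256, passphrase read from a file rather than the command line."""
    return ["gpg", "--batch", "--yes", "--symmetric", "--cipher-algo", "AES256",
            "--passphrase-file", key_path, chunk_path]


def relink(*chunk_texts):
    """Join any chunks on emp_id. names+ssn alone rebuilds the full identity, which is
    why the keys, not just the ciphertexts, must never share a channel."""
    merged = {}
    for text in chunk_texts:
        for r in csv.DictReader(io.StringIO(text)):
            merged.setdefault(r["emp_id"], {}).update(r)
    return merged


if __name__ == "__main__":
    parts = split(SAMPLE_CSV)
    keys = keys_for(parts)
    for name in parts:
        # in practice: write parts[name] to name.csv and keys[name] to name.key, then run
        print(" ".join(gpg_symmetric_argv(f"{name}.csv", f"{name}.key")))
    print(json.dumps(manifest(parts), indent=2))
```

Hand the manifest over with the ciphertexts; the keys go one per channel (phone, courier, separate mail), and the chunk files never sit decrypted in the same place until the consultant's import runs. Anyone who intercepts two ciphertexts and two keys is back to the full record, which is the whole point of keeping the channels apart.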
    25. Re:PGP by |DeN|niS · · Score: 5, Interesting
      You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.

      You keep saying that. Maybe you want to run the numbers sometime? Something like all the computing power in the world in constant use for X thousand years? Barring a fundamental flaw in the algorithm, or a botchy implementation (say generating your keys on Debian) there is no way this is brute-forceable in anyone's lifetime. It's just math. It's your random claim the Russian mafia can break any encryption, versus math. I know whose side I am on.

      Half a million bucks buys you a 56 bit DES message in under 24 hours. Note that an extra bit does not double the effort, it squares it. Do the math.

    26. Re:PGP by pincho23 · · Score: 2, Funny

      You should rot-13 twice. Twice the security.

      So when do I get my membership card for the 'don't read, just post' club?

    27. Re:PGP by smallfries · · Score: 2, Informative

      You shouldn't assume that VPN access is per-machine. Our network for example authenticates each user on the VPN *and* ensures that the machine is registered. I don't think that is uncommon.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    28. Re:PGP by eric76 · · Score: 2, Insightful

      Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

      Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

      Would you perhaps have some real information to support those claims?

      If they are cracking military grade encryption, which I very seriously doubt, then they are likely doing so by buying the keys from someone, not by brute forcing it.

    29. Re:PGP by silanea · · Score: 2, Insightful

      Quite a lot of stuff is worth cracking. That does not have any influence on what can be cracked. Computing resources available today are enormous, but they are still finite. And to the best of my understanding they will be quite finite enough to ensure our privacy for the next couple of decades. But since you so vehemently say otherwise, you surely possess reliable and verifiable information to the contrary that you could share with us here to enlighten us?

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    30. Re:PGP by WuphonsReach · · Score: 5, Informative

      Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

      Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.


      Highly unlikely.

      What they (the attackers) are probably doing is either:

      1) Man in the Middle (MITM) attack where the source/destination players (Alice & Bob) don't properly authenticate their encryption keys. Which lets them read all of the traffic by pretending to be the other end of the stream to each player.

      2) Attacking the weak point of any encryption system - key management. Either by keylogging to obtain the passphrase, or other rootkit / cracking work to steal the private keys. Which then allows them to decrypt the messages. Getting key management correct is HARD (the devil is in the details).

      3) Suborning either Alice or Bob (i.e. bribery or social engineering). Or simply via the lead lined rubber hose attack.

      There's an awful lot of very very smart people out there who are looking at the current algorithms in use (AES, RSA, etc). If there were known weaknesses in the algorithms, we would have heard about them. Something that is encrypted with today's 256bit symmetric encryption algorithms is extremely secure for the foreseeable future (40+ years?). At least, as long as the encryption key is not leaked through some other fashion.

      --
      Wolde you bothe eate your cake, and have your cake?
    31. Re:PGP by xalorous · · Score: 3, Insightful

      Use strong encryption.
      Burn to physical media.
      Send via bonded courier.
      Send password via encrypted email, or via registered mail.

      If you need frequent access from both ends, set up extranet with encrypted vpn with reasonable security on both ends. The data at rest should be encrypted with strong encryption and the password should change frequently (90 days). Access to the password and to the storage folder should be restricted.

      Yeah, all you alarmists worried about 'one compromised computer' are right, but that threat exists no matter how you connect to transfer the data. The VPN doesn't answer this threat, it answers the threat of capture of data in transit.

      --
      TANSTAAFL GIGO Acronyms to live by!
    32. Re:PGP by drinkypoo · · Score: 4, Interesting

      Really, what's wrong with just using IPSEC and ftp? ftp is canned crap by itself because of the stupid networking requirements (if you're already using TCP, there's no reason WHATSOEVER to open two connections, much less to do it how ftp does) and generally impossible to secure through rational means but is fine through VPN.

      Of course, you have to make sure that your switch isn't vulnerable to a poisoning attack that will let a local attacker sniff that password, unless you do direct host to host ipsec, which is my recommendation anyway. Then the whole thing is pretty secure. ipsec is relatively easy to set up on windows with preshared keys (I never did get certs to work between HPUX and Windows which is where I tried it, but if I'd had a Windows 2003 domain server it supposedly would have been easy) and plenty easy to set up on most Unices.

      Alternatively, just put a simple password on the thing, USPS the password to the guy via some kind of registered mail, and then courier the data, and do it physically. This is much more secure, provided your carrier is competent. (Read: NOT UPS, who not long ago delivered eight pounds of court documents to me at 9850 on one street, while it was addressed to 9580 on another street.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    33. Re:PGP by grommit · · Score: 2, Insightful

      Now you're the one that isn't thinking. Assuming the OP doesn't use an insanely short bit length, it would take EVERY SINGLE COMPUTER ON THE PLANET working together at least a decade to brute force it.

      The math is simple, the amount of computing power to brute force PGP just doesn't exist on this planet yet. Maybe in a decade or two but then all we'd have to do is increase the bit length that PGP uses.

    34. Re:PGP by ezzzD55J · · Score: 3, Insightful
      Note that an extra bit does not double the effort, it squares it. Do the math.

      What?

      An extra bit does double the keyspace.

    35. Re:PGP by DaveHowe · · Score: 2, Informative
      PGP is a good choice for either email or file encryption (done right, s/mime isn't terrible for the former either) provided the recipient can support it.

      if this is just a oneshot deal, its probably easier to provide them with a password protected archive and give them the password verbally (over the phone) - good choices here are anything that uses 256 bit aes or the equivalent, so rar, winzip and 7z (which is opensource/free) are good choices.

      --
      -=DaveHowe=-
    36. Re:PGP by Chris+Mattern · · Score: 2, Insightful

      Yes.

      However, it is practical to have a large enough keyspace that "enough brute force" cannot be realistically achieved, even assuming machines millions of times faster than the fastest currently available.

    37. Re:PGP by 0xFCE2 · · Score: 5, Insightful

      Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

      Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.


      "military grade" is a pretty useless term here - the military uses all kind of encryption, from weak to very secure. But when talking about encryption suitable for "secret" stuff (i.e. classified secret), then you can be pretty sure the NSA is not going to allow any form of encryption which is known (to the NSA) to be breakable. Not breakable by any other (foreign) government agency with a multi-billion-dollar budget, and certainly not by the Russian mafia. And as a reminder, AES is a valid algorithm to be used to protect secret communications and available to pretty much everyone.
      To get your data, they would try to get the encryption keys by hacking the computer or by physically breaking into your house and office. They might even sneak backdoors in the software you are using and weaken the encryption artificially. But they will not bother with the encryption itself, unless you've been using weak encryption from the start.

    38. Re:PGP by |DeN|niS · · Score: 2, Informative

      Ugh, yes, sorry.

      What I meant is that every extra bit doubles the effort, i.e. going from 128 to 256 bits is not doubling the effort, it is squaring it.

    39. Re:PGP by blueg3 · · Score: 3, Informative

      "Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption."

      No practical encryption, that is. One-time pads are uncrackable. However, your statement is misleading -- for many types of encryption, "sufficient time" is longer than multiple human lifespans, even with access to a large amount of computing power. It's generally the non-encryption parts of a security system that fail.

    40. Re:PGP by ezzzD55J · · Score: 2, Insightful

      It's not a matter of realistic, but a matter of physics that there's a finite number of computations that can be done in the remaining lifetime of the universe, and it's easy to make a key large enough the keyspace can't be searched in it. If you're saying that 'enough brute force' doesn't have to fit in the space and time we have in this universe, then fine.
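
The back-and-forth from comment 23 onward (Simon Brooke, |DeN|niS, grommit, ezzzD55J, Chris Mattern) is an argument about arithmetic, so here are the numbers worked out. This is an added example, not from the thread; the two search rates are stated assumptions, one roughly a purpose-built DES cracker of the period and one an impossibly generous "every machine on the planet", and the point is the ratio between key sizes, not the absolute figures.

```python
"""Run the numbers behind the 'enough brute force' argument. Added example; the two
search rates below are assumptions chosen to bracket the discussion, not measurements."""
from fractions import Fraction

SECONDS_PER_YEAR = 31_557_600  # Julian year

# Assumed search rates in keys tried per second.
DES_CRACKER = 10**12    # order of a well-funded custom DES engine of the period (assumption)
WHOLE_PLANET = 10**19   # ten billion machines at a billion keys per second each (assumption)


def keyspace(bits):
    """Number of candidate keys for a bits-long key."""
    return 1 << bits


def expected_years(bits, keys_per_second):
    """Mean time to hit the key by exhaustive search: half the keyspace on average.
    Exact rational arithmetic, because 2**256 divided by a rate is not a float job."""
    return Fraction(keyspace(bits) // 2, keys_per_second * SECONDS_PER_YEAR)


def extra_bits_factor(from_bits, to_bits):
    """Each added bit doubles the work, so widening by n bits multiplies it by 2**n.
    128 -> 256 is a factor of 2**128: the 128-bit keyspace squared, not doubled."""
    return 1 << (to_bits - from_bits)


def summary(keys_per_second):
    """(label, bits, expected years) for the key sizes argued about in the thread."""
    return [(label, bits, float(expected_years(bits, keys_per_second)))
            for label, bits in (("DES", 56), ("AES-128", 128), ("AES-256", 256))]


if __name__ == "__main__":
    for label, rate in (("DES cracker", DES_CRACKER), ("whole planet", WHOLE_PLANET)):
        for name, bits, years in summary(rate):
            print(f"{label:12} {name:8} {bits:3d} bits  ~{years:.3g} years")
```

The table makes |DeN|niS's correction concrete: going from 128 to 256 bits multiplies the work by 2**128, the 128-bit figure squared, and even the planet-wide rate leaves a 128-bit key at hundreds of billions of years, while the same planet finishes DES in well under a second. That gap is why the thread converges on key management and the endpoints, not the cipher, as the realistic failure point.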

    41. Re:PGP by MikePikeFL · · Score: 3, Insightful

      FTP still has its place. If you are already going over VPN, FTP can be way better than SMB if say, the link dies at 699MB of a 700MB file. FTP resume performs miracles with an appropriate client (read ncftp). scp/sftp don't regularly support resume (I think there are some hacks out there), and sometimes rsync isn't universal (Win32, permissions, and rsync can do some evil things).

      Obviously it all depends on the platforms in use, the links' reliabilities, the links' speeds, the criticality of time, one's patience, one's pain threshold, etc. YMMV.

      --
      "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" -Andrew Tanenbaum
  2. Password protected PDF! by Boogaroo · · Score: 5, Funny

    Redacted using FBI security techniques will guarantee absolutely nobody will be able to see it.
    Make sure you send the password with the file.

    1. Re:Password protected PDF! by genderbunny · · Score: 5, Funny

      Nice, but it will never be as secure as sending a Word document with the font changed to Wingdings.

    2. Re:Password protected PDF! by enoz · · Score: 4, Funny

      Send it in OOXML, Word won't even open it!

  3. Couple ideas by Drakin020 · · Score: 3, Informative

    Why not some kind of secure FTP Server for her to download it?

    Or if the area is not too far, why not burn it to a CD or some other kind of media and physically take it to her.

    --
    The greatest revenge in life is massive success.
    1. Re:Couple ideas by 77Punker · · Score: 2, Interesting

      How about SCP over SSH? As far as I know that's quite secure and I can tell you from experience that it's damned easy to set up and use.

  4. By Hand by rueger · · Score: 5, Funny

    Deliver it by hand.... if you're lucky they'll give you one of those cool attache cases that handcuffs to your wrist.

    1. Re:By Hand by Dirtside · · Score: 4, Funny

      No, if you're lucky, they'll include a key. If you're not, they'll include a hacksaw.

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    2. Re:By Hand by Hes+Nikke · · Score: 2, Informative

      and get the receipt notarized for crying out loud!

      --
      Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    3. Re:By Hand by Repton · · Score: 4, Interesting

      Seriously --- why not? Stick the data into a truecrypt volume on a USB thumb drive (or USB hard drive, for big data). If the contractor is nearby, walk over and type the password in yourself. If not, courier it and use encrypted email to transmit the password (or just tell the guy over the phone).

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    4. Re:By Hand by jfinke · · Score: 2

      The name of the game is transferring the risk. ;)

    5. Re:By Hand by morgan_greywolf · · Score: 2, Funny

      Two words: Johnny Mnemonic.

    6. Re:By Hand by Ceriel+Nosforit · · Score: 2, Interesting

      No seriously. Not 'Funny', but 'Insightful'. If you care at all about security, you do not send your sensitive data over a hostile network. In fact, the data should never even be accessible from a hostile network.

      Minimum security in this case would be to require the receiver of the data to work with the data on a computer which is not connected to a network, because once malware infects their network no amount of encryption will keep the data safe.

      Put the data on physical media and have it delivered by a security company that does transport of valuables.

      Now if you were SERIOUS about the security, what I've mentioned previously being only minimum security, you would further require physical security at the receiver's location. Not just the security that placates insurance companies, but the kind that aims to actually PREVENT theft.

      --
      All rites reversed 2010
  5. How would I prefer to send sensitive data? by Orange+Crush · · Score: 4, Insightful

    Not at all if I could avoid it, that's for sure. Why can't the consultant import the data into the new package on-site? Even the most secure transmission method can't stop someone outside of your control exposing that data. I'd be talking to my HR people and begging them not to send this data out. Probably a good idea to talk to Legal too.

    1. Re:How would I prefer to send sensitive data? by Tex2000 · · Score: 5, Insightful


      The policy in my current company is that NO DATA is shared unless we have a "Non Disclosure Agreement" (NDA) signed with the company/consultant that needs to work with our data. Have your legal department prepare such an agreement with items such as penalties for improper use of the information.

      This kind of agreement sometimes scares consultants or companies, and it's cause for some struggle, but in the end if they can't handle the responsibility over your data then you should find someone who can.

  6. pgp on a dvd or flash drive by rboatright · · Score: 4, Insightful

    unless the data set is so large that the answer is pgp on an external hard drive shipped by fedex. and send the password by a SEPARATE CHANNEL. I prefer to send the key by TELEPHONE -- spoken, but that's up to you.

  7. Locally by thedarknite · · Score: 4, Insightful

    I'd get the consultant to come to the office. If the new software is going to be run onsite, there should be no reason why the data needs to leave. But if it does need to be taken offsite then having the consultant come in to collect it makes them responsible for keeping the data secure.

    --
    A game has objectives and is competitive, anything else is just play
  8. If she's cute.... by EmbeddedJanitor · · Score: 5, Interesting

    Take some of those fur-lined handcuffs too. Do it on a Friday and get the weekend.

    --
    Engineering is the art of compromise.
  9. Sending sensitive data isn't that hard. by Anonymous Coward · · Score: 3, Informative

    Send all the data via FedEx on a CD, in an encrypted file. Send the password via e-mail.

    Of course, this doesn't address the issues revolving around exposing all this data to your consultant to begin with.

  10. E-Mail by bluefoxlucid · · Score: 4, Informative

    Deliver the data by e-mail, but store it such that it's determined losing it does not present plausible risk. I mean what other options do you have? Authenticated download over SSL perhaps.

    PGP maybe. Say we PGP encrypt an e-mail. We now rely on the secrecy of the recipient's private key. This means we rely on the recipient's security infrastructure to properly protect a piece of data until the data we transmit has become non-useful (this includes destroying all copies of the key -- when actually done, we guarantee the key remains secret forever). Can we trust this? Not really.

    Well with SSL, the certificate gets verified against a CA signature. The client automatically establishes encryption in a secret way (randomly generated public key, sent to server, which sends a signed and encrypted session key) so we know no third party can eavesdrop, without any infrastructure on the client end. Now, this is where I pull up Ettercap in the next hotel room over, and the client clicks "Accept certificate temporarily for this session" when it warns him my MitM cert is self-signed. Again, can't trust this.

    Well, let's hand it off on a USB flash drive. Does he lose it? Leave it in his car? Hell, it's now on a storage system at another company with odd security practices. Again, out of your control.

    All solutions suck. Transport isn't an issue, it's ensuring data confidentiality at the destination (including any encryption keys used to secure the transport, as well as the decrypted data itself once stored at the other end).

  11. Public key is too complicated for a simple one-shot by RickRussellTX · · Score: 3, Insightful

    Simply use symmetric encryption (AES-256, for example) with a strong random key, then provide the key on a separate hand-delivered or voice-delivered medium.

    Public key doesn't really buy you anything in this case -- if somebody grabs their copy of the symmetric key, you're screwed. If somebody grabs their copy of the private key, you're screwed. Protecting the private key with an additional symmetric key doesn't make it more secure.

    But explaining to a clueless consultant how to keep a single key secure is a lot easier than trying to explain public key/private key operation.

  12. Simple... by Jane+Q.+Public · · Score: 3, Interesting

    If this is a manual task, and you are on a *.nix box or similar (OSX too), just use scp (Secure CoPy). If there are lots of files, package them first to make things easy (tar.gz or .zip or whatever), and just scp the file to the other computer. It takes the same parameters as ssh and uses ssh but was designed to just send files securely. With scripting languages you can also automate this process.

  13. Pinkerton by tverbeek · · Score: 4, Insightful

    Hand delivered by a trustworthy courier.

    --
    http://alternatives.rzero.com/
    1. Re:Pinkerton by jamesh · · Score: 2, Insightful

      Or, if the consultant is somewhere nice, hand delivered in person. "Sorry boss, I don't trust anyone else to deliver this keyring sized memory stick to Hawaii."

  14. OTP by Iamthecheese · · Score: 4, Funny

    Well, the first thing you need is physical security. I would recommend Blackwater for their premium quality goons. You'll need at least two platoons and a mortar squad. Then you'll want to hand-deliver a one time pad to their secure vault, with a completely off-network computer to do the decryption. You can solder off all the connections except a secure thumb drive for the OS and the DVD containing the OTP. You'll have to keep your own copy of the OTP in your own vault. And I highly recommend Windows ME on a Dell for the encryption routine.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
  15. GPG? The Open Source Version of PGP by NeverVotedBush · · Score: 5, Insightful

    I agree completely with Orange Crush. You let that data out and it is now subject to this other entity's security policy.

    If you are going to let it off-site, is there a contractual agreement regarding how the data will be protected? Are their security policies audited by a third party? Worst case, does your company's insurance cover financial losses due to a third party mishandling your data?

    I'd provide them with dummy data in the proper format to simulate your company's data and do like Orange Crush suggests and put data and application together only on your own premises.

    But if you can't/won't do that, I'd say encrypt the hell out of it and burn it to CD, and send it by registered courier where someone has to sign for it to acknowledge chain of custody. Send the key by an alternate method.

    Do you know this company's security policies? Are there any kind of investigations/background checks performed on its employees? If it is a small shop, what kind of firewall protection do they use? Is some programmer's kid using his laptop to play games on the Internet and download "free" screen savers or ring tones?

    I assume that your data is in there too. How would you want it handled and what would you consider doing legally to your company if the data was in any way mishandled and your information to find its way into some identity thief's possession or posted on the web? What if your identity were to be stolen and your accounts raided or your credit ruined?

    I know this probably sounds fairly paranoid and I'm sure a lot of people might suggest easier and less secure approaches, but the reality is that this kind of data is a target and far too many people do not properly protect their business computer systems because they just don't realize how pervasive intrusions and spyware are.

    How would you want your data handled?

    1. Re:GPG? The Open Source Version of PGP by NeverVotedBush · · Score: 4, Insightful

      There are a lot of good posts in this topic. Especially the ones about the legal issues.

      These days a big issue is CYA when it comes to people's personal data. As others have noted, be sure to investigate any laws that might define how the data must be treated if it has to go off site. Be sure that your management signs off on the procedure and be sure you can document it.

      The days of just letting people download data are long gone. And don't use FTP if you do. Use the secure version (sftp) and encrypt the data before it transfers. That way it's an encrypted tunnel carrying encrypted data. But I wouldn't recommend this method. I'd get a signed chain of custody with media physically delivered and assurances that all copies of the data are completely and securely destroyed and the original media returned when the job is finished.

      Best way is not to let the data out in the first place.

    2. Re:GPG? The Open Source Version of PGP by MyDixieWrecked · · Score: 4, Informative

      gpg/pgp is great for the transfer... however once it's in the person's inbox, you have no idea what they're going to do with it.

      Giving anyone other than my parents personal information about myself (credit card number/ SSN) over the phone pains me. It feels like I'm running a red light every time and I'd rather not do it.

      --
      ...spike
      Ewwwwww, coconut...
  16. Spy Style by bsDaemon · · Score: 5, Funny

    Encrypt the drive and put it in a locked case, handcuffed to your wrist. Have a second person carry the key to the handcuffs and to the case and take a separate train. Just for good measure, send out decoys for both yourself and the man with the key. Rendezvous at the consultant's headquarters.

    Don't forget to wear mirrored sunglasses.

  17. Re:Whatabout... by Cryacin · · Score: 2, Funny

    It's exceedingly simple ... All she has to do is mount the file and type in the password you give her. Why did I just picture a HR manager straddling a filing cabinet reaching for the keyboard?
    --
    Science advances one funeral at a time- Max Planck
  18. What about once it gets there? by Geek_engineer · · Score: 4, Insightful

    I would be much more worried about the security after you get the data there. How does the consultant protect his network (wireless???) and physical building? Does he keep the data encrypted so if a computer is stolen, it cannot be read? There are any number of good encryption methods to use in transmitting the data, then phone with the key.

    1. Re:What about once it gets there? by Swampash · · Score: 2, Insightful

      I would be much more worried about the security after you get the data there.

      Speaking as if I was the poster of the original question, I don't care what happens to the security after I get the data there. It's not my problem.

  19. Don't over think this by Alpha830RulZ · · Score: 4, Insightful

    If it were me, I wouldn't even be worried about FTP for a one time transfer. When was the last time, or the first time, you heard of someone sniffing sensitive data in mid transmission? The vast majority of compromise issues are due to compromise of files on a machine somewhere. You should be concerned about the work environment of the consultant, and procedures there, far more than how you get data to the consultant. Ad hoc work environments are usually far more lax in their controls than a production environment. HR departments are (in my experience) far less knowledgeable about how to protect data than IT types. This is where your risk lies.

    We use an SFTP server for transmission of financial data, and I don't lose a bit of sleep over it. You are at much higher risk for either your HR department or the consultant doing something stupid with the source or result files on their network. Your need is just to make sure that it doesn't happen on your watch.

    I would be more concerned about making sure that the HR folks and the consultant cleaned up their work files afterward.

    --
    I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
  20. Secure in layers by sthomas · · Score: 5, Insightful

    If you are required to transfer the data outside of your organization, then there are two areas of concern - confidentiality of the data in transit, and confidentiality of the data once it arrives and is in the consultant's control.

    Data in transit:
    Encrypting the data prior to transfer is highly recommended, so that when it arrives it is in a secured package, and it also reduces risk should an email be misaddressed or forwarded to an unintended recipient. For this part PGP is an excellent tool. You can encrypt using exchanged keys, or you can encrypt using a strong passphrase and then communicate that passphrase out of band (phone call is preferable, separate email is workable but less preferable). For the method of transfer, securing the channel of communications is another added layer of security on top of encrypting the data ahead of time. If you are using an interactive transfer like (S)FTP, it will protect the authentication credentials from prying eyes. Although someone intercepting the PGP encrypted file now may not be able to decrypt it, tomorrow's technology may make the task trivial, so protecting it is recommended. TLS-encrypted email from organization to organization is also a good choice, but may be beyond the scope of your project. However, if this will be an ongoing need, or if your HR rep is also passing confidential content in email, it's definitely worth looking into.

    Data Protection after Transit:
    Once the person has received the file, your data will continue to be at risk. Each copy they make of the encrypted file is another file that could potentially be moved outside of a controlled environment. Once they decrypt the data, the risk to your organization climbs as they strip away another layer of protection. At this point the processes the consultant has in place are critical to protecting your data, and lack of processes or sloppy adherence puts your organization at risk. I often use users' Outlook Sent Items to show how easily copies of data files propagate. Anywhere they store the data, encrypted or not, may be released outside of their environment when they dispose of hard disks or tapes, or if they have them replaced because they are faulty. We empower users with tools, and those tools can increase risk in unexpected ways.

    Remember the most important security rule - always protect in layers. Remind everyone to treat all data like it's their own banking information or cash money. Require your partners/vendors/consultants to meet or exceed all of your controls. Allow as few copies of data (encrypted or non-) as absolutely required for operational and preservation purposes. Continually remind everyone of the potential risk of data loss. Make sure users understand that there is no single security solution - encryption provides one layer of protection, but the best security is constant vigilance and treating your data like it's cash money.

    I would recommend you have a serious discussion with your HR rep, starting out by saying "I just want to be sure you're aware of the risk here, and we are doing everything we can to protect our company and our employees." Then spell out the risks without exaggerating, and remind him/her that it's situations like this where bad decisions end up in the newspaper. The first decision is "do we have to move this data outside of our organization?" and it should only be done if it's absolutely required. If it is, then layering security and requiring that your vendor/contractor treat it with the right level of sensitivity are all that you can do.

  21. PGP Universal Server or Tumbleweed by shumacher · · Score: 4, Interesting
    We wrestled with using GPG/PGP/X.509 and things like AES encrypted zip files for a while. No matter what, we couldn't trust:
    • That local users would create decent passwords
    • That remote users would be able to understand how to decrypt/open the documents
    • That users wouldn't send the password in the same email as the encrypted file
    We found marginal success with Office document encryption, but ultimately, things were nearly impossible to audit when people were doing their own encryption.
    We put a PGP Universal server with web messenger between our internal mailserver and our SMTP gateway, and set policies on what does and doesn't get secured. Aside from the occasional external user who is baffled by the concept of creating a passphrase, the server has been trouble-free. If you have to deal with arbitrary external mail recipients with unknown levels of clue, I highly recommend picking either PGP Universal or Tumbleweed.
  22. my pick by DragonTHC · · Score: 3, Interesting

    encrypted thumb drive.

    use truecrypt and create an encrypted file on a thumb drive. then if it gets lost, no one can retrieve it.

    --
    They're using their grammar skills there.
  23. What NOT to do... by cjb658 · · Score: 2, Funny

    Send a CSS encrypted iso of the data on a WEP encrypted wireless network that requires HDCP to display on her monitor with a signature generated by LM hashes from an unpatched, unfirewalled Windows 98 box.

  24. I agree - start by finding a new consultant! by arete · · Score: 5, Insightful

    I agree completely - getting the files TO the consultant securely is relatively easy... a GPG key exchange followed by a phone call can pretty simply ensure who they are as well as anything. (I mean, as well as you know who the company is now - it's whoever answers their phone number.)

    But then they HAVE the data, and if you care about your data, that's a problem.

    In a perfect world, I would start by finding a new consultant - one who wouldn't even consider RECEIVING such data through email. I suppose in a PERFECT world, there wouldn't BE such consultants.

    But failing that you need to lay out every security policy you think is important to secure your data, including INSIDE a network... firewalls, care with files, background checks on IT staff, background checks on the consultants. You need this laid out in excruciating detail. And you need it in the contract with them.

    Ideally YOUR company needs to do the background checks on their staff... At a minimum you need to do a really sound credit check of them and have your attorney draw up a contract where they indemnify you for any loss due to a breach and any attorney fees to defend against and to recover from it. Etc.

    Basically the same kind of due diligence you'd have for someone you were letting come in and install new servers and new firewalls on your site with access to everything you've already got. Or if they refuse to get up to a reasonable standard, you can tell them they need to do their work on your site.

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
  25. Red flag. by PeanutButterBreath · · Score: 5, Insightful

    If this consultant asked for this data to be sent via email in the first place, that is a big red flag to me. It suggests a pretty lax attitude towards sensitive data, possibly an indication of general cluelessness/laziness/hubris.

    Frankly, I would be a little suspicious of any person who wanted to take custody of this information at all if test data can be used instead. I would never take on that kind of liability if I didn't absolutely have to.

    In an environment where neither HR nor their contractor seem to have a clue, I would enumerate my concerns (in writing) and insist that they make the call (in writing). Too many weak links in this chain.

    1. Re:Red flag. by bugg · · Score: 2, Insightful

      Public key cryptography solved the key exchange problem years ago. Why send keys in the mail?

      --
      -bugg
    2. Re:Red flag. by SanityInAnarchy · · Score: 4, Funny

      Just so long as you at least verify fingerprints via the phone. Fingerprints aren't any more secret than the public key, but at least on the phone, a MITM insertion attack is much more difficult -- they would sound different.

      --
      Don't thank God, thank a doctor!
  26. Physical transport by Anonymous Coward · · Score: 2, Insightful

    In the hands of a bonded, insured, courier, into the hands of someone under a very draconian contract that spells out in a very big way what will happen to them if even a single record is leaked.

    Seriously, this is not something you want to ever push across a network that has untrusted eyes anywhere, no matter what your encryption policy. Heck, you need to keep your own employees away from it even on the local network.

    If the contractor is going to be putting it into new software that will run at your site, you need to bring the contractor into your facility to put the data in directly.

    If the contractor is still developing the software, then the contractor doesn't get a single row of real data.

    If the software runs somewhere else, you had better make sure that all appropriate measures are in place to safeguard the data, and you had better be REALLY sure that this offsite solution is the best option.

    Once you let even a teeny tiny bit of this data out where someone can take it, you're in for a world of hurt.

  27. Registered Mail by john.r.strohm · · Score: 3, Insightful

    I'd send it on CDs, by Registered Mail, the same way defense contractors and government agencies send classified stuff, for the same reasons.

    Yes, Registered Mail costs more. It is worth it. Registered Mail *EXISTS* for the sole purpose of shipping high-value items that MUST NOT GET LOST OR STOLEN. That is precisely what you have here.

    And for those of you in the peanut gallery: Yes, I have done Registered Mail. Several times. It is a pain in the ass. The Postal Service thinks it is a pain in the ass, and will try really hard to talk you out of it. I usually have to say "Registered Mail" two or three times before they figure out that I really do know what I want. I have had Postal Service clerks ask if I knew the difference between Registered and Certified. They were always very disappointed when they discovered that I *DID* know the difference, could explain it to them, and wasn't about to back down.

    If you are really paranoid, you send two packages, both by Registered Mail. One contains encrypted CDs. The other contains the decryption key. Or you split the data into two packages, that must be combined in a nonobvious way to reconstitute the data.

    But the KEY to the transfer is Registered Mail.

  28. It doesn't matter, you've already lost by Jerf · · Score: 5, Insightful

    If the consultant really expected you to email the data, and expressed even a modicum of surprise that you wouldn't do it, they've already disqualified themselves from being able to securely handle your data.

    Do you really think that this is the only flaw in their handling of sensitive data? That, otherwise, they are security conscious and careful, except for this odd flaw where they don't understand how insecure email is?

    If you care, it's time to change consultants.

    If you don't care, just email it already.

    (I'm actually not quite as rigid as this may sound out-of-context. I don't agree that security is all-or-nothing, so please don't strawman me that way. My second paragraph is important; anyone who expects those things emailed to them is so far away from the necessary knowledge and skills that debating whether they are close enough or whether they will be able to take reasonable care is a waste of time, arguing about whether the receiver made a touchdown when they got tackled on the 10 yard line on the wrong side of the field.)

  29. Re:encrypted filesystem on a USB drive by sconeu · · Score: 2, Informative

    Seriously, yes.

    Back when I worked for a defense contractor, FedEx was legal for shipping classified hard drives.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  30. Emailed? by e-scetic · · Score: 3, Insightful

    If I was that consultant my first question would have been how to transfer that data securely - but maybe that's because I know what I'm doing. Therefore, I'd be totally allergic to giving that data to this consultant, regardless of any non-disclosure agreement.

  31. What to do by hejish · · Score: 3, Insightful

    First, your company must have a policy. SSNs are sensitive data. Second, your company must have a contract with any folks not working for your company requiring that this data be protected in a manner compliant with your company policies. Third, the recommendation to have the consultant work on site or work with the data on site is appropriate. Requiring that the data NOT leave your site sounds very reasonable. If they are remote, use 2-factor authentication to get into such sensitive data and administration of systems.

  32. Re:Public key is too complicated for a simple one-s by pyite · · Score: 2, Insightful

    The right way to deliver a symmetric key is using an asymmetric key, like RSA, where no hand delivery is needed and it is very secure.

    Uh, only if you have public key infrastructure (i.e. pre-trusted authorities). I can generate shared secrets all day long with Diffie Hellman, but it really only helps me if I know that the recipient is not a man in the middle.

    --
    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  33. Secure FTP and PGP by carlzum · · Score: 2, Interesting
    I deal with a lot of healthcare data as part of my job. We use secure FTP for all transactions and PGP encrypt all of our files. We instruct external groups to decrypt the files to a secure location on a secure machine. There's no guarantee the application or desktop user downloading the file is on a secure system. Encrypting the file prevents someone from accidentally leaving the file on a laptop or network folder.

    I see a lot of posts suggesting you mail or hand-deliver the files on disk. In my experience more data is leaked through lost mail and courier mistakes than by hackers.

  34. Old Grouch Here (Or maybe Old Farte) by beadfulthings · · Score: 2, Informative

    I wouldn't send it to her at all. I'd take it to the consultants and stick around while it's being used, or have them come to my facility to use it under my control and conforming to my policies and procedures. You can use the most ultra-secure encryption you want, and you've got no clue as to what's going to happen as soon as the data gets to the other side. The first rule of security has always been "install a good lock on the door to the computer room." The other platitude that applies here is "good fences make good neighbors." Or in other words, if the consultants don't like your security, you probably need new consultants. The idea of taking the data away from the premises, loading it into a brand-new package, and then bringing the whole thing back inside just gives me the heebie-jeebies. Your HR people need you to tell them this. That's why they're doing HR and you're doing IT.

    --
    "Here's what's happening. You're starting to drive like your Dad..." - Red Green
  35. Don't send it to a consultant who would ask .... by CFD339 · · Score: 5, Insightful

    ...by email.

    This consultant wanted you to send it to them? I've been a consultant and developer for nearly 20 years. I would NEVER EVER ask for data like that to be sent to me. I wouldn't want to be anywhere near owning that kind of responsibility for someone else's critical data. You couldn't make me take it if you tried.

    Your biggest problem, as pointed out by others, isn't the in-transit data but rather what it does once the consultant gets it. If he's so unaware of modern security best practices as to ask you to send it to him, it's a fairly sure bet that his environment and practices are nowhere near good enough.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  36. MY GOD!!! by Jane+Q.+Public · · Score: 2, Insightful

    What overkill. People recommending multiple-step, even multiple-encryption, systems. And software that needs installing and configuring on both ends. And so on.

    As long as the file gets there safely, you don't care what they do with it on the other end, right? (That is the most common scenario.)

    So these people are trying to shoot ants with cannons. Massive overkill. REALLY all you need is scp, and unless you are running Windows, it is already built-in and needs little if any configuration. It's ready to fly.

    You would be hard pressed to get better security during transmission, and when it gets to the other end it is in its original form. No messing with keys or pads, no UN-encryption, in fact nothing at all for them to do. Send it via scp and there it is. All you need is for them to give you a username and password, which is a hell of a lot simpler than some of those other ideas.

  37. How will the data be sent back? by scrib · · Score: 3, Interesting

    If you're sending data to a consultant for processing, how do you expect the consultant to return the finished product to you? You can be as paranoid as you want and totally ineffective if next week the consultant emails you an unencrypted MDB file.

    The other replies make a lot of sense in pointing out that your security policy is only as strong as the consultant's weakest link. Can someone potentially sniff the email as it goes by? Sure. Is anyone actually watching? Probably not.

    PGP or GPG keys sent via email are always vulnerable to "man in the middle" attacks unless you verify the fingerprints through other secure channels, etc and so forth. Is anyone taking the trouble to do that for access to your data? No. Seriously.

    You could probably even get away with putting all the data into a single ZIP file, and then putting THAT single ZIP file into a password protected ZIP file. (If you have more than a few files in a password protected ZIP file, there are apps out there that can do some comparisons and crack them open in moments.) One file in a ZIP, with a strong password given over the phone, should keep out the nosy and all but the more educated hackers. The educated hacker already has access to your system after asking HR's password on a "support" call.

    I'd agree with the masses - GPG. However, it is VITAL that the consultant knows to encrypt the data sent BACK or it is just a waste of time. Good luck!

    --
    Help! Help! I'm being repressed!
  38. too lazy to do key management ... used voltage by zir0z · · Score: 2, Informative

    I had a similar exercise that I went through a couple of years ago with a former employer (10k+ primarily non-technical user base, financial services company, approx 1mm outbound messages per day including automated processes, approx 30%+ contained sensitive info like acct numbers and SSNs that needed to be encrypted, and recipients were a mix of corp users and users that used free email accts as their primary address).

    Email was pretty much the file transfer mechanism of choice for the business (for better or worse).

    Major issues from my team (Info Sec):
    1) how do we stay out of the key management business (anybody that has been to the key ring, PKI, certificate, etc. management barbecue knows what I am talking about here)
    2) that we get all the mail off of our systems at the time of delivery (basically, in the wild world of e-discovery, we did not want to have to get into managing other company's 'sensitive emails')
    3) no software required on the recipient's machine

    I have used, tinkered with, been burned by, loved, and hated pretty much all the top players in this space... but based on our requirements and my personal motivation to just solve my email encryption problem and go back to my other work without needing to tie up resources to support users that were now using the implementation... I went with Voltage (http://www.voltage.com). It took two change control windows to get it into prod (one to test, and one to go live). For the sensitive email traffic that was not handled by gratuitous SSL/TLS (roughly 100k+ messages per day) we used Voltage at the gateway with users entering a key word in the subject line to encrypt. It took a little bit of training and some internal showing of dirty laundry, but users eventually caught on... and within about 3mos of implementation we were dealing with high 100s to low 1000s of user violations. We could have dropped the number to 0 by rigging our DLP product into the mix and forcing all remaining sensitive data flagged by our DLP solution to go through Voltage, but the business was happy with the drop in violations and did not want to do that.

    In short, we dropped our plain text email violations from about 300k+ per day to about 1k per day, nobody had to do the key management dance, and no residual customer email was left in our environment. As a side note, Voltage also has a SAAS product that is completely managed by them that we referred our power recipients and business partners off to... once again, no work there for me or my team. ;) At the time that I left, we had the solution in play for 3 years and only had about a half a dozen support tickets opened on the solution - and basically, they were from users that did not read the web page they were looking at.

    Hope this gives a decent data point for your issue.
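
    The gateway behaviour described in the post above (a subject keyword forces encryption; everything else leaving in plain text is scanned and counted as a violation), as an added example that is not part of the post or of Voltage's product. The `[secure]` keyword, the `example.com` internal domain, the SSN and account-number patterns and the sample messages are all constructed assumptions.

```python
"""Outbound mail policy check in the style of the gateway described in post 38.
Added example; keyword, domain, patterns and messages are constructed assumptions."""
import re
from collections import Counter

ENCRYPT_KEYWORD = "[secure]"     # assumed subject trigger; the real keyword is not on the page
INTERNAL_DOMAIN = "example.com"  # assumed: mail that stays inside this domain is not scanned

# SSN: excludes area 000/666/9xx, group 00 and serial 0000 (the never-issued ranges)
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# account number: a label followed by 8 to 12 digits (deliberately narrow, constructed pattern)
ACCT_RE = re.compile(r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*:?\s*(\d{8,12})\b",
                     re.IGNORECASE)


def find_sensitive(text):
    """Return the sensitive tokens found in text, keyed by type."""
    return {"ssn": SSN_RE.findall(text), "account": ACCT_RE.findall(text)}


def disposition(msg):
    """Decide what the gateway does with one outbound message:
    'internal'  - every recipient is inside INTERNAL_DOMAIN, no policy applies
    'encrypt'   - the sender asked for encryption with the subject keyword
    'violation' - would leave in plain text but carries an SSN or account number
    'deliver'   - nothing sensitive found, send as-is"""
    external = [r for r in msg["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return "internal"
    if ENCRYPT_KEYWORD in msg["subject"].lower():
        return "encrypt"
    found = find_sensitive(msg["subject"] + "\n" + msg["body"])
    if any(found.values()):
        return "violation"
    return "deliver"


def gateway_report(messages):
    """Tally dispositions, the figure post 38 tracked as daily plain-text violations."""
    return Counter(disposition(m) for m in messages)


# Constructed sample traffic: one of each disposition, plus a false-positive probe.
SAMPLE_MESSAGES = [
    {"to": ["client@mail.example.net"], "subject": "[secure] Account statement",
     "body": "Statement for acct 123456789012 attached."},
    {"to": ["client@mail.example.net"], "subject": "Re: onboarding",
     "body": "Your SSN on file is 123-45-6789, please confirm."},
    {"to": ["hr@example.com"], "subject": "Re: onboarding",
     "body": "SSN 123-45-6789 for the new hire."},
    {"to": ["vendor@mail.example.net"], "subject": "Lunch Thursday?",
     "body": "Order #20240312 was the catering reference, not an account."},
    {"to": ["vendor@mail.example.net"], "subject": "Follow up",
     "body": "Please send account 00012345678 the paperwork."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{disposition(m):10s} {m['subject']}")
    print(dict(gateway_report(SAMPLE_MESSAGES)))
```

    The internal-only message is not scanned at all, which mirrors the post's point that the DLP scan was only wired to traffic leaving the organisation.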

  39. Don't send it at all by elronxenu · · Score: 4, Insightful

    You are about to send sensitive data to a third party who will load it into a new database and send you back the database. That's insane.

    You need to bring the destination (the database) in-house. Either load the data yourself, or get the consultant to come in-house to load the data. Under no circumstances should the sensitive data travel outside your network boundary. It's not a question of "how strong is my encryption" at all.

  40. AES 256 by Heembo · · Score: 3, Insightful

    WinZip with AES 256 encryption using a very strong password delivered via phone is sufficient in some situations.

    --
    Horns are really just a broken halo.
  41. S/Mime by jonoton · · Score: 2, Insightful
    Funnily enough I've been asked pretty much the same question.

    Slightly different scenario, in this case it's payroll information being sent to the company that deals with the payments.

    The "consultants" suggested emailing it, when I said that wasn't going to happen they suggested putting it on an ftp site. (What the hell are we paying them for?)

    As the people involved at both ends are not IT people and are all on Windows, PGP isn't really an option, but S/Mime is. It also gives the advantage that you can say - go buy an email certificate from this website (pointing them at verisign/globalsign/another-t-t-p) and let them worry about the authentication issue.

    S/Mime is integrated into all the common MUA software these days, certainly anything they'll be using on Windows, and it's really quite easy to use.

    The downside of it is that the security of the system boils down to key management & users. Once you've told them it's ok to email this information how do you guarantee that it's been sent encrypted?

  42. Not by email... by Secret+Rabbit · · Score: 2, Insightful

    ... is what people seem not to get/missed.

    1) Strongly encrypt the data via your favourite method

    2) Set up an SFTP with a user name/strong password for the consultant*

    3) Send the user name/strong password to him/her via email (PGP/GPG)

    4) Keep the login log in a very safe place, along with any other email exchange, keys, etc that show the transfer has occurred and by whom.

    * If you want to have an even better "paper" trail, have them send you the IP of the host that they will be logging in from and limit access to just that host. Also make sure that this IP is verifiably owned by the consultant firm. Keep the verification.

    If all of the above is done, you have made sure that the login has been done through the only *one* IP allowed (owned by the consultant firm), through a login that only one person has. So, any fuck-ups are theirs and theirs alone.

    But, if possible, I'd also require them to keep the data encrypted and only decrypted for use, preferably not to an HDD (RAM disk). Not to mention any other mechanism that you can think of. Also make sure that the paperwork requires any and all requirements to be applicable to any subcontractors as well as any of the subcontractors' subcontractors, etc. Because these consulting firms have a rather poor track record of keeping this data secure. And if they don't do it, and bad things happen, there is legal recourse on your part (as well as possibly the people whose data it is).
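
    The login paper trail described in the post above, as an added example that is not part of the thread: a small Go program that checks sshd's authentication log against the single account and single consultant-owned source IP the post calls for, flagging any accepted login from another address or another account, and every failed attempt. The log lines, the account name hrconsult and the IP 203.0.113.7 are constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in OpenSSH's auth-log format (not taken from the
// thread). The transfer host should only ever see one account, hrconsult,
// logging in from the one IP the consultant firm registered, 203.0.113.7.
const sampleAuthLog = `May 22 09:14:02 xfer sshd[4311]: Accepted password for hrconsult from 203.0.113.7 port 50212 ssh2
May 22 09:14:05 xfer sshd[4311]: subsystem request for sftp by user hrconsult
May 22 09:31:47 xfer sshd[4390]: Accepted password for hrconsult from 198.51.100.23 port 40110 ssh2
May 22 10:02:11 xfer sshd[4422]: Failed password for root from 198.51.100.23 port 40290 ssh2
May 22 10:05:58 xfer sshd[4460]: Accepted publickey for admin from 203.0.113.7 port 50399 ssh2`

// allowed maps each permitted account to the single source IP it may use.
// Hypothetical values for the illustration.
var allowed = map[string]string{"hrconsult": "203.0.113.7"}

var (
	acceptedRe = regexp.MustCompile(`sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+`)
	failedRe   = regexp.MustCompile(`sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+`)
)

// Finding is one log line the reviewer of the paper trail must look at.
type Finding struct {
	Line   string
	Reason string
}

// Audit walks the log and reports: accepted logins by an account outside the
// allow-list, accepted logins for an allowed account from the wrong IP, and
// every failed attempt. Clean lines produce nothing.
func Audit(log string, allow map[string]string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		if m := acceptedRe.FindStringSubmatch(line); m != nil {
			user, ip := m[2], m[3]
			want, ok := allow[user]
			switch {
			case !ok:
				out = append(out, Finding{line, "accepted login for account not in allow-list: " + user})
			case ip != want:
				out = append(out, Finding{line, fmt.Sprintf("accepted login for %s from %s, registered IP is %s", user, ip, want)})
			}
			continue
		}
		if m := failedRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{line, fmt.Sprintf("failed %s attempt for %s from %s", m[1], m[2], m[3])})
		}
	}
	return out
}

func main() {
	for _, f := range Audit(sampleAuthLog, allowed) {
		fmt.Printf("%s\n    %s\n", f.Reason, f.Line)
	}
}
```

    Run it over the real auth log after the transfer window and file the output with the rest of the paper trail; on the constructed input it reports the login from the unregistered address, the failed root attempt and the unexpected admin login, and nothing for the legitimate session.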

  43. Dropbox is simple enough by SethKinast · · Score: 2, Informative

    I've been using Dropbox to move stuff between laboratories that needs to be updated by more than one party. It's all encrypted and stored server-side, and it's pretty much transparent to the end user since you just drop files into what looks like a normal folder. That eschews all the complexity of PGP or making FTP users, and is secure as long as physical access to the machines is locked down.

  44. PGP yet again .. with some real world examples by johnlcallaway · · Score: 3, Interesting

    I have worked for two different companies that sent ACH (EFT) type transactions worth tens of millions of dollars over the internet. We used an SSL HTTP web site for the transfers, and encrypted AND signed the packets with PGP keys. That way, when we got the packet, we could decrypt it AND verify the originator.

    I'm sure if someone worked hard enough they could have broken it, but since the firewall would only allow connections from specific IPs, it would have been tough to inject data into the system.

    This meant that the biggest threat wasn't someone stealing the raw data, but someone on the inside gaining access to the data after it was processed or was being processed and possibly in an unencrypted state. The DBA used some type of Oracle encryption to prevent someone gaining access to the database and being able to run SQL queries and return unencrypted data without some type of key (I don't know how it worked ... sorry.) And unencrypted data was never allowed in the DMZ. I'm not sure how long unencrypted data may have been on app servers or in memory, but I remember security and the developers having a lot of conversations about it.

    So .. don't stop at just the transmission. Security has to be looked at from source to destination and archival.

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
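
    The "encrypted AND signed, then decrypt AND verify the originator" packet flow from the post above, as an added example that is not the poster's code and not PGP: it uses Go's standard library with Ed25519 for the signature and X25519 plus AES-256-GCM for the encryption in place of OpenPGP, and a plain SHA-256 key derivation for brevity where production code would use HKDF. The envelope layout, key names and the stand-in ACH payload are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey is a deliberately minimal KDF for the illustration: SHA-256 over
// the X25519 shared secret and both public keys. Production code would use HKDF.
func deriveKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs payload with the originator's Ed25519 key, then encrypts
// signature||payload to the recipient's X25519 public key. Signing first hides
// the signature inside the ciphertext so it cannot be stripped or swapped
// without breaking the GCM tag. Envelope: ephemeralPub(32) || nonce(12) || ciphertext.
func Seal(payload []byte, signer ed25519.PrivateKey, recip *ecdh.PublicKey) ([]byte, error) {
	sig := ed25519.Sign(signer, payload)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recip)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(deriveKey(shared, eph.PublicKey().Bytes(), recip.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := append(append([]byte{}, eph.PublicKey().Bytes()...), nonce...)
	return gcm.Seal(env, nonce, append(sig, payload...), nil), nil
}

// Open decrypts with the recipient's X25519 key and only then verifies the inner
// signature against the originator's known public key; failing either step rejects
// the packet before any processing happens.
func Open(env []byte, recip *ecdh.PrivateKey, originator ed25519.PublicKey) ([]byte, error) {
	if len(env) < 32+12 {
		return nil, errors.New("envelope too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env[:32])
	if err != nil {
		return nil, err
	}
	shared, err := recip.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(deriveKey(shared, env[:32], recip.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env[32:44], env[44:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: altered in transit or not addressed to us")
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("no signature present")
	}
	sig, payload := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(originator, payload, sig) {
		return nil, errors.New("signature invalid: originator not verified")
	}
	return payload, nil
}

func main() {
	origPub, origPriv, _ := ed25519.GenerateKey(rand.Reader)
	recip, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// Constructed stand-in for an ACH batch; not real transaction data.
	env, _ := Seal([]byte("ACH-BATCH-0001,1250000.00"), origPriv, recip.PublicKey())
	got, err := Open(env, recip, origPub)
	fmt.Printf("payload=%q err=%v\n", got, err)
}
```

    The receiving side holds only its own X25519 private key and the originator's Ed25519 public key, so a packet built by anyone else decrypts (if at all) to a signature that fails verification, and a single flipped byte in transit fails the GCM tag first; the IP restriction the post mentions stays as a second, independent control at the firewall.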
  45. bzip, split and send three ways, scp, email, pendr by refactored · · Score: 3, Funny
    1. write wee scriptie that splits a file 3 ways byte 1 to file 1 byte 2 to file 2 byte 3 to file 3 byte 4 to file 1 ....
    2. write wee scriptie that merges them again.
    3. email scriptie to consultant.
    4. tar bzip2 the files.
    5. cut out 4 bytes from the middle of the tar ball.
    6. hex dump the 4 bytes and read them to him over the telephone.
    7. split the cut down tarball three ways.
    8. scp one to him, give him an https url for another, put the third on a usb pen and snail mail it.
      1. When he totally freaks out and starts screaming. Rename the file to GrowYourPenisNow.doc, spoof the From: header to be from hotmail.com, add a subject line V1agra and send.

        Nobody will ever bother to read it.

  46. Don't send it by deboli · · Score: 2, Interesting

    Don't move the data, move the consultant. Prepare a work space and ask the consultants to work in your office. As soon as data leaves your system you have no guarantee that it will not be passed on. Data transfer is the least of your problems.

    Additional issue: Sending raw data out is easy (many ideas have been voiced in this forum) but how are you getting it back? Tables to import? Live link between your company and the consultants? Incremental? Is this a one-off or a continuing effort?

    Regards, Oliver

  47. Secure connection to YOUR network by Slotty · · Score: 2, Interesting
    You don't allow them to take it off site!

    Secure VPN tunnel and some form of remote desktop if it's GUI based,or SSH in if it's terminal based.

    In a world of highspeed connections and cheap hardware there's no excuse for anything to leave the confines of your network where you as the person in charge of security remain the person in charge of the security.

  48. SFTP, PGP or bust by StealthyRoid · · Score: 2, Insightful

    I agree with the few posts I've read that've recommended PGP, but there's an easier alternative if you don't want to go through the hassle of setting up PGP keys for non-technical users: SFTP. It runs over SSH, so you're as secure as you would be when logged into a shell, and it doesn't matter which one of you has which side of the connection (client/server, I mean). There are probably some auxiliary benefits to SFTP, like controlling at least one place where the document is stored (as opposed to having it sit on some random company's email server, even in encrypted form), but the ease of use is probably the main reason to use it.

    I'd probably be persuaded that the overall benefit of spreading the use of encrypted and digitally signed email is greater than the effort put into explaining to Suzy Secretary how to install Enigmail.

  49. NO! not PGP not SFTP. by emj · · Score: 2, Insightful

    You are missing the point, the worst thing that happens to the data is when it arrives at the consultant. These kinds of databases are something everyone sees value in, and making a copy is trivial. (Even though the consultant's laptop isn't on the network, and not plugged into power)

    Make it very clear that this data can not be exposed. See some good posts:

    http://ask.slashdot.org/comments.pl?sid=560624&cid=23500514
    http://ask.slashdot.org/comments.pl?sid=560624&cid=23500510
    http://ask.slashdot.org/comments.pl?sid=560624&cid=23500324

    1. Re:NO! not PGP not SFTP. by cybercat13 · · Score: 2, Insightful

      Good point, however, the point needs to go further. Sensitive data should not be electronically transmitted without the approval of one management level higher than the requestor. Also, the request should include a signed MOA as to what the data is to be used for and how the data will be handled otherwise the sender of sensitive data can be held liable for the release of the data.

  50. Simple, Could Be Expensive by no1home · · Score: 2, Funny

    Encrypt the file with PGP and put it into a TrueCrypt container on a USB stick that requires a thumb-print for access and which is wrapped in a condom and 'hand' delivered by the 'mule' via the usual hidden methods. The access codes are encrypted into an image file delivered by uploading it to a porn site, the location of which is emailed to the intended recipient with a note saying something like, "Hey, check out this babe I was with last night."

    --
    I hope this comment is well received... I could have moderated instead!

    Persecutors will be violated!
  51. Encrypt, encrypt, encrypt... by JWSmythe · · Score: 2, Interesting

    IF (big IF) you can trust the outside network with the data, which I would consider to NOT be true in 99% of the cases, you could implement what I laid out on one of my sites. Check out http://cryptmsg.com

        Completely open source, implement as you'd like.

        Basically, you give them multiple keys, each by different methods (phone, fax, in person, postal mail, IM, etc), and you select the encryption methods. You encrypt the message on an off-line machine, and pass it to an online machine for delivery. The encrypted message goes out through any unsecured channel (i.e., email). They decrypt on their offline machine and now they have the message. All in all, it could be an easy and secure system. Since my code is open source, you can rehash it any way you'd like.

        This is pretty much what I wrote it for. Secure, unbreakable transmissions over unsecure networks, where it's a given that someone will intercept it.

        I include an encrypted message in my tagline. I'll Paypal $10 to the first person who cracks it.

        My biggest concern would be that they're reading it on a machine that has Internet access. You can secure your servers like Fort Knox, but we all know perfectly well that every foreign machine is suspect. That's a risk you have to be willing to take.

        I've seen sites that provide "secure" data on demand to authenticated users, over SSL via their web browser. You can key it to the end user's IP, and require a user:pass, but there's still potential for abuse.

        If your information is that sensitive, you should only allow access:

    1) If they are on the secure portion of your network
    2) That part of the network does not have Internet access
    3) You have a strong security policy for that part of the network
    4) You have a strong security policy for the workstations on that part of the network.

        Since that doesn't usually fly in the business world, you'll have to make the exceptions, which you're asking about. Make sure you have upper management approval in writing for the exceptions that you are going to make, so when it hits the fan, you are not the responsible party.

    --
    Serious? Seriousness is well above my pay grade.
  52. Do you want theory or reality? by pla · · Score: 2, Informative

    First, to every other respondent so far - Know your audience. Non-geeks do not use PGP (hell, only a small fraction of geeks even use it), and most people only use SSL when/if their browser makes it 100% transparent. Don't even mention those, you'll just confuse the intended recipient and get nothing accomplished.

    For the "real" answer - Using WinZip, pick 256-bit AES encryption and zip your file. Then send it via regular email, and call the recipient with the password (and although you don't need to pick an easy password, prepare to have to repeat it a few dozen times if you choose anything even remotely secure).

    That satisfies any privacy/data security laws applicable to the situation, including HIPAA (presuming the recipient actually has the right to access the requested data) if this happens to involve sending medical records. No, not a glamorous solution, but it works.

  53. Send to another person... by Yvanhoe · · Score: 2, Insightful

    It is of no use to set up a secure channel if the person you are sending to doesn't understand why you would like to secure these data

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  54. Let me get this straight... by ocbwilg · · Score: 2, Insightful

    Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

    Your consultant wanted you to email the personal data to them to begin with? Well, first on the wish list would be a new consultant, preferably one who takes security seriously enough to not ask that confidential personal data be sent via email. It's not like they don't know what kind of data they have there, and the lack of consideration for security in acquiring the data from you does not bode well for how it will be handled once they have it. I would probably require that they either come on site and work with the data via your machines on your network, or I would demand a partnership agreement with them that spells out hefty penalties if they fail to follow specified security practices, especially if that failure leads to data compromise.

  55. stanglover by stanglover · · Score: 2, Interesting

    to be honest, if you are truly concerned about the security of everyone's SSNs and personal information, you can always turn to an archaic form of secure correspondence: certified mail. every person who handles certified mail must sign for it in ink, and it is a Federal Felony to lose/misplace/steal certified mail. Don't quote me on this, but I think the US military has approved certified mail as one medium of transporting items labeled "SECRET". Given this method will take more time, but the end result will be probably the best solution to security of the data in transit. if you hate the consultant, print off the data and mail it to him, and if ya wanna be nice, just toss a CD in mail.

  56. hold it by nguy · · Score: 2, Informative

    I hope your scp setup has chroot cages set up, because otherwise, your clients can go poking around the rest of your SCP server and potentially do all sorts of damage.

    You can use chroot as an additional security blanket, to protect against possible bugs in scp. But if you don't use chroot, that doesn't mean "your clients can go poking around the rest of your SCP server". Furthermore, there are many alternatives to chroot, including vserver and AppArmor.

    chroot cages are built in

    There are plenty of webdav implementations that do not come with chroot.

    I'm sorry, but a little knowledge is dangerous when it comes to security, and your blind faith in chroot is dangerous. Chroot is neither necessary nor sufficient for ensuring security.

    1. Re:hold it by nahdude812 · · Score: 3, Informative

      Nor is chroot intended as a security tool, even though it's widely used as such. It's quite possible to break out of chroot jail.

  57. Re:PGP -- step three revealed! by Anonymous Coward · · Score: 3, Funny

    I think I can help here: step 3 is: 'apply copious amounts of lubricant'.

  58. Zixmail by dlur · · Score: 2, Interesting

    Three years ago I would have said PGP. Today I'd email this using Zixmail encrypted email if the file size was under 5MB. If the file was over 5MB I'd zip the data with Winzip to an AES256 encrypted file, burn it to a CD/DVD, send it via courier by Fedex/USPS/UPS/etc, and send the encryption password out of band via email or phone.

    --
    Duris MUD - The best pkill MUD. Ever.
  59. This is really simple, people by flappinbooger · · Score: 2, Interesting

    Just zip it all up and password protect it, come on!

    -ducks-

    --
    Flappinbooger isn't my real name
  60. You need a security policy. by DangerTenor · · Score: 2, Informative

    I can't stress this enough. You need a company information security policy.

    Your information security policy should at a minimum cover the following items:

    • Definition of critical business information (CBI)
    • Definition of personally identifiable information (PII)
    • Who can and cannot have access to CBI and PII
    • How CBI and PII must be protected when stored
    • How CBI and PII must be protected when transmitted
    • How systems which store, transmit, or process CBI and PII must be protected to ensure the safety of the information (e.g. anti-virus, disk encryption, firewalls, etc.)

    I plan to write a blog post today or tomorrow at our blog, http://securitymusings.com which will go into a little more detail on this.

    Now for a direct answer to your question: strongly encrypt the data using a 128-bit (or longer) standard encryption algorithm such as 3DES, AES, or Blowfish. If you are using password-based encryption, use a long and random password, such as those generated by any good password generation application. (GRC has a web-based one.) Use at least 20 random characters to create a sufficiently entropic password. Communicate the password out-of-band, such as via telephone, fax, or mail/fedex. There are lots of available tools to do proper encryption, such as PGP/GPG, WinZip, etc. Use one, don't write your own.

    --
    Check out our infosecurity industry blog: http://securitymusings.com/
  61. DVD/hand carried by klubar · · Score: 2, Insightful

    Actually if you use USPS registered mail you'll get a traceable route of the data. If the data is super valuable, you can contract with a secured courier (think armored truck) to transport the CD. We occasionally do work for financial services firms, and since they already have a armored truck courier service for moving cash, it's easy for them to schedule a pick up with an armed guard.

    Even if the CD is stolen, it's still encrypted--and armored trucks (especially ones carrying data) are rarely held up--and they have insurance.

  62. Why is this considered a challenge? by HEbGb · · Score: 2, Insightful

    This is really dumb. Just encrypt the file using any number of techniques (sheesh, even WinZip has decent encryption now) and email it. Then call him on the phone with the password.

    This isn't rocket science, folks.

  63. That's easy by Minwee · · Score: 2, Interesting

    Just follow UK government standards and write all the data on a CD or two then stuff them in the regular mail.

    Honestly, what could possibly go wrong?

  64. Not SFTP by jotaeleemeese · · Score: 2, Informative

    It is vulnerable to man in the middle attacks, unless you buy a commercial solution with host authentication.

    I have no expertise with setting up VPNs, but a similar situation may arise.

    --
    IANAL but write like a drunk one.