Secure Data Transmission

1
Secure Data Transmission

• James Matheke
• Information Security Architect
• Ohio Department of Job and Family Services

2
IT Security ManagementCritical Success Factors

• Managing Confidentiality, Integrity, and
  Availability of IT Services and Data
• Providing Security Cost Effectively
• Proactively Addressing Security Improvements
  Where Needed

Source ITIL
3
How to Share Data Securelywith Other
Organizations

• Key Findings
• If the IT organization does not proactively
  address the issue with policies and practical
  alternatives, then end users will obtain their
  own mechanisms for sharing sensitive information
  externally, resulting in unwanted and potentially
  harmful data leakage.
• A growing variety of convenient and
  cost-effective technologies enable data owners to
  control the use of their data, even when it is
  accessed and modified on noncorporate PCs.
• Despite availability of technical solutions, lack
  of appropriate care is the primary cause of
  unintended data leakage. The most significant
  control is to ensure that your staff and their
  external partners are aware of the problem, are
  willing to help prevent data leakage and know how
  to share information safely.

4
How to Share Data Securelywith Other
Organizations

• Recommendations
• Implement a policy and educational campaign to
  ensure that employees perform a careful risk
  analysis before sharing sensitive data with
  external audiences.
• Begin experimenting with mandatory forms of data
  protection technology.
• Look for practical mechanisms to detect and
  reduce inappropriate use of information through
  access controls and activity monitoring,
  remembering that highly motivated persons will
  always find ways to circumvent controls.

Source Gartner
5
What are Your Four GreatestFile Transfer
Concerns?
Source Ziff Davis
6
FTP Use is GrowingDespite the Risks

• FTP is not secure
• FTP is not free
• FTP is unreliable
• FTP is unmanaged
• FTP is susceptible to security breaches

7
Secure File TransferControl

• End User
• Manual
• Automated
• System-to-System
• Centralized System

8
Secure File TransferMechanics

• File Encryption (e.g. WinZip)
• Network
• Private Line with or without Encryption
• Virtual Private Network (VPN)
• Site-to-Site
• State Wide
• Remote Access

Source Gartner
9
Secure File TransferMechanics

• Application/Protocol
• SFTP (Secure FTP over SSH)
• Private/Public Keys
• FTPS (Secure FTP over SSL)
• Certificate
• HTTPS (HTTP over SSL)
• Password
• Proprietary (e.g. Sterling ConnectDirect
  Secure)
• Private/Public Keys

10
Secure File TransferBest Practices

• Ensure Confidentiality and Integrity of data both
  at rest and in transit.
• Ensure authenticity of all users and processes
  involved in your transactions.
• Implement appropriate access control and
  authorization throughout the transaction
  lifecycle.
• Minimize performance and availability cost
  created by the security controls.
• Implement a centralized system to deploy,
  maintain, and monitor security components.

Source SSH
11
Secure File TransferChecklist

• Contract/Agreement for data sharing
• Ensure perimeter security at the DMZ
• No storage of data in the DMZ
• Harden the System/Server
• Log and audit usage
• Eliminate anonymous users
• Leverage existing security infrastructure (e.g.
  LDAP)
• Use strong authentication
• No hard coding of credentials in scripts