How Would You Prefer To Send Sensitive Data? 542
sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"
PGP (Score:5, Insightful)
How would I prefer to send sensitive data? (Score:5, Insightful)
pgp on a dvd or flash drive (Score:4, Insightful)
Locally (Score:4, Insightful)
Re:Public-key crypto (Score:1, Insightful)
Public key is too complicated for a simple one-shot (Score:4, Insightful)
Simply use symmetric encryption (AES-256, for example) with a strong random key, then provide the key on a separate hand-delivered or voice-delivered medium.
Public key doesn't really buy you anything in this case -- if somebody grabs their copy of the symmetric key, you're screwed. If somebody grabs their copy of the private key, you're screwed. Protecting the private key with an additional symmetric key doesn't make it more secure.
But explaining to a clueless consultant how to keep a single key secure is a lot easier than trying to explain public key/private key operation.
Pinkerton (Score:5, Insightful)
Re:How would I prefer to send sensitive data? (Score:5, Insightful)
The policy in my current company is that NO DATA is shared unless we have a "Non Disclosure Agreement" (NDA) signed with the company/consultant that needs to work with our data. Have your legal department prepare such an agreement with items such as penalties for improper use of the information.
This kind of agreement sometimes scares consultants or companies, and it's cause for some struggle, but in the end if they can't handle the responsibility over your data then you should find someone who can.
GPG? The Open Source Version of PGP (Score:5, Insightful)
If you are going to let it off-site, is there a contractual agreement regarding how the data will be protected? Are their security policies audited by a third party? Worst case, does your company's insurance cover financial losses due to a third party mishandling your data?
I'd provide them with dummy data in the proper format to simulate your company's data and do like Orange Crush suggests and put data and application together only on your own premises.
But if you can't/won't do that, I'd say encrypt the hell out of it and burn it to CD, and send it by registered courier where someone has to sign for it to acknowledge chain of custody. Send the key by an alternate method.
Do you know this company's security policies? Are there any kind of investigations/background checks performed on its employees? If it is a small shop, what kind of firewall protection do they use? Is some programmer's kid using his laptop to play games on the Internet and download "free" screen savers or ring tones?
I assume that your data is in there too. How would you want it handled and what would you consider doing legally to your company if the data was in any way mishandled and your information were to find its way into some identity thief's possession or posted on the web? What if your identity were to be stolen and your accounts raided or your credit ruined?
I know this probably sounds fairly paranoid and I'm sure a lot of people might suggest easier and less secure approaches, but the reality is that this kind of data is a target and far too many people do not properly protect their business computer systems because they just don't realize how pervasive intrusions and spyware are.
How would you want your data handled?
What about once it gets there? (Score:4, Insightful)
Don't over think this (Score:5, Insightful)
We use an SFTP server for transmission of financial data, and I don't lose a bit of sleep over it. You are at much higher risk for either your HR department or the consultant doing something stupid with the source or result files on their network. Your need is just to make sure that it doesn't happen on your watch.
I would be more concerned about making sure that the HR folks and the consultant cleaned up their work files afterward.
Secure in layers (Score:5, Insightful)
Data in transit:
Encrypting the data prior to transfer is highly recommended, so that when it arrives it is in a secured package, and it also reduces risk should an email be misaddressed or forwarded to an unintended recipient. For this part PGP is an excellent tool. You can encrypt using exchanged keys, or you can encrypt using a strong passphrase and then communicate that passphrase out of band (phone call is preferable, separate email is workable but less preferable). For the method of transfer, securing the channel of communications is another added layer of security on top of encrypting the data ahead of time. If you are using an interactive transfer like (S)FTP, it will protect the authentication credentials from prying eyes. Although someone intercepting the PGP encrypted file now may not be able to decrypt it, tomorrow's technology may make the task trivial, so protecting it is recommended. TLS-encrypted email from organization to organization is also a good choice, but may be beyond the scope of your project. However, if this will be an ongoing need, or if your HR rep is also passing confidential content in email, it's definitely worth looking into.
Data Protection after Transit:
Once the person has received the file, your data will continue to be at risk. Each copy they make of the encrypted file is another file that could potentially be moved outside of a controlled environment. Once they decrypt the data, the risk to your organization climbs as they strip away another layer of protection. At this point the processes the consultant has in place are critical to protecting your data, and lack of processes or sloppy adherence puts your organization at risk. I often use users' Outlook Sent Items to show how easily copies of data files propagate. Anywhere they store the data, encrypted or not, may be released outside of their environment when they dispose of hard disks or tapes, or if they have them replaced because they are faulty. We empower users with tools, and those tools can increase risk in unexpected ways.
Remember the most important security rule - always protect in layers. Remind everyone to treat all data like it's their own banking information or cash money. Require your partners/vendors/consultants to meet or exceed all of your controls. Allow as few copies of data (encrypted or non-) as absolutely required for operational and preservation purposes. Continually remind everyone of the potential risk of data loss. Make sure users understand that there is no single security solution - encryption provides one layer of protection, but the best security is constant vigilance and treating your data like it's cash money.
I would recommend you have a serious discussion with your HR rep, starting out by saying "I just want to be sure you're aware of the risk here, and we are doing everything we can to protect our company and our employees." Then spell out the risks without exaggerating, and remind him/her that it's situations like this where bad decisions end up in the newspaper. The first decision is "do we have to move this data outside of our organization?" and it should only be done if it's absolutely required. If it is, then layering security and requiring that your vendor/contractor treat it with the right level of sensitivity are all that you can do.
Re:PGP (Score:5, Insightful)
Via encrypted signed email there's a paper trail. "The data you have is verifiably the data that I intended for you to receive, and the sensitive data haven't been mangled or modified (the hashes match), it is verifiably from me (that's my signature), and I have demonstrably met your request by sending you the information on this day at this time (email headers, server logs, whatever)."
If it's important and it's for work purposes, COVER ASS AT ALL TIMES.
Re:What about once it gets there? (Score:3, Insightful)
Speaking as if I was the poster of the original question, I don't care what happens to the security after I get the data there. It's not my problem.
Re:GPG? The Open Source Version of PGP (Score:5, Insightful)
These days a big issue is CYA when it comes to people's personal data. As others have noted, be sure to investigate any laws that might define how the data must be treated if it has to go off site. Be sure that your management signs off on the procedure and be sure you can document it.
The days of just letting people download data are long gone. And don't use FTP if you do. Use the secure version (sftp) and encrypt the data before it transfers. That way it's an encrypted tunnel carrying encrypted data. But I wouldn't recommend this method. I'd get a signed chain of custody with media physically delivered and assurances that all copies of the data are completely and securely destroyed and the original media returned when the job is finished.
Best way is not to let the data out in the first place.
I agree - start by finding a new consultant! (Score:5, Insightful)
But then they HAVE the data, and if you care about your data, that's a problem.
In a perfect world, I would start by finding a new consultant - one who wouldn't even consider RECEIVING such data through email. I suppose in a PERFECT world, there wouldn't BE such consultants.
But failing that you need to lay out every security policy you think is important to secure your data, including INSIDE a network... firewalls, care with files, background checks on IT staff, background checks on the consultants. You need this laid out in excruciating detail. And you need it in the contract with them.
Ideally YOUR company needs to do the background checks on their staff... At a minimum you need to do a really sound credit check of them and have your attorney draw up a contract where they indemnify you for any loss due to a breach and any attorney fees to defend against and to recover from it. Etc.
Basically the same kind of due diligence you'd have for someone you were letting come in and install new servers and new firewalls on your site with access to everything you've already got. Or if they refuse to get up to a reasonable standard, you can tell them they need to do their work on your site.
Re:PGP (Score:5, Insightful)
There are a number of issues to be resolved before worrying about how to get the data transferred. Has the consultant and/or their firm verified their security and controls to your firm's satisfaction with something like a SAS 70? Are there legal agreements in place concerning the proper controls of this data, the explanations or responsibilities in case of a disclosure, etc.? Has the idea been proposed to create bogus data for testing so that live data isn't used? Can the application be loaded on-site, so that a machine outside of your firm's control will not contain highly-sensitive employee data?
I'd ask a lot of questions like these and get answers to my satisfaction before I sent out any data. I would greatly prefer to have to explain to my management why I'm "holding up the train" than have to explain to my coworkers why I was involved in the disclosure of their personal information and mine.
Red flag. (Score:5, Insightful)
Frankly, I would be a little suspicious of any person who wanted to take custody of this information at all if test data can be used instead. I would never take on that kind of liability if I didn't absolutely have to.
In an environment where neither HR nor their contractor seem to have a clue, I would enumerate my concerns (in writing) and insist that they make the call (in writing). Too many weak links in this chain.
Re:PGP (Score:5, Insightful)
Physical transport (Score:2, Insightful)
Seriously, this is not something you want to ever push across a network that has untrusted eyes anywhere, no matter what your encryption policy. Heck, you need to keep your own employees away from it even on the local network.
If the contractor is going to be putting it into new software that will run at your site, you need to bring the contractor into your facility to put the data in directly.
If the contractor is still developing the software, then the contractor doesn't get a single row of real data.
If the software runs somewhere else, you had better make sure that all appropriate measures are in place to safeguard the data, and you had better be REALLY sure that this offsite solution is the best option.
Once you let even a teeny tiny bit of this data out where someone can take it, you're in for a world of hurt.
Registered Mail (Score:4, Insightful)
Yes, Registered Mail costs more. It is worth it. Registered Mail *EXISTS* for the sole purpose of shipping high-value items that MUST NOT GET LOST OR STOLEN. That is precisely what you have here.
And for those of you in the peanut gallery: Yes, I have done Registered Mail. Several times. It is a pain in the ass. The Postal Service thinks it is a pain in the ass, and will try really hard to talk you out of it. I usually have to say "Registered Mail" two or three times before they figure out that I really do know what I want. I have had Postal Service clerks ask if I knew the difference between Registered and Certified. They were always very disappointed when they discovered that I *DID* know the difference, could explain it to them, and wasn't about to back down.
If you are really paranoid, you send two packages, both by Registered Mail. One contains encrypted CDs. The other contains the decryption key. Or you split the data into two packages, that must be combined in a nonobvious way to reconstitute the data.
But the KEY to the transfer is Registered Mail.
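An added example, not part of the original post: one way to do the two-package split so that neither package alone reveals any record, assuming an XOR split against a random pad (the post does not name a method). The sample rows and the `naive_halves` contrast are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data; 000-00-xxxx is not a valid SSN range.
SAMPLE = (
    b"name,ssn,birth_date\n"
    b"Alice Example,000-00-0001,1970-01-01\n"
    b"Bob Example,000-00-0002,1980-02-02\n"
)


def naive_halves(data: bytes):
    """Cut the file in two. Each package still holds readable records."""
    mid = len(data) // 2
    return data[:mid], data[mid:]


def split(data: bytes):
    """Return (share_a, share_b, digest).

    share_a is a one-time random pad, share_b is data XOR pad. Either share
    on its own is indistinguishable from random bytes.
    """
    pad = secrets.token_bytes(len(data))
    masked = bytes(d ^ p for d, p in zip(data, pad))
    return pad, masked, hashlib.sha256(data).hexdigest()


def combine(share_a: bytes, share_b: bytes, expected_digest: str) -> bytes:
    """Rebuild the data from both shares and verify it against the digest."""
    if len(share_a) != len(share_b):
        raise ValueError("shares differ in length: truncated or mismatched package")
    data = bytes(a ^ b for a, b in zip(share_a, share_b))
    actual = hashlib.sha256(data).hexdigest()
    if not secrets.compare_digest(actual, expected_digest):
        raise ValueError("digest mismatch: a share was altered or is from another split")
    return data


if __name__ == "__main__":
    first_half, _ = naive_halves(SAMPLE)
    print("naive first package leaks an SSN:", b"000-00-0001" in first_half)
    a, b, digest = split(SAMPLE)
    print("recombined matches original:", combine(a, b, digest) == SAMPLE)
```

The digest is kept by the sender and confirmed with the recipient separately, so the recipient can tell that both packages arrived unmodified.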
It doesn't matter, you've already lost (Score:5, Insightful)
Do you really think that this is the only flaw in their handling of sensitive data? That, otherwise, they are security conscious and careful, except for this odd flaw where they don't understand how insecure email is?
If you care, it's time to change consultants.
If you don't care, just email it already.
(I'm actually not quite as rigid as this may sound out-of-context. I don't agree that security is all-or-nothing, so please don't strawman me that way. My second paragraph is important; anyone who expects those things emailed to them is so far away from the necessary knowledge and skills that debating whether they are close enough or whether they will be able to take reasonable care is a waste of time, arguing about whether the receiver made a touchdown when they got tackled on the 10 yard line on the wrong side of the field.)
Emailed? (Score:3, Insightful)
What to do (Score:3, Insightful)
Re:Public key is too complicated for a simple one-s (Score:3, Insightful)
Uh, only if you have public key infrastructure (i.e. pre-trusted authorities). I can generate shared secrets all day long with Diffie Hellman, but it really only helps me if I know that the recipient is not a man in the middle.
Re:Red flag. (Score:3, Insightful)
Don't send it to a consultant who would ask .... (Score:5, Insightful)
This consultant wanted you to send it to them? I've been a consultant and developer for nearly 20 years. I would NEVER EVER ask for data like that to be sent to me. I wouldn't want to be anywhere near owning that kind of responsibility for someone else's critical data. You couldn't make me take it if you tried.
Your biggest problem, as pointed out by others, isn't the in-transit data but rather what it does once the consultant gets it. If he's so unaware of modern security best practices as to ask you to send it to him, it's a fairly sure bet that his environment and practices are nowhere near good enough.
MY GOD!!! (Score:3, Insightful)
As long as the file gets there safely, you don't care what they do with it on the other end, right? (That is the most common scenario.)
So these people are trying to shoot ants with cannons. Massive overkill. REALLY all you need is scp, and unless you are running Windows, it is already built-in and needs little if any configuration. It's ready to fly.
You would be hard pressed to get better security during transmission, and when it gets to the other end it is in its original form. No messing with keys or pads, no UN-encryption, in fact nothing at all for them to do. Send it via scp and there it is. All you need is for them to give you a username and password, which is a hell of a lot simpler than some of those other ideas.
Don't send it at all (Score:5, Insightful)
You are about to send sensitive data to a third party who will load it into a new database and send you back the database. That's insane.
You need to bring the destination (the database) in-house. Either load the data yourself, or get the consultant to come in-house to load the data. Under no circumstances should the sensitive data travel outside your network boundary. It's not a question of "how strong is my encryption" at all.
AES 256 (Score:4, Insightful)
S/Mime (Score:2, Insightful)
Slightly different scenario, in this case it's payroll information being sent to the company that deals with the payments.
The "consultants" suggested emailing it, when I said that wasn't going to happen they suggested putting it on an ftp site. (What the hell are we paying them for?)
As the people involved at both ends are not IT people and are all on Windows, PGP isn't really an option, but S/Mime is. It also gives the advantage that you can say - go buy an email certificate from this website (pointing them at verisign/globalsign/another-t-t-p) and let them worry about the authentication issue.
S/Mime is integrated into all the common MUA software these days, certainly anything they'll be using on Windows, and it's really quite easy to use.
The downside of it is that the security of the system boils down to key management & users. Once you've told them it's ok to email this information how do you guarantee that it's been sent encrypted?
Not by email... (Score:3, Insightful)
1) Strongly encrypt the data via your favourite method
2) Set up an SFTP with a user name/strong password for the consultant*
3) Send the user name/strong password to him/her via email (PGP/GPG)
4) Keep the login log in a very safe place, along with any other email exchange, keys, etc that show the transfer has occurred and by whom.
* If you want to have an even better "paper" trail, have them send you the IP of the host that they will be logging in from and limit access to just that host. Also make sure that this IP is verifiably owned by the consultant firm. Keep the verification.
If all of the above is done, you have made sure that the login has been done through the only *one* IP allowed (owned by the consultant firm), through a login that only one person has. So, any fuck-ups are theirs and theirs alone.
But, if possible, I'd also require them to keep the data encrypted and only decrypted for use, preferably not to a HDD (ram disk). Not to mention any other mechanism that you can think of. Also make sure that the paperwork requires any and all requirements to be applicable to any subcontractors as well as any of the subcontractors' subcontractors, etc. Because, these consulting firms have a rather poor track record of keeping this data secure. And if they don't do it, and bad things happen, there is legal recourse on your part (as well as possibly the people whose data it is).
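An added example, not part of the original post: a check over the retained SFTP login log from step 4, confirming that the only successful logins came from the one account and the one registered IP. The account name, the addresses (documentation ranges) and the log lines are constructed; the line format is the standard OpenSSH `sshd` authentication message.

```python
import ipaddress
import re

# Assumed values for illustration: the single account issued to the consultant
# and the single source address the consultant firm registered.
ALLOWED_USER = "consultant"
ALLOWED_IP = ipaddress.ip_address("203.0.113.10")

# sshd auth lines: "<Accepted|Failed> <method> for [invalid user ]<user> from <ip> port <n>"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = """\
May 22 09:14:02 xfer sshd[2101]: Accepted password for consultant from 203.0.113.10 port 51514 ssh2
May 22 09:40:37 xfer sshd[2188]: Failed password for consultant from 198.51.100.77 port 40022 ssh2
May 22 09:41:05 xfer sshd[2190]: Failed password for invalid user admin from 198.51.100.77 port 40031 ssh2
May 22 11:02:49 xfer sshd[2307]: Accepted password for consultant from 192.0.2.45 port 60110 ssh2
May 22 11:30:00 xfer sshd[2350]: Accepted publickey for backup from 203.0.113.10 port 51888 ssh2
"""


def audit(log_text, user=ALLOWED_USER, allowed_ip=ALLOWED_IP):
    """Return (expected_logins, findings) for the authentication events in a log.

    expected_logins: successful logins by the issued account from the registered IP.
    findings: (label, line) pairs for every other authentication event.
    """
    expected, findings = [], []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication event
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            findings.append(("unparseable-source", line))
            continue
        if m["result"] == "Failed":
            findings.append(("failed-attempt", line))
        elif m["user"] != user:
            findings.append(("login-by-other-account", line))
        elif src != allowed_ip:
            findings.append(("login-from-unapproved-ip", line))
        else:
            expected.append(line)
    return expected, findings


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG)
    print(f"{len(ok)} expected login(s)")
    for label, line in bad:
        print(f"{label}: {line}")
```

A successful login from an unapproved address means the IP restriction described in the footnote was not actually enforced on the server, which is worth knowing before relying on the log as evidence.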
SneakerNet (Score:1, Insightful)
Re:PGP (Score:5, Insightful)
SFTP, PGP or bust (Score:2, Insightful)
I'd probably be persuaded that the overall benefit of spreading the use of encrypted and digitally signed email is greater than the effort put into explaining to Suzy Secretary how to install Enigmail.
NO! not PGP not SFTP. (Score:3, Insightful)
Make it very clear that this data can not be exposed. See some good posts:
http://ask.slashdot.org/comments.pl?sid=560624&cid=23500514
http://ask.slashdot.org/comments.pl?sid=560624&cid=23500510
http://ask.slashdot.org/comments.pl?sid=560624&cid=23500324
Re:Pinkerton (Score:3, Insightful)
Re:PGP (Score:3, Insightful)
You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.
Re:PGP (Score:5, Insightful)
Not in the least. What guarantee do you have that there isn't an attacker already in your network, or the recipient's network? Split into small chunks first. Encrypt with separate keys, then SCP over VPN.
Send to another person... (Score:3, Insightful)
Let me get this straight... (Score:3, Insightful)
Your consultant wanted you to email the personal data to them to begin with? Well, first on the wish list would be a new consultant, preferably one who takes security seriously enough to not ask that confidential personal data be sent via email. It's not like they don't know what kind of data they have there, and the lack of consideration for security in acquiring the data from you does not bode well for how it will be handled once they have it. I would probably require that they either come on site and work with the data via your machines on your network, or I would demand a partnership agreement with them that spells out hefty penalties if they fail to follow specified security practices, especially if that failure leads to data compromise.
Re:PGP (Score:3, Insightful)
Would you perhaps have some real information to support those claims?
If they are cracking military grade encryption, which I very seriously doubt, then they are likely doing so by buying the keys from someone, not by brute forcing it.
Re:PGP (Score:2, Insightful)
Re:PGP (Score:3, Insightful)
Burn to physical media.
Send via bonded courier.
Send password via encrypted email, or via registered mail.
If you need frequent access from both ends, set up extranet with encrypted vpn with reasonable security on both ends. The data at rest should be encrypted with strong encryption and the password should change frequently (90 days). Access to the password and to the storage folder should be restricted.
Yeah, all you alarmists worried about 'one compromised computer' are right, but that threat exists no matter how you connect to transfer the data. The VPN doesn't answer this threat, it answers the threat of capture of data in transit.
Re:PGP (Score:3, Insightful)
The math is simple, the amount of computing power to brute force PGP just doesn't exist on this planet yet. Maybe in a decade or two but then all we'd have to do is increase the bit length that PGP uses.
Re:PGP (Score:4, Insightful)
What?
An extra bit does double the keyspace.
Re:PGP (Score:3, Insightful)
However, it is practical to have a large enough keyspace that "enough brute force" cannot be realistically achieved, even assuming machines millions of times faster than the fastest currently available.
Re:PGP (Score:5, Insightful)
Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.
"Military grade" is a pretty useless term here - the military uses all kinds of encryption, from weak to very secure. But when talking about encryption suitable for "secret" stuff (i.e. classified secret), then you can be pretty sure the NSA is not going to allow any form of encryption which is known (to the NSA) to be breakable. Not breakable by any other (foreign) government agency with a multi-billion-dollar budget, and certainly not by the Russian mafia. And as a reminder, AES is a valid algorithm to be used to protect secret communications and available to pretty much everyone.
To get your data, they would try to get the encryption keys by hacking the computer or by physically breaking into your house and office. They might even sneak backdoors in the software you are using and weaken the encryption artificially. But they will not bother with the encryption itself, unless you've been using weak encryption from the start.
Re:NO! not PGP not SFTP. (Score:2, Insightful)
Don't send the data anywhere (Score:1, Insightful)
If you send it PGP encrypted that only covers you during the transfer. What happens to the data after they unencrypt it? Do you trust them to securely delete it? I don't, not unless it is included in the contract.
DVD/hand carried (Score:3, Insightful)
Even if the CD is stolen, it's still encrypted--and armored trucks (especially ones carrying data) are rarely held up--and they have insurance.
Why is this considered a challenge? (Score:3, Insightful)
This isn't rocket science, folks.
Re:PGP (Score:3, Insightful)
Re:PGP (Score:3, Insightful)
Obviously it all depends on the platforms in use, the links' reliabilities, the links' speeds, the criticality of time, one's patience, one's pain threshold, etc. YMMV.