SECURITY Digest - 7 Jan 2014 to 9 Jan 2014 (#2014-3)

Hello Everyone,

I’m trying to find some best practices for securely distributing exam papers between Faculty and the Exams office. While the academics’ laptops are encrypted, it’s the unsecure circulation that creates a risk and I was wondering what approaches were being taken elsewhere.

Many thanks for all your help,

Eoin.

--
Eoin Dunne
IT Compliance Officer,
Information Services Department,
Dublin Institute of Technology,
143 Lower Rathmines Road, Dublin 6, Ireland.
Tel: +353-1-402 3453 (direct line)
Email: eoin.dunne@dit.ie
Web: www.dit.ie

Comments

Message from hhoffman@ip-solutions.net

Hi Eoin,

Have you looked at one of the online filesharing services? We're using Box, which uses SSL/TLS to encrypt at the transport level. But most of the other popular services (Dropbox, Google Drive, skydrive) use SSL/TLS to encrypt in transit.

Hope this helps.

Cheers,
Harry

On 01/13/2014 04:48 AM, Eoin Dunne wrote:
> Hello Everyone,
>
> I'm trying to find some best practices for securely distributing exam papers
> between Faculty and the Exams office. While the academics' laptops are
> encrypted, it's the unsecure circulation that creates a risk and I was
> wondering what approaches were being taken elsewhere.
>
> Many thanks for all your help,
>
> Eoin.
>
> --
> Eoin Dunne
> IT Compliance Officer,
> Information Services Department,
> Dublin Institute of Technology,
> 143 Lower Rathmines Road, Dublin 6, Ireland.
> ( +353-1-402 3453 (direct line)
> * eoin.dunne@dit.ie
> i www.dit.ie

We recently deployed FileSender, a Free Open Source Project sponsored by many of the European REN's. See https://www.assembla.com/spaces/file_sender/wiki for more detail.

Dr. Kees Leune
Information Security Officer
Adelphi University
Garden City, NY
+1 (516) 877-3936


Kees,

At your institution, who is using the product?  Is it just for exam papers, or do you use it for any other protected data?

Theresa

Theresa Semmens, CISA
NDSU Chief IT Security Officer
Office: 210D IACC
Mail: NDSU Dept 4500
PO Box 6050
Fargo, ND 58108-6050
P: 701-231-5870
F: 701-231-8541
E: Theresa.Semmens@ndsu.edu
www.ndsu.edu/its/security

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kees Leune
Sent: Monday, January 13, 2014 7:48 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Encryption of exam papers

We recently deployed FileSender, a Free Open Source Project sponsored by many of the European REN's. See https://www.assembla.com/spaces/file_sender/wiki for more detail.

Dr. Kees Leune
Information Security Officer
Adelphi University
Garden City, NY
+1 (516) 877-3936

The product is available to all users. Because we suspected that people might be using it to transfer sensitive information, we're keeping detailed logs, limiting the time that the message is exposed, and are running everything physically in-house using official SSL certs. 

As sub-optimal as it is, I'd still rather have people use "stuff" that we can see, instead of seemingly free services like dropbox.

-Kees

Dr. Kees Leune
Information Security Officer
Adelphi University
Garden City, NY
+1 (516) 877-3936


Message from hhoffman@ip-solutions.net

We have a similar service called SecureShare that was developed in house. We also don't recommend folks use dropbox but the university has entered into a contract with Box in which there are audit logs that can be examined (via request). It's a nice trade-off and Box is supposedly willing to sign a BAA for HIPAA compliance, although we're not there yet so don't recommend storing HIPAA regulated data outside of our protected systems.

Cheers,
Harry

On 01/13/2014 01:45 PM, Kees Leune wrote:
> The product is available to all users. Because we suspected that people
> might be using it to transfer sensitive information, we're keeping detailed
> logs, limiting the time that the message is exposed, and are running
> everything physically in-house using official SSL certs.
>
> As sub-optimal as it is, I'd still rather have people use "stuff" that we
> can see, instead of seemingly free services like dropbox.
>
> -Kees
>
> *Dr. Kees Leune*
> Information Security Officer
> Adelphi University
> Garden City, NY
> +1 (516) 877-3936

There's one very important thing that's missing from this discussion. Everyone has considered having a robust authentication system, way to restrict # of downloads, encryption of the files in transit.

No one has mentioned encrypting the file at rest. A lot of times data owners aren't diligent in WHO can access their cloud folder/box. We've seen students get access to the equivalent of world-readable folders. :-) For this reason, I feel file-level encryption is critical.  I'd like to suggest a couple of straightforward solutions to this part of the problem:

1. Microsoft Office 2007 and newer actually do real-person file encryption. It's symmetric - you pick a password to encrypt the file. It's AES 256 bit.
2. PDF/Adobe 10 or newer has an encryption feature that again actually does real-person encryption as well. It can be symmetric or certificate based.

Of course, you can get PGP-style solutions.
Just a thought......

-Randy Marchany
VA Tech IT Security Office & Lab


Do Microsoft's Office products offer any password-quality controls on their AES-256 encryption?  Last time I looked, it didn't appear there were any.  Which isn't to say they aren't there (now).

    -jml

-- 
Sent from my iPhone. This message is a co-production with Autocorrect.


On 13 Jan 2014, at 14:44, "randy" <marchany@VT.EDU> wrote:

There's one very important thing that's missing from this discussion. Everyone has considered having a robust authentication system, way to restrict # of downloads, encryption of the files in transit.

No one has mentioned encrypting the file at rest. A lot of times data owners aren't diligent in WHO can access their cloud folder/box. We've seen students get access to the equivalent of world-readable folders. :-) For this reason, I feel file-level encryption is critical.  I'd like to suggest a couple of straightforward solutions to this part of the problem:

1. Microsoft Office 2007 and newer actually do real-person file encryption. It's symmetric - you pick a password to encrypt the file. It's AES 256 bit.
2. PDF/Adobe 10 or newer has an encryption feature that again actually does real-person encryption as well. It can be symmetric or certificate based.

Of course, you can get PGP-style solutions.
Just a thought......

-Randy Marchany
VA Tech IT Security Office & Lab
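
The file-level encryption suggested above and the follow-up question about password-quality controls, as an added example that is not part of the original thread or of any product named in it: a passphrase policy check in front of scrypt key derivation and AES-256-GCM, using Node.js's built-in `crypto` module. The `EXM1` container layout, the policy thresholds and the denylist are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Assumed policy values and container layout; none of these come from the thread.
const MIN_LENGTH = 16;
const DENYLIST = ['password', 'exam', 'qwerty', '12345'];
const MAGIC = Buffer.from('EXM1'); // hypothetical 4-byte container tag
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Returns null if the passphrase passes the policy, otherwise the reason it fails.
function passphraseProblem(pw) {
  const lower = pw.toLowerCase();
  if (pw.length < MIN_LENGTH) return `shorter than ${MIN_LENGTH} characters`;
  if (new Set(lower).size < 8) return 'fewer than 8 distinct characters';
  if (DENYLIST.some((w) => lower.includes(w))) return 'contains a denylisted word';
  return null;
}

// A slow, salted KDF makes each offline guess against a leaked file expensive.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, SCRYPT);
}

// Layout: MAGIC(4) | salt(16) | iv(12) | tag(16) | ciphertext
function encryptFile(plaintext, passphrase) {
  const problem = passphraseProblem(passphrase);
  if (problem) throw new Error(`passphrase rejected: ${problem}`);
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, iv, cipher.getAuthTag(), body]);
}

// Throws if the passphrase is wrong or any byte of the container was altered.
function decryptFile(blob, passphrase) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) throw new Error('not an EXM1 container');
  const salt = blob.subarray(4, 20), iv = blob.subarray(20, 32), tag = blob.subarray(32, 48);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
}

// Constructed sample; a real caller would pass fs.readFileSync(path) instead.
const PASSPHRASE = 'correct horse battery staple 2014';
const paper = Buffer.from('Q1. Contrast encryption in transit with encryption at rest.');
const sealed = encryptFile(paper, PASSPHRASE);
console.log(decryptFile(sealed, PASSPHRASE).toString());
```

The passphrase has to reach the recipient over a different channel than the encrypted file, otherwise a misconfigured shared folder exposes both.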

