Differences between revisions 4 and 33 (spanning 29 versions)
Revision 4 as of 2015-05-20 10:02:40
Size: 6263
Editor: tirpak
Comment:
Revision 33 as of 2018-04-13 15:48:59
Size: 9649
Editor: rowe
Comment:
Line 1: Line 1:
#acl TechnicalServicesGroup:read,write,delete,revert All:read
#format wiki
#acl UTSGroup:read,write,revert,delete All:read
Line 4: Line 3:
{{attachment:HelpdeskDocsTemplate/logo.png}} {{attachment:HelpdeskDocsTemplate/UTS.png}} = Data Privacy in Transit and Procedures for Secure File Transmission =
== Data Privacy Principles and Definitions ==
Data privacy is a shared responsibility in the university environment. The fundamental nature of higher education involves keeping student records, employee records, and research data for long periods of time. The foundational fair information practice principles are defined by the [[https://www.ftc.gov/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission|Federal Trade Commission Fair Information Practice Principles]]. A good review for the higher education environment is presented by the [[https://ethics.berkeley.edu/privacy/fipps|University of California - Berkeley Office of Ethics Fair Information Practice Principles Privacy Course]].
Line 6: Line 7:
== User Documentation for Secure File Transmission and Encryption ==
-----
Topic: Secure File Transmission and Encryption <<BR>> Audience: Students, Faculty and Staff <<BR>> Creation Date: August 5, 2011 <<BR>> Author: Chitralekha Gopalaiah <<BR>>
At Oakland University, the policy underlying data privacy and data sharing is [[https://www.oakland.edu/policies/information-technology/860/|Policy #860 Information Security]].
Line 10: Line 9:
'''What is encryption?''' Key principles from that policy:
Line 12: Line 11:
 * Data should only be shared with those with a defined "need to know", with authorization from the employee's supervisor, and with approval from the named Data Steward.
 * Data shared with a third party, such as a solution provider with whom there is a data feed requirement, should only be shared under terms specified in a contract.
 * Confidential data must be encrypted at all points in the process. That means that the data must be encrypted at each storage point and during each transmission process.
 * Processes that can be centrally documented and automated are inherently more secure than ad-hoc or locally managed processes.

All university employees involved in a process to share data are responsible for maintaining the appropriate privacy, regulatory compliance, and security of the shared data.

Please consider the instructions here carefully. We have noticed that the biggest risk of data exposure and the high costs of handling a data breach occur when data are moved from a secure datacenter location and stored on a desktop or prepared for transmission to a third party. Such a breach is costly both in actual mitigation costs and in university reputation.

== What are special areas of concern for file transmissions? ==
File transmissions should be secure at every process stage. Transmission of large files also need special planning in consideration of networking. Firewall configurations may be required to permit communications. [[https://www.oakland.edu/uts/common-good-core-resources/network/#general|General Network Services]] and [[https://www.oakland.edu/uts/common-good-core-resources/securityinfo/|Security Information]] should be carefully reviewed and considered.

In a secure file transmission, the data file is encrypted, the transmission method is encrypted, and whenever possible the delivery points are secured so that the file may not be transmitted to an unauthorized location.

The preferred tool for extracting data from Banner is Argos. Please use Argos; if you need assistance using Argos, please send a request to uts@oakland.edu .

== What is encryption? ==
Line 16: Line 32:
'''Where is encryption used?''' == Where is encryption used? ==
Encryption is commonly used in protecting information within many kinds of systems.
Line 18: Line 35:
Encryption is commonly used in protecting information within many kinds of civilian systems.  * Encryption can be used to protect data "at rest", such as files on computers and storage devices.
 * Encryption is also used to protect data in transit, such as data transferred via networks. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.
 * Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or a digital signature are other protective techniques.
 * Digital signature and encryption must be applied at message creation time to avoid tampering. Otherwise any node between the sender and the encryption agent could potentially tamper it.
Line 20: Line 40:
 * Encryption can be used to protect data "at rest", such as files on computers and storage devices (e.g. USB flash drives).
 * Encryption is also used to protect data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.
 * Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or a digital signature.
 * Digital signature and encryption must be applied at message creation time (i.e. on the same device it has been composed) to avoid tampering. Otherwise any node between the sender and the encryption agent could potentially tamper it.
== Under what circumstances do I need secure file transmissions? ==
If you are sending or receiving data classified as Confidential under University [[https://www.oakland.edu/policies/860|Policy #860 Information Security]], you need to have the permission of the Data Steward and you need to use a process for "secure file transmission."
Line 25: Line 43:
'''Under what circumstances do I need secure file transmissions?''' If you are extracting data from Banner and sending a data file to a third party vendor under the terms of a contract, you need to have the permission of the Data Steward and you need to use a process for "secure file transmission."
Line 27: Line 45:
If you are sending or receiving data classified as Confidential under University [[http://www2.oakland.edu/audit/Policy860.doc|Policy #860 Information Security]], you need to have the permission of the data steward and you need to use a process for "secure file transmission." A secure file transmission must be verified for all transmissions, whether using a secure portal to upload data to a vendor or using a file transmission protocol to send data to a vendor.
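Review bot: the added sentence "A secure file transmission must be verified for all transmissions" does not say who verifies or how. The only verification route in this revision is the sentence added under "How is the transmission encrypted?" ("To verify that encryption is in use, send a request to review to uts@oakland.edu"), so this paragraph should point to it or state the check directly.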
Line 29: Line 47:
'''What is a secure file transmission?''' == How is the transmission encrypted? ==
File Transmission<<BR>> In practice, there are several types of file transmissions most users perform, including the transmission of files through SFTP (secure file transfer protocol), submitting forms by a Web server, and sending e-mail. Transferred data should be encrypted before transmission and during transmission. Transferring unencrypted files with these methods means the files travel as plain text, ready to be intercepted and interpreted by anyone. Many privacy protection programs exist to allow a user to encrypt a file. The advantage of using these programs is that the encryption can be tested before the file is sent, ensuring its usefulness. To verify that encryption is in use, send a request to review to uts@oakland.edu.
Line 31: Line 50:
In a secure file transmission, the data file is encrypted, the transmission method is encrypted, and whenever possible the delivery points are secured so that the file may not be transmitted to an unauthorized location. SSL<<BR>> The final encrypted transmission method is SSL (secure sockets layer). SSL is a method of encrypting all the communications between computers. It is used to encrypt and decrypt communications between a Web browser and a Web server. Whenever you use URLs beginning with https://, you're using SSL. SSL is included with security capable browsers. SSL itself is an open standard, and the algorithms are free to all. SSL libraries can be used to encrypt all traffic among computers, because the encryption occurs at a level that makes it transparent to both the user and any programs.
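Review bot: the SSL paragraph added here still says "Whenever you use URLs beginning with https://, you're using SSL". HTTPS connections are negotiated with TLS, and SSL 3.0 was formally deprecated in 2015 (RFC 7568), so the revised text should name TLS, for example "TLS (formerly SSL)". The cleanup of the Netscape and RSA, Inc. references in the old paragraph stops short of this.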
Line 33: Line 52:
'''How is the transmission encrypted?'''

File Transmission<<BR>> In practice, there are several types of file transmissions most users perform, including the transmission of files through SFTP (secure file transfer protocol), submitting forms by a Web server, and sending e-mail. Information transferred in this way should be encrypted before transmission. Transferring unencrypted files with these methods means the files travel as plain text, ready to be intercepted and interpreted by anyone. Many PGP programs exist to allow a user to encrypt a file. Other stronger methods exist for purchase, including products made by RSA security. The advantage of using these programs is that the encryption can be tested before the file is sent, ensuring its usefulness. usefulness.

SSL<<BR>> The final encrypted transmission method is SSL (secure sockets layer). SSL is a method of encrypting all the communications between computers. It is used to encrypt and decrypt communications between a Web browser and a Web server. Whenever you use URLs beginning with https://, you're using SSL. SSL is included with security capable Netscape browsers. SSL uses technology based on the commercially available public key encryption products of RSA, Inc. SSL itself is an open standard, and the algorithms are free to all. SSL libraries can be used to encrypt all traffic among computers, because the encryption occurs at a level that makes it transparent to both the user and any programs he or she is running.

'''How do I encrypt and decrypt a file?'''

We use PGP for encryption and decryption. Below are the steps.
== How do I encrypt and decrypt a file? ==
Please review information about encryption posted under [[http://www.oakland.edu/uts/securityinfo|Security Information]]. We use PGP for encryption and decryption. Below are the steps.
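Review bot: the Security Information link added in this hunk uses plain http:// and the path www.oakland.edu/uts/securityinfo, while the link with the same label added under "What are special areas of concern for file transmissions?" uses https://www.oakland.edu/uts/common-good-core-resources/securityinfo/. Use the https URL in both places so the page does not send readers through an unencrypted redirect.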
Line 55: Line 67:
'''Does Oakland university use any tool for transmission and enrcyption of files?''' If you need alternative instructions, please contact UTS for assistance by sending operating system information and other details to uts@oakland.edu.
Line 57: Line 69:
Yes, We use !GoAnywhere tool for encryption, decryption and transmission of files, which in turn uses PGP encryption and decryption. Help document for !GoAnywhere can be found at  https://goanywhere.oakland.edu/goanywhere/webhelp/goanywhere.htm == Does Oakland University use any tool for transmission and encryption of files? ==
Yes. University Technology Services (UTS) uses the !GoAnywhere tool for encryption, decryption and transmission of files, which in turn uses PGP encryption and decryption.  User documentation for !GoAnywhere can be found at https://goanywhere.oakland.edu under the Help tab. A User ID is required and only UTS Staff have access to !GoAnywhere. For general documentation about !GoAnywhere, non-users can view documentation at https://www.goanywhere.com under the PRODUCTS tab.
Line 59: Line 72:
'''Who do I contact for assistance?''' Some [[https://kb.oakland.edu/uts/BannerJobsubFileTransfer|additional Banner file transfer options]] may be useful in some situations.
Line 61: Line 74:
Contact database application team for any questions <<BR>> Lakshmi Maktala ( maktala@oakland.edu ) <<BR>> Mike Cox (cox@oakland.edu) <<BR>> == Can a process to encrypt data and send to a vendor be automated? ==
Yes. UTS can help develop the scripts and processes to automate a process. By automating a data transmission process, the university is assured that data are are protected at all steps of the process on a consistent and repeatable basis.
Line 63: Line 77:
----
For further help, please email [[mailto:helpdesk@oakland.edu|<<MailTo(helpdesk@oakland.edu)>>]], visit us at 202 Kresge Library or call (248)370-4357 Monday-Friday, 8 am - 5 pm.
== Who do I contact for assistance? ==
UTS wants to help protect university data, data privacy, and the security of data transmissions. Contact UTS for any questions or for assistance: UTS Support( uts@oakland.edu )

Data Privacy in Transit and Procedures for Secure File Transmission

Data Privacy Principles and Definitions

Data privacy is a shared responsibility in the university environment. The fundamental nature of higher education involves keeping student records, employee records, and research data for long periods of time. The foundational fair information practice principles are defined by the Federal Trade Commission Fair Information Practice Principles. A good review for the higher education environment is presented by the University of California - Berkeley Office of Ethics Fair Information Practice Principles Privacy Course.

At Oakland University, the policy underlying data privacy and data sharing is Policy #860 Information Security.

Key principles from that policy:

  • Data should only be shared with those with a defined "need to know", with authorization from the employee's supervisor, and with approval from the named Data Steward.
  • Data shared with a third party, such as a solution provider with whom there is a data feed requirement, should only be shared under terms specified in a contract.
  • Confidential data must be encrypted at all points in the process. That means that the data must be encrypted at each storage point and during each transmission process.
  • Processes that can be centrally documented and automated are inherently more secure than ad-hoc or locally managed processes.

All university employees involved in a process to share data are responsible for maintaining the appropriate privacy, regulatory compliance, and security of the shared data.

Please consider the instructions here carefully. We have noticed that the biggest risk of data exposure and the high costs of handling a data breach occur when data are moved from a secure datacenter location and stored on a desktop or prepared for transmission to a third party. Such a breach is costly both in actual mitigation costs and in university reputation.

What are special areas of concern for file transmissions?

File transmissions should be secure at every process stage. Transmission of large files also needs special planning with networking in mind. Firewall configurations may be required to permit communications. General Network Services and Security Information should be carefully reviewed and considered.

In a secure file transmission, the data file is encrypted, the transmission method is encrypted, and whenever possible the delivery points are secured so that the file may not be transmitted to an unauthorized location.

The preferred tool for extracting data from Banner is Argos. Please use Argos; if you need assistance using Argos, please send a request to uts@oakland.edu.

What is encryption?

Encryption refers to algorithmic schemes that encode plain text into a non-readable form, or ciphertext, thereby providing privacy. The receiver of the encrypted text uses a "key" to decrypt the message, returning it to its original plain text form.

Encryption is used to protect the confidentiality of information when it must reside or be transmitted through otherwise unsafe environments. Encryption is also used for "digital signatures" to authenticate the origin of messages or data.

Where is encryption used?

Encryption is commonly used in protecting information within many kinds of systems.

  • Encryption can be used to protect data "at rest", such as files on computers and storage devices.
  • Encryption is also used to protect data in transit, such as data transferred via networks. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.
  • Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or of a digital signature.
  • Digital signatures and encryption must be applied at message creation time to avoid tampering. Otherwise any node between the sender and the encryption agent could potentially tamper with the message.

Under what circumstances do I need secure file transmissions?

If you are sending or receiving data classified as Confidential under University Policy #860 Information Security, you need to have the permission of the Data Steward and you need to use a process for "secure file transmission."

If you are extracting data from Banner and sending a data file to a third party vendor under the terms of a contract, you need to have the permission of the Data Steward and you need to use a process for "secure file transmission."

A secure file transmission must be verified for all transmissions, whether using a secure portal to upload data to a vendor or using a file transmission protocol to send data to a vendor.

How is the transmission encrypted?

File Transmission
In practice, there are several types of file transmissions most users perform, including the transmission of files through SFTP (secure file transfer protocol), submitting forms through a Web server, and sending e-mail. Transferred data should be encrypted before transmission and during transmission. Transferring unencrypted files with these methods means the files travel as plain text, ready to be intercepted and interpreted by anyone. Many privacy protection programs exist to allow a user to encrypt a file. The advantage of using these programs is that the encryption can be tested before the file is sent, ensuring its usefulness. To verify that encryption is in use, send a review request to uts@oakland.edu.

SSL
The final encrypted transmission method is SSL (secure sockets layer). SSL is a method of encrypting all the communications between computers. It is used to encrypt and decrypt communications between a Web browser and a Web server. Whenever you use URLs beginning with https://, you're using SSL. SSL is included with security capable browsers. SSL itself is an open standard, and the algorithms are free to all. SSL libraries can be used to encrypt all traffic among computers, because the encryption occurs at a level that makes it transparent to both the user and any programs.

How do I encrypt and decrypt a file?

Please review information about encryption posted under Security Information. We use PGP for encryption and decryption. Below are the steps.

1. Download and follow the instructions to install the software:
http://www.gnupg.org/download/index.html (look for the Binaries section to make your life easier)

2. Generate a public/private key pair: Go to your GnuPG install directory and type in gpg --gen-key. The default settings are usually good (DSA (1024 bit) and Elgamal (2048 bit)/never expires).

3. Export your public key so that you can give it to others. Run a command similar to this one (replace key name with the key name that you chose when you generated the key pair): gpg --armor --output YourCompany.asc --export "YourCompany "

4. To encrypt a file for someone else to decrypt you have to import their public key. Copy their public key file to your GnuPG install directory and run the command gpg --import other_persons_pub_key_file.asc

5. Sign their public key. You need to know their User ID (the name that they gave their key). Run the command gpg --sign-key "their User ID"
To encrypt files, use the following format: gpg --yes -eq -r "their User ID" -o encrypted_file.pgp file_to_encrypt

6. To decrypt files, use the following format:
gpg -o decrypted_file_name file_to_decrypt.pgp

If you need alternative instructions, please contact UTS for assistance by sending operating system information and other details to uts@oakland.edu.

Does Oakland University use any tool for transmission and encryption of files?

Yes. University Technology Services (UTS) uses the GoAnywhere tool for encryption, decryption and transmission of files, which in turn uses PGP encryption and decryption. User documentation for GoAnywhere can be found at https://goanywhere.oakland.edu under the Help tab. A User ID is required and only UTS Staff have access to GoAnywhere. For general documentation about GoAnywhere, non-users can view documentation at https://www.goanywhere.com under the PRODUCTS tab.

Some additional Banner file transfer options may be useful in some situations.

Can a process to encrypt data and send to a vendor be automated?

Yes. UTS can help develop the scripts and processes to automate a process. By automating a data transmission process, the university is assured that data are protected at all steps of the process on a consistent and repeatable basis.

Who do I contact for assistance?

UTS wants to help protect university data, data privacy, and the security of data transmissions. Contact UTS for any questions or for assistance: UTS Support (uts@oakland.edu)