In this Tax season, I find myself needing to share sensitive documents with relatively unsophisticated people and organizations. How should I share my files with them?
There are a few options to get those sensitive files to a provider. I will attempt to list the options, then describe the problems with each. Sadly, there aren’t any good solutions unless the service provider already has a solution setup. In my experience, be it an accountant, lawyer, doctor or shipping company, they do not.
- Encrypted Email with PGP or OpenPG or GnuPG
- Encrypted files, probably ZIPped attached to emails with a shared password
- Encrypted shared file service – perhaps Dropbox or sftp
- SSL Encrypted web portal with non-trivial userids and passwords
Sadly, there is no universal standard for sharing files, securely.
Encrypted Email with PGP or OpenPG or GnuPG
These solutions have been around for many years – perhaps 15 – yet they are not widely deployed? Why not?
- The setup for encrypted email is too complicated for most users
- IT doesn’t want the issues of having emails being locked up inside encryption where IT or other approved company representatives cannot access and read the email. GPG, GnuPG, does not support adding a company signature to every message, so the free tools are unwanted in most enterprises.
- Encrypted emails cannot be scanned for viruses, so if you get viruses over email – and who doesn’t these days – only the end user’s system can protect them from viruses, not the server-based email scanning system with completely up-to-date anti-virus signatures.
- Some clients that do not support encrypted email. This is mostly true with portable devices, but it will get better, eventually. Sadly, Apple will not allow GnuPG to be placed into their App Store since it is FLOSS. If you are using an Apple portable device, you will probably end up with an inferior commercial solution when the free versions work fine.
The good news is that most of these systems let you choose to always encrypt and sign emails sent to selected people so you don’t need to remember after the first time. You just have to make the right choice with your initial encrypted email to each specific user.
Encrypted files, probably ZIPped attached to emails with a shared password
This is probably the most likely method to work, provided YOU and the RECEIVER always remember to create an encrypted ZIP file, place all attachments inside and email only those ZIPped files. That takes a bunch of will power to always take these steps manually. Even the best of us will forget to do that when we are in a hurry.
Many IT email scanning services will block encrypted ZIP files since they cannot scan what is inside the enc
Encrypted shared file service – perhaps Dropbox or sftp or WinSCP
The issue here is that one party in this transaction probably has zero experience using the software and probably does not wish to download a new tool, then install it and remember yet another password for another company. With sftp or WinSCP, the hosting company is trusting the client to secure their credentials. If a 3rd party like Dropbox is used in a corporate setting, there are real privacy concerns when that 3rd party has a breach. Dropbox has already reported accidental cross linking of files between end-user accounts. Not good. What are the legal concerns if you are a lawyer in state “A” and use a Dropbox server in state “B”? Hosted services outside your normal legal jurisdiction can cause legal issues, quickly, and not just for lawyers.
SSL Encrypted web portal with non-trivial userids and passwords
This is probably the best method. To the client, they must use an SSL enabled web browser and manage another userid and password. To the service provider, the files appear to be stored on their internal network and can be seen and accessed nearly immediately after upload. The difficulty arises when there are hundreds or thousands of clients who must be provided access to specific file areas. You probably only want to allow write-to-new-file access and read-only access for outside clients. Internal access should be full control and appear to internal users in as simple a way as possible. A shared folder on the local network is probably the best compromise. If I were designing a deployment, I’d have upload and public access areas completely different from internal use file areas and only replicate the most recent files from the internal system to the external system.
The main issue here is now you have an externally facing web server and need to secure it, maintain the patches, and train all your clients and internal users on how to use it. This probably goes without saying, but an accidental drag-n-drop action by someone internal could easily share a file between competitors to the client. That could be bad, very bad.
If clients still email documents, now someone internal needs to manually place those into the shared folders. This adds more workload to already busy people. Sure, a client specific email alias could be created that manually strips the attachments, drops those into the “inbox” for the client and places the virus-scanned text of the email there with a timestamp, but how many accounting firms do you know with that kind of programming skill? We haven’t discussed that software means software maintenance is needed.
The company is now managing client passwords and hopefully enforcing strong passwords. This will probably make 90% of your clients unhappy, since they would rather just email data to you. As an example, the bank for my company has a terrible-to-use web interface. I’m constantly being logged off due to my browser or settings to prevent 3rd party cookies. I don’t use IE. I won’t use IE, yet they seem to have written their web interface to only work properly with IE.
The more sensitive the data, the higher level of security that should be required. UserID/passwords work for most things, but financial data probably should require a certificate and lock the access to a single PC, in addition to having a userid/password.
In the EU, use of 3rd party cookies on websites will be illegal without explicit end-user authorization later this year. I haven’t seen anything with that requirement inside the USA, but hopefully, it will happen.
Change – People Don’t Like It
Especially in profession organizations, change is often unappreciated even when the reasons for the change are explained. If you are an accountant, making a big change during the height of tax season is probably a poor choice. Waiting until May to begin any migration would be recommended. That will give your people time to become accustomed to the changes during a less stressful work quarter.
Some US States Are Mandating This
Massachusetts has a law which requires all personal client data be transmitted and stored encrypted. Ok, it isn’t all data, but data that could be used for identity theft or financial fraud. There is a good section on what most companies should do in that link too. I’ll try to summarize:
- Use SSL connections for network transmitted data (HTTPS, SFTP, Encrypted Email)
- Store data on encrypted file systems (TrueCrypt entire systems, especially laptops and portable devices). If the disk can be removed or the computing device can walk out the door, the file system must be encrypted. Consider blocking all access from Android and iPod/iPhone devices as these do not support appropriate encryption levels by default.
- Encrypt backup tapes and disks
- Do not allow external access to sensitive data stored internally. Use remote desktops for external access to retain control of the data internally. Disable file transfer, printing, and copy/paste over remote-desktop connections.
Not Everything Is Classified Sensitive
Obviously, not everything transmitted needs to be encrypted, but if only sensitive items are commonly encrypted, those who want to see the contents will only bother with encrypted transfers. It is best to encrypt everything, always. Forget about classification of contents. Encrypt it all in transmission and storage.
These are just the complexities I came up with in a few minutes of thinking. I’m certain there are others and there are probably good work-a-rounds for most of these issues too.
A few references:
- Is Email Encryption For You? It Depends On How Secure You Want To Be
- What Are the Different Types of Email Encryption Software
- Pretty Good Privacy
- GNU Privacy Guard
- Encrypt e-mail messages in Outlook
That should get you started.
Use the following link to trackback from your own site: