  • Status: Solved
  • Priority: Medium
  • Security: Public

need a secure way to share documents

I'm looking for a reasonable+ means of securing a document that needs to be shared online or via e-mail.

The data resides on my home computer, but I am asking about delivering a document to a couple of recipients, what is a decent solution and how secure is it.

- basic option is to add a password to a Word document and e-mail it, I use gmail, recipient uses corporate e-mail.

- 2nd option I am considering is posting the document on a website, then the user can just download it.

So looking for a reasonably secure method of delivering the document electronically.

From a usage standpoint, I prefer to post online and download the document (mostly it would be opened and printed), thinking that this is more efficient and a better end user experience (the user goes to the link and downloads it), whereas "storing" everything on e-mail to me is not only a cheesy way of doing this but might actually be considered less secure, as now there are multiple copies stored on e-mail and likely the person would download to their machine (and likely ultimately download to multiple machines).

If the document were compromised, it would be very bad. Our competition would very much like to get their hands on this and if they did, it would sink our operation.

The risk of the competition finding where this document is seems to be very, very low, and they actually don't know it exists. But they can reasonably assume that a document of this nature probably exists and so they are determined to find it. Basically there's no reasonable way of them finding it without leaks on our part, so I'm essentially just asking a quick security assessment of the two options I've listed, and possibly what would be a reasonable next higher level of security (I looked at securing a .pdf document and that seemed fairly involved to a security novice, so at the moment I'm just using a password on a MS office document).
0
Alaska Cowboy
Asked:
4 Solutions
 
n2fcCommented:
Password is a good start... Just make sure you have a decent (strong) password that incorporates upper/lower case, numbers & special characters to prevent "dictionary attack" hacking...

Be concerned over how you transmit the password to your audience.

Make sure your intended recipients are trustworthy & will secure the password effectively as well!

A PDF file is only slightly more secure than the MS Word document, but you can also encapsulate either file type within a zip or rar archive that can be password secured as well... This "double encryption" might be a simple solution to up your sense of security (paranoia)!
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
Encrypting your documents before sending / posting is something I would do. You can use freeware gpg for this, quite secure. Every recipient needs to supply you their encryption keys / certificates, you encrypt your files for all recipients after which you post/send the encrypted document. Recipients decrypt the document with their private keys / certificates.

See: http://gpg4win.org/ and some screenshots here.
0
 
Alaska CowboyAuthor Commented:
n2fc - good suggestion on double lock entry with zip file (haven't used rar archive, but good option as well).

Gerwin Jansen, gpg4win looks really good, probably my next step up beyond the simple password. How would my partners "supply me with their encryption keys / certificates", especially if they are operating in a home (non-corporate) environment?
0
 
HAVARD7979Commented:
I agree you can zip the file with a password to help protect it, but do not put it on a website to be downloaded. You should use an FTP site that the user has to log into to get to the download. That adds another layer of protection.
0
 
Alaska CowboyAuthor Commented:
havard, just need to clarify what you are saying . . . if I have a document that's stored here: www.mywebsite.com/documents, and the user goes to that site and sees an index of documents, is that "on a website" ?

I guess I don't understand what is "an ftp site" that's "not on a website" . . .

but this sounds like another good layer of security, and avoids versions piling up in e-mail
0
 
HAVARD7979Commented:
If you put the doc in www.mywebsite.com/documents, anyone can go and download it. Then it is a matter of using software to crack the password on the file. You should have the file in ftp://mywebsite.com/documents; that would require a username and password to even see the file. Are you hosting your own website or is it at a hosting service? If you are hosting your own, there are several free, easy-to-use FTP servers. I use zFTPServer for our stuff. If you are using a hosting company, it is just a matter of going into your cPanel and creating an FTP user and password.
0
 
Alaska CowboyAuthor Commented:
Havard, ok, makes more sense now. I will investigate the ftp://mywebsite and post another question if needed
0
 
Alaska CowboyAuthor Commented:
just what I was looking for, thank you all
0
 
Gerwin Jansen, EE MVETopic Advisor Commented:
You're welcome :)
0
 
Alaska CowboyAuthor Commented:
sorry, quick follow-up . . .

I like the ftp solution and did a quick set up of a user.

the hosted service on cpanel wanted to put them in public_html/[user_name].

but I created a folder on public_ftp/[directory_name]

so does this mean it's "not on the web" and only available via ftp, so entry credentials are the host ip address, the user name, and then the password ?

I kind of like this solution, as I don't have to fiddle with password protecting the file, I can just dump the files there (although I realize this would be an extra layer of security).
0
 
HAVARD7979Commented:
I would have thought it would have gone to public_ftp. But by having it in public_html you will need to write a .htaccess file to block people, which is not what you want. I would force it to the public_ftp side. You should be able to call your hosting company and they should be able to walk you through setting up an FTP site and user without any trouble. A different way to go would also be to use Google Docs and only give out the login to that to the right people. I have a restaurant chain that uses Google Docs for all their training manuals etc.
0
 
Alaska CowboyAuthor Commented:
Havard, I was able to change it to public_ftp, it just defaulted to public_html.

so does this count as "an ftp site" ?

google docs is also a good functional solution but I'm just nervous about the security there.
0
 
HAVARD7979Commented:
Best thing is to test it. Just type it in the browser and you should not be able to see it. If you type ftp:// then it should prompt for a password. See:

http://dataroom.coles.com/  vs. ftp://dataroom.coles.com/

for an example.
0
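
A scripted version of the test suggested above, as an added example that is not part of the original thread: it checks that the folder's HTTP URL does not serve the files and that the FTP server refuses the anonymous login (cPanel uses public_ftp as the anonymous-FTP root when anonymous access is switched on). The host and URL arguments are placeholders for your own site.

```python
"""Added example: verify a document folder is reachable only through
authenticated FTP. Host names and URLs passed in are the caller's own."""
import ftplib
import sys
import urllib.error
import urllib.request


def http_exposed(url, timeout=5):
    """True if the URL is served over HTTP(S) to a visitor with no login."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # 401/403/404: not handed to anonymous visitors
    except (urllib.error.URLError, OSError):
        return False  # no web server answering at that address


def anonymous_ftp_allowed(host, port=21, timeout=5):
    """True if the FTP server lets the built-in 'anonymous' user log in."""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login()  # ftplib sends USER anonymous / PASS anonymous@
        return True
    except (ftplib.error_perm, ftplib.error_temp):
        return False  # e.g. "530 Login incorrect": credentials are required
    finally:
        ftp.close()


def audit(host, http_url, ftp_port=21):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if http_exposed(http_url):
        findings.append("folder is downloadable over HTTP without a login")
    if anonymous_ftp_allowed(host, ftp_port):
        findings.append("FTP server accepts anonymous logins")
    return findings


if __name__ == "__main__":
    # Usage: python check_share.py <ftp-host> <http-url-of-folder>
    problems = audit(sys.argv[1], sys.argv[2])
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Plain FTP sends the user name and password unencrypted; where the host offers FTPS, `ftplib.FTP_TLS` is the drop-in client class.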
 
Alaska CowboyAuthor Commented:
yes, I think I'm good, thanks !
0
 
HAVARD7979Commented:
glad to hear that
best of luck
0
