Solved

need a secure way to share documents

Posted on 2012-04-09
Last Modified: 2012-04-10
I'm looking for a reasonable+ means of securing a document that needs to be shared online or via e-mail.

The data resides on my home computer, but I am asking about delivering a document to a couple of recipients, what is a decent solution and how secure is it.

- basic option is to add a password to a Word document and e-mail it, I use gmail, recipient uses corporate e-mail.

- 2nd option I am considering is posting the document on a website, then the user can just download it.

So looking for a reasonably secure method of delivering the document electronically.

From a usage standpoint, I prefer to post online and download the document (mostly it would be opened and printed), thinking that this is more efficient and a better end user experience (user goes to the link and downloads it), whereas "storing" everything on e-mail to me is not only a cheesy way of doing this but might actually be considered less secure as now there are multiple copies stored on e-mail and likely the person would download to their machine (and likely ultimately download to multiple machines).

If the document were compromised, it would be very bad. Our competition would very much like to get their hands on this and if they did, it would sink our operation.

The risk of the competition finding where this document is seems to be very, very low, and they actually don't know it exists. But they can reasonably assume that a document of this nature probably exists and so they are determined to find it. Basically there's no reasonable way of them finding it without leaks on our part, so I'm essentially just asking a quick security assessment of the two options I've listed, and possibly what would be a reasonable next higher level of security (I looked at securing a .pdf document and that seemed fairly involved to a security novice, so at the moment I'm just using a password on a MS office document).
Question by:Alaska Cowboy
15 Comments
 
LVL 19

Assisted Solution

by:n2fc
n2fc earned 75 total points
ID: 37823432
Password is a good start... Just make sure you have a decent (strong) password that incorporates upper/lower case, numbers & special characters to prevent "dictionary attack" hacking...

Be concerned over how you transmit the password to your audience.

Make sure your intended recipients are trustworthy & will secure the password effectively as well!

A PDF file is only slightly more secure than the MS Word document, but you can also encapsulate either file type within a zip or rar archive that can be password secured as well... This "double encryption" might be a simple solution to up your sense of security (paranoia)!
0
 
LVL 37

Assisted Solution

by:Gerwin Jansen
Gerwin Jansen earned 100 total points
ID: 37823444
Encrypting your documents before sending / posting is something I would do. You can use freeware gpg for this, quite secure. Every recipient needs to supply you their encryption keys / certificates, you encrypt your files for all recipients after which you post/send the encrypted document. Recipients decrypt the document with their private keys / certificates.

See: http://gpg4win.org/ and some screenshots here.
0
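The gpg exchange described in the answer above, as an added example that is not part of the original thread: each recipient exports a public key, the sender imports it and checks its fingerprint against one obtained over a separate channel, then encrypts one file for both recipients. All names, addresses and paths are constructed, and it assumes GnuPG 2.1 or later in a POSIX shell.

```shell
# Constructed demo: each party gets a throwaway GnuPG home under $WORK, so the
# whole exchange runs on one machine. Names and addresses are made up.
WORK=$(mktemp -d)
cleanup() {
  for h in "$WORK"/*/; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null; done
  rm -rf "$WORK"
}
trap cleanup EXIT
# Recipient: create a key pair (empty passphrase only so the demo runs
# unattended) and write just the PUBLIC key to $WORK/<name>.asc.
make_recipient() {  # $1=name  $2=user id
  mkdir -m 700 "$WORK/$1" &&
  gpg --homedir "$WORK/$1" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key "$2" default default never 2>/dev/null &&
  gpg --homedir "$WORK/$1" --batch --armor --export "$2" > "$WORK/$1.asc"
}
fingerprint() {  # $1=party whose keyring is read  $2=user id
  gpg --homedir "$WORK/$1" --batch --with-colons --fingerprint "$2" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}
# Sender: import a public key, then accept it only if its fingerprint equals
# the one the recipient gave over a separate channel (phone, in person).
import_verified() {  # $1=key file  $2=user id  $3=expected fingerprint
  gpg --homedir "$WORK/sender" --batch --quiet --import "$1" 2>/dev/null || return 1
  [ "$(fingerprint sender "$2")" = "$3" ]
}
# Encrypt once for all listed fingerprints (already checked by import_verified).
encrypt_for() {  # $1=input  $2=output  $3...=verified fingerprints
  src=$1 dst=$2 rcpts=; shift 2
  for f in "$@"; do rcpts="$rcpts -r $f"; done
  gpg --homedir "$WORK/sender" --batch --yes --quiet --trust-model always \
      $rcpts -o "$dst" --encrypt "$src" 2>/dev/null
}
decrypt_as() {  # $1=party  $2=encrypted file; plaintext goes to stdout
  gpg --homedir "$WORK/$1" --batch --quiet --decrypt "$2" 2>/dev/null
}
demo() {
  mkdir -m 700 "$WORK/sender" "$WORK/outsider" || return 1
  make_recipient alice alice@example.test && make_recipient bob bob@example.test || return 1
  fa=$(fingerprint alice alice@example.test)  # real use: read out by phone
  fb=$(fingerprint bob bob@example.test)
  import_verified "$WORK/alice.asc" alice@example.test "$fa" &&
  import_verified "$WORK/bob.asc" bob@example.test "$fb" || return 1
  echo "pricing model, constructed sample" > "$WORK/doc.txt"
  encrypt_for "$WORK/doc.txt" "$WORK/doc.gpg" "$fa" "$fb" || return 1
  for p in alice bob; do [ "$(decrypt_as "$p" "$WORK/doc.gpg")" = "$(cat "$WORK/doc.txt")" ] || return 1; done
  ! decrypt_as outsider "$WORK/doc.gpg" >/dev/null
}
demo && echo "alice and bob can decrypt; outsider cannot"
```

Only the `.asc` public-key file and the encrypted `.gpg` file travel by e-mail or download; private keys never leave each recipient's machine.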
 
LVL 1

Author Comment

by:Alaska Cowboy
ID: 37823485
n2fc - good suggestion on double lock entry with zip file (haven't used rar archive, but good option as well).

Gerwin Jansen, gpg4win looks really good, probably my next step up beyond the simple password. How would my partners "supply me with their encryption keys / certificates", especially if they are operating in a home (non-corporate) environment ?
0
 
LVL 6

Assisted Solution

by:HAVARD7979
HAVARD7979 earned 75 total points
ID: 37823509
I agree you can zip the file with a password to help protect it. But do not put it on a website to be downloaded. You should use an FTP site that the user has to log into to get to the download. That adds another layer of protection.
0
 
LVL 1

Author Comment

by:Alaska Cowboy
ID: 37823544
havard, just need to clarify what you are saying . . . if I have a document that's stored here: www.mywebsite.com/documents, and the user goes to that site and sees an index of documents, is that "on a website" ?

I guess I don't understand what is "an ftp site" that's "not on a website" . . .

but this sounds like another good layer of security, and avoids versions piling up in e-mail
0
 
LVL 6

Accepted Solution

by:
HAVARD7979 earned 75 total points
ID: 37823866
If you put the doc in www.mywebsite.com/documents, anyone can go and download it. Then it is a matter of using software to crack the password on the file. You should have the file in ftp://mywebsite.com/documents; that would require a username and password to even see the file. Are you hosting your own website or is it at a hosting service? If you are hosting your own, there are several free, easy-to-use FTP servers. I use zFTPServer for our stuff. If you are using a hosting company, it is just a matter of going into your cPanel and creating an FTP user and password.
0
 
LVL 1

Author Comment

by:Alaska Cowboy
ID: 37824089
Havard, ok, makes more sense now. I will investigate the ftp://mywebsite and post another question if needed
0
 
LVL 1

Author Closing Comment

by:Alaska Cowboy
ID: 37824101
just what I was looking for, thank you all
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 37824166
You're welcome :)
0
 
LVL 1

Author Comment

by:Alaska Cowboy
ID: 37824218
sorry, quick follow-up . . .

I like the ftp solution and did a quick set up of a user.

the hosted service on cpanel wanted to put them in public_html/[user_name].

but I created a folder on public_ftp/[directory_name]

so does this mean it's "not on the web" and only available via ftp, so entry credentials are the host ip address, the user name, and then the password ?

I kind of like this solution, as I don't have to fiddle with password protecting the file, I can just dump the files there (although I realize this would be an extra layer of security).
0
 
LVL 6

Expert Comment

by:HAVARD7979
ID: 37824947
I would have thought it would have gone to public_ftp. But by having it in public_html you will need to write a .htaccess file to block people, which is not what you want. I would force it to the public_ftp side. You should be able to call your hosting company and they should be able to walk you through setting up an FTP site and user without any trouble. A different way to go would also be to use Google Docs and only give out the login to that to the right people. I have a restaurant chain that uses Google Docs for all their training manuals etc.
0
 
LVL 1

Author Comment

by:Alaska Cowboy
ID: 37825067
Havard, I was able to change it to public_ftp, it just defaulted to public_html.

so does this count as "an ftp site" ?

google docs is also a good functional solution but I'm just nervous about the security there.
0
 
LVL 6

Expert Comment

by:HAVARD7979
ID: 37825154
Best thing is to test it. Just type it in the browser and you should not be able to see it. If you type ftp:// then it should prompt for a password. See:

http://dataroom.coles.com/  vs. ftp://dataroom.coles.com/

for an example.
0
 
LVL 1

Author Comment

by:Alaska Cowboy
ID: 37825168
yes, I think I'm good, thanks !
0
 
LVL 6

Expert Comment

by:HAVARD7979
ID: 37827658
glad to hear that
best of luck
0
