We help IT Professionals succeed at work.
Get Started

Risks & mitigation for file uploading / downloading via http & https

268 Views
Last Modified: 2016-08-30
We permit a couple of depts to upload & download files to external service providers
 (eg: law firms, payment processing) : we are the http & https client while the external
 providers are the  web server & https server.

 Q1:
 I guess http is only meant for non-sensitive data but other than educating users, we
 don't have a way of checking & enforcing that only non-sensitive data are via http:
 Can DLP (Data Loss Prevention) help with this?  In our case we only use DLP for
 emails, not such files transfer.  Any mitigation?  We can always tell users to use
 zip to encrypt with complex password but have not way to enforce from the
 proxy or can proxy check if files are encrypted before allowing the transfer?
 Refer below for sample proxy rules we've created.

 Q2:
 What are the risks with such files sharing using https ?  I suppose I have to check
 the remote end (Allen & Gledhill law firm is one example) https is not using SSL
 but TLS V1.2 ?  Any other thing to watch out for in the https?

 Q3:
 Even if we encrypt/zip the files with complex password, is there still risks & if so
 what's the mitigation?

Q4:
In secure coding there's this "Dynamic file inclusion" but I'm unable to establish if the
 remote site's coding is such that the remote end's app validate against a whitelist
 (for malicious sites).  Is there any way to mitigate for this considering I don't have
control over the remote end's source coding?


Below is a sample of the proxy rules :
Some of our proxy's for file sharing:
 2      condition=__USERaaa condition="RequestURL 198.x.y.z" Allow      ; Rule 8      File Storage/Sharing
 10      condition=NoBlockYousendIT condition=URL_www.allsendit.com Allow      ; Rule 17      File Storage/Sharing
 36      condition=__USER388 condition="URL_laser.myTelco_&_tracker.campaignsend" Allow      ; Rule 46      File Storage/Sharing
 43      condition=Allow_goodnote.com_MM2168888 condition=URL_goodnote.com_MM2168888 Allow      ; Rule 54      File Storage/Sharing
 45      condition="Access to Services.intralinks.com" condition="Intralinks URLs" Allow      ; Rule 58      File Storage/Sharing
 65      condition="Access to files in Intralinks" condition="Intralinks files access" Allow      ; Rule 82      File Storage/Sharing
 66      condition=__USER181 url.domain="ftp.mmm.com" Allow      ; Rule 83      File Storage/Sharing  ; to SAN support
Comment
Watch Question
Senior Developer
CERTIFIED EXPERT
Commented:
This problem has been solved!
Unlock 1 Answer and 1 Comment.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE