We permit a couple of departments to upload and download files to external service providers
(e.g. law firms, payment processing): we are the HTTP and HTTPS client, while the external
providers are the web server and HTTPS server.
Q1:
I guess HTTP is only meant for non-sensitive data, but other than educating users, we
don't have a way of checking and enforcing that only non-sensitive data go via
HTTP.
Can DLP (Data Loss Prevention) help with this? In our case we only use DLP for
emails, not for such file transfers. Any mitigation? We can always tell users to use
zip to encrypt with a complex password, but we have no way to enforce that from the
proxy. Or can the proxy check whether files are encrypted before allowing the transfer?
Refer below for the sample proxy rules we've created.
Q2:
What are the risks with such file sharing using HTTPS? I suppose I have to check that
the remote end (the Allen & Gledhill law firm is one example) is not using SSL for HTTPS
but TLS v1.2? Anything else to watch out for in HTTPS?
Q3:
Even if we encrypt/zip the files with a complex password, are there still risks, and if so
what's the mitigation?
Q4:
In secure coding there's this "Dynamic file inclusion", but I'm unable to establish whether the
remote site's code is written such that the remote end's app validates against a whitelist
(for malicious sites). Is there any way to mitigate this, considering I don't have
control over the remote end's source code?
Below is a sample of our proxy rules for file sharing:
2 condition=__USERaaa condition="RequestURL 198.x.y.z" Allow ; Rule 8 File Storage/Sharing
10 condition=NoBlockYousendIT condition=URL_www.allsendit.com Allow ; Rule 17 File Storage/Sharing
36 condition=__USER388 condition="URL_laser.myTelco_&_tracker.campaignsend" Allow ; Rule 46 File Storage/Sharing
43 condition=Allow_goodnote.com_MM2168888 condition=URL_goodnote.com_MM2168888 Allow ; Rule 54 File Storage/Sharing
45 condition="Access to Services.intralinks.com" condition="Intralinks URLs" Allow ; Rule 58 File Storage/Sharing
65 condition="Access to files in Intralinks" condition="Intralinks files access" Allow ; Rule 82 File Storage/Sharing
66 condition=__USER181 url.domain="ftp.mmm.com" Allow ; Rule 83 File Storage/Sharing ; to SAN support
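Regarding the question in Q1 (can the proxy check whether an uploaded file is encrypted before allowing the transfer?) and the related risk in Q3, here is an added example of the kind of content check a proxy or ICAP hook could apply to an uploaded zip. It is not part of the original post and not code from any proxy product. It relies on two facts about the zip format: every entry carries a general-purpose flag whose bit 0 marks the entry as encrypted, and WinZip-style AES entries declare compression method 99. Legacy ZipCrypto (bit 0 set, ordinary method) is the weak PKWARE stream cipher and should not count as protection, and neither scheme encrypts the file names in the central directory. The hypothetical `upload_allowed` policy therefore fails closed on non-zip data, on empty archives, on any plaintext entry and, by default, on ZipCrypto. The sample archives are constructed in memory by a small hand-rolled builder so the example runs offline; the method-99 entries only set the header fields this check inspects and contain no real AES data.

```python
import io
import struct
import zipfile
import zlib

# General-purpose bit flag, bit 0: entry is encrypted (ZIP appnote).
_ENCRYPTED = 0x0001
# Compression method id that WinZip AES entries declare.
_WINZIP_AES = 99


def build_zip(entries):
    """Construct a minimal zip (stored entries only) from
    (name, payload, flag_bits, method) tuples. Constructed test data:
    the headers are real, but 'method 99' entries carry no actual AES
    payload; this is enough for header-level classification."""
    local = b""
    central = b""
    for name, payload, flags, method in entries:
        nm = name.encode()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        # Local file header (30 bytes) + name + raw payload.
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                             0, 0, crc, len(payload), len(payload),
                             len(nm), 0) + nm + payload
        # Central directory header (46 bytes) + name.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                               flags, method, 0, 0, crc, len(payload),
                               len(payload), len(nm), 0, 0, 0, 0, 0,
                               offset) + nm
    # End-of-central-directory record (22 bytes, no comment).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd


def classify_zip(data: bytes) -> dict:
    """Return {entry name: 'aes' | 'zipcrypto' | 'none'} by reading only
    the central directory; no entry is decompressed or decrypted."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_type == _WINZIP_AES:
                result[info.filename] = "aes"
            elif info.flag_bits & _ENCRYPTED:
                result[info.filename] = "zipcrypto"   # weak legacy cipher
            else:
                result[info.filename] = "none"
    return result


def upload_allowed(data: bytes, require_aes: bool = True) -> bool:
    """Hypothetical proxy policy: permit the transfer only when every entry
    is encrypted, and by default only with AES. Fails closed on anything
    that is not a well-formed, non-empty zip."""
    try:
        statuses = classify_zip(data)
    except zipfile.BadZipFile:
        return False
    if not statuses:
        return False
    acceptable = {"aes"} if require_aes else {"aes", "zipcrypto"}
    return all(s in acceptable for s in statuses.values())


if __name__ == "__main__":
    samples = {
        "plain":     build_zip([("contract.docx", b"draft", 0, 0)]),
        "zipcrypto": build_zip([("contract.docx", b"draft", _ENCRYPTED, 0)]),
        "aes":       build_zip([("contract.docx", b"draft", _ENCRYPTED, _WINZIP_AES)]),
        "mixed":     build_zip([("contract.docx", b"draft", _ENCRYPTED, _WINZIP_AES),
                                ("notes.txt", b"x", 0, 0)]),
    }
    for label, blob in samples.items():
        print(f"{label:10s} {classify_zip(blob)}  allowed={upload_allowed(blob)}")
```

Note that the file names still come back in clear from `classify_zip` even for the "aes" archive, which is the point about zip encryption in Q3: a proxy (or the remote provider) can read the entry names regardless of the password, so sensitive information in file names is not protected by the zip password at all.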