sunhux
asked on
Best practice for ssh keys exchange : 1-way (& which way) or 2-ways
We are outsourcing our customer screening function (to screen for customers who
are known to be $ laundering or terrorist-funding related) to an external vendor.
We have to do sftp to transfer our customers' info to this vendor daily.
a) Is is more secure that we are the sftp server (ie the vendor connects to us to
'get' the data or the vendor is the sftp server (ie we 'put' the data to the vendor
or it doesn't matter?
Considering whether to get Tectia ssh client or Tectia ssh server
b) Anyone come across direct secure data transfer between apps (say via API)?
Does such API uses sftp protocol? If so, any keys need to be established and
exchanged between our apps & the vendor's apps? Perhaps this question
doesn't make sense
c) For a more secure environment, should we enable one-way instead of two-ways
ssh keys exchange?'
d) I'm inclined to think that should an ex-employee left us, he can copy the ssh
keys out; so would a 2nd extra authentication (say password authentication)
help? Or what could help with this scenario where a staff at vendor's end
or our end leave & copies out the ssh keys?
are known to be $ laundering or terrorist-funding related) to an external vendor.
We have to do sftp to transfer our customers' info to this vendor daily.
a) Is is more secure that we are the sftp server (ie the vendor connects to us to
'get' the data or the vendor is the sftp server (ie we 'put' the data to the vendor
or it doesn't matter?
Considering whether to get Tectia ssh client or Tectia ssh server
b) Anyone come across direct secure data transfer between apps (say via API)?
Does such API uses sftp protocol? If so, any keys need to be established and
exchanged between our apps & the vendor's apps? Perhaps this question
doesn't make sense
c) For a more secure environment, should we enable one-way instead of two-ways
ssh keys exchange?'
d) I'm inclined to think that should an ex-employee left us, he can copy the ssh
keys out; so would a 2nd extra authentication (say password authentication)
help? Or what could help with this scenario where a staff at vendor's end
or our end leave & copies out the ssh keys?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I felt uneasy that the sensitive info is extracted from our backend DB server &
then exported/saved as csv in a server in our DMZ zone : fact that it's in DMZ
means this server is Internet-facing, thus more 'exposed'. Thing is if I encrypt
this csv file (say using a Zipping tool) with a password, such a password will be
known to sysadmin (or a staff at the vendor's end) so as to be able to decrypt
it. Would it be better to use a certain OTP value to encrypt & this OTP value
is separately sent via sftp to the vendor, so the 'encryption' password is
always different as it's "one-time" only? I have no idea how to implement
such 'OTP' encryption currently