D&C GLug - Home Page


Re: [LUG] Re Malware being distributed using list emails

 


On 2022-03-16 14:10 Simon Waters <simon@xxxxxxxxxxxxxx> wrote:


Secure file transfer generally requires an agreed protocol, and thus cooperation. So there is no one answer; you need a way to identify the recipient and confidence in any systems, encryption and keys used.

But hopefully you train folk such that a URL and a weak password in plain text email is a big red flag that this isn't the kind of thing to do.

We used an online document management system that provided the guarantees we needed at places I've worked that needed it.

Email generally isn't the answer, although with strong encryption it could be, although most implementations of email encryption are pretty ropey (e.g. S/MIME or PGP). Although where it mattered I did a lot of work to make sure emails were encrypted between servers, and only valid certificates were accepted; email addresses outside those domains got highlighted in red in case of typos etc. But that was belt and braces because users don't always follow the rules and we wanted them to fail as safely as possible, and completely disabling email attachment use is likely counterproductive for most organisations.

One of the local councils forced people to classify attachments in emails and then used a web service for sensitive documents. Unfortunately the web service wasn't great and I bet people under-classified to avoid it, and newer cloud-based document storage means it is now easier to use regular tooling to share sensitive files securely (making your default way of working secure is always the best way; don't make people think, most aren't very good at it, myself included). Again it generally forces recipients to use a 3rd party service, so you probably want to agree that between organisations, to make sure correspondents use MFA with that service etc.
Some financial services firms
Happy days, long live Royal Mail

--
Henry
PersMob 077 2307 0967
OfficeMob 07890 891 174
Office Direct: 01803 898 319
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: https://www.dcglug.org.uk/faq/