Accounting + Data Encryption

The place for all kinds of software for all kinds of operating systems.

Moderator: Dposcorp

Accounting + Data Encryption

Postposted on Wed Dec 14, 2011 5:38 am

I'm in need a decent piece of software that can encrypt data for clients of mine who are accountants. Below is a link to the IRS and its required standards.

http://www.irs.gov/privacy/article/0,,id=217110,00.html

The second chart is the one you mostly want to look at. I was curious if anyone has had to find or use encryption programs for this sort of use. If so, any recommendations and are there any you would suggest avoiding. A few of them I found seemed very cheesy and wanted $100 per user, which seemed a bit steep. I'm not at all opposed to free options either, I don't discredit software just because it doesn't have a price tag.

The thing about the software is that it must be something that can be used on the company's computers but not require their clients download anything on their end. Ideally they can encrypt the file, send as an email attachment or hand it off on a thumb drive, and the client simple enters a password at prompt. Of course it has to meet those standards by the IRS that I linked.

I was thinking about BitLocker from Windows 7 Ultimate. I've never used it even though I've got Ultimate installed on my current system. The only issue is that I can't sell them on buying or upgrading to Windows 7 Ultimate over pro just for that purpose. Any feedback you guys would have, as usual, would kick ass.

***Edit***
There is some debate for me regarding whether the IRS means at a file level that it must be encrypted or just the transmission. I do have a new Cisco ASA which will be installed and is FIPS 140-2 compliant. However I was told that the IRS specifies that ALL exchanges, meaning the accountants handing off a copy of the file on a thumb drive, ALSO must be encrypted... Just want to make sure that I'm covering all bases, i'd find it hard to believe that installing the ASA would solve all of the problems.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

i5-2500K|Asus P67 Sabertooth|16GB Corsair 1600|MSI 7850 2GB|250gb Evo 840|Corsair 400R|ET750w PSU|Logitech G5|Dell 2420L|Corsair Vengeance 1300
Welch
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2640
Joined: Thu Nov 04, 2004 5:45 pm
Location: Fairbanks, Alaska

Re: Accounting + Data Encryption

Postposted on Wed Dec 14, 2011 6:08 am

If you really only need to encrypt a file with strong encryption you maybe able to use something as simple as WinZIP as it supports AES-256.
kyboshed
Gerbil
Gold subscriber
 
 
Posts: 68
Joined: Wed Aug 21, 2002 5:48 am
Location: Newcastle

Re: Accounting + Data Encryption

Postposted on Wed Dec 14, 2011 6:31 am

Welch:

The idea is that no electronic data is ever outside the FIPS 140-2 box from the moment of its creation.
Life is hard; but it's harder if you're stupid. Big Al.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20311
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Accounting + Data Encryption

Postposted on Wed Dec 14, 2011 9:15 am

Maybe this can help.
Laptop: HP Pavilion 17-e016dx. AMD A8-5550M, 4GB RAM, 750GB HDD, AMD Radeon HD 8550G integrated video, 17.3" display, 1600*900 (HD+) resolution, SD card reader, Windows 8.1 (DL Classic Shell)
riviera74
Gerbil Elite
 
Posts: 864
Joined: Mon May 29, 2006 6:14 am
Location: FM, FL, USA

Re: Accounting + Data Encryption

Postposted on Wed Dec 14, 2011 12:04 pm

http://www.truecrypt.org/ (whole-disk encryption)
http://www.7-zip.org/ (alternative to WinZIP, also does AES256)
Scrotos
Graphmaster Gerbil
 
Posts: 1035
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Accounting + Data Encryption

Postposted on Wed Dec 14, 2011 12:11 pm

Also, if you want an email solution, we use http://www.axway.com/products-solutions ... y/mailgate and it's not bad for not too much money.

Many other people will outsouce secure email to places like Zix or McAfee or Cisco, too. Or install appliances locally that do the same thing. Mailgate took some configuring but we basically run it in a VM to handle spam and encryption duties in front of an Exchange server.
Scrotos
Graphmaster Gerbil
 
Posts: 1035
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Accounting + Data Encryption

Postposted on Thu Mar 01, 2012 9:55 pm

Maybe this would be useful:

http://www.gpg4win.org/
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3171
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Accounting + Data Encryption

Postposted on Thu Mar 01, 2012 10:16 pm

Full Disk Encryption: http://www.checkpoint.com/products/full ... index.html

Microsoft SQL Server 2008 R2 (Enterprise only) Encryption: http://www.microsoft.com/sqlserver/en/u ... iance.aspx

What else could you possibly need beyond that?
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7367
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: Accounting + Data Encryption

Postposted on Thu Mar 01, 2012 11:55 pm

They talk about encrypting in transit too in addition to "static" encryption. I just scanned the doc so my question is even if you encrypt the file, can you send the encrypted file over the clear in regular email, or even the email itself has to be secure?

As for the technology, BitLocker on the desktop/laptop is designed more for encrypting the disks such that in the event of theft a PIN code is required to decrypt the content. It may be too simple to defeat with guessing (too many guesses will increase wait times though) if you use PIN only mode. And of course, are you sending the whole desktop/laptop to the other side? The one you are looking at is BitLocker To Go, where you can encrypt flash drives, but it is only protected by a password and you can only snail mail the drives. So I am not sure if BitLocker or BitLocker To Go is the answer to your situation.
Image
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24439
Joined: Mon May 24, 2004 2:19 am

Re: Accounting + Data Encryption

Postposted on Fri Mar 02, 2012 12:33 pm

Flying Fox wrote:They talk about encrypting in transit too in addition to "static" encryption. I just scanned the doc so my question is even if you encrypt the file, can you send the encrypted file over the clear in regular email, or even the email itself has to be secure?


"Applicability of Encryption Requirements: Electronic Mail

IRS Publication 1075 states e-mail systems shall not be used to transmit FTI data. Under the circumstances where there is an agency business requirement to use e-mail to transmit FTI, both the FTI data and message itself must be encrypted to protect the confidentiality of FTI."

Most email servers will screen out encrypted attachments as Spam anyway.

Back to the document.

"External (outside agency LAN)

All FTI that is transmitted over the Internet, including via e-mail to external entities must be encrypted. This includes all FTI data transmitted across an agency’s Wide Area Network (WAN).
Applicability of Encryption Requirements: Application Sessions

All application user sessions, whether those be client/server or web-based applications, that access FTI from a back-end database or other server shall be encrypted and provide end-to-end encryption, i.e., from workstation to point of data.

It is recommended that all data transmissions between the server and the workstation occur over a VPN that employs FIPS 140-2 compliant end-to-end encryption. If a VPN solution is not feasible, then an alternate end-to-end encryption mechanism such as using HTTPS protocol and Secure Sockets Layer (SSL)v3 (TLS) encryption is acceptable. SSL encryption should be based on a certificate containing a key no less than 128 bits and FIPS 140-2 compliant."

The important thing to take away is that HTTPS using TLS 1 or SSL 3 is sufficient for transmission across the Internet. This makes things infinitely easier, and most of this is server config. Just clarify where your responsibility ends and the client's begins. Figuring out when it's "not your problem anymore" is the key thing.

It also suggests that VPNs, presumably IPSec VPNs, be used whenever possible, which I agree with. The second part leaves the door open for SSL-VPNs, so that could be an option with the correct configuration.

The end-to-end encryption will have to be taken on a per application basis. Some may default to using encryption for communication and some may not.

I also found out Firefox can be FIPS compliant, so that cool. (https://developer.mozilla.org/en/NSS/FI ... xplanation)

"Applicability of Encryption Requirements: FTI Data at Rest

While encryption of data at rest is an effective defense-in-depth technique, encryption is not currently required for FTI while it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations and is physically secure restricted area behind two locked barriers. This type of encryption is being evaluated by the IRS as a potential policy update in the next revision of the Publication 1075.

However, if a system is used to receive, process, store or transmit FTI that also serves a secondary function not related to FTI processing (e.g., a workstation used to download FTI files from Secure Data Transfer system also serves as an employee’s user workstation), and this system does not meet the IRS SCSEM recommendations for secure configuration and physical security, the FTI residing on that system should be encrypted using FIPS 140-2 compliant encryption. This can be accomplished for example, using the Encrypting File System (EFS) on Windows 2000, XP and 2003 Server systems with the AES encryption algorithm."

You're servers don't need full disk encryption, provided they are configured and secured correctly, but workstations do need, at least, an encrypted folder. The article goes on to talk about how the IRS uses full disk encryption for laptops since everything gets encrypted, so take that as you will. [Edit: Full disk encryption will be easier for users as they won't have to worry about accidently placing data where it shouldn't be.]

TrueCrypt can create encrypted folders or EFS, as mentioned, can be used. I actually use TrueCrypt to secure passwords and such as work on my workstation.

The above is just my interpretation of the linked document. I don't have any direct experience with the IRS, but everything seems reasonable enough.
Flatland_Spider
Gerbil Elite
 
Posts: 852
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Accounting + Data Encryption

Postposted on Sat Mar 03, 2012 2:15 am

Pub 1075 is for federal, state and local agencies (governmental and quasi-governmental agencies). I think the publication you're looking for (assuming you're not working with a governmental agency) is 4557.

Here's another good page from the AICPA.

The short version is that they must have a policy to protect taxpayer data commensurate with the size and complexity of the organization. I personally have used truecrypt full disk encryption at work (I am a practicing CPA, but please don't sue me!).

Certainly sending unencrpyted taxpayer data via email would be a violation, but the rules aren't as hard and fast as they are for governmental agencies.
Jason181
Gerbil First Class
Silver subscriber
 
 
Posts: 182
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

Re: Accounting + Data Encryption

Postposted on Sun Mar 04, 2012 3:51 am

Jason181 wrote:Certainly sending unencrpyted taxpayer data via email would be a violation, but the rules aren't as hard and fast as they are for governmental agencies.

What about an encrypted file but over clear email?
Image
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24439
Joined: Mon May 24, 2004 2:19 am

Re: Accounting + Data Encryption

Postposted on Sun Mar 04, 2012 2:24 pm

I don't know a whole lot about encryption, but I don't feel like $100 a seat is that much, especially for a business requirement. I wouldn't dismiss it so quickly based on that; instead, just look for the best solution (based on needs) and sell it based on its merits. Offer a couple different solutions based on price if you think you need to, but make it clear why a cheaper solution won't be as effective (if indeed it isn't, otherwise it should be your top choice).

Also make sure you're taking into account support options. Free is good, but when it breaks there's nobody to call. Depending on your situation, that may or may not be a big deal, but you definitely need to consider it.
spitfire650
Gerbil
 
Posts: 31
Joined: Sun Jan 01, 2012 5:36 pm

Re: Accounting + Data Encryption

Postposted on Sun Mar 04, 2012 8:18 pm

Flying Fox wrote:What about an encrypted file but over clear email?


That's probably actually fine; I've worked for a couple of smaller firms, and that's as far as they go. If you're talking about a 100+ employee firm (or maybe even somewhat smaller) it might be wise to do a little more.

Unless there's a flaw in the encryption algorithm, you're using pgp-type encryption, or you're assigning passwords that a dictionary attack will find (or just very short passwords), the chances of breaking it are pretty slim.

I'm no encryption expert, but neither are the most of the people handling your financial data. That sounds scary, but it's the real world, and complicating the system too much will lead to insecurity too.

Jason
Jason181
Gerbil First Class
Silver subscriber
 
 
Posts: 182
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

Re: Accounting + Data Encryption

Postposted on Sun Mar 04, 2012 10:57 pm

Flying Fox wrote:
Jason181 wrote:Certainly sending unencrpyted taxpayer data via email would be a violation, but the rules aren't as hard and fast as they are for governmental agencies.

What about an encrypted file but over clear email?


You're going to run into spam filters which will treat any email with an encrypted attachments as virus bearing spam. At best the email will end up in the junk folder; at worst, it will get deleted.

The way around this is to use a secure email system like Zix.
Flatland_Spider
Gerbil Elite
 
Posts: 852
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539


Return to General Software

Who is online

Users browsing this forum: Google [Bot] and 1 guest