 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Accounting + Data Encryption

Wed Dec 14, 2011 5:38 am

I'm in need of a decent piece of software that can encrypt data for clients of mine who are accountants. Below is a link to the IRS and its required standards.

http://www.irs.gov/privacy/article/0,,id=217110,00.html

The second chart is the one you mostly want to look at. I was curious if anyone has had to find or use encryption programs for this sort of use. If so, any recommendations, and are there any you would suggest avoiding? A few of them I found seemed very cheesy and wanted $100 per user, which seemed a bit steep. I'm not at all opposed to free options either; I don't discredit software just because it doesn't have a price tag.

The thing about the software is that it must be something that can be used on the company's computers but not require their clients to download anything on their end. Ideally they can encrypt the file, send it as an email attachment or hand it off on a thumb drive, and the client simply enters a password at the prompt. Of course it has to meet those standards by the IRS that I linked.

I was thinking about BitLocker from Windows 7 Ultimate. I've never used it even though I've got Ultimate installed on my current system. The only issue is that I can't sell them on buying or upgrading to Windows 7 Ultimate over pro just for that purpose. Any feedback you guys would have, as usual, would kick ass.

***Edit***
There is some debate for me regarding whether the IRS means at a file level that it must be encrypted or just the transmission. I do have a new Cisco ASA which will be installed and is FIPS 140-2 compliant. However, I was told that the IRS specifies that ALL exchanges, meaning the accountants handing off a copy of the file on a thumb drive, ALSO must be encrypted... Just want to make sure that I'm covering all bases; I'd find it hard to believe that installing the ASA would solve all of the problems.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
kyboshed
Gerbil
Posts: 69
Joined: Wed Aug 21, 2002 5:48 am
Location: Newcastle

Re: Accounting + Data Encryption

Wed Dec 14, 2011 6:08 am

If you really only need to encrypt a file with strong encryption, you may be able to use something as simple as WinZIP, as it supports AES-256.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Accounting + Data Encryption

Wed Dec 14, 2011 6:31 am

Welch:

The idea is that no electronic data is ever outside the FIPS 140-2 box from the moment of its creation.
What we have today is way too much pluribus and not enough unum.
 
riviera74
Gerbil Elite
Posts: 897
Joined: Mon May 29, 2006 6:14 am
Location: FM, FL, USA
Contact:

Re: Accounting + Data Encryption

Wed Dec 14, 2011 9:15 am

Maybe this can help.
Omen by HP Desktop: Core i5-7400, 8GB RAM, GeForce GTX 1050, 256GB SSD and 1TB HDD
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Accounting + Data Encryption

Wed Dec 14, 2011 12:04 pm

http://www.truecrypt.org/ (whole-disk encryption)
http://www.7-zip.org/ (alternative to WinZIP, also does AES256)
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Accounting + Data Encryption

Wed Dec 14, 2011 12:11 pm

Also, if you want an email solution, we use http://www.axway.com/products-solutions ... y/mailgate and it's not bad for not too much money.

Many other people will outsource secure email to places like Zix or McAfee or Cisco, too. Or install appliances locally that do the same thing. Mailgate took some configuring, but we basically run it in a VM to handle spam and encryption duties in front of an Exchange server.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Accounting + Data Encryption

Thu Mar 01, 2012 9:55 pm

Maybe this would be useful:

http://www.gpg4win.org/
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI
Contact:

Re: Accounting + Data Encryption

Thu Mar 01, 2012 10:16 pm

Full Disk Encryption: http://www.checkpoint.com/products/full ... index.html

Microsoft SQL Server 2008 R2 (Enterprise only) Encryption: http://www.microsoft.com/sqlserver/en/u ... iance.aspx

What else could you possibly need beyond that?
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Re: Accounting + Data Encryption

Thu Mar 01, 2012 11:55 pm

They talk about encrypting in transit too, in addition to "static" encryption. I just scanned the doc, so my question is: even if you encrypt the file, can you send the encrypted file in the clear in regular email, or does even the email itself have to be secure?

As for the technology, BitLocker on the desktop/laptop is designed more for encrypting the disks such that in the event of theft a PIN code is required to decrypt the content. It may be too simple to defeat with guessing (too many guesses will increase wait times though) if you use PIN-only mode. And of course, are you sending the whole desktop/laptop to the other side? The one you are looking at is BitLocker To Go, where you can encrypt flash drives, but it is only protected by a password and you can only snail mail the drives. So I am not sure if BitLocker or BitLocker To Go is the answer to your situation.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Accounting + Data Encryption

Fri Mar 02, 2012 12:33 pm

Flying Fox wrote:
They talk about encrypting in transit too, in addition to "static" encryption. I just scanned the doc, so my question is: even if you encrypt the file, can you send the encrypted file in the clear in regular email, or does even the email itself have to be secure?

"Applicability of Encryption Requirements: Electronic Mail

IRS Publication 1075 states e-mail systems shall not be used to transmit FTI data. Under the circumstances where there is an agency business requirement to use e-mail to transmit FTI, both the FTI data and message itself must be encrypted to protect the confidentiality of FTI."

Most email servers will screen out encrypted attachments as Spam anyway.

Back to the document.

"External (outside agency LAN)

All FTI that is transmitted over the Internet, including via e-mail to external entities must be encrypted. This includes all FTI data transmitted across an agency’s Wide Area Network (WAN).
Applicability of Encryption Requirements: Application Sessions

All application user sessions, whether those be client/server or web-based applications, that access FTI from a back-end database or other server shall be encrypted and provide end-to-end encryption, i.e., from workstation to point of data.

It is recommended that all data transmissions between the server and the workstation occur over a VPN that employs FIPS 140-2 compliant end-to-end encryption. If a VPN solution is not feasible, then an alternate end-to-end encryption mechanism such as using HTTPS protocol and Secure Sockets Layer (SSL)v3 (TLS) encryption is acceptable. SSL encryption should be based on a certificate containing a key no less than 128 bits and FIPS 140-2 compliant."

The important thing to take away is that HTTPS using TLS 1 or SSL 3 is sufficient for transmission across the Internet. This makes things infinitely easier, and most of this is server config. Just clarify where your responsibility ends and the client's begins. Figuring out when it's "not your problem anymore" is the key thing.

It also suggests that VPNs, presumably IPSec VPNs, be used whenever possible, which I agree with. The second part leaves the door open for SSL-VPNs, so that could be an option with the correct configuration.

The end-to-end encryption will have to be taken on a per application basis. Some may default to using encryption for communication and some may not.

I also found out Firefox can be FIPS compliant, so that's cool. (https://developer.mozilla.org/en/NSS/FI ... xplanation)

"Applicability of Encryption Requirements: FTI Data at Rest

While encryption of data at rest is an effective defense-in-depth technique, encryption is not currently required for FTI while it resides on a system (e.g., in files or in a database) that is dedicated to receiving, processing, storing or transmitting FTI, is configured in accordance with the IRS Safeguards Computer Security Evaluation Matrix (SCSEM) recommendations and is physically secure restricted area behind two locked barriers. This type of encryption is being evaluated by the IRS as a potential policy update in the next revision of the Publication 1075.

However, if a system is used to receive, process, store or transmit FTI that also serves a secondary function not related to FTI processing (e.g., a workstation used to download FTI files from Secure Data Transfer system also serves as an employee’s user workstation), and this system does not meet the IRS SCSEM recommendations for secure configuration and physical security, the FTI residing on that system should be encrypted using FIPS 140-2 compliant encryption. This can be accomplished for example, using the Encrypting File System (EFS) on Windows 2000, XP and 2003 Server systems with the AES encryption algorithm."

Your servers don't need full disk encryption, provided they are configured and secured correctly, but workstations do need, at least, an encrypted folder. The article goes on to talk about how the IRS uses full disk encryption for laptops since everything gets encrypted, so take that as you will. [Edit: Full disk encryption will be easier for users, as they won't have to worry about accidentally placing data where it shouldn't be.]

TrueCrypt can create encrypted folders, or EFS, as mentioned, can be used. I actually use TrueCrypt to secure passwords and such at work on my workstation.

The above is just my interpretation of the linked document. I don't have any direct experience with the IRS, but everything seems reasonable enough.
 
Jason181
Gerbil First Class
Posts: 186
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

Re: Accounting + Data Encryption

Sat Mar 03, 2012 2:15 am

Pub 1075 is for federal, state and local agencies (governmental and quasi-governmental agencies). I think the publication you're looking for (assuming you're not working with a governmental agency) is 4557.

Here's another good page from the AICPA.

The short version is that they must have a policy to protect taxpayer data commensurate with the size and complexity of the organization. I personally have used truecrypt full disk encryption at work (I am a practicing CPA, but please don't sue me!).

Certainly sending unencrypted taxpayer data via email would be a violation, but the rules aren't as hard and fast as they are for governmental agencies.
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Re: Accounting + Data Encryption

Sun Mar 04, 2012 3:51 am

Jason181 wrote:
Certainly sending unencrypted taxpayer data via email would be a violation, but the rules aren't as hard and fast as they are for governmental agencies.

What about an encrypted file but over clear email?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
spitfire650
Gerbil
Posts: 31
Joined: Sun Jan 01, 2012 5:36 pm

Re: Accounting + Data Encryption

Sun Mar 04, 2012 2:24 pm

I don't know a whole lot about encryption, but I don't feel like $100 a seat is that much, especially for a business requirement. I wouldn't dismiss it so quickly based on that; instead, just look for the best solution (based on needs) and sell it based on its merits. Offer a couple different solutions based on price if you think you need to, but make it clear why a cheaper solution won't be as effective (if indeed it isn't, otherwise it should be your top choice).

Also make sure you're taking into account support options. Free is good, but when it breaks there's nobody to call. Depending on your situation, that may or may not be a big deal, but you definitely need to consider it.
 
Jason181
Gerbil First Class
Posts: 186
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

Re: Accounting + Data Encryption

Sun Mar 04, 2012 8:18 pm

Flying Fox wrote:
What about an encrypted file but over clear email?

That's probably actually fine; I've worked for a couple of smaller firms, and that's as far as they go. If you're talking about a 100+ employee firm (or maybe even somewhat smaller) it might be wise to do a little more.

Unless there's a flaw in the encryption algorithm, you're using pgp-type encryption, or you're assigning passwords that a dictionary attack will find (or just very short passwords), the chances of breaking it are pretty slim.

I'm no encryption expert, but neither are most of the people handling your financial data. That sounds scary, but it's the real world, and complicating the system too much will lead to insecurity too.

Jason
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Accounting + Data Encryption

Sun Mar 04, 2012 10:57 pm

Flying Fox wrote:
Jason181 wrote:
Certainly sending unencrypted taxpayer data via email would be a violation, but the rules aren't as hard and fast as they are for governmental agencies.

What about an encrypted file but over clear email?


You're going to run into spam filters which will treat any email with an encrypted attachment as virus-bearing spam. At best the email will end up in the junk folder; at worst, it will get deleted.

The way around this is to use a secure email system like Zix.
