Electronic Data Transport
Ratified by Data Custodians: June 15, 2006


Rationale for the Standard

The Electronic Data Transport Standard is required for the following reasons:
  • To provide for data security protection when transmitting data that has confidentiality requirements between our systems that reside on publicly accessible data networks.
  • To reduce the number of methods, protocols, formats and media that are used to transmit secure data.

Electronic Data Transport Standard

It is recommended that all data other than public data be transferred between platforms via a secured protocol. The recommended protocols are the following:

  • SSL/TLS (Secure Socket Layer/Transport Layer Security)
  • PGP/GPG (Pretty Good Privacy/GNU Privacy Guard)
  • SSH (Secure Shell)
  • IPSec (IP Security)

The SSL/TLS protocol is preferred. If this protocol is not available for the application, users should use one of the other listed protocols.

Application of Standard

This standard applies to data file transfers over the Internet on the UConn publicly-accessible network between UConn system platforms and data file transfers to/from a UConn system and external system platforms.

It is assumed that the sender of the data bears the responsibility for the security of that data from its origin to the destination.

A secured protocol is required for platform-to-platform data transfers within the UConn network, including transfers on a local subnet, except when that transfer can be accomplished over a secure dedicated virtual or physical connection.

This standard is to be used for file transfers using UITS computer platforms and applications.

Exceptions and Amendments to the Standard

An exception to this standard may be necessary with some regulatory agencies that require data and may insist that this data be transferred using their protocols. (The Social Security Administration is currently such an agency, but adequate protection is provided by the fact that this data is transferred over a dedicated dial-up line.)

Note that within UConn, some platforms may have a point-to-point connection that may avoid the need for secure transport. The platforms, UCONNVM and UCONNMVS, share such a connection via their RSCS/JES-NJE connection.

Other exceptions to this standard, including the addition of other protocols, require the approval of the data steward(s) responsible for the data in question, based on technical guidance from the Director of Information Technology Security, Policy & Quality Assurance.

Data Classification Implications

For the purpose of this standard, no differentiation in the transfer protocols is proposed for the various secure data classifications (Registered Confidential, Confidential, Internal Use). All secure data classes should be transferred as secure (encrypted), while public data may be transferred without encryption.

Available Secure Transfer Protocols by System Platform

The following table lists the available protocols by Operating System. The use of these tools is intended for UITS applications and resources. Other software tools that comply with the transport protocols may be considered. For UITS purposes, these tools should be endorsed using the Exceptions and Amendments to the Standard procedure above.

OS             | TLS/SSL                                      | SSH                | PGP (GPG)        | IPSec
---------------+----------------------------------------------+--------------------+------------------+-----------------------------------------------------
z/OS (MVS)     | cURL (client)                                | Yes, Ported Tools  |                  |
VM/CMS         | SSLSERV                                      | No                 | No               | No
AIX            | https, cURL, Wget, Stunnel (for non-https)   | Yes (Sftp)         | Yes, third party | Yes
Linux          | https, cURL, Wget, Stunnel (for non-https)   | Yes (Sftp)         | Yes, third party | Yes
Solaris        | https, cURL, Wget, Stunnel (for non-https)   | Yes (Sftp)         | Yes, third party | Yes
Windows server | https only (IIS)                             | Third party        | Third party      | Yes
Windows client | https (IE), cURL                             | SSH                | Third party      | Yes, with authentication (such as Active Directory)
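The standard recommends SSL/TLS first and SSH-based transfer as the fallback, and the table above lists cURL as the TLS client on most platforms. The following wrapper, added here as an illustration and not part of the UConn standard or of any UITS tool, shows how a transfer job can enforce that choice: it refuses destination URLs whose scheme is not one of the secured protocols (https, ftps, sftp, scp) and builds a curl invocation that restricts curl itself to those protocols, verifies the server certificate against a named CA bundle, and treats server errors as failures. The CA bundle path, file name and example.invalid host are placeholders.

```shell
#!/bin/sh
# Added example, not part of the UConn Electronic Data Transport standard.
# Assumes a curl build with sftp/scp support on the platform that runs the
# transfer; paths and hosts below are placeholders chosen for illustration.

# Protocols permitted by this wrapper: TLS-protected HTTPS/FTPS and
# SSH-based SFTP/SCP. Plaintext http:// and ftp:// are rejected.
ALLOWED_PROTOS="https,ftps,sftp,scp"

# scheme_of URL -> prints the lowercase URL scheme (the text before "://"),
# or nothing if the argument has no scheme.
scheme_of() {
    printf '%s' "$1" | sed -n 's#^\([A-Za-z][A-Za-z0-9+.-]*\)://.*#\1#p' | tr 'A-Z' 'a-z'
}

# is_secure_url URL -> exit status 0 if the scheme is in ALLOWED_PROTOS,
# 1 otherwise (including URLs with no scheme at all).
is_secure_url() {
    s=$(scheme_of "$1")
    [ -n "$s" ] || return 1
    case ",$ALLOWED_PROTOS," in
        *",$s,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# build_upload_cmd FILE URL CA_BUNDLE -> prints the curl command line that
# would upload FILE to URL, or fails without printing if URL is not secured.
#   --proto "=list"  limits curl to exactly these protocols, so a redirect
#                    to http:// or ftp:// is refused rather than followed
#   --fail           turns HTTP 4xx/5xx responses into a non-zero exit code
#   --cacert PATH    verifies the server certificate against this CA bundle
build_upload_cmd() {
    file=$1; url=$2; ca=$3
    if ! is_secure_url "$url"; then
        echo "refused: $url does not use a secured transfer protocol" >&2
        return 1
    fi
    printf 'curl --proto =%s --fail --cacert %s --upload-file %s %s\n' \
        "$ALLOWED_PROTOS" "$ca" "$file" "$url"
}

# When run directly with arguments, print the command for the given transfer:
#   sh transfer_wrapper.sh report.csv.gpg https://example.invalid/drop /etc/ssl/certs/ca-bundle.crt
if [ "$#" -ge 3 ]; then
    build_upload_cmd "$1" "$2" "$3"
fi
```

The scheme check is deliberately separate from the command builder so that a batch job can validate its whole destination list before moving any file. If the data is to be protected with PGP/GPG instead of relying on the channel, encrypt the file first and hand the resulting `.gpg` file to the wrapper; the transport restriction still applies.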

Status of Additional Secure Transfer Protocols

For UConn’s zOS platform (UCONNMVS), the Curl client (for SSL/TLS use) still needs to be installed and possibly configured.

For UCONNMVS, the "Ported Tools" package (for SSH use) needs to be configured and tested.

Other software tools, including freeware that use the above transfer protocols, may be used by non-UITS departments for file transfers to/from UITS resources.

Implementation Considerations

For UCONNMVS, once these protocols are available, procedures must be written describing their use. The procedures must include a programmatic method that can be used to write zOS "jobs" that transfer data automatically.


Last updated on June 30, 2006