Storing and sending data securely

Use the AUAS network and MyAUAS to store data securely

When storing business information, the most secure option is to use the AUAS's central storage services, either the AUAS network (home directory and group folders) or MyAUAS. This system ensures that your data are kept safe and that backups are made of your files.

If you share files, make sure that confidential data are only accessible to authorised individuals by checking the reading and editing rights on files and folders. Note that MyAUAS is not suitable for storing highly confidential data (e.g. special personal details).

Use of facilities other than the central storage services is strongly discouraged

In view of the safety risks (loss, theft, privacy laws, and so on), we strongly discourage the use of storage facilities other than the central AUAS storage services. If you do save data on a USB memory stick, external hard disk, your own laptop or in the cloud, be sure to take the safety precautions given below!

USB memory stick

Information stored on a memory stick can be secured in two ways, by using a hardware-encrypted memory stick (A) or special software to secure a regular memory stick (B).

A. Recommended hardware-encrypted USB memory sticks

There are many different brands and not all are equally safe, so inform yourself before choosing one. Some recommendations are:

  • The IronKey Basic S250 has been approved by the Dutch government for the storage of confidential data.
  • The Kingston DT 4000 encrypted USB stick is a good cheaper alternative with an adequate security level (FIPS 140-2 level 2, strong encryption, strong casing, limited number of login attempts, strong password requirements).

The IronKey memory stick is better because it has additional physical security features. Cheaper hardware-encrypted memory sticks such as those made by Corsair tend to be less safe. Note that with the more secure memory sticks, the stored data will be destroyed after a certain number of incorrect password entry attempts (e.g. ten).

B. USB memory stick security software

Another option is using encryption software (e.g. VeraCrypt). However, this also has some drawbacks, since it requires more knowledge and effort and you are not forced to use a strong password as with the hardware-encrypted memory sticks recommended above. You can also select specific files or folders on your memory stick to secure, for instance using AES Crypt.

Storing and sharing data in the cloud using SURFdrive

SURFdrive is a personal cloud storage service for the Dutch higher education and research sector, which lets employees easily store files and share these with users at fellow institutions and with external users via a registered email address. As an AUAS employee, you have 100 GB of storage capacity on SURFdrive. SURFdrive complies with all Dutch and European privacy legislation. For example, SURFdrive has conditions of use that ensure data safety during use as well as retention of ownership of your own data. Because your data are secured in the Netherlands and never made available to external parties, they are guaranteed to be safe – on the condition that you encrypt all your confidential data.

Encrypt confidential business information on SURFdrive

If you use SURFdrive to store highly confidential business information (e.g. relating to tenders, or large quantities of, or special, personal data), you must encrypt it, for example using AES Crypt or .ZIP software such as 7-Zip. Encryption is also recommended when storing confidential data, as there is always a risk of data ending up on an unsecured device via synchronisation.

Dropbox: not suitable for confidential AUAS data

Dropbox is not suitable for the storage of important or confidential AUAS data. Although Dropbox does provide security, backup and access facilities, there are a number of drawbacks:

  • Dropbox and similar cloud services are run by American companies that are regulated by American law and hence are not compliant with Dutch and European personal data protection legislation. Under the US Patriot Act, the American government is furthermore authorised to access these data.
  • Though files are encrypted, no end-to-end encryption is used and no guarantee exists that they cannot be accessed by others. Theoretically, Dropbox itself can also view files.
  • The verification file needed to gain access to data in a Dropbox account can be transferred to another PC, enabling unauthorised individuals to gain access to your files without needing login details.
  • AUAS is unable to offer any help or support in the event of theft.

Always encrypt confidential data before sending

When transferring/emailing confidential information, such as research data and/or personal details, always encrypt the files first using .ZIP software with an encryption feature, such as WinZip or 7-Zip.
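
A pre-send check for the two ZIP-encryption passages above (storing on SURFdrive and encrypting before sending), added here as an example and not taken from AUAS or SURF: it reads a ZIP's directory with Python's standard zipfile module and reports whether each entry is AES-encrypted, protected only by legacy ZipCrypto, or not encrypted at all. The function names and the sample file grades.csv are assumptions made for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # WinZip AE-x marker stored in the "compression method" field
ENCRYPTED_FLAG = 0x1   # general-purpose flag bit 0: entry is encrypted


def audit_zip(data: bytes) -> dict:
    """Classify every file entry as 'aes', 'zipcrypto' or 'plain'."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():      # reads the directory only, no password needed
            if info.is_dir():
                continue
            if not info.flag_bits & ENCRYPTED_FLAG:
                report[info.filename] = "plain"
            elif info.compress_type == AES_METHOD:
                report[info.filename] = "aes"
            else:
                report[info.filename] = "zipcrypto"
    return report


def safe_to_send(data: bytes) -> bool:
    """True only if the archive has entries and all of them are AES-encrypted."""
    report = audit_zip(data)
    return bool(report) and all(kind == "aes" for kind in report.values())


def constructed_sample(flags: int, method: int) -> bytes:
    """Constructed test data: build a one-entry ZIP, then patch the flag and
    method fields of its central-directory record to mimic an encrypting tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("grades.csv", "constructed sample row\n")
    raw = bytearray(buf.getvalue())
    cd = raw.rfind(b"PK\x01\x02")       # central directory file header signature
    struct.pack_into("<HH", raw, cd + 8, flags, method)  # flags, then method
    return bytes(raw)


if __name__ == "__main__":
    for label, sample in [("no password", constructed_sample(0x0, 0)),
                          ("ZipCrypto", constructed_sample(0x1, 8)),
                          ("AES", constructed_sample(0x1, AES_METHOD))]:
        print(label, audit_zip(sample), "send:", safe_to_send(sample))
```

7-Zip writes ZipCrypto into .zip archives unless AES is selected (for example with -mem=AES256 on the command line). ZIP encryption also leaves file names readable, which is why this check can list them without the password.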

Transfer large and/or confidential files using Filesender

SURFfilesender is a secure SURF service that you can access using your AUAS ID.

Published by ICT Services, 5 October 2018