File sharing ideas

[nabz0r Veteran]

Long story short, we use sftp for file sharing with customers (mostly it's used when they send us log files and some other show commands, or we send them Cisco images). The password and username is changed every 24 hours, but the problem is that during this hours a customer with pass and username can see other folders and this is for me a big security issue as there are some VERY sensitive info though we delete the files as soon as we download them.

 

Is there a way to come around this? It is possible to encrypt the files before sending it to us, but not all customers are tech gurus plus this is not a good long term solution.

Is this even possible to do it with sftp or there is some other solutions that I can use?

 

All ideas and inputs are appreciated.

 

 

[+BudMan MVC]

Why would you not just create their own username and folders so they only see their own files.  And this way you don't have to change the password and username every day.  And they could use publickey auth even vs password.

 

But sure they could encrypt them before they send them to you.. Simple zip up with password should be fine..

[Skiver Veteran]

We use LiquidFiles for things like you've described above. I'm not too involved in the process and don't really use it myself but it could be a possible solution?

 

https://www.liquidfiles.com/

[Dick Montage]

Wait, so all your clients from different organisations are using the same username and password (changed on a 24 hour basis) so they drop files into a shared SFTP where they can see each others?

 

Some of these files contain sensitive information?

 

Is this a key driver for your business?  If so, you need to invest in some form of file sharing software.  We are currently trialling Citrix ShareFile as it integrates with our core systems but that may be overflown for your needs.  If you wish to use what you currently have, set up folders per client, restrict access per user and secure with decent passwords.

 

 

[sc302 Veteran]

why not have an upload folder where they can only upload files, but not see or extract contents. 

 

have a download folder where they can only retrieve their own files from (home folder). 

[nabz0r Veteran]

@BudMan, it's almost 600 customers so it is impossible to create username/password for all. Yeah zip with password would work, but today someone asked me how to do that and some are lazy and wont cooperate..

 

@Skiver, thanks but I don't think that my company will go with another third party solution. We already use some and lately we went with Syncplicity, though not sure if I can use them for this purpose.

 

@Nefarious Trigger, unfortunately yes, someone came up with this solution 12 years ago and we are stuck with it. We have one upload/download folder and username/password are generated every night at 00:00 and the files are deleted. We use Citrix today so if it is easy setup I might consider using them, can you tell me a little more about it? It is almost impossible to create one folder per customer.

 

@sc302, We have an upload and a download folder, is it possible to strict access to to the folders? I mean could upload and download but not see other folders?

[sc302 Veteran]

nabzor, absolutely. 

 

try giving a test user the ability to write but not read.  they will be able to transfer a file there but they will not be able to read the contents of the location.  Their only verification will be when their ftp client completes the transfer.

 

you can restrict access by user also, but that would require some configuration on your part.

[+BudMan MVC]

18 hours ago, nabz0r said:

it's almost 600 customers so it is impossible to create username/password for all

Says who??  Simple script would do it.. Could create 6000 users if you wanted in a few seconds to be honest.