Welcome, 
Secure File Sending with YouSendIt
I. Introduction
With the rapid rise in electronic file delivery, the risk to the integrity and security of data has correspondingly increased. No matter whether a company is large or small, it must ensure that the file sending solution it deploys offers highest level of security available.
Secure file transfer is not merely a matter of ensuring that no one can intercept data in transit. It requires an all encompassing solution that addresses every possible threat to data confidentiality and integrity. Today, a broad range of solutions exist to meet the needs of companies and individuals that must transfer large files. Most, however, are either inherently insecure or involve cumbersome set up and maintenance issues. Small businesses and the enterprise level organizations alike need a solution that offers both highly secure transfer and a low Total Cost of Ownership (TCO).
YouSendIt helps businesses meet these challenges, while facilitating secure and easy file sending. The YouSendIt security platform consists of three parts:
1. Secure transfer via SSL
2. A hardened datacenter, protected by best practices security methods
3. Optional "out of band" measures employed by customers to maximize security
This white paper will detail how these methods enable YouSendIt to provide a low cost, highly secure file sending solution to its customers.
II. Secure File Transfer via SSL
1. In Transit Security with YouSendIt
In the YouSendIt file sending model, a sender first uploads a file to a server in the YouSendIt datacenter. An email is automatically generated to the recipient or recipients, who then download the file to their computers, PDAs, or other device. To ensure that data is not compromised in either transfer, YouSendIt employs the Secure Socket Layer (SSL) protocol.
SSL is browser-based protocol, originally developed by Netscape to provide for secure transfer of information between two points on the Internet. Today, it is the most common way e-commerce and other commercial sites protect an end user's confidential information in transit.
SSL works by encryption. A secure website first sends a user's browser a public encryption key, which is used to construct another, unique, non-public encryption key. This key, which is known only to the web server and the user, is then used to protect all subsequent transfers of information. In practice, SLL provides a secure tunnel between two points on the Internet. Files transferred along this tunnel are wrapped in a layer of encryption that makes them impossible for third parties to view or compromise.
2. Data Confidentiality with YouSendIt
Using its SSL solution, YouSendIt can ensure complete data confidentiality. The encryption methods it uses are based on keys only available to the user and the server, making it practically impossible to decode the data sent, even if it is intercepted.
3. Data Integrity with YouSendIt
YouSendIt's SSL solution also ensures data integrity. That means that no outside source can modify data as it travels between an end user and a server. If data is changed in transit, the protocol automatically recognizes the modification and asks the client to resubmit the file.
4. Advantages of YouSendIt for IT Management
Many other solutions exist for secure file transfer—such as Secure FTP, Secure Shell (SSH), and custom products offered by third party vendors. In choosing a file sending solution, companies should not only consider security, but also the Total Cost of Ownership (TCO). The YouSendIt solution offers a number of benefits that lower costs and reduce the strain on IT departments. These include:
Firewall Friendly Solution
Unlike FTP and SSH, YouSendIt provides an easy way to transfer large files at a higher level of security. Both Secure FTP and SSH solutions require ports to be opened permanently in a firewall to allow for inbound commands to a network, leaving them vulnerable to attack. Because YouSendIt's SSL solution works with the HTTP protocol on port 443, it does not require a permanently open port. Instead, firewalls dynamically open and close the port for it as needed.
Low Maintenance Set Up
In addition, YouSendIt requires no resources to set up and maintain. IT departments do not need to track logins and passwords, activating and retiring them as employees come and go.
Cross Platform Access
YouSendIt's solution is inherently cross platform and works on any browser. Even if a recipient is remote and has no access to an FTP client, he or she can still download files securely using any web browser.
III. Physical and IT Infrastructure
In addition to file transfer, YouSendIt has employed best practices security methods to ensure that customer's files remain secure while stored on its servers. These include everything from the physical security of YouSendIt datacenters to the firewalls and other measures the company uses to protect its servers from electronic attack. Some of the top features of YouSendIt's infrastructure security include:
Application Management
Applications are the most dynamic part of an IT Infrastructure, since they directly interact with the user. As a result, they require special care to guard against both accidental and intentional damage. YouSendIt uses only brand-name client, server, middleware, and database applications, specifically hardened and customized for its uses. Every server has a firewall, every router has filtering. They all receive the latest security updates and are constantly monitored against threats.
Virus Scanning
The server farms that store customer data at YouSendIt are equipped with antivirus software that is automatically updated on a regular basis. They scan every incoming file for viruses and provide alerts to customers if a virus has been detected.
Datacenter and Security
The setup and surveillance of physical infrastructure plays a vital role in security management. Physical access to a server may allow attackers to circumvent electronic barriers. As a result, YouSendIt has severely limited access to its datacenter.
Public access to YouSendIt offices is limited to certain rooms, which are under constant surveillance by the staff. The datacenters do not allow any public access; only identified persons acknowledged by the management may enter them. Their entry and exit time is recorded, and they must not only have a correct password but they also must pass a biometric scan to gain entry.
Multiple datacenters
To ensure that data is never lost, YouSendIt maintains two separate datacenters, both hardened to resist fire, earthquakes, and other natural disasters.
IV. Additional security options using YouSendIt
In addition to providing secure transfer via SSL, YouSendIt also offers a number of optional, out-of-band measures and monitoring activities that can be used to maximize the security of file transfer. The out-of-band features require offline communication—such as a phone call or email—to complete a file transfer. The monitoring activities can help a user check to ensure that no unexpected downloads of a file occur. Users can also quickly delete a file from YouSendIt's servers, if they fear they may have been compromised.
Password-protected downloads
In some cases, a user may require an additional, offline security method to ensure that only a specific person can receive a file. This situation usually arises when the recipient of a file works on a shared computer, shared email account, or in an insecure environment. YouSendIt helps its customers secure such file transfers with password-protection.
To use password-protection, a user specifies a password during file upload. This password will not be transmitted by YouSendIt to the recipient. Instead, the file sender must communicate the password by a separate method, such as email or telephone. To download the file, the recipient must enter this password.
Authorized download
A further way users can be sure that their files are being transferred properly is through authenticated delivery. This service requires that the recipient of a file have a YouSendIt account. They must log in with their username and password prior to being allowed to download a file.
Auditing
YouSendIt also provides an auditing ability through its Tracking service. There users can monitor how many times their files has been downloaded, and delete them if they wish.
File deleting
Users can delete files from YouSendIt's servers on the Sent Items page. The page contains a list of all files sent by a user that are still on the server. By clicking the trash can icon next to an item, users can delete those files. Files are also automatically deleted after a set period of time that varies with a user's service level.
V. GBLA Compliance
YouSendIt complies with the privacy provisions of the Gramm-Leach-Bailey Act (GBLA), a law that governs certain activities of the financial services industry. Under GBLA, YouSendIt qualifies as a service provider. To achieve compliance, it has developed a security policy and it stores and transfers client information on for the purpose for which it was intended. For more information, please see http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.
VI. Future Measures: On Disk Encryption
All files stored on YouSendIt servers will soon be encrypted using industry-standard techniques. This measure will ensure that decryption without the proper keys is almost impossible.
VII. Conclusion
The YouSendIt solution is designed to provide the highest level of security for file sending, while reducing the strain on IT departments. This white paper has outlined the comprehensive measures the company employs to ensure that customer data remains safe. These include SSL encryption for file sending and downloading, hardened datacenters, and additional "out of band" options for users with special security needs. All of these measures are supported entirely by YouSendIt, without requiring IT departments to specially configure their firewalls or to maintain user log-ins and passwords.
Today, small businesses and enterprise-level organizations alike need a secure, easy way to send large files. They can find that solution with YouSendIt.
