BookmarkSubscribeRSS Feed

Please add encryption to ODSpackage. Either add to the filename statement or ods package will do.

Now users have to encrypt the zip post-SAS or in a X command. which adds another step to the processing.

 

Kind regards,

 

Patrick

8 Comments
RW9
Diamond | Level 26
Diamond | Level 26

But anyone sending or recieving any data or outputs which would need to be encrypted, know that sending things by password protected email is not a secure or viable method.  Email generally has limits on file size (and sometimes type), and email is not secure, nor is the practice of sending password in a separate email.  Thus the preferred solution for sensitive or private data is to use FTP or Secure Web Portals.

Kurt_Bremser
Super User

Encryption of data is not needed. Put data in a safe place, and use safe means (ftps,sftp,https) for transfer.

If encryption is needed (eg data is kept in an off-site third-party data center, or in a cloud), then encrypt the whole system.

Patrick_Tan
Fluorite | Level 6

@RW9:About sending the zip by email:

- The zip usually is to big for email, that is not the point. Having to encrypt in a separate step adds to process time and often a call to an external program like winzip is not allowed by the system administrators.

 

@Kurt_BremserAbout not needing encryption:

- Many organisations like banks require at least two levels security measures for transferring and storing data. Encrypting the container (ZIP) is one of the security measures and certainly not the only one. The statement "Encryption is not needed" is a very bold one. Just a safe(encrypted) place and secure transport are minimal measures. So far too many incidents leaking data have surfaced on the net to feel secure. I prefer paranoid when it comes to security, wouldn't want my data to end up on the dark net...

 

Kind regards,

 

Patrick 

Kurt_Bremser
Super User

And how do you protect the password needed for decryption, and how do you proliferate it to the people who need it?

ChrisHemedinger
Community Manager

I don't disagree that relying on ZIP password is a dodgy security practice -- but this is a request we've seen before.  That and ability to create pw-protected XLSX files (which are basically ZIP files too).  The tech exists, so SAS users would like to make it easier to apply in their SAS programs.  I can tell you that it's under consideration, but I don't have a time frame to offer.

Patrick_Tan
Fluorite | Level 6

@Kurt_Bremser: A little beside the point but the passwords are transferred via an automated secure message system.

As a single security measure zipping and encrypting is indeed sub-par to say the least. It is however legacy we have to work with. 

 

@ChrisHemedinger: Thanks!

 

Kind regards,

 

Patrick

ChrisHemedinger
Community Manager
Status changed to: Under Consideration

I verified that this is under consideration in our tracking system.

DaveShea
Lapis Lazuli | Level 10

Adding the ability to password protect and encrypt the contents of a .zip file is way overdue. I work at a number of sites where using CALL SYSTEM has been disabled and users are left without the ability to programmatically create an encrypted and password protected .zip file.

 

Despite protestations to the contrary, in the comments above, the reality is that SAS users do want this facility. How those users manage the actual password between sender and receiver, is irrelevant.

 

Tools such as 7-Zip offer AES-256 encryption from the get go. Assuming that good encryption is paired with a strong password and password management, users are offered good level protection. 

 

In my opinion, adding the encryption/password facility to the FILENAME ZIP method rather than to the ODS PACKAGE would be a neater way to make this facility available to most users.

 

Cheers,


Downunder Dave
Wellington