Hey Jim, I work with John here at Agari, but I want to add some more broad color to this.
First off, the forensic data provided varies by email service provider. Some like Yahoo only provide headers and URLs; NetEase only provides headers. The primary ESP that provides full messages is Microsoft Hotmail. The messages that Hotmail ships as part of DMARC forensic data are a mixture of various messages that failed to authenticate with SPF/DKIM. They including both phish/fraud/scams/malware that can never authenticate as well as legitimate traffic that should authenticate but did not. (We see larger amounts of legit unauthenticated email particularly early on in deployment; once you start to deploy authentication the ratio changes drastically to where we see much more abuse and less legit traffic.) So the relevant question is typically what the data classification was before the message was sent to Hotmail and what the classification becomes once data arrives at Hotmail and is stored there. Most organizations we talk to consider Hotmail an inappropriate place to send restricted or confidential information and have DLP systems in place (if they handle such information) to prevent its egress. Once data has exited the organization as email en route to Hotmail, it is generally classified as something like public, or TLP Green if you believe in TLP, or the equivalent in whatever information classification system you use. So yes, to John's point, we are happy to discuss our data security with you as a potential customer and get into the weeds of how our backup systems work. However, when messages are already stored outside of Federal systems - in this case on Hotmail's systems - the point typically becomes moot because the data was already directly and intentionally provided to a third party with whom (typically) no specific data security agreements are in place and at that point has exited the origin's sphere of influence. 
Hope this is useful to you,
Chris

> On Feb 16, 2016, at 13:19, John Wilson via dmarc-discuss <[email protected]> wrote:
>
> Jim,
>
> Please contact me off list. I'd be happy to share our SOC3 and answer any additional questions you may have. I can also put you in touch with other Agari customers who had similar concerns but overcame them.
>
> John Wilson
>
> On Tue, Feb 16, 2016 at 8:31 AM, jim c via dmarc-discuss <[email protected]> wrote:
>> I work for an organization that has fairly stringent security requirements regarding where our data is stored. We recently moved towards DMARC, and are working with Agari.
>>
>> One of the things that Agari does - essentially the most important - is receive and analyze any forensic data returned. The issue that we've noticed is that the forensic data is the entirety of the email. It isn't just header info, but contains the entire message text, along with attachments. This means that any externally-bound valid email that is mistakenly marked as a failure will have forensic data - i.e. the entire email - sent to Agari. They will house the emails on their internal servers, wherever their data center is. These emails are available for only 14 days... however, they cannot tell me how long their system backups are stored. It wouldn't matter if they could, as we have no way of auditing their security measures, enforcing requirements, validating encryption, backup storage security, etc.
>>
>> Agari advertises as a cloud service, yet they are not Fedramp'd, which I believe should put them out of consideration for most federal agencies, considering accidental disclosure of classified data via email, if flagged as a failure via DMARC, would cause the email and hence the sensitive data to be housed outside of any government system. If Agari's systems were to be hacked, all of this data would be available - and again, they are not Fedramp'd, which ostensibly certifies their compliance with federal security requirements.
>>
>> Does anyone know if this issue has been discussed before (I couldn't find it), and how any of you out there that may work at organizations with similar security concerns have dealt with this issue?
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> [email protected]
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
>
> --
> John Wilson, Field CTO
> [email protected] | M: 650.996.5848 | www.agari.com
>
> Changing Email Security For Good.
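The thread turns on one fact: some providers return the entire failed message in a DMARC forensic (RUF) report, body and attachments included, so a misclassified legitimate email can carry confidential content to whoever processes the report. The following is an added example, not Agari's code and not anything from the dmarc.org list, showing the control a sending organization can apply on its own side before a report is forwarded anywhere: parse the RFC 6591 report, locate the embedded original message, and reduce it to an allow-listed header block (which is all a headers-only provider such as the ones mentioned above would have sent). The report below, its addresses, domains, Message-ID and DKIM value are all constructed sample data.

```python
"""Reduce a DMARC forensic (RUF / ARF) report to headers only before export.

Added example. The sample report, addresses, domains and DKIM value are
constructed; nothing here is real traffic or any vendor's code.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample: multipart/report carrying a human-readable part, the
# machine-readable feedback-report, and the complete original message
# (text body plus a CSV attachment), as a full-message provider would send.
SAMPLE_REPORT = b"""\
From: dmarc-ruf@mailbox-provider.example
To: ruf-intake@agency.example
Subject: FW: Q3 numbers (internal)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="rep"

--rep
Content-Type: text/plain; charset=us-ascii

Authentication failure report for a message received from 203.0.113.5.

--rep
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
Auth-Failure: dmarc
Reported-Domain: agency.example
Source-IP: 203.0.113.5

--rep
Content-Type: message/rfc822

From: alice@agency.example
To: bob@mailbox-provider.example
Date: Tue, 16 Feb 2016 08:31:00 -0800
Subject: Q3 numbers (internal)
Message-ID: <constructed-0001@agency.example>
DKIM-Signature: v=1; a=rsa-sha256; d=agency.example; s=sel; b=PLACEHOLDER
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="orig"

--orig
Content-Type: text/plain; charset=us-ascii

Attached are the confidential Q3 figures.

--orig
Content-Type: text/csv; name="q3.csv"
Content-Disposition: attachment; filename="q3.csv"

region,revenue
east,12345

--orig--

--rep--
"""

# Headers worth keeping for authentication troubleshooting; everything else
# (body, attachments, MIME structure) is dropped. Allow-list, not deny-list.
KEEP = {"from", "to", "cc", "date", "subject", "message-id", "received",
        "return-path", "authentication-results", "dkim-signature"}


def find_original(report: EmailMessage) -> Optional[EmailMessage]:
    """Return the embedded original message, or None for a headers-only report."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def headers_only(original: EmailMessage) -> EmailMessage:
    """Copy allow-listed headers into a fresh single-part message with a stub body."""
    stripped = EmailMessage()
    for name, value in original.items():
        if name.lower() in KEEP:
            stripped[name] = value
    stripped.set_content("[body and attachments removed before export]")
    return stripped


def redact_report(raw: bytes) -> dict:
    """Parse a RUF report; report what was dropped and return the redacted copy."""
    report = email.message_from_bytes(raw, policy=policy.default)
    original = find_original(report)
    if original is None:
        return {"had_full_message": False, "attachments_dropped": [], "redacted": None}
    dropped = [p.get_filename() for p in original.iter_attachments()]
    return {"had_full_message": True, "attachments_dropped": dropped,
            "redacted": headers_only(original)}


if __name__ == "__main__":
    result = redact_report(SAMPLE_REPORT)
    print("dropped attachments:", result["attachments_dropped"])
    print(result["redacted"].as_string())
```

The point of the allow-list is that it fails closed: a header the code has never heard of is dropped rather than leaked. This only helps if it runs inside the sender's own boundary; as the discussion above notes, once the full message has already been handed to the mailbox provider, redaction at the report stage limits what the next third party sees but cannot pull back what the first one holds.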
