I am no security expert, so forgive my ignorance. I understand that Exchange servers have the ability to encrypt all the "data at rest" on the server, and may well be able to encrypt the data sent to a client using ActiveSync. But, isn't it true that an email, once it leaves the sever via SMTP, is unencrypted?
--Matt Ross Ephrata School District Michael B. Smith <[email protected]> , 4/23/2014 8:54 AM: This would be better on the Exchange list. But two concepts come into play. Data-at-rest and data-in-motion. Data-in-motion – in MANY (not even most, just many) modern systems is encrypted using SSL or TLS. If the system is Exchange, then Exchange ensures that all data in transit is always encrypted. Data-at-rest is far more complex and requires a certain level of operational maturity to implement. Lots of third party compliant email systems do this on THEIR servers. But not on yours. Authenticated data-in-motion and authenticated data-at-rest are what you refer to by suggesting “key exchange is required”. Typically, this is S/MIME. And that’s a whole different kettle of fish. From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran Sent: Wednesday, April 23, 2014 11:31 AM To: [email protected] Subject: [NTSysADM] RE: is email over SSL same as email encryption? After doing some more reading, it looks the sender and recipient needs to exchange keys for this to work. To the members here who have to be HIPPA compliant for email, do you mind sharing what you have in place? Do you use a 3rd party to handle this? How do you communicate with users outside your organization and also be compliant? From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran Sent: Wednesday, April 23, 2014 8:19 AM To: [email protected] Subject: [NTSysADM] is email over SSL same as email encryption? I ask this because I have a client who wants to be HIPPA complaint with patient communication. I don’t know much about compliance with email except that the email needs to be encrypted. Currently, they use email hosted by bluehost via imap and over SSL. This just means the connection to bluehost is encrypted, but by the time it hits the patient’s inbox, it is no longer encrypted correct? TIA, Jimmy
