It's not just linear progression between encryption options either. Some pros and cons:

TLS:
  easy to do, invisible, always on
  .... only works with defined partners (opportunistic TLS aside), offers nothing beyond the mail server to mail server encryption

S/MIME:
  easy to understand for the user (to an extent), protects the message to the mailbox so no sysadmin access, sometimes protects against sending to the wrong address (only if they don't have a cert .. in which case the error will alert you!)
  .... you need a cert infrastructure, users can and do forget to press the encrypt button all the time, any attachments are no longer encrypted as soon as saved, requires the other end to have a cert if you're sending to them, initial cert exchange can cause headaches, needs some BES work to support on BB, can get stuck in mail filters that quarantine encrypted mails

File Encryption (e.g. PGP):
  strongest of all as encryption is independent of transport and guaranteed to the user, even when saved (as long as kept encrypted and temp files are managed!), key management easier to do on a small scale without a CA
  ... user training issue (always a challenge for non-tech users), for escrow you need a chunk of infrastructure and complexity, users find it cumbersome generally, not an option for reading on a BB (AFAIK), can get stuck in mail filters that quarantine encrypted mails

Web-based Portal:
  simple to understand, easy to use, under your control
  ... non-standard (some ppl really just prefer to email), pain on BB, may require PT assurance from 3rd parties, something else to manage for you that could be a disastrous compromise if you get it wrong!

That's not exhaustive, but should give you some idea. Encryption is not currently easy.

a
________________________________
From: Brian Desmond [mailto:[email protected]]
Sent: 04 March 2011 18:00
To: NT System Admin Issues
Subject: RE: Seeking secure e-mail options

The question I haven't seen answered is what phase needs to be secure? If you're just concerned about traffic on the wire, then Server to Server TLS would work fine. If you're concerned about guaranteeing that the message is only accessible to the recipients, then you need to look at something like S/MIME.

Thanks,
Brian Desmond
[email protected] <mailto:[email protected]>
c - 312.731.3132

From: Tom Miller [mailto:[email protected]]
Sent: Friday, March 04, 2011 11:31 AM
To: NT System Admin Issues
Subject: Re: Seeking secure e-mail options

Good points. The message contents need to be encrypted since they will house patient/clinical/financial information. Not sure about signed. If we do TLS on the gateway, then server-to-server communications would be encrypted. I can't say too much else about requirements, since there is a state committee looking into this and I thought I'd ask your opinions. But we do need something that will be fairly easy for the sender and recipient, fairly easy to configure and manage. And something that isn't "Exchange-centric", for example.

Tom

>>> "Andrew S. Baker" <[email protected]> 3/4/2011 12:10 PM >>>
Please define "secure email". Do individual messages need to be encrypted? Do messages just need to be signed? Does server-to-server communication need to be encrypted?

There are lots of ways to do this, and depending on your requirement, this can be a breeze (use TLS between servers) or ridiculously complicated (PGP between clients) or somewhere in between (TLS + S/MIME).

ASB (Find me online via About.Me <http://about.me/Andrew.S.Baker/bio>)
Exploiting Technology for Business Advantage...

On Fri, Mar 4, 2011 at 8:35 AM, Tom Miller <[email protected]> wrote:
I'm looking for suggestions on secure e-mail.
I have a Barracuda which can do some sort of verification, but I don't think that's what is needed. Like agencies in my state are looking for secure e-mail options so we can send clinical data to each other. I'd prefer something that is autonomous to whatever e-mail system is used, since other agencies may be Exchange or other e-mail products. We don't use Exchange here. Suggestions appreciated.

Tom

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin

Confidentiality Notice: This e-mail message, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

************************************************************************************
WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies.
"CLS Services Ltd · Registered in England No 4132704 · Registered Office: Exchange Tower · One Harbour Exchange Square · London E14 9GE"
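The distinction the thread keeps coming back to, signed versus encrypted, and hop-by-hop TLS versus message-level S/MIME or PGP, is one a mail gateway can check mechanically, which also addresses two of the S/MIME and PGP downsides listed at the top (users forgetting the encrypt button, and filters quarantining encrypted mail they do not recognise). The following is an added example, not code from the list thread or from any product named in it: a Python policy check using only the standard-library `email` package. It classifies a message by the MIME shape that S/MIME enveloped data, PGP/MIME and inline PGP produce, treats signed-only mail as giving no confidentiality, and flags outbound mail to a partner domain that was sent without message-level encryption. All sample messages, addresses and the partner domain are constructed; TLS deliberately never appears in the classification because it protects only the hop and leaves the stored message in clear, which is the point made above.

```python
"""Gateway encryption check. Added example (not thread code); stdlib only; samples constructed."""
from email import message_from_bytes
from email.message import Message
from email.utils import getaddresses

# --- constructed sample messages (not real traffic) -----------------------
PLAIN = b"""To: nurse@agency-b.example
Content-Type: text/plain

Clinical summary attached.
"""

SMIME = b"""To: nurse@agency-b.example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxgg==
"""

SIGNED = b"""To: nurse@agency-b.example
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b0"

--b0
Content-Type: text/plain

Clinical summary attached.
--b0
Content-Type: application/pkcs7-signature; name="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJ
--b0--
"""

PGP_MIME = b"""To: nurse@agency-b.example
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA0constructedciphertext
-----END PGP MESSAGE-----
--b1--
"""

INLINE_PGP = b"""To: nurse@agency-b.example
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
hQEMA0constructedciphertext
-----END PGP MESSAGE-----
"""

# Shapes that give message-level confidentiality. TLS never appears here: it
# protects the hop only, and the stored message is still in clear.
ENCRYPTED = {"smime-enveloped", "pgp-mime", "pgp-inline"}


def classify(msg: Message) -> str:
    """Return the MIME-level encryption shape of a parsed message."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        smime_type = str(msg.get_param("smime-type") or "").lower()
        # opaque-signed S/MIME is also pkcs7-mime but gives no confidentiality
        return "smime-enveloped" if smime_type == "enveloped-data" else "signed-only"
    if ctype == "multipart/encrypted":
        if str(msg.get_param("protocol") or "").lower() == "application/pgp-encrypted":
            return "pgp-mime"
    if ctype == "multipart/signed":
        return "signed-only"  # clear-signed S/MIME or PGP: integrity only
    for part in msg.walk():  # inline PGP: armoured block inside a text part
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "pgp-inline"
    return "none"


def classify_bytes(raw: bytes) -> str:
    return classify(message_from_bytes(raw))


def outbound_violation(raw: bytes, require_encrypted_to: set) -> bool:
    """True when mail for a partner domain that must get encrypted mail is leaving
    without message-level encryption (the forgotten encrypt button)."""
    msg = message_from_bytes(raw)
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    domains = {addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(hdrs)}
    if not (domains & require_encrypted_to):
        return False
    return classify(msg) not in ENCRYPTED


if __name__ == "__main__":
    for raw in (PLAIN, SMIME, SIGNED, PGP_MIME, INLINE_PGP):
        print(classify_bytes(raw), outbound_violation(raw, {"agency-b.example"}))
```

The same classifier serves both gateway roles the thread touches: a quarantine filter can consult it to pass recognised encrypted shapes through instead of holding them, and an outbound policy can use `outbound_violation` to bounce clinical mail that a user sent to a partner agency without encrypting it. Signed-only mail is reported separately on purpose, since a signature proves who sent the message but does nothing to keep patient data from a sysadmin or anyone else who reads the mailbox.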
