Solved

How to use Outlook Email Encryption

Posted on 2013-01-08
6
Medium Priority
1,235 Views
Last Modified: 2013-01-31
I'm trying to see what's required to get email encryption set up in Outlook.  We have a client who is a home health agency and needs to encrypt all emails coming from their Exchange 2003 server containing confidential information in order to meet HIPAA compliance and send emails to companies.  We actually did get some pretty strong encryption set up through Barracuda, but this company that the client is sending emails to apparently lacks the mental capacity to log into a web portal and retrieve emails.  So now I'm trying to get Outlook to encrypt emails so that they don't have to think much more past "click, open email".  The thing I'm not understanding is how these digital IDs work; I was reading an article online, but it didn't tell me everything that's required for Outlook to encrypt emails.  The things I'm wondering are:

Does the recipient also need to purchase a digital ID to encrypt the message? (If the answer to this question is yes, then the solution isn't viable anyway.)

Does each computer that's going to send encrypted emails have to have its own separate digital ID?

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages?  For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

Also, does having Exchange affect things at all?
The client is running SBS 2003 with Exchange 2003

Any help is greatly appreciated, any other suggestions are welcome, and if I left anything out let me know.  Thanks.
0
Comment
Question by:ctagle
6 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 668 total points
ID: 38758166
OK, from the top then. I am going to assume by "digital ID" you mean S/MIME email encryption (as built into Outlook).

Does the recipient also need to purchase a digital ID to encrypt the message? (If the answer to this question is yes, then the solution isn't viable anyway.)

Technically, no. Each actor in the exchange must have a Digital ID; this is functionally identical to the HTTPS certificates used on web pages and to the certificates used for encrypting LDAPS, TLS/SMTP, and so forth.  That ID must be valid and match the email(s) of the account using it.  Once acquired, the Digital ID comes in two parts - a "public" certificate, which can be used to encrypt messages to the Digital ID's matching account, and a private key, which can be used both to digitally sign messages and decrypt messages signed with the public certificate.

It need not be a commercial cert, but in order to show as valid, any machine using it must have a copy of the signing cert.  However, within those constraints, you can use the MS CA or something like xca (http://sourceforge.net/projects/xca) to issue or even create valid certificates, in which case the "issuing" cert from the CA must also be installed on the end node machines (the only benefit to using a commercial CA is that this is already done for you).

Does each computer that's going to send encrypted emails have to have its own separate digital ID?

Again, technically no.
Only the recipient of an encrypted mail need have a Digital ID. The owner of a Digital ID may receive encrypted mails *and* send digitally signed mails.  The sender of encrypted mails needs only the recipient's cert, or to verify a digitally signed mail (which *includes* the cert) only the issuing CA cert.

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages?  For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

No, that's not how it works. However, to *send* an encrypted message/reply, they will need a valid cert for the intended recipient (not the whole digital ID, just the cert) - if they/you are in an Exchange environment, they/you should be able to add this to the GAL as an external contact - much easier than adding each individually to each agent needing to send encrypted mail to the recipient. You can also push out the signing CA to the machines using Group Policy, to avoid having to do that per-node either.  There was no pretty GUI tool to do the GAL cert addition in Exchange 2003, though; you need to use CertUtil with the dspublish flag, which is a moderate admin task (as in, it scares anyone who is lost without a GUI :)
0
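The accepted answer's three points (each actor has a Digital ID bound to their email address, the ID is only "valid" on a machine that has the issuing CA's certificate, and one cert can carry several addresses in its Subject Alternative Name) can be exercised with the Go standard library's crypto/x509 package. This is an added example, not code from the thread or from Outlook/Exchange: it stands up a toy issuing CA in memory, issues a user certificate marked for email protection, and then runs the check a mail client makes before trusting that certificate. The CA name and the addresses (agency.example) are constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issueCA creates a self-signed issuing certificate, standing in for an internal
// CA (Microsoft CA, xca). Its certificate is what must be installed on every
// machine that should treat the Digital IDs it issues as valid.
func issueCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Agency Internal CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDigitalID issues an end-user certificate from the CA. The mailbox addresses
// go into the Subject Alternative Name extension, which is what the client compares
// with the address on the message; listing several addresses is the SAN-certificate
// idea mentioned later in the thread.
func issueDigitalID(ca *x509.Certificate, caKey *rsa.PrivateKey, emails []string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: emails[0]},
		EmailAddresses: emails,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validForEmail is the check a client makes before trusting a Digital ID: the cert
// must chain to an issuer in roots, be marked for email protection, and be bound to
// the address in question. A nil roots pool models a machine on which the issuing
// CA certificate was never installed.
func validForEmail(cert *x509.Certificate, roots *x509.CertPool, email string) error {
	if roots == nil {
		roots = x509.NewCertPool() // empty pool: no issuer is trusted
	}
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}); err != nil {
		return fmt.Errorf("chain does not validate: %w", err)
	}
	for _, e := range cert.EmailAddresses {
		if strings.EqualFold(e, email) {
			return nil
		}
	}
	return fmt.Errorf("certificate is not issued for %s", email)
}

func main() {
	ca, caKey, err := issueCA()
	if err != nil {
		panic(err)
	}
	id, _, err := issueDigitalID(ca, caKey, []string{"nurse@agency.example", "intake@agency.example"})
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("CA installed, matching address:", validForEmail(id, trusted, "nurse@agency.example"))
	fmt.Println("CA installed, other address:   ", validForEmail(id, trusted, "someone@other.example"))
	fmt.Println("CA not installed:              ", validForEmail(id, nil, "nurse@agency.example"))
}
```

The third call is the case the answer warns about: the certificate is perfectly good, but a client without the issuing CA's certificate reports it as signed by an unknown authority, which is why the CA cert has to be pushed to the end nodes (or a commercial CA used, where that trust is pre-installed).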
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 668 total points
ID: 38758192
Does the recipient also need to purchase a digital ID to encrypt the message?
Yes.  You can get them for free, but the recipient and the sender will both need a digital ID.  S/MIME is a Public Key Infrastructure application using asymmetric cryptography with public/private key pairs.  As such, both the sender and the recipient will need a certificate / digital ID.

Does each computer that's going to send encrypted emails have to have its own separate digital ID?
No.  The digital ID authenticates the sender, not the sending device.  Each email address that will be sent from requires its own digital ID.  You would add your digital ID to each of the email clients that will send as you.

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages?  For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

EDIT - No, each of the 20 receiving agents would require a digital ID.

I'm trying to see what's required to get email encryption set up in Outlook.  We have a client who is a home health agency and needs to encrypt all emails coming from their Exchange 2003 server containing confidential information in order to meet HIPAA compliance and send emails to companies.
You can enforce encryption at the Exchange level by sending email out over TLS only.  The massive disadvantage with this is that not all organisations support secure SMTP.  If they don't, your only remedy would be to not send to those organisations...

Hope that helps.
0
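The "public/private key pairs" point above, and the split of roles in the accepted answer (public cert encrypts to the owner, private key signs and decrypts), is what decides who needs a Digital ID. The following added example, which is not from the thread and not real S/MIME message formatting, mirrors a signed-and-enveloped message in miniature with the Go standard library: the body is encrypted under a fresh AES key, that key is wrapped to the recipient's public key with RSA-OAEP, and the body is signed with the sender's private key using RSA-PSS. The Envelope type and the sample message text are constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a constructed stand-in for an S/MIME signed-and-enveloped message.
type Envelope struct {
	WrappedKey []byte // AES key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext of the message body
	Signature  []byte // RSA-PSS signature by the sender over SHA-256(body)
}

// sealMessage needs the recipient's *public* key (from their certificate) and the
// sender's *private* key (the sender's own Digital ID). Without a sender key there
// is no signature, which is why encrypt-only needs just the recipient's cert.
func sealMessage(body []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil), Signature: sig}, nil
}

// openMessage needs the recipient's *private* key to recover the AES key and the
// sender's *public* key to check the signature. Any other recipient's key cannot
// unwrap the AES key, and any other sender's key fails signature verification.
func openMessage(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted to this Digital ID: %w", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("body tampered with or wrong key: %w", err)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not match the claimed sender: %w", err)
	}
	return body, nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)    // sender's Digital ID key pair
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's Digital ID key pair
	env, err := sealMessage([]byte("visit schedule (constructed sample)"), sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	body, err := openMessage(env, recipient, &sender.PublicKey)
	fmt.Printf("%q %v\n", body, err)
}
```

Note that both sides hold a key pair only because the message is signed as well as encrypted; drop the signing step and the sender needs nothing but the recipient's public certificate, which is the distinction the two answers above are drawing.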
 
LVL 64

Assisted Solution

by:btan
btan earned 664 total points
ID: 38758560
The experts have covered them well, and I shall not repeat them, but primarily you should be looking at S/MIME, signature and encryption. [0] All this eventually leads to common PKI-based encryption using a digital ID. This identity is important as it represents the identity of the end user, which is typically represented as the "subject name" field stated in the digital (X.509v3) certificate issued by your trusted CA (internal or external).

[0] http://office.microsoft.com/en-sg/outlook-help/encrypt-e-mail-messages-HP001230536.aspx

[0] http://office.microsoft.com/en-sg/outlook-help/overview-of-certificates-and-cryptographic-e-mail-messaging-in-outlook-HP001230534.aspx?CTT=5&origin=HP001230536#BM2

But the challenge (or maybe tedious part) has also been well known to be the key management aspects, especially if you (or the IT team) manage the internal CA and its entire PKI infrastructure. Even then, using a 3rd party certificate issued from a trusted CA like VeriSign, Thawte etc. lessens the load but does not remove it all. The cost is cumulative with more users, be it tangible (infrastructure support) or intangible (operational cost, helpdesk). Also not forgetting to assess the existing backend Exchange system to beef up security with a network security device giving that additional anti-spam, email reputation checks etc. All is well and understood as you tread the HIPAA compliance needs.

Would be good to check out other alternatives [1] (inclusive of PKI encryption) as awareness to make an informed decision. But noting we do not want to compromise the security posture required. You may see IBE over PKI [2]. PS, I am not a vendor :)

[1] @ http://www.trusttone.com/blog/viewpost/120#Solution%20Approaches
[2] @ http://www.trusttone.com/blog/viewpost/120#Identity%20based%20encryption%20over%20PKI
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38758570
BlueCompute has a good point. Exchange (note NOT 2003, but later editions) can be set to *require* TLS for a custom SMTP bridgehead, and even if you don't have the later edition, the installation of a simple copy of Exim or a similar open source MTA as an intermediary can allow the state of TLS required, by ensuring:

1) for a list of recipient domains, TLS is required
2) for a list of recipient domains, direct delivery is required

You can achieve a situation where mail between yourselves and an external customer is *always* sent over an encrypted channel, so additional encryption per message is unnecessary; this may require (or at least work better if) you buy a commercial cert for your SMTP bridgehead, but that's just one cert.

Note this won't work well if you "front" your mail via another provider (such as Mimecast or Symantec) for antivirus/antispam filtering.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38758580
Oh, and note that a correctly constructed SAN certificate can reduce the number of Digital IDs required from one per email to one per domain :)
0
 

Author Closing Comment

by:ctagle
ID: 38841679
Thanks for all your help. Turns out in this scenario all we needed was a send connector with TLS configured and a valid SSL cert; all I needed to do was create a send connector for their domain and use our existing cert, and it was all good to go.  Now if only they had told me that from the beginning......>:O
0
