Solved

How to use Outlook Email Encryption

Posted on 2013-01-08
1,219 Views
Last Modified: 2013-01-31
I'm trying to see what's required to get email encryption set up in Outlook. We have a client who is a home health agency and needs to encrypt all emails coming from their Exchange 2003 server containing confidential information in order to meet HIPAA compliance and send emails to companies. We actually did get some pretty strong encryption set up through Barracuda, but this company that the client is sending emails to apparently lacks the mental capacity to log into a web portal and retrieve emails. So now I'm trying to get Outlook to encrypt emails so that they don't have to think much more past "click, open email". The thing I'm not understanding is how these digital IDs work; I was reading an article online but it didn't tell me everything that's required for Outlook to encrypt emails. The things I'm wondering are:

Does the recipient also need to purchase a digital ID to encrypt the message? (If the answer to this question is yes then the solution isn't viable anyway.)

Does each computer that's going to send encrypted emails have to have its own separate digital ID?

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages? For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

Also, does having Exchange affect things at all?
The client is running SBS 2003 with Exchange 2003.

Any help is greatly appreciated, any other suggestions are welcome, and if I left anything out let me know. Thanks.
0
Question by:ctagle
6 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 167 total points
ID: 38758166
OK, from the top then. I am going to assume by "digital ID" you mean S/MIME email encryption (as built into Outlook).

Does the recipient also need to purchase a digital ID to encrypt the message? (If the answer to this question is yes then the solution isn't viable anyway.)

Technically, no. Each actor in the exchange must have a Digital ID; this is functionally identical to the HTTPS certificates used on web pages and to the certificates used for encrypting LDAPS, TLS/SMTP, and so forth. That ID must be valid and match the email(s) of the account using it. Once acquired, the Digital ID comes in two parts: a "public" certificate, which can be used to encrypt messages to the Digital ID's matching account, and a private key, which can be used both to digitally sign messages and decrypt messages signed with the public certificate.

It need not be a commercial cert, but in order to show as valid, any machine using it must have a copy of the signing cert. However, within those constraints, you can use the MS CA or something like xca (http://sourceforge.net/projects/xca) to issue or even create valid certificates, in which case the "issuing" cert from the CA must also be installed on the end node machines (the only benefit to using a commercial CA is that this is already done for you).

Does each computer that's going to send encrypted emails have to have its own separate digital ID?

Again, technically no.
Only the recipient of an encrypted mail need have a Digital ID. The owner of a Digital ID may receive encrypted mails *and* send digitally signed mails. The sender of encrypted mails needs only the recipient's cert, or, to verify a digitally signed mail (which *includes* the cert), only the issuing CA cert.

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages? For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

No, that's not how it works. However, to *send* an encrypted message/reply, they will need a valid cert for the intended recipient (not the whole digital ID, just the cert). If they/you are in an Exchange environment, they/you should be able to add this to the GAL as an external contact, which is much easier than adding each individually to each agent needing to send encrypted mail to the recipient. You can also push out the signing CA to the machines using Group Policy, to avoid having to do that per node either. There was no pretty GUI tool to do the GAL cert addition in Exchange 2003, though; you need to use CertUtil with the dspublish flag, which is a moderate admin task (as in, it scares anyone who is lost without a GUI :)
0
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 167 total points
ID: 38758192
Does the recipient also need to purchase a digital ID to encrypt the message?
Yes. You can get them for free, but the recipient and the sender will both need a digital ID. S/MIME is a Public Key Infrastructure application using asymmetric cryptography with public/private key pairs. As such, both the sender and the recipient will need a certificate / digital ID.

Does each computer that's going to send encrypted emails have to have its own separate digital ID?
No. The digital ID authenticates the sender, not the sending device. Each email address that will be sent from requires its own digital ID. You would add your digital ID to each of the email clients that will send as you.

Does each recipient have to add the digital ID for each person into their contacts to decrypt messages? For example, if ten people are sending encrypted emails from my client to 20 agents on the other side, does each one of the 20 agents have to go in and add all 10 digital IDs?

EDIT - No, each of the 20 receiving agents would require a digital ID.

I'm trying to see what's required to get email encryption set up in Outlook. We have a client who is a home health agency and needs to encrypt all emails coming from their Exchange 2003 server containing confidential information in order to meet HIPAA compliance and send emails to companies.
You can enforce encryption at the Exchange level by only sending email out over TLS. The massive disadvantage with this is that not all organisations support secure SMTP. If they don't, your only remedy would be to not send to those organisations...

Hope that helps.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 166 total points
ID: 38758560
The experts have covered them well, and I shall not repeat, but primarily you should be looking at S/MIME signature and encryption. [0] All this eventually leads to common PKI-based encryption using a digital ID. This identity is important as it represents the identity of the end user, which is typically represented as the "subject name" field stated in the digital (X.509v3) certificate issued by your trusted CA (internal or external).

[0] http://office.microsoft.com/en-sg/outlook-help/encrypt-e-mail-messages-HP001230536.aspx

[0] http://office.microsoft.com/en-sg/outlook-help/overview-of-certificates-and-cryptographic-e-mail-messaging-in-outlook-HP001230534.aspx?CTT=5&origin=HP001230536#BM2
 
But the challenge (or maybe tedious part) has also been well known to be the key management aspects, especially if you (or the IT team) manage the internal CA and its entire PKI infrastructure. Even then, using a 3rd party certificate issued from a trusted CA like Verisign, Thawte etc. lessens the load but does not remove it all. The cost is cumulative with more users, be it tangible (infrastructure support) or intangible (operational cost, helpdesk). Also not forgetting to assess the existing backend Exchange system to beef up security with a network security device giving that additional anti-spam, email reputation checks etc. All is well and understood as you tread the HIPAA compliance needs.

Would be good to check out other alternatives [1] (inclusive of PKI encryption) as awareness to make an informed decision. But noting we do not want to compromise the security posture required. You may see IBE over PKI [2]. PS, I am not a vendor :)

[1] @ http://www.trusttone.com/blog/viewpost/120#Solution%20Approaches
[2] @ http://www.trusttone.com/blog/viewpost/120#Identity%20based%20encryption%20over%20PKI
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38758570
BlueCompute has a good point. Exchange (note NOT 2003, but later editions) can be set to *require* TLS for a custom SMTP bridgehead, and even if you don't have the later edition, the installation of a simple copy of Exim or a similar open source MTA as an intermediary can allow the state of TLS required, by ensuring:

1) for a list of recipient domains, TLS is required
2) for a list of recipient domains, direct delivery is required

you can achieve a situation where mail between yourselves and an external customer is *always* sent over an encrypted channel, so additional encryption per message is unnecessary; this may require (or at least work better if) you buy a commercial cert for your SMTP bridgehead, but that's just one cert.

Note this won't work well if you "front" your mail via another provider (such as Mimecast or Symantec) for antivirus/antispam filtering.
0
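A check worth running before putting a partner domain on the "TLS required" list described above: confirm that the partner's MX actually advertises STARTTLS and presents a certificate your MTA will trust, because once TLS is mandatory, mail to a domain that fails either test simply queues and expires. This is an added example written for this page, not code from the thread, from Exchange or from any MTA; it assumes the openssl CLI is installed, and the EHLO transcripts and s_client output it parses offline are constructed samples rather than captures from any real server.

```shell
#!/bin/sh
# Added example: pre-flight check before requiring TLS to a partner domain.
# Not code from the thread; assumes the openssl CLI. Sample transcripts are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# ehlo_advertises_starttls FILE: true if a saved EHLO reply contains a "250 STARTTLS" line.
# An MTA that never sees this line cannot upgrade the session, so "TLS required" would queue mail.
ehlo_advertises_starttls() {
    grep -qE '^250[ -]STARTTLS' "$1"
}

# tls_verdict FILE: reduce saved "openssl s_client -starttls smtp" output to one verdict:
#   "ok <protocol>"                 certificate chains to a trusted CA
#   "untrusted-cert code=N <proto>" TLS works, but the certificate would fail verification
#   "no-tls"                        no handshake happened at all
tls_verdict() {
    code=$(sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1)
    proto=$(sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' "$1" | head -n 1)
    case "$code" in
        "") echo "no-tls" ;;
        0)  echo "ok ${proto:-unknown}" ;;
        *)  echo "untrusted-cert code=$code ${proto:-unknown}" ;;
    esac
}

# probe HOST [PORT]: live version of the check (needs network); output goes through tls_verdict.
probe() {
    out="$WORK/probe.$1.txt"
    openssl s_client -starttls smtp -connect "$1:${2:-25}" </dev/null >"$out" 2>&1 || true
    tls_verdict "$out"
}

# make_samples: write constructed transcripts (not real captures) so the parsers run offline.
make_samples() {
    cat >"$WORK/ehlo_yes.txt" <<'EOF'
250-mail.partner.example Hello
250-SIZE 52428800
250-STARTTLS
250 HELP
EOF
    cat >"$WORK/ehlo_no.txt" <<'EOF'
250-legacy.partner.example Hello
250 HELP
EOF
    cat >"$WORK/good.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.partner.example
   i:CN = Demo Issuing CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
Verify return code: 0 (ok)
EOF
    cat >"$WORK/selfsigned.txt" <<'EOF'
CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
---
Verify return code: 18 (self signed certificate)
EOF
    cat >"$WORK/notls.txt" <<'EOF'
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
EOF
}

# demo: print the verdict for each constructed sample.
demo() {
    make_samples
    for f in ehlo_yes ehlo_no; do
        if ehlo_advertises_starttls "$WORK/$f.txt"; then echo "$f: STARTTLS offered"; else echo "$f: no STARTTLS"; fi
    done
    for f in good selfsigned notls; do
        echo "$f: $(tls_verdict "$WORK/$f.txt")"
    done
}
demo
```

For a real partner, run `probe mail.partner.example` against each MX host the domain publishes; only when every host returns "ok" is it safe to require TLS for that domain without also supplying the partner's CA or accepting a weaker "opportunistic" setting.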
 
LVL 33

Expert Comment

by:Dave Howe
ID: 38758580
Oh, and note that a correctly constructed SAN certificate can reduce the number of Digital IDs required from one per email to one per domain :)
0
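The mechanics in the accepted answer (only the recipient needs a Digital ID to receive encrypted mail, the sender needs just the recipient's public cert, and a signed message carries its own cert and is checked against the issuing CA) together with the SAN point just above (one certificate covering several addresses), as an added example built with the openssl CLI. It is not code from the thread or from Outlook; it assumes openssl 1.1.1 or later (for `-addext` and `-ext`), and every name, address and message text is constructed. Self-signed IDs stand in for CA-issued ones, so each signer's own cert doubles as the trust anchor that a real deployment would get from the CA cert pushed out by Group Policy.

```shell
#!/bin/sh
# Added example: the S/MIME round trip with openssl, showing which party needs which half of a Digital ID.
# Not code from the thread; assumes openssl >= 1.1.1. All names, addresses and files are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_id NAME EMAIL [MORE_EMAILS...]: mint a self-signed "Digital ID" for one mailbox.
# NAME.key is the private half (stays with the owner); NAME.crt is the public half that
# correspondents or the GAL receive. Extra addresses go into subjectAltName, which is how one
# certificate can stand in for several addresses instead of needing one ID per mailbox.
make_id() {
    name="$1"; email="$2"; shift 2
    san="email:$email"
    for extra in "$@"; do san="$san,email:$extra"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name/emailAddress=$email" -addext "subjectAltName=$san" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# san_addresses NAME: list the e-mail addresses NAME.crt is valid for, one per line.
san_addresses() {
    openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*email:\([^ ]*\).*/\1/p'
}

# encrypt_to RECIPIENT PLAINTEXT CIPHERTEXT: the sender needs only RECIPIENT.crt, no ID of its own.
encrypt_to() {
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

# decrypt_as RECIPIENT CIPHERTEXT PLAINTEXT: only the holder of RECIPIENT.key can do this.
decrypt_as() {
    openssl smime -decrypt -in "$2" -out "$3" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# sign_as SENDER PLAINTEXT SIGNED: signing uses SENDER.key and embeds SENDER.crt in the message.
sign_as() {
    openssl smime -sign -in "$2" -out "$3" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key"
}

# verify_from SENDER SIGNED PLAINTEXT: the verifier needs only the issuing CA cert; the
# self-signed SENDER.crt is its own issuer here, so it is passed as the trust anchor.
verify_from() {
    openssl smime -verify -in "$2" -out "$3" -CAfile "$WORK/$1.crt" 2>/dev/null
}

# same_text A B: compare two files ignoring the CRLF canonicalisation S/MIME applies.
same_text() {
    [ "$(tr -d '\r' <"$1")" = "$(tr -d '\r' <"$2")" ]
}

# roundtrip: encrypt to bob, decrypt as bob, sign as alice, verify alice; prints "ok" on success.
roundtrip() {
    make_id alice alice@example.com
    make_id bob bob@example.com billing@example.com   # one ID covering two addresses
    printf 'constructed sample: patient referral, confidential\n' > "$WORK/msg.txt"
    encrypt_to bob "$WORK/msg.txt" "$WORK/msg.p7m"
    decrypt_as bob "$WORK/msg.p7m" "$WORK/msg.dec"
    sign_as alice "$WORK/msg.txt" "$WORK/msg.sig"
    verify_from alice "$WORK/msg.sig" "$WORK/msg.ver"
    same_text "$WORK/msg.txt" "$WORK/msg.dec" && same_text "$WORK/msg.txt" "$WORK/msg.ver" && echo ok
}
roundtrip
```

Note which file each step touches: encryption consumes only `bob.crt`, decryption is the only step that needs `bob.key`, and verification needs no file of alice's beyond the issuing cert, because `alice.crt` travels inside `msg.sig`. Running `san_addresses bob` lists both of bob's addresses from the one certificate.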
 

Author Closing Comment

by:ctagle
ID: 38841679
Thanks for all your help. Turns out in this scenario all we needed was a send connector with TLS configured and a valid SSL cert; all I needed to do was create a send connector for their domain and use our existing cert and it was all good to go. Now if only they had told me that from the beginning......>:O
0
